Learn how to manage Cloud Observability access with roles. You can use Cloud Observability’s standard roles, create custom roles, assign roles, and set default roles.
Assign roles
Before you begin
The steps below are intended for setups without SAML group mapping. If you’re using SAML group mapping, manage users’ roles in your Identity Provider (IdP), not Cloud Observability.
See Plan your workflow for more information about user-and-role-management setups.
Permissions required: Administration permissions
If you’re using SAML group mapping and change someone’s role in Cloud Observability,
what happens depends on the new role.
If the new role is Organization Admin or Billing Admin, the user keeps the new role.
If the new role isn’t an Admin role, the SAML role replaces the new role when the user logs in.
Procedure
-
Follow these steps to change a user’s role:
- In Cloud Observability, select Settings > User management > Users.
- Find the relevant user and select ⋮ > Edit user.
- Choose the new role in the Edit user panel and select Save changes.
Cloud Observability displays <email> roles updated and returns to the Users page.
-
To assign roles with Terraform, see the lightstep_user_role_binding resource.
A December 2024 release replaced the Project Editor and Project Viewer roles with custom roles. However, Terraform still supports those roles to work with existing setups.
Manage custom roles
Overview
In addition to using Cloud Observability’s standard roles, you can create custom roles. Custom roles give you more control over what users see, helping your teams work effectively and securely in Cloud Observability.
Before you begin
Before creating a custom role, identify the template you want to use. Templates are copies of existing Cloud Observability roles that you edit to create custom roles. Cloud Observability has three template options: Organization Admin, Organization Editor, and Organization Viewer.
The template you select affects the scope of your custom role:
- Permissions - The Organization Admin template has telemetry, project-resource, and administrative permissions. The Organization Editor and Organization Viewer templates only handle telemetry and project-resource permissions.
- Project access - The Organization Editor and Organization Viewer templates let you restrict access to specific projects. The Organization Admin template only supports organization-wide access.
Permissions required to create custom roles: Administration permissions
Create custom roles
Follow the steps below to create a custom role that restricts log access. To view other custom role examples, such as project-specific roles, see Custom role examples.
- In Cloud Observability, select Settings > User management > Roles.
- Select Create role from template and enter a name for the custom role: No log access.
- In the Select template section, choose Organization Editor. That template role comes with an editable set of Organization Editor permissions.
-
In the Project access section, select Entire organization to let users with your custom role access any project in your organization, including new projects.
If you select Only selected projects, users with the custom role can only access the projects you specify.
- Customize the role in the Customize permissions section. To keep users from accessing log data and features, select Telemetry data and toggle the Log data option.
- To activate your custom role, select Next: Review and save and review the custom role permissions. Then select Save role.
Cloud Observability displays New role created, and the role appears in the table on the Roles page. You can now assign the role to users.
Edit custom roles
You may need to update custom roles when teams require additional access or users create new projects. You can edit a custom role’s name, description, individual project access, and permissions.
For role security, you can’t edit a custom role’s template or change its project access between Only selected projects and Entire organization. If you need to edit those options, create and configure a new custom role.
Follow these steps to edit a custom role:
- In Cloud Observability, select Settings > User management > Roles.
- Find the relevant custom role and select ⋮ > Edit role.
- Change the custom role’s name, description, individual project access, or permissions.
- To activate your changes, select Next: Review and save and review your custom role. Then select Save role.
Cloud Observability displays Role saved.
Delete custom roles
Follow the steps below to delete a custom role, while considering the impact on users. Deleting unused or unneeded custom roles helps you maintain an up-to-date list of roles and access.
To delete a custom role that’s also the default role, set a new default role first.
- In Cloud Observability, select Settings > User management > Roles.
- Find the relevant custom role and select ⋮ > Delete role.
- In the Delete role? dialog, review the users and projects affected by the custom role, enter CONFIRM, and select Yes, delete.
Cloud Observability displays Role deleted, and the role no longer appears on the Roles page.
Set the default role
Before you begin
See Plan your workflow for more information about user-and-role-management setups.
Permissions required: Administration permissions
Procedure
Cloud Observability assigns the default role to all new users. If you’re using SAML group mapping, Cloud Observability only assigns the default role to users without a role.
Avoid making Organization Admin the default role. If the default role is Organization Admin, all new users get full access to Cloud Observability.
- In Cloud Observability, select Settings > User management > Additional settings.
- Select the Default role drop-down to select a role.
Cloud Observability displays <organization> default role updated.
View your roles
Before you begin
Permissions required: Administration permissions
Procedure
Follow these steps to view your roles in Cloud Observability:
- In Cloud Observability, select Settings > User management > Users.
-
Enter your email in the search box.
Your roles appear in the Roles column.
- [Optional] To view your roles’ permissions, select ⋮ > View user and select the Permissions tab.
You can also view your roles using the Cloud Observability API.
See also
Updated Dec 6, 2024