Roles and permissions

Learn about the roles and permissions in Cloud Observability’s role-based access control (RBAC).

Overview

RBAC lets you manage user access to Cloud Observability with permissions and roles.

A permission is an action a user can take in Cloud Observability, such as creating and editing API keys. A role is a named set of permissions that you assign to users.

Cloud Observability has five organization roles (Admin, Billing Admin, Editor, Viewer, and Restricted Member) and two project roles (Project Editor and Project Viewer). Users can have one organization role and several project roles. Examples:

  • spacecat is a Restricted Member at the organization level. At the project level, spacecat is a Project Viewer for project A, Project Editor for project B, and spacecat can’t access project C.
  • astronomer123 is a Viewer at the organization level. At the project level, astronomer123 is a Project Editor for project C.

For conceptual information about managing users and roles and possible setups, visit User and role management.

Organization roles

Organization roles are sets of permissions users have across all Cloud Observability projects. Some organization roles also have administrative permissions.

These sections summarize Cloud Observability’s organization roles. To see all role permissions, view the table below.

Admin

Users with the Admin role can do almost everything in Cloud Observability. Admin users can’t access some billing-related features.

Assign the Admin role to only a few users. In most cases, Admin users are Cloud Observability power users who understand the product well.

Billing Admin

Users with the Billing Admin role can do everything in Cloud Observability, including billing-related tasks. Billing Admin users are also the only users who get emails about Cloud Observability billing overages.

Only Cloud Observability Customer Success representatives can assign the Billing Admin role. Contact your Customer Success representative to assign or reassign the Billing Admin role.

Editor

Users with the Editor role can view and manage key Cloud Observability features, such as alerts, charts, dashboards, and notebooks. Editor users can’t manage several things in Cloud Observability, including projects, users, organizations, and Microsatellites.

Assign this role to most users.

Restricted Member

Users with the Restricted Member role have no project access by default. Restricted Member users can get access to specific projects with the Project Editor and Project Viewer roles.

Viewer

Users with the Viewer role can see several Cloud Observability features, including existing alerts, charts, dashboards, and notebooks. Viewer users can only manage their own notebooks.

Assign this role to new and onboarding organization users. The role can keep users from inadvertently changing existing configurations. You may also want to assign this role to temporary users.

Project roles

Project roles are sets of permissions users have for specific Cloud Observability projects.

These sections summarize Cloud Observability’s project roles. To see all role permissions, view the table below.

Project Editor

Users with the Project Editor role have access to specific Cloud Observability projects. In those projects, Project Editor users can view and manage key Cloud Observability features, such as alerts, dashboards, and notebooks.

Project Viewer

Users with the Project Viewer role have access to specific Cloud Observability projects. In those projects, Project Viewer users can view several Cloud Observability features, including existing alerts, dashboards, and notebooks. Project Viewer users can also create, edit, and delete their own notebooks in specific projects.

Role permissions

The tabs below show the permissions in Cloud Observability’s organization and project roles.

Note that project-role permissions are scoped to projects. For example, Project Editors can only edit dashboards in the projects they can access.

The tabs don’t include the Restricted Member role. Users with that role can only log in to Cloud Observability. To give them access to Cloud Observability features, assign them the Project Editor or Project Viewer role.

| Permissions | Organization Admin | Organization Billing Admin | Organization Editor | Organization Viewer | Project Editor | Project Viewer |
|---|---|---|---|---|---|---|
| Activate previews for Slack integrations | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Activate Slack integrations | ✔️ | ✔️ | | | | |
| Create and revoke Satellite keys (for Enterprise accounts only) | ✔️ | ✔️ | | | | |
| Create, edit, and delete metric ingestion rules | | ✔️ | | | | |
| Create, edit, and delete projects | ✔️ | ✔️ | | | | |
| Create, view, and edit default roles | ✔️ | ✔️ | | | | |
| Create, view, and revoke API keys | ✔️ | ✔️ | ✔️ (Organization Editors can only view their API keys.) | | | |
| Create, view, edit, and delete domains for JIT provisioning | ✔️ | ✔️ | | | | |
| Create, view, edit, and delete single sign-on (SSO) | ✔️ | ✔️ | | | | |
| Create, view, edit, and delete users | ✔️ | ✔️ | | | | |
| Edit own password (for manually added users only) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Export billing information to CSV | | ✔️ | | | | |
| Subscribe and unsubscribe from monthly instrumentation digest emails | ✔️ | ✔️ | | | | |
| Subscribe and unsubscribe from service-level instrumentation emails | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View and edit timezones | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View billing contract details | ✔️ | ✔️ | | | | |
| View billing overage costs (For Active service bundle plans only) | | ✔️ | | | | |
| View billing usage and overage percentages | ✔️ | ✔️ | ✔️ | ✔️ | | |
| View metric ingestion rules | ✔️ | ✔️ | ✔️ | ✔️ | | |
| View the metric usage page | ✔️ | ✔️ | ✔️ | ✔️ | | |
| View the trace usage page | ✔️ | ✔️ | ✔️ | ✔️ | | |

| Permissions | Organization Admin | Organization Billing Admin | Organization Editor | Organization Viewer | Project Editor | Project Viewer |
|---|---|---|---|---|---|---|
| Create and edit Data Retention policy | ✔️ | ✔️ | | | | |
| Create, edit, and delete workflow links | ✔️ | ✔️ | | | | |
| Create, view, edit, and delete access tokens | ✔️ | ✔️ | ✔️ | | ✔️ | |
| Create, view, edit, and delete AWS integrations | ✔️ | ✔️ | ✔️ | | ✔️ | |
| Edit Metric details | ✔️ | ✔️ | | | | |
| Set a project landing page | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View and edit deployment versions | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View and edit Inferred services | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View and edit Ingest service blocking | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View and edit Instrumentation quality | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View and edit Mapping metrics to services | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View and edit Satellite pools | ✔️ | ✔️ | | | | |
| View Data Retention policy | ✔️ | ✔️ | ✔️ | | ✔️ | |
| View Metric details | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View workflow links | ✔️ | ✔️ | | ✔️ | | ✔️ |

| Permissions | Organization Admin | Organization Billing Admin | Organization Editor | Organization Viewer | Project Editor | Project Viewer |
|---|---|---|---|---|---|---|
| Create, edit, and delete alert conditions and destinations | ✔️ | ✔️ | ✔️ | | ✔️ | |
| Create, edit, and delete charts | ✔️ | ✔️ | ✔️ | | ✔️ | |
| Create, edit, and delete dashboards | ✔️ | ✔️ | ✔️ | | ✔️ | |
| Create, edit, and delete Streams | ✔️ | ✔️ | ✔️ | | ✔️ | |
| Create, view, edit, delete, and favorite notebooks | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ (Project Viewers can only work with their own notebooks.) |
| View alert conditions and destinations | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View projects | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View and favorite dashboards | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View charts | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View Explorer and run queries | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| View Streams | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
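
An access-review sketch of the role model on this page, added here as an example (it is not Cloud Observability code and calls no Cloud Observability API). It assumes that a user's effective access in a project is the union of their organization role and their project role there; the USERS data and all function names are constructed for illustration, using the two example users from the Overview and three permission rows from the tables.

```python
ADMIN, BILLING, EDITOR, VIEWER = ("Organization Admin", "Organization Billing Admin",
                                  "Organization Editor", "Organization Viewer")
P_EDITOR, P_VIEWER, RESTRICTED = "Project Editor", "Project Viewer", "Restricted Member"

# Three rows taken from the permission tables on this page:
# permission -> roles that hold it.
GRANTS = {
    "Create, view, edit, and delete access tokens": {ADMIN, BILLING, EDITOR, P_EDITOR},
    "Create, edit, and delete dashboards": {ADMIN, BILLING, EDITOR, P_EDITOR},
    "View charts": {ADMIN, BILLING, EDITOR, VIEWER, P_EDITOR, P_VIEWER},
}

# Constructed assignments mirroring the two example users in the Overview.
USERS = {
    "spacecat": {"org": RESTRICTED, "projects": {"A": P_VIEWER, "B": P_EDITOR}},
    "astronomer123": {"org": VIEWER, "projects": {"C": P_EDITOR}},
}

def roles_in_project(user, project):
    """Return the set of roles that apply to `user` inside `project`."""
    entry = USERS[user]
    roles = set()
    if entry["org"] != RESTRICTED:      # Restricted Member gives no project access
        roles.add(entry["org"])         # other organization roles span all projects
    if project in entry["projects"]:    # project roles apply only where assigned
        roles.add(entry["projects"][project])
    return roles

def can(user, permission, project):
    """Assumption: effective access is the union of the applicable roles."""
    return bool(roles_in_project(user, project) & GRANTS[permission])

def who_can(permission, project):
    """Access-review helper: sorted users holding `permission` in `project`."""
    return sorted(u for u in USERS if can(u, permission, project))

if __name__ == "__main__":
    # Review which users can manage access tokens in each project.
    for project in "ABC":
        print(project, who_can("Create, view, edit, and delete access tokens", project))
```

Running the same review over an export of real assignments shows, per project, which accounts hold credential-management permissions such as access tokens, which is the list to keep short.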

Visit the links below to learn more about setting up and using RBAC.

See also

User and role management

Set up JIT provisioning

Manage users and roles

Updated Sep 28, 2023