Roles and permissions reference

Learn about the roles and permissions in Cloud Observability’s role-based access control (RBAC).

Overview

RBAC lets you manage access to Cloud Observability with permissions and roles.

A permission is something users can do in Cloud Observability, for example, create dashboards. A role is a named set of permissions you assign to teams or users.

Cloud Observability has standard and custom roles:

  • Standard roles appear in Cloud Observability by default, for example, Organization Admin and Organization Editor.
  • Custom roles are standard roles that you customize to meet your needs. For example, to keep a user or team from accessing logs, you can create a custom role that lacks the log data permission.

In Cloud Observability, users or teams can have many roles. Users with multiple roles have a combined set of permissions from every assigned role, for example:

  • spacecat-user is an Organization Restricted Member. They also have custom roles that let them view Project A and edit Project B.
  • astronomer-user is an Organization Viewer. They also have a custom role that lets them edit Project C.

If your roles overlap, you get the highest permission level. For example, if one role restricts access to logs and another grants access, you can access logs.
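The combined-role rule above, modeled as an added example (not Cloud Observability code or its API): a user's effective level for a resource is the highest level any assigned role grants. The resource names, levels, role contents, project identifiers, and contractor-user are assumptions constructed for illustration; spacecat-user and astronomer-user follow the descriptions above.

```python
# Added example. Role contents, resource names and levels are constructed for
# illustration; they are not Cloud Observability's real permission identifiers.
LEVELS = {"none": 0, "view": 1, "edit": 2}

# role -> grants as (project scope, resource, level); "*" means entire organization
ROLES = {
    "Organization Restricted Member": [],
    "Organization Viewer": [("*", "logs", "view"), ("*", "dashboards", "view")],
    "No log access": [("*", "logs", "none"), ("*", "dashboards", "edit")],
    "View Project A": [("project-a", "logs", "view"), ("project-a", "dashboards", "view")],
    "Edit Project B": [("project-b", "logs", "view"), ("project-b", "dashboards", "edit")],
    "Edit Project C": [("project-c", "logs", "view"), ("project-c", "dashboards", "edit")],
}

ASSIGNMENTS = {
    "spacecat-user": ["Organization Restricted Member", "View Project A", "Edit Project B"],
    "astronomer-user": ["Organization Viewer", "Edit Project C"],
    # Hypothetical user: restricted by one role, granted by another.
    "contractor-user": ["No log access", "Organization Viewer"],
}

def effective_level(user, project, resource):
    """Highest level any assigned role grants for this project and resource."""
    best = "none"
    for role in ASSIGNMENTS[user]:
        for scope, res, level in ROLES[role]:
            if res == resource and scope in ("*", project) and LEVELS[level] > LEVELS[best]:
                best = level
    return best

def roles_defeating(user, restricting_role, resource):
    """Other assigned roles that still grant `resource`, undoing the restriction."""
    if restricting_role not in ASSIGNMENTS[user]:
        return []
    return sorted(
        role for role in ASSIGNMENTS[user]
        if role != restricting_role
        and any(res == resource and LEVELS[lvl] > 0 for _, res, lvl in ROLES[role])
    )

if __name__ == "__main__":
    for user in ASSIGNMENTS:
        for project in ("project-a", "project-b", "project-c"):
            print(user, project, "dashboards:", effective_level(user, project, "dashboards"),
                  "logs:", effective_level(user, project, "logs"))
    print("contractor-user log restriction defeated by:",
          roles_defeating("contractor-user", "No log access", "logs"))
```

Because roles only add permissions, a restrictive custom role holds only when no other role assigned to the same user or team grants the restricted resource; a check like `roles_defeating` over real assignments shows where it does not.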

For conceptual information about managing users and roles and possible setups, see User and role management and Plan your workflow.

Standard roles

These sections summarize Cloud Observability’s five standard roles. To view all role permissions, see Role permissions.

Previous Cloud Observability versions had the Project Editor and Project Viewer roles. With the custom roles release in December 2024, those roles became custom roles. For example, if someone was a Project Editor in demo and a Project Viewer in staging, they now have these custom roles: Project editor in demo and Project viewer in staging.

There is an exception for Terraform users. If you previously assigned Project Editor or Project Viewer with Terraform’s lightstep_saml_group_mappings or lightstep_user_role_binding resources, users keep their access, and the roles still appear in Cloud Observability.

Organization Admin

Users with the Organization Admin role can do almost everything in Cloud Observability. Organization Admin users can’t access some billing-related features.

Only assign a few users to the Organization Admin role. In most cases, Organization Admin users are Cloud Observability power users and understand the product well.

Organization Billing Admin

Users with the Organization Billing Admin role can do everything in Cloud Observability, including billing-related tasks. Organization Billing Admin users are also the only users who get emails about Cloud Observability billing overages.

Only Cloud Observability Customer Success representatives can assign the Organization Billing Admin role. Contact your Customer Success representative to assign or reassign the Organization Billing Admin role.

Organization Editor

Users with the Organization Editor role can view and manage key Cloud Observability features, such as alerts, charts, dashboards, and notebooks. Organization Editor users can’t manage several things in Cloud Observability, including projects, users, organizations, and Microsatellites.

Assign this role to most users.

Organization Restricted Member

Users with the Organization Restricted Member role have no telemetry, project, or administrative access by default. Organization Restricted Member users can gain permissions through custom roles.

Organization Viewer

Users with the Organization Viewer role can see several Cloud Observability features, including existing alerts, charts, dashboards, and notebooks. Organization Viewer users can only manage their own notebooks.

Assign this role to new and onboarding organization users. The role can keep users from inadvertently changing existing configurations. You may also want to assign this role to temporary users.

Custom roles and examples

If the standard roles don’t meet your needs, you can create custom roles. Custom roles give you more control over what users see, helping your teams work effectively and securely in Cloud Observability.

The examples below outline several custom-role use cases. For how to create, edit, and delete custom roles, see Manage custom roles.

Log access role

Keep users from accessing logs.

Custom role name: No log access

  • Template: Organization Editor
  • Project access: Entire organization
  • Permissions:
    • Telemetry data: No log data

Project-specific view role

Let users view a specific project.

Custom role name: View demo

  • Template: Organization Viewer
  • Project access: Only selected projects
    • Projects: demo

Project-specific edit role

Let users edit a specific project.

Custom role name: Edit demo

  • Template: Organization Editor
  • Project access: Only selected projects
    • Projects: demo

Role permissions

Permissions are divided into three categories: telemetry data, project resources, and administration. Follow these steps to view all Cloud Observability permissions in a table.

  1. In Cloud Observability, go to Settings > User management > Roles and select Create role from template.
  2. In the Select template section, choose Organization Admin and then select Next: Review and save. (You won’t finish creating the role – this procedure is just for viewing permissions.)

    The table lists all Cloud Observability permissions, organized into the following columns:

    • Section: The high-level permission category: telemetry data, project resources, or administration.
    • Resource Category: The broader resource related to the permission, such as log data or alerts.
    • Resource: The specific resource associated with the permission, for example, alerts created by other users.
    • Action: The permission’s action, such as create, delete, edit, or view.
  3. To exit the table without saving a new role, select Quit. Cloud Observability returns you to the Roles page.

Visit the links below to learn more about setting up and using RBAC.

See also

User and role management

Plan your workflow

Manage users

Updated Nov 19, 2024