RudderStack's permissions management feature lets you manage users and their permissions in your RudderStack workspace.

This feature allows you to:

  • Easily collaborate with other members of your organization.
  • Restrict edit permissions for business-critical objects in your workspace.
  • Limit access to product features where PII is exposed (for example, Live Events, debug logs, etc.) for compliance purposes.

Inviting users

To invite a member to your RudderStack workspace, follow these steps:

  1. Go to Settings > Members and click the Invite Teammate button.
  2. Enter the member's Email and select an appropriate role from the dropdown. Refer to the Role permissions section below for more information on the Read-Only, Read-Write, and Admin roles.
  3. Finally, click Invite.

Your teammate will be automatically added to the workspace once they accept the invite.

Role permissions

You can assign any of the following three roles to the member you want to invite to your workspace:

  • Read-Only
  • Read-Write
  • Admin

The following sections list the default permissions associated with each role.

You can also set granular access controls and lock down access to specific RudderStack objects and features to a select list of members in your workspace. For more information, refer to the Setting granular access controls section below.

Read-Only

This user role has the following permissions:

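| Feature | View | Add | Modify | Delete |
| --- | --- | --- | --- | --- |
| Sources | Yes | No | No | No |
| Destinations | Yes | No | No | No |
| Connections | Yes | No | No | No |
| Live Events | Yes | - | - | - |
| Transformations | Yes | No | No | No |
| Audit Logs | No | - | - | - |
| Tracking Plans | Yes | No | No | No |
| Models | Yes | No | No | No |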

Some things to note regarding the read-only user permissions:

  • Read-only users can view the settings of all the destinations. However, secrets like access keys are hidden from them.
  • They can, however, view any secrets, such as API keys, that are present in the transformation code.

Read-Write

A read-write user has all the permissions of a read-only user and can also modify the key workspace features and options listed below:

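| Feature | View | Add | Modify | Delete |
| --- | --- | --- | --- | --- |
| Sources | Yes | Yes | Yes | Yes |
| Destinations | Yes | Yes | Yes | Yes |
| Connections | Yes | Yes | Yes | Yes |
| Live Events | Yes | - | - | - |
| Transformations | Yes | Yes | Yes | Yes |
| Audit Logs | Yes | - | - | - |
| Tracking Plans | Yes | Yes | Yes | Yes |
| Models | Yes | Yes | Yes | Yes |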

Admin

This user role has complete access to the RudderStack workspace, including all the features in the current plan:

| Feature | View | Add | Modify | Delete |
| --- | --- | --- | --- | --- |
| Sources | Yes | Yes | Yes | Yes |
| Destinations | Yes | Yes | Yes | Yes |
| Connections | Yes | Yes | Yes | Yes |
| Live Events | Yes | - | - | - |
| Transformations | Yes | Yes | Yes | Yes |
| Audit Logs | Yes | - | - | - |
| Tracking Plans | Yes | Yes | Yes | Yes |
| Models | Yes | Yes | Yes | Yes |

The Admin role also has some additional permissions related to the configuration of the workspace settings, including managing users, modifying user permissions, enforcing MFA (multi-factor authentication), and more. This role also has the required permissions to set granular access controls for certain business-critical objects and limit PII access to certain users.

Setting granular access controls

When you add a member to your workspace, RudderStack lets you assign any of the three default global roles - Read-Only, Read-Write, and Admin.

Although these permissions provide basic controls, they can end up being too broad or too narrow for certain use-cases. For example, admins cannot restrict access to modify a destination's settings without removing edit permissions for the user entirely.

With RudderStack's granular access control features, admins can lock down business-critical objects to a select list of people. They can also restrict PII (Personally Identifiable Information) access to certain users.

With these features, you can allow certain data pipelines to be edited only by the users who have the required access. Also, you can ensure your access controls are in compliance with the major data regulations like SOC2, GDPR, CCPA, HIPAA, etc.

This is an enterprise-only feature.

All the access-related changes are recorded in the audit logs.

Restricting edit permissions for individual objects

The Permissions tab in the RudderStack dashboard lets you specify the list of members having edit permissions to a given object or resource.

Only users with the Admin role have access to the Permissions tab.

This tab is visible for every source, destination, and model present in the workspace.

The edit permissions include the ability to:

  • Connect/disconnect a resource with another resource. For example, source to destination, source to tracking plan, transformation to destination, model to reverse ETL source, etc.
  • Enable, disable, or delete a resource.
  • Edit or change the resource-specific configuration.

Any action involving setting up a connection between two resources or linking/de-linking a resource with another resource requires edit permissions for both the resources. The only exception is the SQL model, which can be used without explicitly setting any edit permissions.

To specify the list of users who can make changes to a given resource, follow these steps:

  1. Go to the resource and click on the Permissions tab.
  2. Under Who can make changes?, select either of the following two options:

    • Anyone with write access: All the members with the Read-Write or Admin role can make changes to the resource.
    • Only people you select: With this option, only the members who are given the edit permission can make changes to the resource.
  3. To allow specific members of your team to edit the resource, click Only people you select, followed by Add member.
  4. Finally, select the team members from the drop-down and click Add Members.

Members with Read-Only permissions cannot be added as they do not have permissions to modify a resource, by default.

RudderStack also lets you safeguard your customers' privacy by controlling who has access to the raw event data containing PII. You can either allow anyone on your team to access the PII or restrict the access only to a select list of members.

Anyone with access can view the customers' PII in the Live Events and the error logs under the Events tab for your destination.

To set the PII permissions, follow these steps:

  1. In your RudderStack dashboard, go to Settings > Data Privacy. Only users with the Admin role have access to this tab.
  2. Under Who can view restricted data?, select the appropriate option:

    • Anyone on your team: All the members in your workspace can view the raw event data containing your customers' PII.
    • Only people you select: With this option, only the people you select can view the raw data.
  3. To allow only specific members of your team to view the restricted data, click Only people you select, followed by Add member.
  4. Finally, select the team members from the drop-down and click Add Members.

If the admins are removed from the access list, they will be restricted from viewing the PII.
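
The edit-permission and PII rules from the two sections above, modeled as a small access-decision sketch that can be used to reason about who can change or view what during an access review. This is an added example, not RudderStack code: the Member and Resource classes, the resource kind labels, the sample workspace, and the treatment of Admins on per-object edit lists are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

WRITE_ROLES = {"Read-Write", "Admin"}  # roles that can modify objects by default

@dataclass
class Member:
    email: str
    role: str  # "Read-Only", "Read-Write" or "Admin"

@dataclass
class Resource:
    name: str
    kind: str  # constructed labels: "source", "destination", "sql_model", ...
    editors: Optional[Set[str]] = None  # None = "Anyone with write access"

def add_editor(resource: Resource, member: Member) -> None:
    """Switch to 'Only people you select' and add a member to the list."""
    if member.role not in WRITE_ROLES:
        raise ValueError("Read-Only members cannot be given edit permissions")
    if resource.editors is None:
        resource.editors = set()
    resource.editors.add(member.email)

def can_edit(member: Member, resource: Resource) -> bool:
    if member.role not in WRITE_ROLES:
        return False
    # Assumption: an Admin who is not on the list is treated like any other
    # member; the page states this explicitly only for the PII list.
    return resource.editors is None or member.email in resource.editors

def can_connect(member: Member, a: Resource, b: Resource) -> bool:
    """Linking two resources needs edit permission on both, except SQL models."""
    if member.role not in WRITE_ROLES:
        return False
    return all(can_edit(member, r) for r in (a, b) if r.kind != "sql_model")

def can_view_pii(member: Member, pii_viewers: Optional[Set[str]]) -> bool:
    """None = 'Anyone on your team'; otherwise the list applies to admins too."""
    return pii_viewers is None or member.email in pii_viewers

# Constructed sample workspace.
ana = Member("ana@example.com", "Read-Write")
bo = Member("bo@example.com", "Read-Write")
root = Member("root@example.com", "Admin")
viewer = Member("viewer@example.com", "Read-Only")
web = Resource("web-sdk", "source")
warehouse = Resource("prod-warehouse", "destination")
add_editor(warehouse, ana)  # lock the destination down to ana
```

In this sample, bo can still edit the open source but cannot connect it to the locked destination, which is the "both resources" rule in practice.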

Contact us

For queries on any of the sections covered in this guide, you can contact us or start a conversation in our Slack community.
