Amplitude’s Role-based Access Controls (RBAC) system unifies permissions across all Amplitude products and features. This guide describes best practices for designing and governing access at the project level, and not separately for each project.
In Amplitude, projects define the data users can view or modify, the Amplitude products and features they can use, and the actions they can perform within that project.
When you configure and manage permissions by project, users in your organization receive consistent access across all Amplitude products within that project.
Follow these guidelines to help ensure your RBAC implementation meets your organization’s access and security requirements.
Groups are the foundation for managing access at scale. In Amplitude, a group defines:
All members of a group inherit the same set of permissions for the same projects. This helps simplify onboarding, offboarding, and audits.
Use individual user-level permissions only when group membership isn’t practical. For example:
If you assign permissions directly to a user, document the reason internally.
Define a small set of core, reusable roles that apply across projects and products. This creates a shared mental model, and reduces administrative overhead. Review the following table for examples of roles you might create, their intended use, and the permissions they provide.
| Role | Intended For | Permissions Summary |
|---|---|---|
| Viewer | Executives, stakeholders | Read-only access to all Amplitude products within assigned projects |
| Analyst | PMs, analysts | Can build and share charts and dashboards only (no data model or experiment editing) |
| Data Governor | Data stewards, admins | Manages event taxonomy, tracking plans, and naming conventions across products |
| Engineer | Experiment owners, feature developers | Manages feature flags, experiment setups, and validation within Experiment |
| Growth Marketer | Lifecycle and activation teams | Manages Guides & Surveys, CDP audiences, and cohort syncs |
Groups are the foundation of scalable access in Amplitude’s RBAC system. Amplitude recommends building groups that combine function and scope into one logical structure by considering:
As you plan your groups, make sure to design groups that capture:
In other words, consider both the team’s function or use case, and the data or product context they need to do their job.
Ensure each group describes what the members of the group do, and where they do it.
A well designed group is one that provides a clear function, a set of projects, and a consistent role.
To achieve this:
Use a predictable, readable naming format that reflects the role and the project scope:
Function / Use Case - Role - Projects
The following table contains a list of group names using this format.
| Group | Users |
|---|---|
| Product Analytics - Analysts (Web App + iOS App) | Analysts who create charts and dashboards for both web and mobile. |
| Experiment Owners - Engineers (Android App) | Engineers who make feature flags and experiments in the Android project. |
| Marketing Ops - Growth Marketers (web App) | Marketers who manage Guides, Surveys, and cohort syncs for the Web App. |
| Data Governance Council - Data Governors (All Projects) | Data stewards who maintain the taxonomy and tracking plans. |
Consistent naming makes it clear who belongs in the group, and the content and features they can access.
Think of groups as access blueprints. Each one should have a clear purpose, ownership, and lifecycle management.
Experimentation – Engineer – Android App or Experimentation – Engineer – iOS App.All Analysts or Marketing Team. They can create confusion, and overexpose parts of your Amplitude environment.October 27th, 2025
Need help? Contact Support
Visit Amplitude.com
Have a look at the Amplitude Blog
Learn more at Amplitude Academy
© 2025 Amplitude, Inc. All rights reserved. Amplitude is a registered trademark of Amplitude, Inc.