RBAC best practices
Amplitude’s Role-based Access Controls (RBAC) system unifies permissions across all Amplitude products and features. This guide describes best practices for designing and governing access at the project level.
Projects in Amplitude
In Amplitude, projects define the data users can view or modify, the Amplitude products and features they can use, and the actions they can perform within that project.
When you configure and manage permissions by project, users in your organization receive consistent access across Amplitude products within that project.
System architecture
Follow these guidelines to help ensure your RBAC implementation meets your organization’s access and security requirements.
Use Groups as the default management layer
Groups are the foundation for managing access at scale. In Amplitude, a group defines:
- The projects that the group’s members have access to.
- The roles users hold in those projects.
- Any Data Access Controls that apply.
All members of a group inherit the same set of permissions for the same projects. This helps simplify onboarding, offboarding, and audits.
Don’t mix management methods
If a user belongs to a group, ensure their permissions derive from that group and aren't manually overridden.
Use direct role assignment only when necessary
Use individual user-level permissions only when group membership isn’t practical. For example:
- Contractors or temporary collaborators.
- Executives who need read-only access.
- Service or system accounts.
If you assign permissions directly to a user, document the reason internally.
Be consistent
As much as possible, manage each user through a group or individually. Avoid using both methods for the same user.
Standardize roles across the organization
Define a small set of core, reusable roles that apply across projects and products. This creates a shared mental model and reduces administrative overhead. Review the following table for example roles, intended use, and permissions.
| Role | Intended For | Permissions Summary |
|---|---|---|
| Viewer | Executives, stakeholders | Read-only access to all Amplitude products within assigned projects |
| Analyst | PMs, analysts | Can build and share charts and dashboards only (no data model or experiment editing) |
| Data Governor | Data stewards, admins | Manages event taxonomy, tracking plans, and naming conventions across products |
| Engineer | Experiment owners, feature developers | Manages feature flags, experiment setups, and validation within Experiment |
| Growth Marketer | Lifecycle and activation teams | Manages Guides & Surveys, CDP audiences, and cohort syncs |
Keep it simple
Most organizations succeed with between five and seven roles. Add custom roles only when governance or compliance requires it.
Design groups
Groups are the foundation of scalable access in Amplitude’s RBAC system. Amplitude recommends groups that combine function and scope into one logical structure by considering:
- How users in your organization use Amplitude.
- The projects those users need to access.
Anchor groups to both workflow and project scope
As you plan your groups, make sure to design groups that capture:
- How teams in your organization use Amplitude.
- The projects each team should access.
Consider both the team’s function or use case and the data or product context they need to do their job.
Ensure each group describes what the members of the group do, and where they do it.
Keep groups project-scoped and purposeful
A well-designed group provides a clear function, a set of projects, and a consistent role.
To achieve this:
- Assign each group to the specific projects they need. Avoid granting access to the entire workspace.
- If a team works across projects, assign those projects within the same group.
- Avoid overlapping or nesting groups to keep access clear and auditable.
Apply clear and consistent naming
Use a predictable, readable naming format that reflects the role and the project scope:
Function / Use Case - Role - Projects
The following table contains a list of group names using this format.
| Group | Users |
|---|---|
| Product Analytics - Analysts (Web App + iOS App) | Analysts who create charts and dashboards for both web and mobile. |
| Experiment Owners - Engineers (Android App) | Engineers who make feature flags and experiments in the Android project. |
| Marketing Ops - Growth Marketers (web App) | Marketers who manage Guides, Surveys, and cohort syncs for the Web App. |
| Data Governance Council - Data Governors (All Projects) | Data stewards who maintain the taxonomy and tracking plans. |
Consistent naming makes it clear who belongs in the group and the content and features they can access.
Keep membership manageable
Think of groups as access blueprints. Each one should have a clear purpose, ownership, and lifecycle management.
- Keep your groups to between 10 and 50 members.
- Split groups when their project roles or responsibilities diverge. For example,
Experimentation - Engineer - Android ApporExperimentation - Engineer - iOS App. - Avoid catchall groups like
All AnalystsorMarketing Team. Catchall groups can create confusion and overexpose parts of your Amplitude environment.
Was this helpful?