Role-based Access Controls (RBAC)

Role-based Access Control (RBAC) lets you manage who can access specific areas of Amplitude and the actions they can perform in those areas. Granular access controls help Amplitude administrators scale Amplitude adoption and prevent unauthorized actions.

RBAC provides administrators a centralized location for assigning permissions to individual users or groups. For example, if your organization has an Analyst role, you can assign the same base permissions to that role. When a new analyst joins the team and receives the Analyst role, they automatically inherit the same set of permissions as everyone else with the Analyst role.

RBAC provides the following benefits to your enterprise:

  • Improved security: Limit data access based on job responsibilities.
  • Operational efficiency: Simplify user management across large organizations.
  • Compliance support: Support regulatory requirements around access control and auditing.
  • Scalability: Manage access for growing teams and multiple business units.

Feature availability

RBAC requires an Enterprise plan. If you aren't on an Enterprise plan, go to your Account Management roles and permissions.

To learn more, take the Manage roles and permissions with RBAC course on Amplitude Academy.

Amplitude RBAC concepts

Amplitude's RBAC contains three main layers: Roles, Permissions, and Actions. Roles contain permissions, and permissions contain actions. An action is a single task, such as editing a metric or creating an annotation.

Roles

Your Amplitude organization contains four default roles, in order of increasing access:

  • Viewer.
  • Member.
  • Manager.
  • Admin.

Admin role

The Administrator (Admin) role is the only default role that doesn't support permission updates. If administrators require different permissions in your org, create a new role to reflect those permissions.

Amplitude’s default roles cover most common use cases, but every organization has unique structures and responsibilities. Custom roles enable your organization to fine-tune access for:

  • Specialized teams, such as Growth Engineering or Data Governance, that need finely scoped permissions.
  • Hybrid roles for employees who work across functions. For example, a product manager may also create official dashboards and metrics.

This flexibility enables your organization to follow the security best practice of providing the least access users need to complete their work.

Admin-only permissions

The Admin role has special permissions that custom roles don't have.

Admin-only permissions include:

  • Modify discovery settings at org level.
  • Change the organization's master password.
  • Modify organization admin assignments.
  • Change the organization's subscription plan.
  • Modify query time sampling rules.
  • Change event sampling rules.
  • Configure Single Sign-On settings.
  • Permanently delete the organization.
  • Edit permission groups/settings.
  • Full administrative access flag.
  • Invite users with restrictions.
  • Transfer org ownership.

Permissions

Permissions define the specific actions Amplitude users can perform. They’re the building blocks of RBAC. Most permissions define a user’s ability to create, edit, or delete items in specific areas. Some permissions provide access to a single action, like marking a dashboard or metric as official.

Amplitude organizes permissions by product area:

  • Administration.
  • Charts & Metrics.
  • Data Management.
  • Audiences.
  • Integrations.
  • Session Replay & Heatmaps.
  • Zoning.
  • Experiment.
  • Guides & Surveys.
  • Resource Center & Content.

Projects

In Amplitude, project assignments determine which projects an organization member can access. Roles within each project determine what that member can do in that project. Organization-level actions are controlled separately by organization-level roles.

Groups

Groups enable you to manage users at scale. Groups define the projects that a member can access and their role within those projects. Groups most often map to teams in your organization. For example, the Business Intelligence team may use a defined set of Amplitude projects and permissions. You may have a group called "Business Intelligence" with access to Project A and Project B, with the Analyst role.

Group permission prioritization

After you add a user to a group, admins can't change that user's permissions at the individual level for projects where the group grants access. This ensures permission consistency and simplifies troubleshooting when determining why a user has certain access levels.

When you try to modify permissions for a user who has group-assigned access, a tooltip explains that group access controls the project.

To change a user's permissions for projects they access through a group:

  • Remove the user from the group and assign permissions directly.
  • Modify the group's permissions for that project.

Permission assignment warnings

Amplitude displays warning indicators when permission assignments require attention:

Multiple: Appears when a user has different roles for the same project, typically because they belong to multiple groups with different permission levels. When this occurs, Amplitude grants the user the union of all assigned role permissions for that project.

Conflict: Appears when you manage roles for multiple users simultaneously and those users have a permissions mismatch for the same project.

Access definitions

The access method column in the User Overview panel indicates how a user received their project access:

Access method | Meaning
Direct | Amplitude assigned this role directly through the Manage Project Access modal.
[Group Name] | The user received this role through membership in the specified group.
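
The group, "Multiple", and access-method rules above can be modeled offline to audit where overlapping group membership widens a user's access beyond a single role. This is an added example, not Amplitude code or an Amplitude API: the role, action, user, and project names are constructed, and it assumes direct roles exist only on projects that none of the user's groups grant.

```python
# Toy model of the resolution rules described above (added example).
# Role, action, user and project names are constructed, not Amplitude identifiers.
ROLES = {
    "Viewer": {"view_chart"},
    "Analyst": {"view_chart", "edit_metric", "create_annotation"},
    "Curator": {"view_chart", "mark_dashboard_official"},
}
GROUPS = {  # group -> {project: role}
    "Business Intelligence": {"Project A": "Analyst", "Project B": "Analyst"},
    "Data Governance": {"Project A": "Curator"},
}
MEMBERS = {"dana": ["Business Intelligence", "Data Governance"], "lee": []}
# user -> {project: role}; kept off group-controlled projects (see can_assign_direct)
DIRECT = {"lee": {"Project B": "Viewer"}}


def project_access(user):
    """Return {project: [(access_method, role), ...]}, as in the User Overview panel."""
    access = {}
    for group in MEMBERS.get(user, []):
        for project, role in GROUPS[group].items():
            access.setdefault(project, []).append((group, role))
    for project, role in DIRECT.get(user, {}).items():
        access.setdefault(project, []).append(("Direct", role))
    return access


def effective_actions(user, project):
    """Union of the actions of every role the user holds on the project."""
    grants = project_access(user).get(project, [])
    return set().union(*(ROLES[role] for _, role in grants))


def multiple_warnings(user):
    """Projects where the user holds different roles (the 'Multiple' indicator)."""
    return sorted(p for p, grants in project_access(user).items()
                  if len({role for _, role in grants}) > 1)


def can_assign_direct(user, project):
    """False when a group the user belongs to already grants the project."""
    return not any(project in GROUPS[g] for g in MEMBERS.get(user, []))


if __name__ == "__main__":
    for user in MEMBERS:
        for project, grants in sorted(project_access(user).items()):
            print(user, project, grants, sorted(effective_actions(user, project)))
        print(user, "Multiple:", multiple_warnings(user))
```

In the constructed data, "dana" ends up with both metric-editing and official-marking actions on Project A even though no single assigned role carries both, which is the kind of overlap a least-privilege review should look for behind a "Multiple" indicator.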

RBAC permission reference

Role-based access control permissions grouped by product area.
