Get Started
Data
Analytics
Amplitude AI
Session Replay
Guides and Surveys
Experiment
Admin
SDKs APIs
Partners
FAQ
Monthly tracked users (MTUs) billing guide Usage reports: Understand how your organization uses Amplitude
The Settings page Change the unit of currency your project uses Set up SCIM provisioning in Amplitude Portfolio: Conduct cross-project analysis in Amplitude Manage organizations and projects Manage permissions at scale with permission groups Manage user privacy notifications in Amplitude Manage users and permissions User roles and permissions in Amplitude Self-service data deletion in Amplitude Webhooks for custom monitors Manage your API keys and secret keys
Single sign-on (SSO) in Amplitude Set up single sign-on (SSO) for Amplitude using Auth0 Set up single sign-on (SSO) for Amplitude using G Suite Set up single sign-on (SSO) for Amplitude using Microsoft Azure Active Directory Set up single sign-on (SSO) for Amplitude using Okta Set up single sign-on (SSO) for Amplitude using OneLogin Set up single sign-on (SSO) for Amplitude using another service
Admin
/
Account management
/
Role-based Access Controls (RBAC)

Role-based Access Controls (RBAC)

Role-based Access Control (RBAC) lets you manage who can access specific areas of Amplitude and the actions they can perform in those areas. By offering granular access controls, your Amplitude administrators can scale Amplitude adoption and prevent unauthorized actions.

RBAC provides administrators a centralized location for assigning permissions to individual users or groups. For example, if your organization has an Analyst role, you can assign the same base permissions to that role. When a new analyst joins the team and is assigned Analyst, they automatically inherit the same set of permissions as everyone else with the Analyst role.

RBAC: Key benefits

RBAC Provides the following benefits to your enterprise:

  • Improved security: Limit data access based on job responsibilities.
  • Operational efficiency: Simplify user management across large organizations.
  • Compliance support: Supports regulatory requirements around access control and auditing.
  • Scalability: Manages access for growing teams and multiple business units.

Feature availability

RBAC is available to organizations on the Enterprise plan.

Amplitude RBAC concepts

Amplitude's RBAC contains three main layers: Roles, Permissions, and Actions. Roles contain permissions, and Permissions contain actions. An action is a singular task, editing a metric, or creating an annotation.

Roles

By default, your Amplitude organization contains four default roles, in order of increasing access:

  • Viewer
  • Member
  • Manager
  • Admin

Admin role

The Administrator (Admin) role is the only default role that doesn’t support updating permissions. If you require administrators to carry different permissions in your org, create a new role to reflect those permissions.

Amplitude’s default roles cover most common use cases, but every organization has unique structures and responsibilities. Custom roles enable your organization to fine tune access for:

  • Specialized teams, for example Growth Engineering or Data Governance, can have finely scoped permissions.
  • Hybrid roles created for employees who straddle functions. For example, a product manager who is also in charge of creating official dashboards and metrics.

This flexibility enables your organization to follow the security best practice of providing the least amount of access that enables users to complete their work.

Permissions

Permissions define the specific actions Amplitude users can perform. They’re the building blocks of RBAC. Most permissions define a user’s ability to create, edit, or delete items in specific areas. Some permissions provide access to a single action, like marking a dashboard or metric as official.

Amplitude organizes permissions by product area:

  • Administration
  • Charts & Metrics
  • Data Management
  • Audiences
  • Integrations
  • Session Replay & Heatmaps
  • Experiment
  • Guides & Surveys
  • Resource Center & Content

Projects

In Amplitude, you assign roles to users for each project. This means that project membership determines access to that project, and roles within the project determine what a user can do.

If a user has conflicting roles for the same project through group assignment (for example, Group A assigns them Viewer for Project A, but Group B assigns them Manager for Project A), they get the union of both sets of permissions. On the Members page, that user's role shows as "multiple" with an error warning icon.

If you set a user's permission at the individual level (directly in the Members page), that role overrides any other assignments.

Groups

Groups enable you to manage users at scale. They define the projects that a member of the group has access to, and their role within those projects. Groups most often map to teams in your organization. For example, the Business Intelligence team has a defined set of Amplitude projects where they do their work, and a set of permissions they need to do that work. As a result, you may have a group called "Business Intelligence," with access to Project A and Project B, with the Analyst role.

Permission conflicts

When you assign roles to users both individually and through groups, the permissions may conflict. When this happens, Amplitude provides grants the user the combination of roles assigned individually and through groups, and displays a warning in the UI.

RBAC permission reference

RBAC Permissions

Was this page helpful?

November 10th, 2025

Need help? Contact Support

Visit Amplitude.com

Have a look at the Amplitude Blog

Learn more at Amplitude Academy

Terms of Service Privacy Notice Acceptable Use Policy Legal

© 2025 Amplitude, Inc. All rights reserved. Amplitude is a registered trademark of Amplitude, Inc.