Role-based Access Controls (RBAC)

AMPLITUDE ACADEMY

Manage Roles and Permissions with Role-based Access Controls (RBAC)

Manage user access and permissions across Amplitude's platform with greater control using Role-Based Access Controls (RBAC) to enhance security, compliance, and scalability for your enterprise.

Get started

Role-based Access Control (RBAC) lets you manage who can access specific areas of Amplitude and the actions they can perform in those areas. By offering granular access controls, your Amplitude administrators can scale Amplitude adoption and prevent unauthorized actions.

RBAC provides administrators a centralized location for assigning permissions to individual users or groups. For example, if your organization has an Analyst role, you can assign the same base permissions to that role. When a new analyst joins the team and is assigned Analyst, they automatically inherit the same set of permissions as everyone else with the Analyst role.

RBAC Provides the following benefits to your enterprise:

Improved security: Limit data access based on job responsibilities.
Operational efficiency: Simplify user management across large organizations.
Compliance support: Supports regulatory requirements around access control and auditing.
Scalability: Manages access for growing teams and multiple business units.

Feature availability

RBAC is available to organizations on any Enterprise plan. If you aren't on an Enterprise plan, go to your Account Management roles and permissions.

To learn more, take the Manage roles and permissions with RBAC course on Amplitude Academy.

Amplitude RBAC concepts

Amplitude's RBAC contains three main layers: Roles, Permissions, and Actions. Roles contain permissions, and Permissions contain actions. An action is a singular task, editing a metric, or creating an annotation.

Roles

By default, your Amplitude organization contains four default roles, in order of increasing access:

Viewer
Member
Manager
Admin

Admin role

The Administrator (Admin) role is the only default role that doesn’t support updating permissions. If you require administrators to carry different permissions in your org, create a new role to reflect those permissions.

Amplitude’s default roles cover most common use cases, but every organization has unique structures and responsibilities. Custom roles enable your organization to fine tune access for:

Specialized teams, for example Growth Engineering or Data Governance, can have finely scoped permissions.
Hybrid roles created for employees who straddle functions. For example, a product manager who is also in charge of creating official dashboards and metrics.

This flexibility enables your organization to follow the security best practice of providing the least amount of access that enables users to complete their work.

Admin-only permissions

The Admin role has special permissions that custom roles don't have.

Admin-only permissions include:

Modify discovery settings at org level
Change the organization's master password
Modify organization admin assignments
Change the organization's subscription plan
Modify query time sampling rules
Change event sampling rules
Configure Single Sign-On settings
Permanently delete the organization
Edit permission groups/settings
Full administrative access flag
Invite users with restrictions
Transfer org ownership

Permissions

Permissions define the specific actions Amplitude users can perform. They’re the building blocks of RBAC. Most permissions define a user’s ability to create, edit, or delete items in specific areas. Some permissions provide access to a single action, like marking a dashboard or metric as official.

Amplitude organizes permissions by product area:

Administration
Charts & Metrics
Data Management
Audiences
Integrations
Session Replay & Heatmaps
Experiment
Guides & Surveys
Resource Center & Content

Projects

In Amplitude, you assign roles to users for each project. This means that project membership determines access to that project, and roles within the project determine what a user can do.

Groups

Groups enable you to manage users at scale. They define the projects that a member of the group has access to, and their role within those projects. Groups most often map to teams in your organization. For example, the Business Intelligence team has a defined set of Amplitude projects where they do their work, and a set of permissions they need to do that work. As a result, you may have a group called "Business Intelligence," with access to Project A and Project B, with the Analyst role.

Group permission prioritization

When you add a user to a group, admins can't change their permissions at the individual level for projects where access is granted through that group. This ensures permission consistency and simplifies troubleshooting when determining why a user has certain access levels.

When you try to modify permissions for a user who has group-assigned access, a tooltip appears stating "User(s) are assigned access to this project via Group(s)".

To change a user's permissions for projects they access through a group:

Remove the user from the group and assign permissions directly, or
Modify the group's permissions for that project

Permission assignment warnings

Amplitude displays warning indicators when permission assignments require attention:

Multiple: Displayed when a user has different roles for the same project, typically because they belong to multiple groups with different permission levels. When this occurs, Amplitude grants the user the union of all assigned role permissions for that project.

Conflict: Displayed when you manage roles for multiple users simultaneously and those users have a permissions mismatch for the same project.

Access definitions

The ACCESS VIA column in the User Overview panel indicates how a user received their project access:

Access Via	Meaning
Direct	Role was assigned to the user directly through the Manage Project Access modal
[Group Name]	Role was assigned to the user through membership in the specified group

RBAC permission reference

RBAC Permissions