No Result

RudderStack's permissions management feature gives you the ability to:

  • Restrict edit permissions for business-critical objects in your workspace.
  • Limit access to the product features where PII is exposed (for example, Live Events, debug logs, etc.) for compliance purposes.
Github Badge

Setting granular access controls

When you invite a member to your workspace, RudderStack lets you assign any of the three default global roles to them - Read-Only, Read-Write, and Admin.

Although these permissions provide basic controls, they can end up being too broad or too narrow for certain use-cases. For example, admins cannot restrict access to modify a destination's settings without removing edit permissions for the user entirely.

With RudderStack's granular access control features, admins can lock down business-critical objects to a select list of people. They can also restrict PII(Personally Identifiable Information) access to certain users.

With these features, you can allow certain data pipelines to be edited only by the users who have the required access. Also, you can ensure your access controls are in compliance with the major data regulations like SOC2, GDPR, CCPA, HIPAA, etc.
All the access-related changes are recorded in the audit logs.

Restricting edit permissions for individual objects

The Permissions tab in the RudderStack dashboard lets you specify the list of members having edit permissions to a given object or resource.

Only users with the Admin role have access to the Permissions tab.

This tab is visible for every source, destination, and model present in the workspace, as seen below:

Permissions tab

The edit permissions include the ability to:

  • Connect/disconnect a resource with another resource. For example, source to destination, source to tracking plan, transformation to destination, model to reverse ETL source, etc.
  • Enable, disable, or delete a resource.
  • Edit or change the resource-specific configuration.
Any action involving setting up a connection between two resources or linking/de-linking a resource with another resource requires edit permissions for both the resources. The only exception is the SQL Models which can used without explicitly setting any edit permissions.

To specify the list of users who can make changes to a given resource, follow these steps:

  1. Go to the resource and click the Permissions tab, as shown:
Permissions tab

  1. Under Who can make changes?, select any of the following two options:

    • Anyone with write access: All the members with the Read-Write or Admin role can make changes to the resource.
    • Only people you select: With this option, only the members who are given the edit permission can make changes to the resource.

  2. To allow specific members of your team to edit the resource, click Only people you select, followed by Add member.

  3. Finally, select the team members from the drop-down and click Add Members, as shown:

Add members option
Members with Read-Only permissions cannot be added as they do not have permissions to modify a resource, by default.

With this feature, you can safeguard your customers' privacy by controlling who has access to the raw event data containing the PII. You can either allow anyone on your team to access the PII or restrict the access only to a select list of members.

Anyone with the access can view the customers' PII in the Live Events and the error logs under the Events tab for your destination, as shown:

Error logs

To set the PII permissions, follow these steps:

  1. In your RudderStack dashboard, go to Settings > Data Privacy, as shown:
Data privacy option
Only users with the Admin role have access to this tab.

  1. Under Who can view restricted data?, select the appropriate option:

    • Anyone on your team: All the members in your workspace can view the raw event data containing your customers' PII.
    • Only people you select: With this option, only the people you select can view the raw data.

  2. To allow specific members of your team to edit the object, click Only people you select, followed by Add member.

  3. Finally, select the team members from the drop-down and click Add Members, as shown:

Add members option
If the admins are removed from the access list, they will be restricted from viewing the PII.

Contact us

For more information on the topics covered on this page, email us or start a conversation in our Slack community.

On this page