Authorization Overview

SigNoz Cloud - This page applies to SigNoz Cloud editions.
Self-Hosted Enterprise - This page applies to self-hosted SigNoz with an active license.

Fine-grained access control is currently in beta.

Overview

SigNoz uses role-based access control to manage what principals can do. Roles group transactions together — when a principal is assigned a role, they receive all the transactions that role contains.

Transactions are additive. When a principal has multiple roles, they receive the union of all transactions from each role.

Key Concepts

Principal — A user or service account in SigNoz. Principals are the entities that authenticate and perform actions on objects.

Role — A named collection of transactions. Principals are assigned roles, and through those roles they receive transactions. Roles can be managed (built-in, immutable) or custom (configurable).

Transaction — Defines what a principal is allowed to do. A transaction combines a relation with a resource type, for example "create dashboard" or "read alert rule". A role's transactions are configured and displayed together as its Transaction Groups.

Relation — The action in a transaction. SigNoz defines seven relations: create, read, update, delete, list, attach, and detach.

Selector — Determines which instances a transaction applies to. When configuring a custom role, each resource can be set to All (every instance), Only selected (specific instances), or None (no instances).

Relations

Every transaction in SigNoz is built from one of these seven relations:

| Relation | Description |
| --- | --- |
| create | Create a new instance of a resource. |
| read | View a specific resource instance. |
| update | Modify an existing resource instance. |
| delete | Remove a resource instance. |
| list | List all instances of a resource type. |
| attach | Create a relationship between two resources. For example, assigning a role to a service account creates a relationship between them. |
| detach | Remove a relationship between two resources. For example, unassigning a role from a service account removes that relationship. |

Dual authorization for attach and detach — Attach and detach operations require the principal to have the relation on both resources involved. For example, assigning a role to a service account requires attach on both the service account and the role.

Resources

The following resources are currently available for fine-grained access control:

| Resource | Kind | Description |
| --- | --- | --- |
| role | role | Managed and custom roles |
| serviceaccount | serviceaccount | Non-human identities for programmatic API access |
| metaresource | factor-api-key | Authentication keys for service accounts |

For the full transactions reference for each resource, see the Transactions Reference.

Selectors

A selector determines which specific instances of a resource a transaction applies to. When configuring transactions on a custom role, you choose one of three selector modes for each resource:

| Mode | Selector Value | Meaning |
| --- | --- | --- |
| All | * | The transaction applies to every instance of that resource. |
| Only selected | Resource name or ID | The transaction applies only to the specified instances. Refer to the Transactions Reference for the selector format used by each resource. |
| None | No selector | The transaction is not granted for any instance of that resource. |
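
The rules described so far (additive roles, selector modes, and dual authorization for attach and detach) modeled in Python as an added example. This is not SigNoz's implementation or its role JSON format: the role names, instance names, and in-memory structure are constructed for illustration, and it assumes instances are matched by plain name.

```python
from typing import NamedTuple

ALL = "*"  # selector value for the "All" mode
RELATIONS = {"create", "read", "update", "delete", "list", "attach", "detach"}

class Transaction(NamedTuple):
    relation: str         # one of the seven relations
    resource: str         # resource type, e.g. "role" or "serviceaccount"
    selectors: frozenset  # {"*"} = All, names/IDs = Only selected, empty = None

def tx(relation, resource, *selectors):
    if relation not in RELATIONS:
        raise ValueError(f"unknown relation: {relation}")
    return Transaction(relation, resource, frozenset(selectors))

# Constructed custom roles; role and instance names are hypothetical.
ROLES = {
    "sa-operator": {tx("read", "serviceaccount", ALL),
                    tx("attach", "serviceaccount", "ci-bot")},
    "role-binder": {tx("attach", "role", "dash-reader"),
                    tx("detach", "role")},  # no selector: granted on no instance
}

def effective(assigned):
    """Transactions are additive: union over every role the principal holds."""
    return set().union(*(ROLES[name] for name in assigned))

def allowed(txs, relation, resource, instance):
    """True if any transaction grants `relation` on this instance of `resource`."""
    return any(t.relation == relation and t.resource == resource
               and (ALL in t.selectors or instance in t.selectors)
               for t in txs)

def can_link(txs, relation, first, second):
    """attach/detach: the relation must be held on both (resource, instance) ends."""
    if relation not in ("attach", "detach"):
        raise ValueError("dual authorization applies to attach and detach only")
    return allowed(txs, relation, *first) and allowed(txs, relation, *second)

if __name__ == "__main__":
    sa, role = ("serviceaccount", "ci-bot"), ("role", "dash-reader")
    both = effective(["sa-operator", "role-binder"])
    # One role alone lacks attach on the role side, so the assignment is denied.
    print(can_link(effective(["sa-operator"]), "attach", sa, role))
    # The union of both roles covers both ends.
    print(can_link(both, "attach", sa, role))
    # The scoped selector does not extend to a role outside "Only selected".
    print(can_link(both, "attach", sa, ("role", "SigNoz-Admin")))
```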

Managed Roles

SigNoz includes four built-in managed roles. These roles cannot be edited or deleted.

SigNoz-Admin — Full administrative access to all SigNoz resources, including user management, role management, service account management, billing, and SSO configuration.

SigNoz-Editor — Can create and modify observability resources such as dashboards, alerts, and pipelines. Cannot manage users, roles, or service accounts.

SigNoz-Viewer — Read-only access to observability data and resources. Cannot create or modify any resources.

SigNoz-Anonymous — Grants access to public resources only, such as publicly shared dashboards. This role is assigned automatically and does not need to be managed.

For the complete list of transactions each managed role includes, see the Transactions Reference.

Custom Roles

Principals with the appropriate transactions can create custom roles with granular transactions. When creating a custom role, you choose which relations to grant on which resource types — using either the interactive editor or JSON mode — and set the selector to all instances or only selected ones. Custom roles require an active SigNoz license.

See Roles for a step-by-step walkthrough.

Last updated: June 26, 2026
