Fine-grained access control is currently in beta.
Overview
SigNoz uses role-based access control to manage what principals can do. Roles group transactions together — when a principal is assigned a role, they receive all the transactions that role contains.
Transactions are additive. When a principal has multiple roles, they receive the union of all transactions from each role.
Key Concepts
Principal — A user or service account in SigNoz. Principals are the entities that authenticate and perform actions on objects.
Role — A named collection of transactions. Principals are assigned roles, and through those roles they receive transactions. Roles can be managed (built-in, immutable) or custom (configurable).
Transaction — Defines what a principal is allowed to do. A transaction combines a relation with a resource type. For example, "create dashboard" or "read alert rule". A role's transactions are configured and displayed together as its Transaction Groups.
Relation — The action in a transaction. SigNoz defines seven relations: create, read, update, delete, list, attach, and detach.
Selector — Determines which instances a transaction applies to. When configuring a custom role, each resource can be set to All (every instance), Only selected (specific instances), or None (no instances).
Relations
Every transaction in SigNoz is built from one of these seven relations:
| Relation | Description |
|---|---|
| create | Create a new instance of a resource. |
| read | View a specific resource instance. |
| update | Modify an existing resource instance. |
| delete | Remove a resource instance. |
| list | List all instances of a resource type. |
| attach | Create a relationship between two resources. For example, assigning a role to a service account creates a relationship between them. |
| detach | Remove a relationship between two resources. For example, unassigning a role from a service account removes that relationship. |
Dual authorization for attach and detach — Attach and detach operations require the principal to have the relation on both resources involved. For example, assigning a role to a service account requires attach on both the service account and the role.
Resources
The following resources are currently available for fine-grained access control:
| Resource | Kind | Description |
|---|---|---|
| role | role | Managed and custom roles |
| serviceaccount | serviceaccount | Non-human identities for programmatic API access |
| metaresource | factor-api-key | Authentication keys for service accounts |
For the full transactions reference for each resource, see the Transactions Reference.
Selectors
A selector determines which specific instances of a resource a transaction applies to. When configuring transactions on a custom role, you choose one of three selector modes for each resource:
| Mode | Selector Value | Meaning |
|---|---|---|
| All | * | The transaction applies to every instance of that resource. |
| Only selected | Resource name or ID | The transaction applies only to the specified instances. Refer to the Transactions Reference for the selector format used by each resource. |
| None | No selector | The transaction is not granted for any instance of that resource. |
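The rules described above (additive roles, the three selector modes, and dual authorization for attach and detach) combine as in the following model. It is an added example, not SigNoz's implementation or its role format; the `Role` class, the function names, and the role and instance names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

WILDCARD = "*"  # selector value for the "All" mode


@dataclass
class Role:
    name: str
    # (relation, resource) -> set of selectors.
    # A missing key models the "None" mode: nothing is granted.
    grants: dict = field(default_factory=dict)


def allowed(roles, relation, resource, instance):
    """True if any assigned role grants `relation` on this instance."""
    for role in roles:  # additive: the union over every assigned role
        selectors = role.grants.get((relation, resource), set())
        if WILDCARD in selectors or instance in selectors:
            return True
    return False


def can_link(roles, relation, left, right):
    """attach/detach: the relation is required on BOTH resources."""
    if relation not in ("attach", "detach"):
        raise ValueError("dual authorization applies to attach and detach")
    return all(allowed(roles, relation, res, inst) for res, inst in (left, right))


# Constructed roles: instance names are hypothetical, not the selector
# format from the Transactions Reference.
sa_operator = Role("sa-operator", {
    ("read", "serviceaccount"): {WILDCARD},     # All
    ("attach", "serviceaccount"): {"ci-bot"},   # Only selected
})
role_binder = Role("role-binder", {
    ("attach", "role"): {"log-reader"},         # Only selected
})
```

In this model, a principal holding only `sa-operator` cannot assign any role to `ci-bot`, because attach on the role side is missing. Adding `role-binder` permits assigning `log-reader` and nothing else, which shows how selectors on the role side bound which roles a principal can hand out.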
Managed Roles
SigNoz includes four built-in managed roles. These roles cannot be edited or deleted.
SigNoz-Admin — Full administrative access to all SigNoz resources, including user management, role management, service account management, billing, and SSO configuration.
SigNoz-Editor — Can create and modify observability resources such as dashboards, alerts, and pipelines. Cannot manage users, roles, or service accounts.
SigNoz-Viewer — Read-only access to observability data and resources. Cannot create or modify any resources.
SigNoz-Anonymous — Grants access to public resources only, such as publicly shared dashboards. This role is assigned automatically and does not need to be managed.
For the complete list of transactions each managed role includes, see the Transactions Reference.
Custom Roles
Principals with the appropriate transactions can create custom roles with granular transactions. When creating a custom role, you choose which relations to grant on which resource types — using either the interactive editor or JSON mode — and set the selector to all instances or only selected ones. Custom roles require an active SigNoz license.
See Roles for a step-by-step walkthrough.
Next Steps
- Transactions Reference — Look up transactions for each resource
- Roles — Create and manage roles
- Service Accounts — Set up programmatic API access