Fine-grained access control is currently in private beta. Contact the SigNoz team for more information.
Overview
SigNoz uses role-based access control to manage what principals can do. Roles group permissions together — when a principal is assigned a role, they receive all the permissions that role contains.
Permissions are additive. When a principal has multiple roles, they receive the union of all permissions from each role.
Key Concepts
Principal — A user or service account in SigNoz. Principals are the entities that authenticate and perform actions on objects.
Role — A named collection of permissions. Principals are assigned roles, and through those roles they receive permissions. Roles can be managed (built-in, immutable) or custom (configurable).
Permission — Defines what a principal is allowed to do. A permission combines a relation with a resource type. For example, "create dashboard" or "read alert rule".
Relation — The action in a permission. SigNoz defines seven relations: create, read, update, delete, list, attach, and detach.
Selector — Determines which instances a permission applies to. When configuring a custom role, each resource can be set to All (every instance), Only selected (specific instances), or None (no instances).
Relations
Every permission in SigNoz is built from one of these seven relations:
| Relation | Description |
|---|---|
| create | Create a new instance of a resource. |
| read | View a specific resource instance. |
| update | Modify an existing resource instance. |
| delete | Remove a resource instance. |
| list | List all instances of a resource type. |
| attach | Create a relationship between two resources. For example, assigning a role to a service account creates a relationship between them. |
| detach | Remove a relationship between two resources. For example, unassigning a role from a service account removes that relationship. |
Dual authorization for attach and detach — Attach and detach operations require the principal to have the relation on both resources involved. For example, assigning a role to a service account requires attach on both the service account and the role.
Resources
The following resources are currently available for fine-grained access control:
| Resource | Kind | Description |
|---|---|---|
| role | role | Managed and custom roles |
| serviceaccount | serviceaccount | Non-human identities for programmatic API access |
| metaresource | factor-api-key | Authentication keys for service accounts |
For the full permissions reference for each resource, see the Permissions Reference.
Selectors
A selector determines which specific instances of a resource a permission applies to. When configuring permissions on a custom role, you choose one of three selector modes for each resource:
| Mode | Selector Value | Meaning |
|---|---|---|
| All | * | The permission applies to every instance of that resource. |
| Only selected | Resource name or ID | The permission applies only to the specified instances. Refer to the Permissions Reference for the selector format used by each resource. |
| None | No selector | The permission is not granted for any instance of that resource. |
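The rules described so far (additive roles, selectors, and dual authorization for attach and detach) can be modeled together in a short sketch. This is an added illustration, not SigNoz code or its API; the role names, instance names, and the use of a plain string as the selector value are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    relation: str  # create, read, update, delete, list, attach or detach
    resource: str  # resource type, e.g. "role" or "serviceaccount"
    selector: str  # "*" (All) or one instance name (Only selected)

# Constructed custom roles; names and selector strings are hypothetical.
ROLES = {
    "sa-operator": [
        Permission("read", "serviceaccount", "*"),
        Permission("attach", "serviceaccount", "ci-bot"),
    ],
    "role-binder": [Permission("attach", "role", "deploy-reader")],
}

def allowed(assigned, relation, resource, instance, roles=ROLES):
    """Additive check: True if any assigned role grants the permission."""
    return any(
        p.relation == relation
        and p.resource == resource
        and p.selector in ("*", instance)
        for name in assigned
        for p in roles[name]
    )  # a resource left at None has no entry, so nothing matches

def can_link(assigned, relation, service_account, role, roles=ROLES):
    """attach/detach must be held on both the service account and the role."""
    if relation not in ("attach", "detach"):
        raise ValueError("dual authorization applies to attach and detach only")
    return allowed(assigned, relation, "serviceaccount", service_account, roles) and \
        allowed(assigned, relation, "role", role, roles)

if __name__ == "__main__":
    # One role alone covers only one side of the relationship.
    print(can_link(["sa-operator"], "attach", "ci-bot", "deploy-reader"))
    # The union of both roles satisfies dual authorization.
    print(can_link(["sa-operator", "role-binder"], "attach", "ci-bot", "deploy-reader"))
    # The selector limits the grant to the named role instance.
    print(can_link(["sa-operator", "role-binder"], "attach", "ci-bot", "other-role"))
```

When reviewing role assignments, evaluate the combined permission set per principal, since two narrowly scoped roles can together satisfy a dual-authorization check that neither satisfies alone.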
Managed Roles
SigNoz includes four built-in managed roles. These roles cannot be edited or deleted.
SigNoz-Admin — Full administrative access to all SigNoz resources, including user management, role management, service account management, billing, and SSO configuration.
SigNoz-Editor — Can create and modify observability resources such as dashboards, alerts, and pipelines. Cannot manage users, roles, or service accounts.
SigNoz-Viewer — Read-only access to observability data and resources. Cannot create or modify any resources.
SigNoz-Anonymous — Grants access to public resources only, such as publicly shared dashboards. This role is assigned automatically and does not need to be managed.
For the complete list of permissions each managed role includes, see the Permissions Reference.
Custom Roles
Principals with the appropriate permissions can create custom roles with granular permissions. When creating a custom role, you choose which relations to grant on which resource types, and set the selector to all instances or only selected ones. Custom roles require an active SigNoz license.
See Roles for a step-by-step walkthrough.
Next Steps
- Permissions Reference — Look up permissions for each resource
- Roles — Create and manage roles
- Service Accounts — Set up programmatic API access