Role-Based Access Control
This section explains how to configure Role-Based Access Control (RBAC).
Role-Based Access Control (RBAC) allows you to manage and restrict access to your data and resources efficiently. You can control access to your data with the following:
Role-based access control (RBAC), Directory Sync, and Single Sign-On (SAML SSO) are available as add-ons if you’re on the Axiom Cloud plan, and they are included by default on the Bring Your Own Cloud plan. For more information on ugrading, see the Plan page in your Axiom settings.
Groups
Groups connect users with roles, making it easier to manage access control at scale. For example, you can create groups for areas of your business like Security, Infrastructure, or Business Analytics, with specific roles assigned to serve the unique needs of these domains.
A user’s complete set of capabilities is derived from the additive union of their base role, plus any roles assigned through group membership.
Create new group
- Click
Settings > Groups - Click New group.
- Enter the name and description of the group.
- Click Add users to add users to the group.
- Click Add roles to add roles to the group.
Roles
Roles are sets of capabilities that define which actions a user can perform at both the organization and dataset levels.
Default roles
The default roles are the following:
- Owner: Assigns all capabilities across the entire Axiom platform.
- Admin: Assigns administrative capabilities except for Billing capabilities, which are reserved for Owners.
- User: Assigns standard access for regular users.
- Read-only: Assigns read capabilities for datasets, plus read access on various resources like dashboards, monitors, notifiers, users, queries, saved queries, and virtual fields.
- None: Assigns zero capabilities, useful for adopting the principle of least privilege when inviting new users. You can build up specific capabilities for these users by assigning their role to a group.
Create custom role
- Ensure you have create permission for the access control capability. By default, this capability is assigned to the Owner and Admin roles.
- Click Settings > Roles.
- Click New role.
- Enter the name and description of the role.
- Assign permissions (create, read, update, and delete) across capabilities (access control, API tokens, dashboards, datasets, etc.).
Assign capabilities to roles
You can assign organization-level and dataset-level capabilities to roles. You can assign create, read, update, or delete (CRUD) permissions to most capabilities.
Organization-level capabilities define access for various parts of your Axiom organization:
- Access control: Full CRUD.
- Annotations: Full CRUD.
- API tokens: Full CRUD.
- Apps: Full CRUD.
- Audit log: Read only.
- Billing: Read and update only.
- Dashboards: Full CRUD.
- Datasets: Full CRUD.
- Endpoints: Full CRUD.
- Flows: Full CRUD.
- Monitors: Full CRUD.
- Notifiers: Full CRUD.
- Shared access keys: Read and update only.
- Users: Full CRUD.
- Views: Full CRUD.
The table below describes these organization-level capabilities:
| Capability | Create | Read | Update | Delete |
|---|---|---|---|---|
| Access control | User can create custom roles and groups. | User can view the list of existing roles and groups. | User can update the and description of roles and groups, and modify permissions. | User can delete custom roles or groups. |
| Annotations | User can create annotations. | User can view the list of existing annotations in an organization. | User can modify annotations. | User can delete annotations. |
| API tokens | User can create an API token with access to the datasets their user has access to. | User can access the list of tokens that have been in their organization. | User can regenerate a token from the list of tokens in an organization. | User can delete API tokens created in their organization. |
| Apps | User can create a new app. | Users can access the list of installed apps in their organization. | Users can modify the existing apps in their organization. | User can disconnect apps installed in their organization. |
| Audit log | — | Users can access the audit log in an organization. | — | — |
| Billing | — | User can access billing settings. | User can change the organization plan. | — |
| Dashboards | User can create new dashboards. | User can access their own dashboards and those created by other users in their organization. | User can modify dashboard titles and descriptions. User can add, resize, and delete charts from dashboards. | User can delete a dashboard from their organization. |
| Datasets | User can create a new dataset. | Users can access the list of datasets in an organization, and their associated fields. | User can trim a dataset, and modify dataset fields. | User can delete a dataset from their organization. |
| Endpoints | User can create a new endpoint. | User can access the list of existing endpoints in an organization. | Users can rename an endpoint and modify which dataset data is ingested into. | User can delete an endpoint from their organization. |
| Flows | User can create a new flow. | User can access the list of existing flows in an organization. | Users can modify flows. | User can delete a flow from their organization. |
| Monitors | User can create a monitor. | User can access the list of monitors in their organization. User can also review the monitor status. | Users can modify a monitor configuration in their organization. | Users can delete monitors that have been created in their organization. |
| Notifiers | User can create a new notifier in their organization. | User can access the list of notifiers in their organization. | User can update existing notifiers in their organization. User can snooze a notifier. | User can delete notifiers that have been created in their organization. |
| Shared access keys | — | User can access shared access keys in their organization. | User can update shared access keys in their organization. | — |
| Users | Users can invite new users to an organization. | User can access the list of users that are part of their organization. | User can update user roles and information within the organization. | Users can remove other users from their organization and delete their own account. |
| Views | User can create new views. | User can access the list of views in an organization in their organization. | User can modify views. | User can delete views from their organization. |
Dataset-level capabilities provide fine-grained control over access to datasets. You can assign the following capabilities for all datasets or individual datasets:
- Data: Delete only.
- Ingest: Create only.
- Query: Read only.
- Share: Create, read, and update only.
- Saved queries: Full CRUD.
- Trim: Update only.
- Vacuum: Update only.
- Virtual fields: Full CRUD.
The table below describes these dataset-level capabilities:
| Datasets | Create | Read | Update | Delete |
|---|---|---|---|---|
| Data | — | — | — | — |
| Ingest | User can ingest events to datasets. | — | — | User can delete data from datasets. |
| Query | — | User can query events from datasets. | — | — |
| Share | User can share datasets. | User can access the list of shared datasets in their organization. | User can modify an existing shared dataset in their organization. | — |
| Saved queries | User can create a saved query for datasets. | User can access the list of saved queries in their organization. | User can modify an existing saved query in their organization. | User can delete a saved query from a dataset. |
| Trim | — | — | User can trim datasets. | — |
| Vacuum | — | — | User can vacuum datasets. | — |
| Virtual fields | User can create a new virtual field. | User can see the list of virtual fields. | User can modify the definition of a virtual field. | User can delete a virtual field. |
Access to datasets
The datasets that individual users have access to determine the following:
- The data they see in dashboards. If a user has access to a dashboard but only to some of the datasets referenced in the dashboard’s elements, the user only sees data from the datasets they have access to.
- The monitors they see. A user only sees the monitors that reference the datasets that the user has access to. If a user has access to the monitors of an organization but only to some of the datasets referenced in the monitors, the user only sees the monitors that reference the datasets they have access to. If a monitor joins several datasets, a user can only see the monitor if the user has access to all of the datasets.
Users
Users in Axiom are the individual accounts that have access to an Axiom organization. You assign a base role to users when you invite them to join your organization. For organizations with the role-based access control (RBAC) add-on, additional roles can be added through group membership.
Assign roles to users
- Click Settings > Users.
- Find the user in the list, and then assign a role to them on the right.
Access for a user is the additive union of capabilities assigned through their default role, plus any capabilities included in roles assigned through group membership.
Delete users
This is a destructive action. After you delete a user, you cannot recover their account.
- Click Settings > Users.
- Find the user in the list, and then click
Delete user on the right.
Directory Sync
Directory Sync automatically mirrors user account data between a central directory, such as Active Directory, and connected applications. When the status of an employee changes, all systems are automatically updated.
For this feature, Axiom relies on WorkOS. For more information, see Directory Sync and Enterprise Single Sign-On in the WorkOS documentation.
Single Sign-On (SAML SSO)
To simplify access management and enhance security, Security Assertion Markup Language-based Single Sign-On (SAML SSO) allows you to keep access grants up-to-date with support for the industry standard SCIM protocol.
Axiom supports secure, centralized user authentication through both types of flow for SAML-based SSO:
- IdP-initiated flow (identity-provider-initiated flow)
- SP-initiated flow (service-provider-initiated flow)