How Migration to New Access Management System Works

Permissions Management (RBAC) deprecation timeline

The legacy Permissions Management (RBAC) system will be deprecated on October 31, 2026. RudderStack recommends completing your migration before this date.

• Understand the pre-migration considerations
• Start your migration now

This guide explains how RudderStack transitions the members, Service Access Tokens, and Personal Access Tokens within your workspace to the new Access Management system once you migrate to it.

Migration overview

During migration, RudderStack considers your import strategy and maps permissions accordingly.

• If you choose Import members, RudderStack imports all members to the new Access Management system with baseline, view-only permissions instead of their existing permissions.
• If you choose Import members with policies, RudderStack imports all members to the new Access Management system with their existing permissions, ensuring each member’s effective access policy has the same permissions as before.
• Data Privacy (PII) permissions also follow this strategy: Import members does not preserve legacy member PII access, while Import members with policies preserves existing PII permissions and their resource-level scopes.

Service Access Tokens are migrated with their existing permissions, while Personal Access Tokens continue to inherit permissions from their associated users.

Members

When you migrate members using the Import members with policies import strategy, RudderStack performs the following assessment:

• Analyzes current permissions: RudderStack reviews each user’s assigned roles and permissions in the legacy Permissions Management (RBAC) system — this includes their role-level and resource-level permissions.
• Maps roles to policies: The permissions a user had in the legacy RBAC system are mapped to their individual Member Workspace Policy.

For example, if a user had the Connections Admin role with permissions to create, edit, connect, and disconnect resources, these permissions will be preserved in their Member Workspace Policy after migration.

Role mapping reference

The table below shows how roles in the legacy RBAC system map to the new Access Management system:

When you choose the Use existing policies import strategy, RudderStack automatically maps your current roles to individual Member Workspace Policies. You can then organize members into Groups for easier management.

Service Access Tokens

Service Access Tokens created in the legacy RBAC system are automatically imported during migration and follow the same migration patterns as members.

During migration, RudderStack:

• Analyzes Service Access Token permissions: RudderStack reviews each Service Access Token’s assigned roles and permissions in the legacy RBAC system — this includes their role-level and resource-level permissions.
• Maps roles to workspace policies: The token’s permissions in the legacy RBAC system are mapped to its workspace-level access policy in the new Access Management system.

For example, if a Service Access Token had the Connections Admin role with permissions to create, edit, connect, and disconnect resources, these permissions will be preserved in its workspace policy after migration.

See the Migration Scenarios guide for more information on how Service Access Tokens are migrated.

Personal Access Tokens

Personal Access Tokens are tied to individual users — they inherit permissions of the user who created them.

After migration, Personal Access Tokens:

• Inherit user permissions: Personal Access Tokens continue to inherit the permissions of the user who created them. Since user permissions are migrated to their Member Workspace Policy, Personal Access Tokens automatically reflect those permissions.
• Maintain scope behavior: Personal Access Tokens created with Read-Only or Read-Write scopes continue to work as before, with their effective permissions determined by the user’s Individual Workspace Policy.

See the Migration Scenarios guide for detailed examples of how Personal Access Tokens are migrated.

Note the following:

• To change a Personal Access Token’s permissions after migration, you will have to either:

  • Modify the user’s Member Workspace Policy
  • Create a new Personal Access Token with the desired scope

• You cannot create new Personal Access Tokens with Admin scope. However, any existing Personal Access Tokens with Admin scope will continue to work as before, even after migration.

Tip: Use Personal Access Tokens only for development, testing, and personal use cases.

Resource-level permissions

What are resource-level permissions?

Resource-level permissions allow Admins to restrict editing particular resources to specific users or Service Access Tokens. Admins can configure an allowlist of members and tokens who can edit a resource.

During the assessment, RudderStack considers whether resource-level permissions are configured for users and Service Access Tokens in the workspace.

If resource-level permissions are configured, RudderStack automatically configures the user’s individual Member Workspace Policy and the Service Access Token’s workspace policy to have the same permissions as before during migration.

For example, if a user had edit permissions for only 10 out of the 100 sources in the workspace, their Member Workspace Policy will reflect Edit permission only for those 10 sources after migration.

See the Migration Scenarios guide for more information on how migration works in different scenarios.

Data Privacy permissions

During import, workspace Data Privacy permissions are handled using the same strategy as other member permissions:

• With Import members (Start fresh), member PII permissions from the legacy system are not migrated. Members start with baseline access and you configure required PII permissions in staging.
• With Import members with policies (Use existing policies), RudderStack carries forward member PII permissions as part of the migrated workspace policies.

See Pre-migration Considerations for guidance on how to handle Data Privacy permissions before migration.

Staging area

During migration, the new Access Management system is in Preview Mode — a staging area where you configure and preview policies before deployment.

In Preview Mode, you can review how permissions map to the new system and adjust policies without affecting permissions enforced in the Permissions Management (RBAC) system.

Your existing RBAC permissions remain in effect until you deploy. When you deploy, the RBAC system is removed from your workspace and the policies you configured in the staging area take effect.

What happens after migration

After migration, members and access tokens in your workspace will experience the following changes:

• Admins: Admins in the legacy RBAC system will continue to have the same level of access.
• Members: Members in the legacy RBAC system will have their permissions mapped to their individual Member Workspace Policy.
• Service Access Tokens: Service Access Tokens will have their permissions mapped to workspace-level access policies, maintaining the same access levels they had before migration.
• Personal Access Tokens: Personal Access Tokens continue to inherit the permissions of their associated users, now defined by the user’s Member Workspace Policy.
• Interface: Admins will be able to manage permissions through the new Access Management interface, which includes an intuitive policy editor to manage the Baseline Workspace Policy, Group Workspace Policies, and Member Workspace Policy.
• New users: New members added to the workspace after migration will inherit the Baseline Workspace Policy by default.
• Baseline Workspace Policy: If you selected the Import option during migration, the Baseline Workspace Policy will be set to view-only for resources and restricted access to all PII views by default, providing Admins with a blank slate to configure workspace permissions from scratch.

See more

• Migration Steps: Step-by-step instructions for performing migration to the new Access Management system
• Migration Scenarios: Understand how Access Management migration works in different scenarios