Customize user permissions and streamline access to resources across your organization.
4 minute read
Migrating from Permissions Management (RBAC)?
The legacy Permissions Management (RBAC) system is deprecated and will be removed in a future release. RudderStack recommends migrating to the new Access Management system for enhanced security, granular control, and compliance capabilities.
RudderStack’s Access Management system gives you enterprise-grade access configuration across the entire platform. Built to be flexible, scalable, and clear, it lets Admins quickly and confidently implement permissions through an intuitive and powerful policy model.
Why Access Management?
RudderStack’s Access Management system replaces the legacy Permissions Management (RBAC) system with a more powerful Policy-based Access Control (PBAC) model. Some benefits are listed below:
Benefit
Description
Granular control
Define permissions at the resource level, not just by role. Grant access to specific sources, destinations, or transformations instead of broad categories.
Enhanced security
Implement least-privilege access with precision. Users get exactly what they need and nothing more.
Compliance-ready
Meet InfoSec and audit requirements with clear, traceable permission policies. PII access controls help you maintain data privacy standards.
Additive permission model
Permissions are only added, never overridden. This makes access policies predictable and easy to reason about.
Scalable architecture
Manage permissions efficiently across large teams using groups, baseline policies, and inheritance.
The Access Management system makes it easy for Admins to define who can perform what actions across RudderStack — at the workspace, group, and individual member levels.
Key features
Regardless of your organization’s size, securely managing access to sensitive data and platform functionality is critical. RudderStack’s Access Management system ensures that:
Developers, analysts, and marketers get exactly the access they need and no more.
Fine-grained control over PII-related features simplifies InfoSec compliance even in complex team structures.
Access is auditable and intentional — the policies are clear, traceable, and built for scale.
Use cases
Grant a team of senior data engineers edit access to all sources and destinations in a production workspace so that they can modify and troubleshoot production pipelines.
Allow an individual marketer to configure tools like Braze or Adobe Analytics without touching technical features like Transformations.
Let developers build and test specific Transformations without the ability to connect them to Destinations.
Use Groups to define permissions for a list of users and workspaces.
How it works
RudderStack’s Access Management system is based on permissions, which are bundled into workspace policies and ultimately rolled up into an individual member’s access policy.
1. Workspace context
Access evaluation begins in the context of a specific workspace, where policies are defined and applied (for example, a Prod or Dev workspace).
2. Gather applicable policies
RudderStack gathers all policies assigned to a member:
Baseline Workspace Policy: Applies to every member and group in the workspace.
Group Workspace Policies: Inherited from any groups the member belongs to.
Member Workspace Policy: Directly assigned to the individual member.
3. Union of permissions
The system combines all permissions from the above policies into a single Access Policy. This is an additive model — permissions are only added, never overridden or removed.
4. Result: Effective permissions
The resulting access policy defines what the member can or cannot do in the workspace, that is, what resources they can access, configure, or edit.
Get started
Go to Settings > Access Management in your dashboard.
Set up your Baseline Workspace Policy to define baseline permissions for the workspace.
Create and assign Group Policies for specific roles like Data Engineering, Marketing, Data Ops, and more.
Add Member policies for users with additional access needs.
See the following guides for more information on the different access policies:
The following features are not available in the Access Management (PBAC) system currently and will be added in future releases:
Users onboarded via SCIM cannot be auto-assigned to groups — they will automatically inherit the permissions specified in the Baseline Workspace Policy.
You cannot tag or categorize resources for dynamic permissioning.
Admins cannot copy permission settings between workspaces, for example, from Dev to Prod.
Questions? We're here to help.
Join the RudderStack Slack community or email us for support
This site uses cookies to improve your experience while you navigate through the website. Out of
these
cookies, the cookies that are categorized as necessary are stored on your browser as they are as
essential
for the working of basic functionalities of the website. We also use third-party cookies that
help
us
analyze and understand how you use this website. These cookies will be stored in your browser
only
with
your
consent. You also have the option to opt-out of these cookies. But opting out of some of these
cookies
may
have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This
category only includes cookies that ensures basic functionalities and security
features of the website. These cookies do not store any personal information.
This site uses cookies to improve your experience. If you want to
learn more about cookies and why we use them, visit our cookie
policy. We'll assume you're ok with this, but you can opt-out if you wish Cookie Settings.
