Feature-wise Permissions

Understand the permissions required to use different RudderStack features in the new Access Management system.

This guide provides a comprehensive reference of the permissions required to use different RudderStack features in the new Access Management system.

It also lists the permissions required to use the same features in the legacy Permissions Management (RBAC) system for comparison.

APIs

Info: To consume APIs, you require a Service Access Token with specific permissions.

Audit Logs API

  • Access Management system: Organization-level Service Access Token
  • Legacy RBAC system: Organization-level Service Access Token

See Audit Logs API for more details.

Data Catalog API

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Tracking Plans | Create & Delete, Edit
    Data Catalog | Edit
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See Data Catalog API for more details.

Event Audit API

  • Access Management system: Workspace-level Service Access Token with no dedicated permissions
  • Legacy RBAC system: Workspace-level Service Access Token with Viewer permissions

See Event Audit API for more details.

HTTP API

No dedicated permissions are required to consume the HTTP API — it uses your source write key for authentication.

Pixel API

No dedicated permissions are required to consume the Pixel API — it uses your source write key for authentication.

Profiles API

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Profiles | Edit
  • Legacy RBAC system: Workspace-level Service Access Token with Editor permissions

See Profiles API for more details.

Reverse ETL Connections API

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Tables / SQL Models / Audiences | Edit, Connect
    Destinations | Edit, Connect
    PII permissions (Enterprise plan only) | Reverse ETL Sync Failure Samples configured for the required source
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See Reverse ETL Connections API for more details.

Test API

  • Access Management system: Workspace-level Service Access Token with no dedicated permissions
  • Legacy RBAC system: Workspace-level Service Access Token with Viewer permissions

See Test API for more details.

Transformations API

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Transformations | Create & Delete, Connect, Edit
    Transformation Libraries | Edit
    Destinations | Connect
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions and Grant edit access toggled on under Transformations.
workspace-level Service Access Token with Transformations Admin permission

See Transformations API for more details.

User Suppression API

  • Access Management system: Workspace-level Service Access Token with no dedicated permissions
  • Legacy RBAC system: Workspace-level Service Access Token with Viewer permissions

See User Suppression API for more details.

AI Features

Info: To use these features, you require a Service Access Token with specific permissions.

Rudder AI Reviewer

  • Access Management system: Workspace-level Service Access Token with no dedicated permissions
  • Legacy RBAC system: Workspace-level Service Access Token with Viewer permissions

See Rudder AI Reviewer for more details.

CLI and Dev Tools

Info: To use these tools, you require a Service Access Token with specific permissions.

RudderTyper

  • Access Management system: Workspace-level Service Access Token with no dedicated permissions
  • Legacy RBAC system: Workspace-level Service Access Token with Viewer permissions

See RudderTyper for more details.

Rudder CLI

Info: To use Rudder CLI, you require a Service Access Token with the specific permissions for the resources you want to manage.

Tracking Plans and Data Catalog

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Tracking Plans | Create & Delete, Edit
    Data Catalog | Edit
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See CLI-based Tracking Plans and Data Catalog Management for more details.

Event Stream Sources

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions | Description
    Event Stream Sources | Create & Delete | Create or delete Event Stream sources in the workspace
    Event Stream Sources | Edit | Make changes to the configuration of Event Stream sources
    Event Stream Sources | Connect | Connect an Event Stream source to a Tracking Plan
    Tracking Plans | Edit, Connect | Connect a Tracking Plan to an Event Stream source
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See Manage Event Stream Sources using Rudder CLI for more details.

SQL Models

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    SQL Models | Create & Delete, Edit
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See Manage SQL Models using Rudder CLI for more details.

Transformations and Transformation Libraries

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Transformations | Create & Delete, Edit, Connect
    Transformation Libraries | Edit
  • Legacy RBAC system: Workspace-level Service Access Token with Admin role and Grant edit access toggled on under Transformations

See Manage Transformations and Transformation Libraries using Rudder CLI for more details.

Data Governance

This section lists the permissions required to use different Data Governance features in the new Access Management system.

Tracking Plans

  • Access Management system:

    • Admins have full access to create and manage tracking plans
    • Members must have the following permissions:
      Resource | Permissions
      Tracking Plans | Create & Delete, Edit, Connect
      Data Catalog | Edit
  • Legacy RBAC system:

    • Org Admins have full access to create and manage Tracking Plans
    • Members with the Connections Admin role in their workspace policy can create and manage Tracking Plans
    • Members with the Connections Editor role in their workspace policy can only connect Tracking Plans to Event Stream sources

See the Tracking Plans documentation for more details.

Data Catalog

  • Access Management system:

    • Admins have full access to manage Data Catalog
    • Members must have the following permissions:
      Resource | Permissions
      Data Catalog | Edit
  • Legacy RBAC system:

    • Org Admins have full access to manage Data Catalog
    • Members must have the Connections Admin role in their workspace policy

See the Data Catalog documentation for more details.

Bot Management

  • Access Management system:

    • Admins have full access to the Bot Management feature
    • Members must have the Bot Management permission
  • Legacy RBAC system:

    • Org Admins have full access to the Bot Management feature
    • Members must have the Connections Admin role in their workspace policy

See the Bot Management documentation for more details.

Event Blocking

  • Access Management system: Only Admins can manage event blocking
  • Legacy RBAC system: Only Org Admins can manage event blocking

See Event Blocking for more details.

Alerts

  • Access Management system:

    • Only Admins can set up workspace-level alerts
    • Admins and Members with the Alert Overrides permission can set up resource-level alerts
  • Legacy RBAC system:

    • Only Org Admins can set up workspace-level alerts
    • Org Admins and members with the Connections Admin role in their workspace policy can set up resource-level alerts

See Configurable Alerts for more details.

Data Pipelines

This section lists the permissions required to manage data pipelines and their associated resources.

Event Stream Sources

  • Access Management system:

    • Admins have full access to create and manage event stream sources
    • Members can have the following permissions in their workspace policy:
      Resource | Permissions
      Event Stream Sources | Edit, Connect, Create & Delete
  • Legacy RBAC system:

    • Org Admins have full access to create and manage Event Stream sources
    • Members with the Connections Admin role in their workspace policy can create and manage Event Stream sources
    • Members with the Connections Editor role in their workspace policy can only edit the Event Stream source configuration and connect Event Stream sources to destinations

See Event Stream Sources for more details.

Reverse ETL Sources

  • Access Management system:

    • Admins have full access to create and manage reverse ETL sources
    • Members can have the following permissions in their workspace policy:
      Resource | Permissions
      Tables / SQL Models / Audiences | Edit, Connect, Create & Delete
  • Legacy RBAC system:

    • Org Admins have full access to create and manage reverse ETL sources
    • Members with the Connections Admin role in their workspace policy can create and manage reverse ETL sources
    • Members with the Connections Editor role in their workspace policy can only edit the reverse ETL source configuration and connect reverse ETL sources to destinations

See Reverse ETL Sources for more details.

Destinations

  • Access Management system:

    • Admins have full access to create and manage destinations
    • Members can have the following permissions in their workspace policy:
      Resource | Permissions
      Destinations | Edit, Connect, Create & Delete
  • Legacy RBAC system:

    • Org Admins have full access to create and manage destinations
    • Members with the Connections Admin role in their workspace policy can create and manage destinations
    • Members with the Connections Editor role in their workspace policy can only edit the destination configuration and connect destinations to sources

See Destinations for more details.

Airflow Orchestrator

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Tables / SQL Models / Audiences | Edit, Connect
    Destinations | Edit, Connect
    Profiles | Edit, Connect
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See RudderStack Airflow Integration for more details.

Dagster Orchestrator

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Tables / SQL Models / Audiences | Edit, Connect
    Destinations | Edit, Connect
    Profiles | Edit, Connect
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See RudderStack Dagster Integration for more details.

Profiles

  • Access Management system:

    • Admins have full access to create and manage Profiles projects
    • Members can have the following permissions in their workspace policy:
      Resource | Permissions
      Profiles | Edit, Create & Delete, Connect
  • Legacy RBAC system:

    • Org Admins have full access to create and manage Profiles projects
    • Members with the Connections Admin role in their workspace policy can create and manage Profiles projects
    • Members with the Connections Editor role in their workspace policy can only edit the Profiles project configuration and connect Profiles projects to destinations

See Profiles Quickstart for more details.

Activation API

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    PII Permission | Destination Data Access for the specific Redis destination
  • Legacy RBAC system: Workspace-level Service Access Token with Admin permissions

See Activation API for more details.

Profiles Audit

  • Access Management system: Workspace-level Service Access Token with no dedicated permissions
  • Legacy RBAC system: Workspace-level Service Access Token with Viewer permissions

See the Profiles Audit documentation for more details.

SSO and Audit Logs

This section lists the permissions required to use the Audit Logs and different SSO setups.

Audit Logs

  • Access Management system: Only Admins can access the Audit Logs
  • Legacy RBAC system: Only Org Admins can access the Audit Logs

See Audit Logs for more details.

Okta SSO (SCIM)

  • Access Management system: Organization-level Service Access Token
  • Legacy RBAC system: Organization-level Service Access Token

See Okta SCIM Configuration for more details.

Azure Entra ID SSO (SCIM)

  • Access Management system: Organization-level Service Access Token
  • Legacy RBAC system: Organization-level Service Access Token

See Azure Entra ID SSO Setup for more details.

Transformations

  • Access Management system:

    • Admins have full access to create and manage transformations
    • Members can have the following permissions in their workspace policy:
      Resource | Permissions
      Transformations | Edit, Connect, Create & Delete
  • Legacy RBAC system:

    • Org Admins have full access
    • Members must have the Grant edit access permission in Transformations and Library toggled on to create, edit, and delete transformations
    • Members with the Connections Admin or Connections Editor role in their workspace policy can only connect transformations to destinations

See Transformations for more details.

Libraries

  • Access Management system:

    • Admins have full access to create and manage transformation libraries
    • Members must have the Transformation Libraries permission in their workspace policy
  • Legacy RBAC system:

    • Org Admins have full access
    • Members must have the Grant edit access permission in Transformations and Library toggled on to create, edit, and delete transformation libraries

See Transformation Libraries for more details.

Credential Store

  • Access Management system:

    • Admins have full access to the credential store
    • Members must have the Credential Store permission in their workspace policy
  • Legacy RBAC system:

    • Org Admins have full access to the credential store
    • Members must have the Connections Admin role in their workspace policy

See Credential Store for more details.

Transformation Action

  • Access Management system: Workspace-level Service Access Token with the following permissions:
    Resource | Permissions
    Transformations | Edit, Connect, Create & Delete
    Transformation Libraries | Edit
  • Legacy RBAC system: Workspace-level Service Access Token with Admin role and Grant edit access toggled on under Transformations

See Transformation Action for more details.

