import AccessToDatasets from "/snippets/access-to-datasets.mdx"

Role-Based Access Control (RBAC) lets you manage and restrict access to your data and resources efficiently. You control access with groups, roles, and the base role assigned to each user, as described in the sections below.

Role-Based Access Control (RBAC), Directory Sync, and Single Sign-On (SAML SSO) are available as add-ons on the Axiom Cloud plan. For more information, see [Manage add-ons](/reference/usage-billing#manage-add-ons).

Groups

Groups connect users with roles, making it easier to manage access control at scale. For example, you can create groups for areas of your business like Security, Infrastructure, or Business Analytics, with specific roles assigned to serve the unique needs of these domains.

A user’s complete set of capabilities is derived from the additive union of their base role, plus any roles assigned through group membership.

Create new group

  1. Click Settings > Groups.
  2. Click New group.
  3. Enter the name and description of the group.
  4. Click Add users to add users to the group.
  5. Click Add roles to add roles to the group.

Roles

Roles are sets of capabilities that define which actions a user can perform at both the organization and dataset levels.

Default roles

The default roles are the following:

  • Owner: Assigns all capabilities across the entire Axiom platform.
  • Admin: Assigns administrative capabilities except for Billing capabilities, which are reserved for Owners.
  • User: Assigns standard access for regular users.
  • Read-only: Assigns read capabilities for datasets, plus read access on various resources like dashboards, monitors, notifiers, users, queries, saved queries, and virtual fields.
  • None: Assigns zero capabilities, useful for applying the principle of least privilege when inviting new users. You can then build up specific capabilities for these users by adding them to groups that carry the roles they need.

Create custom role

  1. Ensure you have create permission for the access control capability. By default, this capability is assigned to the Owner and Admin roles.
  2. Click Settings > Roles.
  3. Click New role.
  4. Enter the name and description of the role.
  5. Assign permissions (create, read, update, and delete) across capabilities (access control, API tokens, dashboards, datasets, etc.).

Assign capabilities to roles

You can assign organization-level and dataset-level capabilities to roles. You can assign create, read, update, or delete (CRUD) permissions to most capabilities.

Organization-level capabilities define access for various parts of your Axiom organization:

  • Access control: Full CRUD.
  • Annotations: Full CRUD.
  • API tokens: Full CRUD.
  • Apps: Full CRUD.
  • Audit log: Read only.
  • Billing: Read and update only.
  • Dashboards: Full CRUD.
  • Datasets: Full CRUD.
  • Endpoints: Full CRUD.
  • Monitors: Full CRUD.
  • Notifiers: Full CRUD.
  • Shared access keys: Read and update only.
  • Users: Full CRUD.
  • Views: Full CRUD.

The table below describes these organization-level capabilities:

| Capability | Create | Read | Update | Delete |
|---|---|---|---|---|
| Access control | User can create custom roles and groups. | User can view the list of existing roles and groups. | User can update the name and description of roles and groups, and modify permissions. | User can delete custom roles or groups. |
| Annotations | User can create annotations. | User can view the list of existing annotations in an organization. | User can modify annotations. | User can delete annotations. |
| API tokens | User can create an API token with access to the datasets their user has access to. | User can access the list of tokens that have been created in their organization. | User can regenerate a token from the list of tokens in an organization. | User can delete API tokens created in their organization. |
| Apps | User can create a new app. | User can access the list of installed apps in their organization. | User can modify the existing apps in their organization. | User can disconnect apps installed in their organization. |
| Audit log | | User can access the audit log in an organization. | | |
| Billing | | User can access billing settings. | User can change the organization plan. | |
| Dashboards | User can create new dashboards. | User can access their own dashboards and those created by other users in their organization. | User can modify dashboard titles and descriptions. User can add, resize, and delete charts from dashboards. | User can delete a dashboard from their organization. |
| Datasets | User can create a new dataset. | User can access the list of datasets in an organization, and their associated fields. | User can trim a dataset, and modify dataset fields. | User can delete a dataset from their organization. |
| Endpoints | User can create a new endpoint. | User can access the list of existing endpoints in an organization. | User can rename an endpoint and modify which dataset data is ingested into. | User can delete an endpoint from their organization. |
| Monitors | User can create a monitor. | User can access the list of monitors in their organization. User can also review the monitor status. | User can modify a monitor configuration in their organization. | User can delete monitors that have been created in their organization. |
| Notifiers | User can create a new notifier in their organization. | User can access the list of notifiers in their organization. | User can update existing notifiers in their organization. User can snooze a notifier. | User can delete notifiers that have been created in their organization. |
| Shared access keys | | User can access shared access keys in their organization. | User can update shared access keys in their organization. | |
| Users | User can invite new users to an organization. | User can access the list of users that are part of their organization. | User can update user roles and information within the organization. | User can remove other users from their organization and delete their own account. |
| Views | User can create new views. | User can access the list of views in their organization. | User can modify views. | User can delete views from their organization. |

Dataset-level capabilities provide fine-grained control over access to datasets. You can assign the following capabilities for all datasets or individual datasets:

  • Data: Delete only.
  • Ingest: Create only.
  • Query: Read only.
  • Share: Create, read, and update only.
  • Saved queries: Full CRUD.
  • Trim: Update only.
  • Vacuum: Update only.
  • Virtual fields: Full CRUD.

The table below describes these dataset-level capabilities:

| Capability | Create | Read | Update | Delete |
|---|---|---|---|---|
| Data | | | | User can delete data from datasets. |
| Ingest | User can ingest events to datasets. | | | |
| Query | | User can query events from datasets. | | |
| Share | User can share datasets. | User can access the list of shared datasets in their organization. | User can modify an existing shared dataset in their organization. | |
| Saved queries | User can create a saved query for datasets. | User can access the list of saved queries in their organization. | User can modify an existing saved query in their organization. | User can delete a saved query from a dataset. |
| Trim | | | User can trim datasets. | |
| Vacuum | | | User can vacuum datasets. | |
| Virtual fields | User can create a new virtual field. | User can see the list of virtual fields. | User can modify the definition of a virtual field. | User can delete a virtual field. |

Users

Users in Axiom are the individual accounts that have access to an Axiom organization. You assign a base role to users when you invite them to join your organization. For organizations with the role-based access control (RBAC) add-on, additional roles can be added through group membership.

Assign roles to users

  1. Click Settings > Users.
  2. Find the user in the list, and then assign a role to them on the right.

A user's effective access is the additive union of the capabilities granted by their base role and the capabilities of every role assigned through their group memberships. Roles never subtract capabilities, so a user who needs less access must be given a narrower base role or removed from a group.
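The following is an added example, not Axiom's code, that models two rules from this page in code: the permission matrix in the capability tables above (which CRUD actions each organization-level and dataset-level capability can carry, so a custom role definition can be checked before it is created) and the rule that a user's effective access is the additive union of their base role plus the roles of every group they belong to. The role and group names, the dataset names, and the helper functions `validate_role`, `can` and `demo` are assumptions made for the example; only the capability names and their allowed permissions come from the page.

```python
"""Added example (not Axiom's code): a small model of the RBAC rules on this page.

(1) ORG_CAPABILITIES / DATASET_CAPABILITIES encode which CRUD permissions each
    capability may carry, so a custom role can be validated before creation.
(2) can() implements the additive-union rule: a user is allowed an action if
    their base role OR any role reached through a group grants it.
Role, group and dataset names below are made up for the example.
"""
from dataclasses import dataclass
from typing import Optional

ALL = frozenset({"create", "read", "update", "delete"})

# Organization-level capabilities and the permissions each can carry (from the page).
ORG_CAPABILITIES = {
    "access_control": ALL, "annotations": ALL, "api_tokens": ALL, "apps": ALL,
    "audit_log": frozenset({"read"}),
    "billing": frozenset({"read", "update"}),
    "dashboards": ALL, "datasets": ALL, "endpoints": ALL, "monitors": ALL,
    "notifiers": ALL,
    "shared_access_keys": frozenset({"read", "update"}),
    "users": ALL, "views": ALL,
}

# Dataset-level capabilities; granted either for all datasets ("*") or per dataset.
DATASET_CAPABILITIES = {
    "data": frozenset({"delete"}),
    "ingest": frozenset({"create"}),
    "query": frozenset({"read"}),
    "share": frozenset({"create", "read", "update"}),
    "saved_queries": ALL,
    "trim": frozenset({"update"}),
    "vacuum": frozenset({"update"}),
    "virtual_fields": ALL,
}


@dataclass
class Role:
    name: str
    org: dict       # org capability -> set of permissions
    datasets: dict  # dataset name or "*" -> {dataset capability -> set of permissions}


def validate_role(role: Role) -> list:
    """Return the problems with a role definition; an empty list means it is valid."""
    problems = []
    for cap, perms in role.org.items():
        allowed = ORG_CAPABILITIES.get(cap)
        if allowed is None:
            problems.append(f"unknown org capability {cap!r}")
        elif not set(perms) <= allowed:
            problems.append(f"{cap}: {sorted(set(perms) - allowed)} not allowed")
    for ds, caps in role.datasets.items():
        for cap, perms in caps.items():
            allowed = DATASET_CAPABILITIES.get(cap)
            if allowed is None:
                problems.append(f"unknown dataset capability {cap!r}")
            elif not set(perms) <= allowed:
                problems.append(f"{ds}/{cap}: {sorted(set(perms) - allowed)} not allowed")
    return problems


@dataclass
class User:
    base_role: Role
    groups: list  # each group is a list of Roles assigned to that group


def effective_roles(user: User) -> list:
    """Base role plus every role reached through group membership (additive union)."""
    return [user.base_role] + [r for group in user.groups for r in group]


def can(user: User, capability: str, permission: str, dataset: Optional[str] = None) -> bool:
    """True if any effective role grants the permission; '*' grants cover every dataset."""
    for role in effective_roles(user):
        if dataset is None:
            if permission in role.org.get(capability, ()):
                return True
        else:
            for scope in ("*", dataset):
                if permission in role.datasets.get(scope, {}).get(capability, ()):
                    return True
    return False


# Hypothetical roles; the permission sets respect the page's matrix.
NONE = Role("None", {}, {})
SECURITY_ANALYST = Role(
    "security-analyst",
    org={"audit_log": {"read"}, "monitors": {"read", "update"}},
    datasets={"*": {"query": {"read"}}, "security-logs": {"share": {"create", "read"}}},
)
INGEST_ONLY = Role("ingest-only", org={}, datasets={"app-logs": {"ingest": {"create"}}})


def demo() -> dict:
    """Least privilege: alice is invited with the None role and gets everything from groups."""
    alice = User(base_role=NONE, groups=[[SECURITY_ANALYST], [INGEST_ONLY]])
    return {
        "audit_read": can(alice, "audit_log", "read"),                      # True
        "billing_update": can(alice, "billing", "update"),                  # False
        "query_any": can(alice, "query", "read", dataset="payments"),       # True, via "*"
        "share_payments": can(alice, "share", "create", dataset="payments"),  # False
        "ingest_app": can(alice, "ingest", "create", dataset="app-logs"),   # True
        "delete_data": can(alice, "data", "delete", dataset="app-logs"),    # False
    }
```

Because access is purely additive, the only way to take a capability away is to narrow the base role or remove the group membership that grants it; `can()` has no notion of a deny rule, which mirrors the model described on this page.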

Delete users

This is a destructive action. After you delete a user, you can’t recover their account.

  1. Click Settings > Users.
  2. Find the user in the list, and then click Delete user on the right.

Directory Sync

Directory Sync automatically mirrors user account data between a central directory, such as Active Directory, and connected applications. When the status of an employee changes, all systems are automatically updated.

For this feature, Axiom relies on WorkOS. For more information, see Directory Sync and Supported vendors in the WorkOS documentation.

Single Sign-On (SAML SSO)

To simplify access management and enhance security, Security Assertion Markup Language-based Single Sign-On (SAML SSO) lets users authenticate through your identity provider instead of with separate Axiom credentials. Support for the industry-standard SCIM protocol keeps access grants up to date as users join, change roles, or leave.

Axiom supports secure, centralized user authentication through both types of flow for SAML-based SSO:

  • IdP-initiated flow (identity-provider-initiated flow)
  • SP-initiated flow (service-provider-initiated flow)

Two-factor authentication (2FA) is a security feature that requires users to provide two forms of identification before accessing their accounts. You can turn on 2FA for users logging in through SAML SSO and enforce it through your identity provider. Axiom doesn’t offer 2FA natively.

For this feature, Axiom relies on WorkOS:

  1. Axiom provisions an organization for you in WorkOS, connects it to your Axiom organization, and turns on SSO.

  2. Axiom provides you with a setup link to your WorkOS organization.

  3. You follow the instructions using the setup link. The setup requires the following attributes for your users:

    • idp_id
    • first_name
    • last_name
    • email

For more information, see Enterprise Single Sign-On and Supported vendors in the WorkOS documentation.
