
Role-based access control


Nobl9 supports role-based access control (RBAC) to ensure granular user permissions and access to resources in the Nobl9 platform.

There are two levels of permissions, the organization level and the project level:

  • Organization roles ensure access across the Nobl9 platform. Depending on the desired access rights, users can be assigned the Organization Admin, User, Integrations User, Viewer, or Responder role.

  • Project roles entitle users to access a project and its underlying resources, such as services or SLOs. Project-level roles include Project Owner, Editor, Viewer, Integrations User, and Responder.

Projects in the Nobl9 platform

Projects are the primary logical grouping of resources in the Nobl9 platform. They are intended for use in organizations where many users are spread across multiple teams and/or departments. Projects group and organize all resources available to users in the Nobl9 platform, enabling users across teams or departments to access those resources safely.

The resources that can be grouped under a project include:

  • Services

  • SLOs

  • Data sources

  • Alert policies

  • Alert methods

Important

Projects cannot be nested inside one another, but data sources and alert methods can be shared across many projects.

Resources cannot be moved between projects. If you create a resource (such as a service or SLO) in the wrong project, you must delete it first, then go to the correct project and add the resource there. For more details, see Managing Shared Resources.

Adding a project

To add a project in Nobl9, follow these steps:

  1. Go to Catalog > Projects.

  2. Click .
  3. In the Project Creation wizard, enter the following information:

    • Display name (optional)

    • Name (mandatory)

    • Description (optional)

  4. Click Create Project in the bottom-right corner.

note

When you create a project, you are automatically assigned the role of Project Owner.

Roles in the Nobl9 platform

In this section, we’ll walk through the different organization- and project-level roles in detail. Role management is also available with sloctl using Role Binding.

Organization roles

Organization Admin

Organization Admins have full read and write access to all areas in the Nobl9 platform. They are responsible for setting up single sign-on (SSO) and user management. Organization Admins can:

  • Add, delete, and suspend users.

  • Assign organization- and project-level roles to other users.

  • Promote other users to an Admin role.

  • Grant other users the view permission to all projects.
    For example, to executives who require read-only access to all services for dashboards.

  • Access all projects.

  • Create new projects.

  • View, create, edit, and delete user annotations.

  • View and delete system annotations.

  • View, create, edit, and delete SLI analyses.

  • View, edit, and delete labels.

Organization User

By default, anyone who signs in to the Nobl9 platform is an Organization User (unless a different default role has been set for your organization). Organization Users can be granted access to one or more projects by being assigned the role of Project Owner, Editor, Viewer, Integrations User, or Responder. Organization Users can:

  • Create projects (and automatically become the Owner of these projects).

  • Manage resources (provided they are assigned the Owner or Editor role for the project in question).

  • View SLOs and other resources for projects in which they are assigned the Viewer role.

  • View labels.

note

Organization Users can only see the resources in a project if they have been granted access to this project by the Organization Admin or the Project Owner.

Organization Integrations User

The Organization Integrations User role covers permissions to access all data sources and SLI Analyzer within the organization. This role is one of the default Nobl9 roles. Once selected as the default, Organization Integrations User is automatically assigned to every new user of your organization.

Organization Integrations Users can:

  • View services.

  • View and create projects.

  • View SLOs.

  • View dashboards.

  • View and use integrations.

  • View and use alert methods.

  • View reports.

  • View other users.

  • View user and system annotations.

  • View, create, edit, and delete SLI analyses.

  • View labels.

Organization Viewer

An Organization Viewer has read-only access to all resources in the Nobl9 platform. Organization Viewers can:

  • View services.

  • View projects.

  • View SLOs.

  • View dashboards.

  • View integrations.

  • View alert methods.

  • View reports.

  • View other users.

  • View user and system annotations.

  • View SLI analyses.

  • View labels.

note

Organization Viewers cannot edit any resources in the Nobl9 platform.

Organization Responder

An Organization Responder has read-only access to most of the resources in the Nobl9 platform except SLO annotations and alert silence. Organization Responders can create and manage these resources. Organization Responders can:

  • View services.

  • View projects.

  • View SLOs.

  • View dashboards.

  • View integrations.

  • View alert methods.

  • View reports.

  • View other users.

  • View, create, edit, and delete user annotations.

  • View system annotations.

  • View, apply, and delete Alert silence.

  • View SLI analyses.

  • View labels.

note

Organization Responders cannot edit any resources in the Nobl9 platform except user annotations and alert silence, which they can manage.

Project roles

Project Owner

Project Owners have read and write access to the project(s) they own. A Project Owner can:

  • Add existing Nobl9 users to the project.

  • Manage existing users’ levels of access to the project.

  • Remove users from the project.

  • Delete the project.

  • View, create, edit, and delete user annotations in the project.

  • View system annotations.

  • View, create, edit, and delete SLI analyses.

Project Editor

The Project Editor is the primary user of the Nobl9 platform. Project Editors can:

  • Create, edit, and delete resources in the projects they are assigned to.

  • Manage SLOs, integrations, and alert policies.

  • View dashboards.

  • Pull reports and charts.

  • View, create, edit, and delete user annotations in the projects they can edit.

  • View system annotations.

  • View, create, edit, and delete SLI analyses.

Project Integrations User

A Project Integrations User can use a data source or an alert method in a given project, but cannot create, edit, or delete project resources. Project Integrations Users can:

  • Use a data source from one project to set up SLOs in another project.

  • Use an alert method from one project to configure an alert policy in another project.

  • View, create, edit, and delete SLI analyses.

note

For example, if a user is a Project Editor for Project A and a Project Integrations User for Project B, they can use data sources and alert methods from Project B in Project A. However, they cannot edit any resources in Project B.

Project Viewer

The Project Viewer is the primary consumer of data in the Nobl9 platform. Project Viewers can:

  • Generate reports for the projects to which they are assigned.

  • View dashboards in the projects to which they are assigned.

  • View the SLO grid in the projects to which they are assigned.

  • View system and user annotations.

  • View SLI analyses.

note

Project Viewers cannot create, edit, or delete resources.

Project Responder

A Project Responder can manage SLO annotations and alert silence (view, apply, and delete these resources). Project Responders can:

  • View services.

  • View SLOs.

  • View projects to which they are assigned.

  • View dashboards in the projects to which they are assigned.

  • View, create, edit, and delete user annotations.

  • View system annotations.

  • View, apply, and delete Alert silence.

  • View SLI analyses.

Role-Permission matrix

This section provides a summary of permissions for all Nobl9 roles.

Organization level

Organization Admin | Organization User | Organization Integrations User | Organization Viewer | Organization Responder
View all resources | Depends on project access granted to this user
Add, remove, and suspend users
Assign and remove user roles (on an organization and project level)
Create projects and resources | Projects only | Projects only
View dashboards
View Resource Usage Summary report
View user and system annotations
Create/edit/delete user annotations
Delete system annotations
Create access keys [1]
View alert silence
Apply or delete alert silence
View SLI analyses
Create/edit/delete SLI analyses
Create SLO from an analysis
View labels
Edit/delete labels

[1] All Nobl9 users can create access keys.

Project level

Project Owner | Project Editor | Project Viewer | Project Responder | Project Integrations User
Add existing users to the project
Create/edit SLOs
Create/edit services
Create/edit alert policies
Add/use integrations | Can use but can't create integrations
View reports
View SLO details
View dashboards
Create/edit/delete user annotations
View system and user annotations
View alert silence
Apply or delete alert silence
Create access keys
View SLI analyses
Create/edit/delete SLI analyses
Create SLO from an analysis

Managing users and user roles

Roles in the Nobl9 platform can be managed on the organization and project levels. To access the user management UI, navigate to Settings > Access Controls.

Organization roles can only be assigned and changed by Organization Admins. Organization Admins can also invite new users to their organization, delete users, or suspend users' accounts.

note

Users can reset their password by going to the Forgot password page and following the provided instructions. When a user is resetting their password, the status of that user is automatically set to Recovery. It will be changed to Active after the password is successfully changed.

Project roles can be assigned either by Organization Admins or by the Project Owner.

note

Project Owners cannot invite new users or delete or suspend user accounts.

Adding users

  1. Go to Settings > Access Controls.

  2. Click .
  3. In the Create User wizard, enter the following information:

    • First name

    • Last name

    • Email address

    • Organization role

  4. Click the Add User button in the bottom-right corner.

note

An invitation to join Nobl9 will automatically be sent to the user, and their role will be applied once they log in. The status of the invited user is automatically set to Pending. It will be changed to Active after the user accepts the invitation. Organization Admins can issue reminders to users with the Pending status by resending the invitations.

Deleting users

  1. Go to Settings > Access Controls.

  2. In the user list, hover over the user you want to remove.

  3. Click the trash can icon on the right.

  4. Click the Delete button in the pop-up window to confirm.

caution

Deleted users will be permanently removed from the organization, along with their access keys. They will no longer be able to log in to the Nobl9 platform via the UI or access Nobl9 with sloctl.

Suspending users

  1. Go to Settings > Access Controls.

  2. Find the user whose account you want to suspend in the user list.

  3. In the Status column, click the down-pointing arrow to display the drop-down menu.

  4. Select Suspended.

  5. Click the Deactivate button in the pop-up window.

Suspended users will not be removed from the database, but they will not be able to access the Nobl9 platform via the UI or with sloctl. Access keys belonging to a suspended user will be temporarily deactivated. An Organization Admin can reactivate a suspended user by navigating to Settings > Access Controls and changing the user’s status to Active.

Changing users' organization role

  1. Go to Settings > Access Controls.

  2. In the user list, find the user whose role you wish to update.

  3. In the Organization Role column, click the to display the drop-down menu.

  4. Select the organization role you wish to assign to the user.

Assigning users to projects

  1. Go to Settings > Access Controls.

  2. In the user list, find the user you wish to add to the project.

  3. Hover over the user’s name, and click the project icon on the right-hand side of the user list. If the user has access to multiple projects, click the next to the user’s name to display the list.

  4. In the dialog box, in the Projects column, select or enter the name of the project that you want to assign the user to.

  5. In the Access Permissions column, click the and select the access permission that you want to assign to the user.

note

Organization Admins can manage project-level permissions for all projects, and Project Owners can manage permissions for the projects they own.

warning

A user cannot be assigned to a project without a role. If an Organization Admin or a Project Owner attempts to add a user to a project without assigning the user a specific role in the project, the change will not be saved.

Changing users' project role

To remove a project role from a user, you must remove the user from the project (i.e., delete the user). You can then reassign them to the project with a different role if desired. Follow the steps in the preceding sections to complete these actions.

Changing the default organization role

The default role for all new Nobl9 users is Organization User. However, Organization Admins can configure a Default Organization Role from their Settings panel in the Users tab by clicking the Configure Default Role button.

Organization Admins can choose between the following roles:

  • Organization User

  • Organization Viewer

  • Organization Responder

caution

This setting will be applied to every newly added user once they log in to the app for the first time. If users have already logged in before, their role won’t be changed.

Managing projects and project resources

Users can review and manage their projects in the Catalog section in the UI. The Catalog view allows users with the appropriate role to edit and delete resources that belong to a given project directly in the project details.

To manage a project’s resources in this way:

  1. Click Catalog in the left navigation pane.

  2. Select the project from the list in the Projects tab.

The Project Details tab allows users (depending on their roles) to review and manage services, SLOs, data sources, alert policies, alert methods, and users that belong to a specific project. From here, users with the appropriate role can directly access all of the project’s resources, edit them through the UI wizards, or delete them.

User roles and the visibility of resources

Project permissions affect what data is visible and what actions are available to a user in the Catalog and on the Project Details tab:

  • Organization Admins can view, edit, or delete all projects, services, SLOs, and other resources within their organization.

  • Organization Users can see only the project(s) they have been assigned to. Their permissions will vary depending on the role they have in a project.

  • Organization Viewers and Responders can view all projects, services, SLOs, and other resources within their organization.

  • Project Owners can edit or delete their projects, and can add, edit, and delete resources belonging to these projects. They can also assign existing users to the projects they own.

  • Project Editors can edit a project and add, edit, and delete resources within the project. They can’t delete the project (the trash icon will be grayed out). They also can’t add users to the project.

  • Project Viewers and Responders can only view their own project and its resources. They can’t edit or delete the project or add, edit, or delete project resources. The pencil and trash icons will be grayed out.

User Roles and the Settings tab

Project permissions also restrict the content that is visible to users on the Settings > Access Controls tab:

  • Only Organization Admins can view the organization’s roles and assign organization roles to other users in their organization. They can also invite new users and assign them organizational roles in the invitation.

  • Organization Users, Viewers, and Responders cannot see the organizational roles of other users within their organization.

  • On the project level, Organization Users, Viewers, and Responders can only see the roles of those users assigned to the projects that they own or can edit or view. They can only assign and edit project roles in the project(s) that they own.

User roles and access to resources

Project permissions affect user access to resources. For example:

  • Users can pull reports (in the Reports section) and view services and SLOs (in the SLO grid view) only from projects in which they are assigned the Project Viewer, Responder, Editor, or Owner role.

  • In the Service Health Dashboard, users can only see services that belong to projects they have access to (i.e., where they have the role of Project Viewer, Responder, Editor, or Owner).

note

The same limitations apply to sloctl. The role bindings that are visible depend on the role that is assigned to the user.

Managing shared resources

Data sources and alert methods are global resources in Nobl9. They can be used across projects by users with the following roles assigned:

  • Project Owner or Project Editor in the project where SLOs and alert policies will be configured.

  • Project Integrations User in the project to which the data source or alert method belongs.

Project Integrations Users can only use data sources and alert methods; they cannot edit or delete these integrations. They also cannot add, edit, or delete any other resources in projects they are assigned to with this role.

Project Owners have control over the use of their data sources and alert methods. Project Owners must explicitly agree that users who do not belong to their projects can use their integrations by assigning them the Integrations User role.

If you want to share specific data sources and/or alert methods across the entire organization, it may be preferable to create a project specifically for this purpose. To do this:

  • Create a new project, and add the data sources and/or alert methods to it.

  • Grant any users in the organization that you want to be able to access these resources the Editor or Integrations User role in this project.

Default security status of projects in Nobl9

The default role for all new users in Nobl9 is Organization User (unless a different default role has been set for your organization). This means that if you create a new Project as an Organization Admin, users who reside in your organization will not see the Project in their Project list (Catalog > Projects) or any SLOs related to this Project.

There are two ways to give your users access to the Project and all resources related to it:

  • From the Organization level: change the organization roles of the users to Organization Viewer. This way, they will be able to see all Projects (and their related resources) within your organization. Keep in mind that Organization Viewers can’t create new Projects.

  • From the Project level: when you create a Project, assign users from Settings > Access Controls. In the Settings pane, add the project to the relevant users and assign appropriate project roles to them.

tip

Any Project role will be sufficient for the assigned users to view all resources related to the Project.
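The visibility rules and the shared-resource rules described above, as an added example (not Nobl9 code): a small Python model that answers who can view or edit a project and who can use one project's data source or alert method in another. Role names come from this page; the data model and the user and project names are constructed, the Organization Integrations User role is not modeled, and counting Project Owner among the roles that may use their own project's integrations is an assumption.

```python
from dataclasses import dataclass, field

# Role names are taken from the page; the data model itself is an assumption.
SEE_ALL = {"Organization Admin", "Organization Viewer", "Organization Responder"}
WRITE = {"Project Owner", "Project Editor"}
# Roles in the owning project that allow *using* its data sources / alert methods.
# Project Owner is included as an assumption (Owners have read and write access).
USE_INTEGRATION = WRITE | {"Project Integrations User"}


@dataclass
class User:
    name: str
    org_role: str = "Organization User"   # default role for new users
    status: str = "Active"                # "Active" or "Suspended" in this model
    project_roles: dict = field(default_factory=dict)  # project -> exactly one role


def project_role(user, project):
    """Project-level role, or None. Suspended users hold no effective role."""
    return None if user.status == "Suspended" else user.project_roles.get(project)


def can_view(user, project):
    if user.status == "Suspended":
        return False
    # Any project role is sufficient to view the project's resources.
    return user.org_role in SEE_ALL or project_role(user, project) is not None


def can_edit(user, project):
    if user.status == "Suspended":
        return False
    return user.org_role == "Organization Admin" or project_role(user, project) in WRITE


def can_use_integration(user, owning_project, target_project):
    """Use a data source or alert method from owning_project in target_project."""
    if not can_edit(user, target_project):   # must be able to configure SLOs there
        return False
    return (user.org_role == "Organization Admin"
            or project_role(user, owning_project) in USE_INTEGRATION)


def access_report(users, project):
    """Map each user name to 'edit', 'view' or 'none' for one project."""
    return {u.name: "edit" if can_edit(u, project)
            else "view" if can_view(u, project) else "none" for u in users}


# Constructed sample data: user and project names are hypothetical.
USERS = [
    User("admin", org_role="Organization Admin"),
    User("newcomer"),                                  # default role, no project
    User("exec", org_role="Organization Viewer"),
    User("dev", project_roles={"project-a": "Project Editor",
                               "project-b": "Project Integrations User"}),
    User("ex-dev", status="Suspended", project_roles={"project-a": "Project Owner"}),
]

if __name__ == "__main__":
    for project in ("project-a", "project-b"):
        print(project, access_report(USERS, project))
```

Running the report per project before and after a role change shows which users gain visibility, and the `newcomer` row shows the default state: an Organization User with no project role sees nothing.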