Role-based access control (RBAC) is the default access control system in Sift. RBAC uses predefined roles and groups to manage user permissions across resources. Understanding these core concepts will help you effectively manage access in your organization.

Roles

RBAC uses four predefined roles that determine the level of access granted to users. Each role provides a specific set of permissions:
  • Admin: Full access to data, configuration settings, and user management. Admins can create and modify groups, manage users, and configure system settings.
  • Editor: Can view, edit, and write time series data and metadata. Editors have full data access but cannot manage users or system configuration.
  • Collaborator: Can view time series data and add metadata. Collaborators can annotate and tag data but cannot modify the underlying time series data.
  • View-only: Read-only access to time series data. View-only users can explore and analyze data but cannot make any changes.
Custom roles are not supported in RBAC at this time. All organizations use these four predefined roles. An organization that needs custom-defined roles must use ABAC.

Role permissions

The following table shows which permissions are available for each role. An "" indicates that the role has that permission.

Groups

Groups are collections of users that share the same role and asset access permissions. Groups simplify access management by allowing administrators to assign permissions to multiple users at once. Key characteristics of groups:
  • Role assignment: Each group is assigned one of the four predefined roles (Admin, Editor, Collaborator, or View-only).
  • User membership: Users can belong to one or more groups, inheriting permissions from all groups they belong to.
  • Default groups: Internal users (those with email addresses matching the organization’s domain) are automatically added to a default group during sign-up. External users are assigned to a specified group during invitation.

Asset access

Asset access determines which resources (runs, channels, reports, etc.) a group can access. Groups can be configured with:
  • All assets: Access to all resources in the organization.
  • Specific assets: Access restricted to a defined subset of assets.
This allows administrators to create groups with the same role but different data access. For example, you might have an “Engine Team - Editors” group with Editor role and access to Engine assets, and a “Propulsion Team - Editors” group with Editor role and access to Propulsion assets.

How permissions work

Permissions in RBAC are determined by a user’s group memberships:
  1. Group role: Each group has a role that defines what actions its members can perform.
  2. Asset access: Each group has access to either all assets or a specific subset of assets.
  3. Combined permissions: When a user belongs to multiple groups, they inherit the union of permissions from all groups. For example, if a user belongs to a group with Editor role and access to Engine assets, and another group with Collaborator role and access to Propulsion assets, they will have:
    • Editor permissions on Engine assets
    • Collaborator permissions on Propulsion assets
This group-based approach makes it easy to manage access as team structures change—simply add or remove users from groups rather than modifying individual user permissions.
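The union rule above can be checked during an access review. The following is an added example, not Sift's own code or API. The permission labels are assumptions paraphrased from the role descriptions, every permission is treated as asset-scoped, and the groups and users are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical permission labels, paraphrased from the role descriptions above.
ROLE_PERMS = {
    "View-only": {"view_data"},
    "Collaborator": {"view_data", "add_metadata"},
    "Editor": {"view_data", "add_metadata", "edit_data"},
    "Admin": {"view_data", "add_metadata", "edit_data", "manage_users", "configure_system"},
}
ALL_ASSETS = "*"  # assumed marker for a group configured with "All assets"

@dataclass(frozen=True)
class Group:
    name: str
    role: str
    assets: frozenset   # asset names, or {ALL_ASSETS}
    members: frozenset  # user names

def covers(group, user, asset):
    """True if the user is a member and the group's asset access includes the asset."""
    return user in group.members and (ALL_ASSETS in group.assets or asset in group.assets)

def effective_permissions(user, asset, groups):
    """Union of role permissions from every group that covers this user and asset."""
    perms = set()
    for g in groups:
        if covers(g, user, asset):
            perms |= ROLE_PERMS[g.role]
    return perms

def access_report(user, assets, groups):
    """Per asset: (sorted permissions, names of the groups that grant them)."""
    return {
        a: (sorted(effective_permissions(user, a, groups)),
            sorted(g.name for g in groups if covers(g, user, a)))
        for a in assets
    }

# Constructed sample data: the two-group case from the text plus an org-wide View-only group.
GROUPS = [
    Group("Engine Team - Editors", "Editor", frozenset({"Engine"}), frozenset({"alice"})),
    Group("Propulsion Team - Collaborators", "Collaborator", frozenset({"Propulsion"}), frozenset({"alice"})),
    Group("Everyone - View-only", "View-only", frozenset({ALL_ASSETS}), frozenset({"alice", "bob"})),
]

if __name__ == "__main__":
    for asset, (perms, sources) in access_report("alice", ["Engine", "Propulsion", "Avionics"], GROUPS).items():
        print(f"{asset}: {perms} via {sources}")
```

Listing the contributing groups next to each permission set shows which membership to remove when a user holds more access on an asset than intended.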