Ask or search…
K
Links

SSO & RBAC (Role Based Access Control)

Single Sign On

Arize supports Single Sign-On via SAML2. Configure your Identity Provider with the following information about the Arize Service:
  1. 1.
    SSO URL / ACS (Assertion Consumer Service) : https://app.arize.com/auth/v2/saml
  2. 2.
    URI / EntityID: https://app.arize.com
  3. 3.
    UserName / NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If needed for your Identity Provider, Arize SAML metadata.xml can be downloaded from https://app.arize.com/auth/v2/saml/metadata
Once configured in your Identity Provider, send Arize your IdP metadata URL, or the metadata.xml directly.

Role Based Access Control

Arize supports full role based access control. Using organizations and spaces, users can be restricted to only have access to data they are permitted. Your Arize account can consist of multiple organizations and spaces.

Account

You are a member of one Arize account. An account consists of one or more organizations.
Admin - Has full access to all entities in the account.
Member - Access is determined by organization and space roles.
Action
Admin
Member
User management
  • Invite users, remove users, and change user roles
Create organizations

Organizations

Organizations represent a single business unit and help you silo work across different areas of your business. Within your account, you can be a member of multiple Organizations. An Organization may consist of one or more spaces.
Admin - Has full access to all entities in the organization.
Member - Has partial access at the organizational level. Can create spaces and integration keys. They can only edit or delete integration keys they create. Space access is determined by space role.
Read-only Member - Has read-only access to the organization. Cannot create spaces nor integration keys. Public space access is read-only unless added to the space. Private space access is determined by space role.
Action
Admin
Member
Read-only Member
Organization Member management
  • Invite and remove members and change their roles
Create spaces
View public spaces
Edit public spaces
❌ (unless explicitly added)
View private spaces
If added to space:
If not: ❌
If added to space:
If not: ❌
Create integration keys
Edit / delete integration keys
If creator: If not: ❌

Spaces

Spaces represent an environment for groups of models. You can be a member of multiple spaces across multiple organizations within your account. Spaces can either be public or private. Public Spaces are visible to all members (regardless of role) of the parent organization. Private spaces are only visible to explicitly invited members of the space.
Admin - Has full access to all entities in the space.
Member - Has write access to entities associated to models (e.g., monitors) but does not have access to API keys, model creation, or membership management.
Read-only Member - Has read-only access to entities in the space.
Action
Admin
Member
Read-only Member
Access to SDK API Key
Space Member management
  • Invite and remove members and change their roles
Delete models
Create and delete file import jobs
Update model settings
Create/Edit Dashboards
Create/Edit Monitors
View model entities (monitors, dashboards etc.)

Invite Users

Want to invite team members?
  1. 1.
    Go to 'Account Settings' --> Members --> Add Members
  2. 2.
    Go to 'Org Settings' --> Members --> Add Members
  3. 3.
    Go to 'Space Settings' --> Members --> Add Members
When adding a member, you will select their permission level for your Account, Organization, and Space.
Adding a user to a workspace

JIT User Provisioning

To enable just-in-time user provisioning, you must also provide an attribute Name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name that maps to the full name of the user.
Arize also supports automated user role assignment alongside JIT user provisioning to allow you to enforce role based access control. You can declare a mapping between values of a specified SAML user attribute defined within your idP and each value's corresponding Arize user role assignment. After this has been configured, the Arize platform, when provisioning a new user via SSO, will automatically assign the appropriate Arize roles for the user according your role mapping configuration. Contact support to make these configuration mappings.
Questions? Email us at [email protected] or Slack us in the #arize-support channel