Copyright © 2025 Arize AI, Inc


SSO & RBAC

Last updated 3 days ago


Single Sign On

Arize supports Single Sign-On via SAML2. Configure your Identity Provider with the following information about the Arize Service.

For app.arize.com:

  • SSO URL / ACS (Assertion Consumer Service): https://app.arize.com/auth/v2/saml

  • URI / EntityID: https://app.arize.com

  • UserName / NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If needed for your Identity Provider, the Arize SAML metadata.xml can be downloaded from https://app.arize.com/auth/v2/saml/metadata

For app.eu-west-1a.arize.com:

  • SSO URL / ACS (Assertion Consumer Service): https://app.eu-west-1a.arize.com/auth/v2/saml

  • URI / EntityID: https://app.eu-west-1a.arize.com/

  • UserName / NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If needed for your Identity Provider, the Arize SAML metadata.xml can be downloaded from https://app.eu-west-1a.arize.com/auth/v2/saml/metadata

Once configured in your Identity Provider, send Arize your IdP metadata URL, or the metadata.xml directly.

Role Based Access Control

Arize supports full role-based access control. Using organizations and spaces, users can be restricted to the data they are permitted to access. Your Arize account can consist of multiple organizations and spaces.

Account

You are a member of one Arize account. An account consists of one or more organizations.

Admin - Has full access to all entities in the account.

Member - Access is determined by organization and space roles.

| Action | Admin | Member |
| --- | --- | --- |
| User management (invite users, remove users, and change user roles) | ✅ | ❌ |
| Create organizations | ✅ | ❌ |

Organizations

Organizations represent a single business unit and help you silo work across different areas of your business. Within your account, you can be a member of multiple Organizations. An Organization may consist of one or more spaces.

Admin - Has full access to all entities in the organization.

Member - Has partial access at the organizational level. Can create spaces and integration keys. They can only edit or delete integration keys they create. Space access is determined by space role.

Read-only Member - Has read-only access to the organization. Cannot create spaces or integration keys. Public space access is read-only unless added to the space. Private space access is determined by space role.

| Action | Admin | Member | Read-only Member |
| --- | --- | --- | --- |
| Organization Member management (invite and remove members and change their roles) | ✅ | ❌ | ❌ |
| Create spaces | ✅ | ✅ | ❌ |
| View public spaces | ✅ | ✅ | ✅ |
| Edit public spaces | ✅ | ✅ | ❌ (unless explicitly added) |
| View private spaces | ✅ | If added to space: ✅ If not: ❌ | If added to space: ✅ If not: ❌ |
| Create integration keys | ✅ | ✅ | ❌ |
| Edit / delete integration keys | ✅ | If creator: ✅ If not: ❌ | ❌ |

Spaces

Spaces represent an environment for groups of models. You can be a member of multiple spaces across multiple organizations within your account. Spaces can either be public or private. Public Spaces are visible to all members (regardless of role) of the parent organization. Private spaces are only visible to explicitly invited members of the space.

Admin - Has full access to all entities in the space.

Member - Has write access to entities associated with models (e.g., monitors) but does not have access to membership management.

Read-only Member - Has read-only access to entities in the space. Due to popular customer request, read-only members are still able to run the prompt playground.

Annotator - Has access only to assigned items in the labeling queue.

| Action | Admin | Member | Read-only Member | Annotator |
| --- | --- | --- | --- | --- |
| Access to SDK API Key | ✅ | ✅ | ❌ | ❌ |
| Space Member management (invite and remove members and change their roles) | ✅ | ❌ | ❌ | ❌ |
| Delete Projects | ✅ | ❌ | ❌ | ❌ |
| Create and delete file import jobs | ✅ | ❌ | ❌ | ❌ |
| Update model settings | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Dashboards | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Monitors | ✅ | ✅ | ❌ | ❌ |
| View project entities (Datasets, monitors, dashboards etc.) | ✅ | ✅ | ✅ | ❌ |
| Create/Edit Tasks; Create/Edit Datasets | ✅ | ✅ | ❌ | ❌ |
| Run Experiments | ✅ | ✅ | ❌ | ❌ |
| Annotate on Spans | ✅ | ✅ | ❌ | ❌ |
| Create / Edit / Delete Prompts | ✅ | ✅ | ❌ | ❌ |
| Access Annotation Queues | ✅ | ✅ | ✅ | ✅ |
| Run Playground | ✅ | ✅ | ✅ | ❌ |

Invite Users

Want to invite team members?

  1. Go to 'Account Settings' --> Members --> Add Members

  2. Go to 'Org Settings' --> Members --> Add Members

  3. Go to 'Space Settings' --> Members --> Add Members

When adding a member, you will select their permission level for your Account, Organization, and Space.

JIT User Provisioning

To enable just-in-time (JIT) user provisioning, we recommend providing an attribute named Name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name that maps to the full name of the user, so that the First/Last Name is created properly for the user in the Arize platform.

Arize also supports automated role assignment during JIT provisioning, enabling you to enforce role-based access control. To configure this, you declare a mapping between the values of a specified SAML attribute from your Identity Provider (IdP) and the corresponding Arize user roles. For example, if you have an attribute for team/department in your IdP (e.g., "Department": "Ads ML Engineering"), you can map that attribute to a specific Space/Org role in Arize. These attributes need to be included in the SAML assertion/response.

Below is an example configuration:

<saml2:Attribute Name="Department" 
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xs:string"
                >Ads ML Engineering</saml2:AttributeValue>
</saml2:Attribute>

Once this configuration is set, Arize will automatically assign the appropriate roles when provisioning users via SSO, based on your role mapping. To set up these configuration mappings, contact your dedicated customer success engineer or Arize support by email or Slack.
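Before sending your IdP metadata to Arize, it helps to confirm that a test assertion from your IdP actually carries what the sections above require. The following is an added example, not Arize code: it checks the NameID format, ACS recipient, EntityID audience, the full-name attribute and the role-mapping attribute. The function name check_assertion, its role_attr parameter and the sample user are assumptions made for illustration; the endpoint values are the app.arize.com ones listed under Single Sign On.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the Single Sign On section (app.arize.com endpoint).
ACS_URL = "https://app.arize.com/auth/v2/saml"
ENTITY_ID = "https://app.arize.com"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FULL_NAME_ATTRS = {"Name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}

# Constructed sample assertion (unsigned, trimmed) for a hypothetical test user.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Recipient="https://app.arize.com/auth/v2/saml"/></saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://app.arize.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Department"><saml2:AttributeValue>Ads ML Engineering</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def check_assertion(xml_text, role_attr="Department"):
    """Return a list of problems found in a test assertion (empty list means OK)."""
    # ElementTree is fine for XML you produced yourself; use defusedxml for anything else.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml2:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient does not match the Arize ACS URL")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml2:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not match the Arize EntityID")
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml2:AttributeValue", NS)]
             for a in root.iterfind(".//saml2:Attribute", NS)}
    if not any(any(attrs.get(n, [])) for n in FULL_NAME_ATTRS):
        problems.append("no full-name attribute for JIT provisioning")
    if not any(attrs.get(role_attr, [])):
        problems.append(f"role-mapping attribute {role_attr!r} missing or empty")
    return problems
```

The constructed sample includes the Department attribute but no full-name attribute, so the check reports that one gap; a user provisioned from it would get a role mapping but no proper First/Last Name.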

These permissions reflect using the new User keys. We recommend using them over the legacy ingestion keys.

Questions? Email us at support@arize.com or Slack us in the #arize-support channel