RBAC (Role Based Access Control)

This documentation provides the setup instructions for Role-Based Access Control (RBAC). With this feature, members can be grouped based on common job responsibilities or system access needs. Members are only allowed to access the logs necessary to effectively perform their duties, as defined by their group.

What are roles and groups?

Roles are predefined titles that have default privileges. Mezmo supports 4 types of roles: Owner, Admin, Member and Read. Read the section below to learn more about each specific role.

Groups are a collection of Members with specific, customizable access permissions where every user in the group shares the same permissions. Only users with the role of “Member” can be added to a group. Owners, Admins and Read roles are not able to be added to a group. Read the section below to learn more about how to create groups.

When should I use roles vs groups?

By default, every user in the organization has a role and each role has a set of permissions (visualized in this feature matrix).

Groups are useful for limiting access to certain types of log data for specific users on your team (who have the role of “Member”). For example, if your SREs only need access to a specific source, you can define a group with a query that allows access to that specific source and add all the SREs to the group.

Users with the role of “Member” can also be a part of multiple groups. This means that they would have access to the aggregate of all the information in each of the groups.

Note: If a user is put into a group that has limited data access, they will not know what data they cannot see unless the admin tells them. When they search for specific data they don’t have access to, the data will not show up and there is no warning available to them.

What are the roles in Mezmo’s ecosystem?




Owner

The owner of the Mezmo organization. There is only one unique owner assigned for each account. This user has the highest level of access in the platform and cannot be restricted. They can view all the logs and add or remove admins/users.

Admin

Each Mezmo organization can have more than one admin. Admins have the second highest level of access in the platform. They can view all the logs, and admin access cannot be restricted.

Member

Standard members of your Mezmo organization. Members are subject to the access defined by your RBAC rules.

Read

Read-only roles can view logs, perform searches, view boards, and export lines, with no access to modify.

The logic behind RBAC is simple. Team members are assigned memberships to Groups, and Groups are the backbone of the access control because they specify access scopes. All log data access by team members is gated by their Group membership and the access scopes associated with those Groups.

Please note that:

  • Only Members can be added to Groups. (Owner and Admins cannot be added to Groups)
  • Only Owner and Admins can manage Groups.
  • Owner and Admins can access all log data without any restrictions.

To set up and manage RBAC, use the Settings > Team (Manage Team) page.

The Members tab shows the list of users.
Actions such as adding users to or removing users from the Mezmo organization, and managing roles and groups, can be performed on this page.
Note: Users with "Role: Member" have read-only access on this page.

The Groups tab shows the list of Groups.
Actions such as creating/managing Groups can be performed on this page.
Note: This page can be accessed by "Role: Owner" or "Role: Admin".

The Settings tab lists the Team settings.
Group Access, Discoverability, and Sign-in Policy can be updated on this page.
Note: This page can be accessed by "Role: Owner" or "Role: Admin".

Let's dive into the details of the Groups page

This page lists the Groups created by the Owner or Admins of the account. Each Group contains the following components:
Group Name (required), Members (optional, recommended), and Access Scope (optional, recommended).

  • Group Name is a required field. The Owner/Admin can name the Group in a way that makes sense for their organizational structure, for example, Customer Support.
  • Members lists the users who are part of the Group, for example, the Customer Support team members within the organization. Members can be part of multiple Groups. The level of access is the combination of all.
  • Access Scope defines the access level of the Group Member. Group Members can only see the logs that are described in the Access Scope. To test the Access Scope and confirm the logs that Group Members see, you can click on "Preview".

If we use the "Customer Support" Group from the screenshot above as an example:
[email protected], [email protected], [email protected] are restricted to see only the logs that contain app:web, and logs that contain accountID.

On the Settings tab:

By default, each account lets “Members without assigned Groups” see all the logs with no restriction. If this is toggled "off", then “Members without assigned Groups” cannot see the logs until they are added to a Group.
The state of this rule only affects users who have "Role: Member" and are not part of any Group.
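
The access rules described above (unrestricted Owner/Admin, the union of scopes across Groups, and the "Members without assigned Groups" setting) can be modelled in a few lines to review a team layout before applying it. This is an added example, not Mezmo's code or API. The scope mini-syntax, the user names and the sample logs are constructed assumptions, a Group with an empty scope grants nothing in this model, and the Read role is left out.

```python
from dataclasses import dataclass

UNRESTRICTED = {"owner", "admin"}  # per the page, these roles cannot be restricted

@dataclass
class Group:
    name: str
    members: set
    scope: list  # simplified Access Scope: a log matching any term is visible

@dataclass
class Team:
    roles: dict                     # user -> "owner" | "admin" | "member"
    groups: list
    ungrouped_see_all: bool = True  # the page's default for Members without Groups

def term_matches(term, log):
    # Assumed mini-syntax: "field:value" is an exact field match,
    # a bare word is a substring match on the log line.
    if ":" in term:
        key, value = term.split(":", 1)
        return log.get(key) == value
    return term in log.get("line", "")

def can_view(team, user, log):
    if team.roles[user] in UNRESTRICTED:
        return True
    joined = [g for g in team.groups if user in g.members]
    if not joined:
        return team.ungrouped_see_all
    # Multiple Groups combine: access is the union of every joined Group's scope.
    return any(term_matches(t, log) for g in joined for t in g.scope)

def visible(team, user, logs):
    # Out-of-scope lines are dropped with no warning, as the page notes.
    return [log for log in logs if can_view(team, user, log)]

def ungrouped_members(team):
    # Members who currently see everything only because they are in no Group.
    if not team.ungrouped_see_all:
        return []
    grouped = set().union(*(g.members for g in team.groups))
    return sorted(u for u, r in team.roles.items() if r == "member" and u not in grouped)

# Constructed sample data (not from the page's screenshot).
LOGS = [{"app": "web", "line": "GET /login 200"},
        {"app": "billing", "line": "charge failed accountID=42"},
        {"app": "db", "line": "slow query on orders"}]
TEAM = Team(roles={"olivia": "owner", "sam": "member", "ravi": "member", "newhire": "member"},
            groups=[Group("Customer Support", {"sam", "ravi"}, ["app:web", "accountID"]),
                    Group("SRE", {"ravi"}, ["app:db"])])
```

With the default setting, `ungrouped_members(TEAM)` lists the accounts that have full log visibility only because nobody has placed them in a Group yet.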