- Single Sign On
- Role Based Access Control (RBAC)
- Invite Users
- [Configuration Changes]
- JIT User Provisioning
Single Sign On
Arize supports Single Sign-On via SAML2. Configure your Identity Provider with the following information about the Arize Service:- US Client
- EU Client
- SSO URL / ACS (Assertion Consumer Service) :
https://app.arize.com/auth/v2/saml - URI / EntityID:
https://app.arize.com - UserName / NameID format:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
https://app.arize.com/auth/v2/saml/metadataSAML Configuration
Role Based Access Control
Arize supports full role-based access control. Using organizations and spaces, users can be restricted to only have access to data they are permitted. Your Arize account can consist of multiple organizations and spaces. In addition to built-in roles, Arize supports fine-grained custom roles that can be assigned at the space or project level for more granular access control.
Custom Roles
Create roles with fine-grained permissions
Project Restrictions
Restrict access to sensitive projects
RBAC REST API
Manage access control programmatically
Account
You are a member of one Arize account. An account consists of one or more organizations. Admin - Has full access to all entities in the account. Can manage users, create organizations, manage custom roles, and configure AI provider integrations. Member - Access is determined by organization and space roles.| Action | Admin | Member |
|---|---|---|
User management
| ✅ | ❌ |
| Create organizations | ✅ | ❌ |
| Create and manage custom roles | ✅ | ❌ |
| Manage AI provider integrations | ✅ | ❌ |
Organizations
Organizations represent a single business unit and help you silo work across different areas of your business. Within your account, you can be a member of multiple Organizations. An Organization may consist of one or more spaces. Admin - Has full access to all entities in the organization, including AI provider integrations. Member - Has partial access at the organizational level. Can create spaces and integration keys. They can only edit or delete integration keys they create. Space access is determined by space role. Read-only Member - Has read-only access to the organization. Cannot create spaces nor integration keys. Public space access is read-only unless added to the space. Private space access is determined by space role.| Action | Admin | Member | Read-only Member |
|---|---|---|---|
Organization Member management
| ✅ | ❌ | ❌ |
| Create spaces | ✅ | ✅ | ❌ |
| View public spaces | ✅ | ✅ | ✅ |
| Edit public spaces | ✅ | ✅ | ❌ (unless explicitly added) |
| View private spaces | ✅ | If added to space: ✅ If not: ❌ | If added to space: ✅ If not: ❌ |
| Create integration keys | ✅ | ✅ | ❌ |
| Edit / delete integration keys | ✅ | If creator: ✅ If not: ❌ | ❌ |
| Manage AI provider integrations | ✅ | ❌ | ❌ |
Spaces
Spaces represent an environment for groups of models. You can be a member of multiple spaces across multiple organizations within your account. Spaces can either be public or private. Public Spaces are visible to all members (regardless of role) of the parent organization. Private spaces are only visible to explicitly invited members of the space. Admin - Has full access to all entities in the space. Member - Has write access to entities associated to models (e.g., monitors) but does not have access to membership management. Read-only Member - Has read-only access to entities in the space. Due to popular customer request, read-only members are still able to run the prompt playground. Annotator - Has access only to assigned items in the labeling queue.| Action | Admin | Member | Read-only | Annotator |
|---|---|---|---|---|
Space Member management
| ✅ | ❌ | ❌ | ❌ |
| Delete Projects | ✅ | ❌ | ❌ | ❌ |
| Create and delete file import jobs | ✅ | ❌ | ❌ | ❌ |
| Update model settings | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Dashboards | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Monitors | ✅ | ✅ | ❌ | ❌ |
| View project entities (Datasets, monitors, dashboards etc.) | ✅ | ✅ | ✅ | ❌ |
| Create/Edit Evaluation Tasks | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Datasets | ✅ | ✅ | ❌ | ❌ |
| Run Experiments | ✅ | ✅ | ❌ | ❌ |
| Annotate on Spans | ✅ | ✅ | ❌ | ❌ |
| Create/Edit/Delete Prompts | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Evaluators | ✅ | ✅ | ❌ | ❌ |
| Create/Edit Custom Metrics | ✅ | ✅ | ❌ | ❌ |
| Manage Tags | ✅ | ✅ | ❌ | ❌ |
| View/Manage Data Fabric | ✅ | ✅ | ❌ | ❌ |
| Access Annotation Queues | ✅ | ✅ | ✅ | ✅ |
| Run Playground | ✅ | ✅ | ✅ | ❌ |
For more granular control over permissions, you can create custom roles and assign them to specific users at the space or project level.
Invite Users
Want to invite team members?- Go to ‘Account Settings’ —> Members —> Add Members
- Go to ‘Org Settings’ —> Members —> Add Members
- Go to ‘Space Settings’ —> Members —> Add Members
Configuration Changes
To re-name an organization:- Go to ‘Organization Settings’ —> Config
- Go to ‘Space Settings’ —> Config
JIT User Provisioning
To enable just-in-time user provisioning, it’s recommended to provide an attributeName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name that maps to the full name of the user to properly create the First/Last Name for the user in Arize AX.
Arize also supports automated role assignment during JIT provisioning, enabling you to enforce role-based access control. To configure this, you can declare a mapping between the values of a specified SAML attribute from your Identity Provider (idP) and corresponding Arize user roles. For example, if you have an attribute for team/department in your idP (e.g., "Department": "Ads ML Engineering"), you can map that attribute to a specific Space/Org role in Arize. Role mappings also support assigning custom roles for fine-grained permissions. These attributes need to be included in the SAML assertion/response.
Below is an example configuration: