Roles and permissions
These are the built-in roles for the Observability service. Each row lists a role, what it
grants, and the exact permissions it includes. Roles are system-defined (built-in) or
custom; permissions are system-defined and read-only. The platform-wide Viewer,
Editor, and Admin roles also apply across every service; see the
roles and permissions catalogue. You can also compose
a custom role from any of these permissions.
Two Observability specifics are worth knowing:
- There is no ingest permission. Workloads push telemetry through the collection pipeline, never through an API call, so no permission governs raw ingestion. Permissions cover reading telemetry and managing the configuration around it.
- Quota-limit changes are admin-only. The editor tier can read quota definitions and limits but cannot create or update a limit, so an editor cannot raise the query quotas of their own workspace.
An organisation-wide query (the - workspace wildcard) additionally requires the relevant
query permission granted at organisation scope.
Observability ships the service-level trio today; per-resource roles follow the same matrix as the other services and are planned.
| Role | Included permissions |
|---|---|
| Observability Viewer Read-only access to all observability resources | observability.activity.getobservability.activity.listobservability.alertrule.getobservability.alertrule.listobservability.ingestionconfig.getobservability.ingestionconfig.listobservability.log.queryobservability.log.tailobservability.logsink.getobservability.logsink.listobservability.metric.queryobservability.operation.getobservability.operation.listobservability.quotadefinition.getobservability.quotadefinition.listobservability.quotalimit.getobservability.quotalimit.listobservability.retentionpolicy.getobservability.retentionpolicy.listobservability.silence.getobservability.silence.listobservability.trace.query |
| Observability Editor Read/write access to all observability resources | observability.activity.getobservability.activity.listobservability.alertrule.createobservability.alertrule.getobservability.alertrule.listobservability.alertrule.updateobservability.ingestionconfig.createobservability.ingestionconfig.getobservability.ingestionconfig.listobservability.ingestionconfig.updateobservability.log.queryobservability.log.tailobservability.logsink.createobservability.logsink.getobservability.logsink.listobservability.logsink.updateobservability.metric.queryobservability.operation.getobservability.operation.listobservability.quotadefinition.getobservability.quotadefinition.listobservability.quotalimit.getobservability.quotalimit.listobservability.retentionpolicy.createobservability.retentionpolicy.getobservability.retentionpolicy.listobservability.retentionpolicy.updateobservability.silence.createobservability.silence.getobservability.silence.listobservability.trace.query |
| Observability Admin Full access to all observability resources | observability.activity.getobservability.activity.listobservability.alertrule.createobservability.alertrule.deleteobservability.alertrule.getobservability.alertrule.listobservability.alertrule.updateobservability.ingestionconfig.createobservability.ingestionconfig.getobservability.ingestionconfig.listobservability.ingestionconfig.updateobservability.log.queryobservability.log.tailobservability.logsink.createobservability.logsink.deleteobservability.logsink.getobservability.logsink.listobservability.logsink.updateobservability.metric.queryobservability.operation.getobservability.operation.listobservability.quotadefinition.getobservability.quotadefinition.listobservability.quotalimit.createobservability.quotalimit.deleteobservability.quotalimit.getobservability.quotalimit.listobservability.quotalimit.updateobservability.retentionpolicy.createobservability.retentionpolicy.getobservability.retentionpolicy.listobservability.retentionpolicy.updateobservability.silence.createobservability.silence.deleteobservability.silence.getobservability.silence.listobservability.trace.query |