Authorization

Monte Carlo uses permission-based authorization. Permission policy statements are specified in role definitions. Roles are assigned to groups, and users are added as members of groups. A user's effective permissions depend on the groups they belong to.

```mermaid
graph LR
    U[User] -->|member of| G[Authorization Group]
    G -->|assigned| R1[Role A]
    G -->|assigned| R2[Role B]
    R1 -->|policy statement| P1["dashboard/*: allow"]
    R1 -->|policy statement| P2["dashboard/edit: deny"]
    R2 -->|policy statement| P3["monitors/*: allow"]
    G -.->|optionally scoped to| D[Domain]
```

Key concepts

Permissions

A permission represents an action in the system that is controlled by authorization. Permissions are organized hierarchically under resources, which map to features and feature areas in Monte Carlo. The IAM resources and permissions list gives full information on what is currently available.

Roles

A role is a named set of policy statements — each statement pairs a permission path with an effect (allow or deny). Monte Carlo provides built-in roles for common use cases, and you can create custom roles to tailor permissions for your organization.

Authorization groups

An authorization group combines one or more roles with a list of members and optional domain restrictions. Groups are the unit through which permissions are assigned to users. See Managing authorization groups for details on creating and configuring groups.

Domains

Authorization groups can further be scoped to specific domains, limiting permission effects to particular subsets of assets in Monte Carlo. If a group has no domain restriction, its permissions apply to all data.
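The user, group, role and domain chain described above can be modeled in a few lines. This is an added example, not Monte Carlo's code or API: the class and function names, the users, group names, domain names and the `dashboard/view` and `monitors/create` permissions are constructed, and the resolution rules (most specific path wins, deny wins a tie, no match means no access, statements from all of a user's groups are combined) are assumptions; the actual rules are covered in Policies and permission resolution.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    statements: dict  # permission path -> "allow" or "deny"

@dataclass
class Group:
    name: str
    roles: list
    members: set
    domains: set = field(default_factory=set)  # empty set = no domain restriction

def matches(pattern, permission):
    # "dashboard/*" covers every permission under "dashboard/"
    if pattern.endswith("/*"):
        return permission.startswith(pattern[:-1])
    return pattern == permission

def specificity(pattern):
    # ASSUMPTION: an exact path outranks a wildcard, deeper paths outrank shallower
    return (not pattern.endswith("/*"), pattern.count("/"))

def is_allowed(user, permission, domain, groups):
    best = None  # (specificity, is_deny) of the winning statement
    for group in groups:
        if user not in group.members:
            continue
        if group.domains and domain not in group.domains:
            continue  # group is scoped to other domains
        for role in group.roles:
            for pattern, effect in role.statements.items():
                if matches(pattern, permission):
                    # ASSUMPTION: on equal specificity, deny wins
                    candidate = (specificity(pattern), effect == "deny")
                    if best is None or candidate > best:
                        best = candidate
    # ASSUMPTION: no matching statement means no access
    return best is not None and not best[1]

# Constructed sample data; the policy statements are the ones in the diagram above
ROLE_A = Role("Role A", {"dashboard/*": "allow", "dashboard/edit": "deny"})
ROLE_B = Role("Role B", {"monitors/*": "allow"})
GROUPS = [
    Group("finance-analysts", [ROLE_A, ROLE_B], {"alice"}, {"finance"}),
    Group("monitor-admins", [ROLE_B], {"bob"}),
]

if __name__ == "__main__":
    for perm in ("dashboard/view", "dashboard/edit", "monitors/create"):
        print(perm, is_allowed("alice", perm, "finance", GROUPS))
```
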

Topics

| Topic | Description |
| --- | --- |
| Managing users | Inviting users, assigning them to groups, SSO integration |
| Managing authorization groups | Creating groups, assigning roles, domain restrictions, multi-group behavior |
| Data authorization | How domain and connection restrictions limit which specific data a user can access |
| Managing roles | Built-in roles overview, creating custom roles via API and UI |
| Custom role recipes | Ready-to-use patterns for common custom role scenarios |
| Policies and permission resolution | How policy statements, effects, types, paths, and specificity determine a user's effective permissions |

Reference

| Page | Description |
| --- | --- |
| IAM built-in roles | Detailed permissions for each built-in role |
| IAM resources and permissions | Full catalog of resources and permissions available for use in role definitions |