User Roles
Manage user roles and permissions with role-based access control.
Last9 provides role-based access control (RBAC) to manage what users can do within your organization. While User Access controls who can sign up and access your account, the Users feature determines their permissions and capabilities.
Navigate to Users in Settings to view and manage user roles.
User Roles
Last9 supports three role types that determine what actions users can perform:
Admin
Admins have full access to all features and settings, including the ability to manage other users’ roles and organization settings. Only admins can:
- Change any user’s role (including promoting users to Admin)
- Deactivate and reactivate users
- Access organization-wide settings
- Generate and revoke API refresh tokens
- View integration credentials and tokens
- Create and delete ingestion/query tokens
Editor
Editors can create, modify, and delete resources across Last9. This includes creating dashboards, configuring alerts, managing SLOs, and performing all standard platform operations. Editor is currently the default role for new users joining your organization.
Editors can access the API Access page and exchange refresh tokens for access tokens, but they cannot generate new refresh tokens or view integration credentials.
Viewer
Viewers have read-only access across the Last9 platform. This applies to both the web application and APIs. Viewers can:
- Browse dashboards and metrics
- View configurations and settings
- Access reports and analytics
Viewers cannot:
- Create, edit, or delete any resources
- Save changes to configurations
- Modify alerts, SLOs, or other platform settings
- Access the API Access page or generate API tokens
- View integration credentials or tokens
Note on embedded Grafana: Open source Grafana doesn’t include the enterprise role-based access control features. As a workaround, Last9 blocks viewers from saving any edits. When viewers attempt to edit dashboards in the embedded Grafana, they can make changes in the UI, but those changes won’t be saved to the server.
API Token Permissions
Access to API tokens and sensitive credentials is controlled based on user roles:
| Capability | Viewer | Editor | Admin |
|---|---|---|---|
| Access API Access page | ❌ | ✅ | ✅ |
| Generate refresh tokens | ❌ | ❌ | ✅ |
| Revoke refresh tokens | ❌ | ❌ | ✅ |
| Exchange refresh token for access token | ❌ | ✅ | ✅ |
| Create ingestion tokens | ❌ | ❌ | ✅ |
| Create query tokens | ❌ | ❌ | ✅ |
| Delete ingestion/query tokens | ❌ | ❌ | ✅ |
| View integration credentials | ❌ | ❌ | ✅ |
Managing User Roles
Only admins can update user roles. To change a user’s role:
- Navigate to Users in Settings
- Locate the user whose role you want to change
- Click the role dropdown next to their name (showing Admin, Editor, or Viewer)
- Select the new role from the dropdown
Changes take effect immediately, and the user will see updated permissions on their next action or page refresh.
Deactivating Users
Admins can deactivate users who no longer need access to the organization. Deactivating a user:
- Revokes their access to the Last9 platform
- Preserves their historical data and audit trail
- Shows the user as “(deactivated)” in the user list
To deactivate a user:
- Navigate to Users in Settings
- Locate the user you want to deactivate
- Click the ⋮ (more options) menu
- Select Deactivate User
- Confirm the action in the dialog
Reactivating Users
Admins can reactivate previously deactivated users, restoring their access to the organization.
To reactivate a user:
- Navigate to Users in Settings
- Locate the deactivated user (shown with “(deactivated)” label)
- Click the ⋮ (more options) menu
- Select Activate User
- Confirm the action in the dialog
Once reactivated:
- The user regains access to the Last9 platform
- Their previous role is restored
- They can log in immediately
Filtering and Sorting
The Users table provides filtering and sorting capabilities to help you manage larger teams:
- Filter by role: Click the filter icon in the Role column to show only Admins, Editors, or Viewers
- Sort columns: Click any column header to sort users by name, email, role, or when they became active
- Search: Use the search functionality to quickly find specific users
Understanding User Permissions
The combination of User Access and Users settings provides complete control over your Last9 organization:
- User Access determines which email addresses can sign up and access your account through allowlists or blocklists
- Users (this feature) determines what those users can do once they have access through role-based permissions
For example, you might use User Access to allow only users from your engineering team to sign up, then use the Users feature to give most team members the Editor role while assigning the Viewer role to stakeholders who only need read access.
Troubleshooting
Please get in touch with us on Discord or Email if you have any questions.