# SSO & RBAC

* [Single Sign On](#single-sign-on)
* [Role Based Access Control (RBAC)](#role-based-access-control)
* [Invite Users](#invite-users)
* [Configuration Changes](#configuration-changes)
* [JIT User Provisioning](#jit-user-provisioning)

# Single Sign On

Arize AX supports Single Sign-On via SAML2. Configure your Identity Provider with the following information about the Arize Service:

<Tabs>
  <Tab title="US Client">
    * SSO URL / ACS (Assertion Consumer Service): `https://app.arize.com/auth/v2/saml`
    * URI / EntityID: `https://app.arize.com`
    * UserName / NameID format: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

    If needed for your Identity Provider, Arize SAML metadata.xml can be downloaded from `https://app.arize.com/auth/v2/saml/metadata`
  </Tab>

  <Tab title="EU Client">
    * SSO URL / ACS (Assertion Consumer Service): `https://app.eu-west-1a.arize.com/auth/v2/saml`
    * URI / EntityID: `https://app.eu-west-1a.arize.com`
    * UserName / NameID format: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

    If needed for your Identity Provider, Arize SAML metadata.xml can be downloaded from `https://app.eu-west-1a.arize.com/auth/v2/saml/metadata`
  </Tab>
</Tabs>

To configure SAML settings, role mappings, and user provisioning, see the SAML Configuration page.

<Card title="SAML Configuration" icon="gear" href="/ax/security-and-settings/sso-and-rbac/saml-configuration" />

# Role Based Access Control

Arize AX supports full role-based access control. Using organizations and spaces, users can be restricted to only the data they are permitted to access. Your Arize AX account can consist of multiple organizations and spaces.

In addition to built-in roles, Arize AX supports fine-grained custom roles that can be assigned at the space or project level for more granular access control.

<Frame>
  <img src="https://storage.googleapis.com/arize-phoenix-assets/assets/images/security-rbac.png" alt="" />
</Frame>

<CardGroup cols={3}>
  <Card title="Custom Roles" icon="user-shield" href="/ax/security-and-settings/sso-and-rbac/custom-roles">
    Create roles with fine-grained permissions
  </Card>

  <Card title="Project Restrictions" icon="lock" href="/ax/security-and-settings/sso-and-rbac/project-restrictions">
    Restrict access to sensitive projects
  </Card>

  <Card title="RBAC REST API" icon="code" href="/ax/security-and-settings/sso-and-rbac/rbac-rest-api">
    Manage access control programmatically
  </Card>
</CardGroup>

### Account

You are a member of *one* Arize AX account. An account consists of one or more organizations.

**Admin** - Has full access to all entities in the account. Can manage users, create organizations, manage custom roles, and configure AI provider integrations.

**Member** - Access is determined by organization and space roles.

<table>
  <thead>
    <tr>
      <th>Action</th>
      <th>Admin</th>
      <th>Member</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        <p>User management</p>

        <ul>
          <li>Invite users, remove users, and change user roles</li>
        </ul>
      </td>

      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create organizations</td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create and manage custom roles</td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Manage AI provider integrations</td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>
  </tbody>
</table>

### Organizations

Organizations represent a single business unit and help you silo work across different areas of your business. Within your account, you can be a member of multiple Organizations. An Organization may consist of one or more spaces.

**Admin** - Has full access to all entities in the organization, including AI provider integrations.

**Member** - Has partial access at the organizational level. Can create spaces and integration keys. They can only edit or delete integration keys they create. Space access is determined by space role.

**Read-only Member** - Has read-only access to the organization. Cannot create spaces or integration keys. Public space access is read-only unless added to the space. Private space access is determined by space role.

<table>
  <thead>
    <tr>
      <th width="233">Action</th>
      <th width="161">Admin</th>
      <th width="129">Member</th>
      <th>Read-only Member</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        <p>Organization Member management</p>

        <ul>
          <li>Invite and remove members and change their roles</li>
        </ul>
      </td>

      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create spaces</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>

    <tr>
      <td>View public spaces</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
    </tr>

    <tr>
      <td>Edit public spaces</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌ (unless explicitly added)</td>
    </tr>

    <tr>
      <td>View private spaces</td>
      <td><strong>✅</strong></td>

      <td>
        <p>If added to space: <strong>✅</strong></p>
        <p>If not: ❌</p>
      </td>

      <td>
        <p>If added to space: <strong>✅</strong></p>
        <p>If not: ❌</p>
      </td>
    </tr>

    <tr>
      <td>Create integration keys</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Edit / delete integration keys</td>
      <td><strong>✅</strong></td>
      <td>If creator: <strong>✅</strong><br />If not: ❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Manage AI provider integrations</td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>
  </tbody>
</table>

### Spaces

Spaces represent an environment for groups of models. You can be a member of multiple spaces across multiple organizations within your account. Spaces can either be public or private. Public Spaces are visible to all members (regardless of role) of the parent organization. Private spaces are only visible to explicitly invited members of the space.

**Admin** - Has full access to all entities in the space.

**Member** - Has write access to entities associated with models (e.g., monitors) but does not have access to membership management.

**Read-only Member** - Has read-only access to entities in the space. Due to popular customer request, read-only members are still able to run the prompt playground.

**Annotator** - Has access only to assigned items in the labeling queue.

<table>
  <thead>
    <tr>
      <th>Action</th>
      <th width="120">Admin</th>
      <th width="120">Member</th>
      <th width="120">Read-only</th>
      <th width="120">Annotator</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        <p>Space Member management</p>

        <ul>
          <li>Invite and remove members and change their roles</li>
        </ul>
      </td>

      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create Projects</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Delete Projects</td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Send traces</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create and delete file import jobs</td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Update model settings</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit Dashboards</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit Monitors</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>View project entities (Datasets, monitors, dashboards etc.)</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit Evaluation Tasks</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit Datasets</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Run Experiments</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Annotate on Spans</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit/Delete Prompts</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit Evaluators</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Create/Edit Custom Metrics</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Manage Tags</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>View/Manage Data Fabric</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
      <td>❌</td>
    </tr>

    <tr>
      <td>Access Annotation Queues</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
    </tr>

    <tr>
      <td>Run Playground</td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td><strong>✅</strong></td>
      <td>❌</td>
    </tr>
  </tbody>
</table>

<Warning>
  Managing AI provider integrations (creating, updating, deleting) requires Organization Admin or Account Admin access. Space-level roles do not grant AI provider management permissions.
</Warning>

<Info>
  For more granular control over permissions, you can create [custom roles](/ax/security-and-settings/sso-and-rbac/custom-roles) and assign them to specific users at the space or project level.
</Info>

# Invite Users

Want to invite team members?

1. Go to 'Account Settings' --> Members --> Add Members
2. Go to 'Org Settings' --> Members --> Add Members
3. Go to 'Space Settings' --> Members --> Add Members

When adding a member, you will select their permission level for your Account, Organization, and Space.

You can also invite and manage users programmatically — including listing, updating, and removing users across your account, organizations, and spaces. See the [RBAC REST API](/ax/security-and-settings/sso-and-rbac/rbac-rest-api) for the full endpoint reference, or go directly to the [interactive API docs](https://api.arize.com/v2/docs).

<Frame>
  <img src="https://storage.googleapis.com/arize-phoenix-assets/assets/gifs/settings-adding-member.gif" alt="" />
</Frame>

## Troubleshooting Invite Errors

<Accordion title="'We couldn't complete this invite' — what does this mean?">
  This generic error can be triggered by several conditions:

  * **Email already exists in the system** — If the email address is associated with an active or inactive user (even in a different account), the invite will be rejected. Check whether the user already has an Arize account with that email.
  * **Missing required fields** — A role (admin, member, annotator) must be assigned at invite time.
  * **SAML misconfiguration** — If the email domain matches a configured IdP and the configuration is invalid (e.g., bad metadata), the invite may be blocked. Verify your SAML metadata is correct in [SAML Configuration](/ax/security-and-settings/sso-and-rbac/saml-configuration).

  If none of the above apply, contact [Arize support](mailto:support@arize.com).
</Accordion>

<Accordion title="Does having SSO configured (but not enforced) affect invites?">
  No. If **Allow Only SAML Logins** is off, invites work the same as for accounts without SSO. Role mappings and the "Sync permissions on each login" setting are login-time features and have no effect on the invite flow.
</Accordion>

# Configuration Changes

To rename an organization or space:

1. Go to 'Organization Settings' --> Config
2. Go to 'Space Settings' --> Config

Note: project names are defined when tracing is set up. They are not configurable in the UI.

# JIT User Provisioning

To enable just-in-time user provisioning, it is recommended to provide an attribute named `Name` or `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` containing the user's full name, so that Arize AX can correctly populate the user's first and last name.

Arize also supports automated role assignment during JIT provisioning, enabling you to enforce role-based access control. To configure this, you declare a mapping between the values of a specified SAML attribute from your Identity Provider (IdP) and the corresponding Arize user roles. For example, if you have an attribute for team/department in your IdP (e.g., **`"Department": "Ads ML Engineering"`**), you can map that attribute value to a specific Space/Org role in Arize AX. Role mappings also support assigning [custom roles](/ax/security-and-settings/sso-and-rbac/custom-roles) for fine-grained permissions. These attributes need to be included in the SAML assertion/response.

Below is an example configuration:

```xml
<saml2:Attribute Name="Department"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="xs:string"
                >Ads ML Engineering</saml2:AttributeValue>
</saml2:Attribute>
```
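The attribute-to-role mapping described above, shown as an added example (not Arize's own code) of how a service provider resolves roles from an assertion's `AttributeStatement`: the `Name` attribute is split into first/last name, each `Department` value is looked up in a hypothetical mapping table, and values that are not mapped grant nothing, so an unexpected IdP value cannot elevate a user. The assertion, the `ROLE_MAPPING` table and the scope names are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample assertion fragment (not a real IdP response). In a real
# flow, signature validation and audience/time checks happen before this step.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Department"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">Ads ML Engineering</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml2:AttributeValue>Ada Lovelace</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical mapping: (attribute name, value) -> list of (scope, role).
# Anything not listed here deliberately maps to no role (least privilege).
ROLE_MAPPING = {
    ("Department", "Ads ML Engineering"): [("space:ads-ml", "member")],
    ("Department", "Platform Security"): [("org:acme", "admin")],
}


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def split_name(attrs):
    """Derive (first, last) from the `Name` or WS-Federation name claim; empty if absent."""
    full = (attrs.get("Name") or attrs.get(NAME_CLAIM) or [""])[0]
    first, _, last = full.partition(" ")  # everything after the first space is the last name
    return first, last


def resolve_roles(attrs, mapping=ROLE_MAPPING):
    """Collect roles for every (attribute, value) pair present in the mapping."""
    roles = []
    for name, values in attrs.items():
        for value in values:
            roles.extend(mapping.get((name, value), []))
    return roles
```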

Once this configuration is set, Arize AX will automatically assign the appropriate roles when provisioning users via SSO, based on your role mapping.
To configure SAML settings, see the SAML Configuration page.

<Card title="SAML Configuration" icon="gear" href="/ax/security-and-settings/sso-and-rbac/saml-configuration" />
