Arize supports custom roles that give Account Admins precise control over what users can do. Instead of relying solely on the built-in roles (Admin, Member, Read-only, Annotator), you can create roles with specific permissions tailored to your team’s needs.
Custom roles are account-wide and can be assigned to users on individual spaces or projects through role bindings.
Built-in vs Custom Roles
| | Built-in Roles | Custom Roles |
|---|---|---|
| Definition | Predefined by Arize (Admin, Member, Read-only, Annotator) | Created by Account Admins with specific permissions |
| Scope | Applied at the account, organization, or space level | Assigned at the space or project level via role bindings |
| Granularity | Broad permission groups | Individual permissions per feature |
| Modifiable | No | Yes — edit or delete at any time |
Both systems work together. A user’s effective access is the combination of their built-in role and any custom role assignments. For example, a user with a Read-only space role could also have a custom role binding on a specific project that grants write access to that project.
Creating a Custom Role
Only Account Admins can create custom roles.
- Go to Account Settings → Roles.
- Click Create Role.
- Enter a name and optional description for the role.
- Select permissions from the available categories.
- Click Create.
Permission Categories
When creating or editing a custom role, permissions are organized into the following categories:
| Category | Description |
|---|---|
| Projects & Traces | View, create, update, and delete projects, spans, and trace views |
| Datasets & Experiments | Manage datasets, examples, experiments, and experiment runs |
| Tasks | Manage evaluation tasks for projects and experiments |
| Annotations | Configure annotation types, manage labeling queues and queue records |
| Dashboards | Create, edit, and delete dashboards |
| Monitors | Create, edit, delete, and trigger monitors |
| Custom Metrics | Define and manage custom metrics |
| Prompts | Manage prompts, prompt optimization, and playground views |
| Evaluators | Create and manage evaluators |
| AI Providers | View AI provider integrations |
| Tags | Create and manage tags |
| Data Fabric | Manage data fabric connectors |
| ML Models | Manage ML model configurations and file import jobs |
| Users | View and manage user accounts |
| Spaces | Manage space settings |
| Roles | View and manage role bindings and service keys |
| Alyx | Run Alyx AI assistant |
Within each category, you can select individual permissions (e.g., allow creating datasets but not deleting them).
The AI Providers category only includes read access. Creating, updating, and deleting AI provider integrations requires Organization Admin or Account Admin access and cannot be granted through custom roles.
Predefined Project Roles
Arize includes three predefined project-level roles that are ready to use without customization. These roles are designed for project-level restrictions and cannot be modified.
| Capability | Viewer | Editor | Admin |
|---|---|---|---|
| View project, traces, and spans | ✅ | ✅ | ✅ |
| Read evaluations | ✅ | ✅ | ✅ |
| Create and update spans | ❌ | ✅ | ✅ |
| Annotate traces | ❌ | ✅ | ✅ |
| Manage evaluation tasks | ❌ | ✅ | ✅ |
| Delete project | ❌ | ❌ | ✅ |
| Manage project access and restrictions | ❌ | ❌ | ✅ |
You can also create custom roles with any combination of project-level permissions to suit your specific needs.
Assigning Roles (Role Bindings)
A role binding assigns a role to a user on a specific resource — either a space or a project. Each user can have one role binding per resource.
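For access reviews, the following added example (not Arize code and not its API) models the rules described above: one binding per user per resource, and effective access as the built-in role combined with any binding. It assumes the combination is a set union and that a Read-only space role carries the read capabilities; the capability names, users, projects and the "Trace Labeler" role are constructed.

```python
# Capabilities of the predefined project roles, taken from the table on this page.
# The capability names themselves are constructed labels, not Arize identifiers.
VIEWER = frozenset({"view_project", "read_evaluations"})
EDITOR = VIEWER | {"write_spans", "annotate_traces", "manage_eval_tasks"}
ADMIN = EDITOR | {"delete_project", "manage_project_access"}
PROJECT_ROLES = {"Viewer": VIEWER, "Editor": EDITOR, "Admin": ADMIN}

# Assumption: a Read-only space role carries the read capabilities on its projects.
SPACE_ROLES = {"Read-only": VIEWER}


def index_bindings(bindings):
    """Map (user, resource) -> role; a user may hold one binding per resource."""
    index = {}
    for user, resource, role in bindings:
        if (user, resource) in index:
            raise ValueError(f"{user} already has a role binding on {resource}")
        index[(user, resource)] = role
    return index


def effective_access(user, resource, space_role, index, custom_roles):
    """Built-in role combined (assumed: set union) with the binding on the resource."""
    roles = {**PROJECT_ROLES, **custom_roles}
    granted = set(SPACE_ROLES[space_role])
    if (user, resource) in index:
        granted |= roles[index[(user, resource)]]
    return granted


def elevations(space_role_of, index, custom_roles):
    """Bindings that grant more than the holder's space role, for access review."""
    roles = {**PROJECT_ROLES, **custom_roles}
    found = []
    for (user, resource), role in sorted(index.items()):
        extra = roles[role] - SPACE_ROLES[space_role_of[user]]
        if extra:
            found.append((user, resource, sorted(extra)))
    return found

# Constructed sample data: users, projects and the custom role are hypothetical.
CUSTOM_ROLES = {"Trace Labeler": frozenset({"view_project", "annotate_traces"})}
SPACE_ROLE_OF = {"alice": "Read-only", "bob": "Read-only", "carol": "Read-only"}
BINDINGS = index_bindings([
    ("alice", "checkout-bot", "Editor"),
    ("bob", "search-rag", "Trace Labeler"),
    ("carol", "search-rag", "Viewer"),
])
print(elevations(SPACE_ROLE_OF, BINDINGS, CUSTOM_ROLES))
```

Each row returned by `elevations` is a binding worth confirming with the resource owner, since it grants capabilities the user's space role alone would not.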
Via the UI
- Navigate to Space Settings or Project Settings.
- Go to the Members section.
- Click Add Member.
- Select the user and choose a role (predefined or custom).
- Click Save.
Via the REST API
Role bindings can also be managed programmatically. See the RBAC REST API for details.
Via SAML
Role mappings in your SAML configuration can automatically assign custom roles when users log in via SSO. See SAML Configuration for details.