Managed ClickStack onlyRBAC is only available in Managed ClickStack deployments.
User access prerequisites
ClickStack authenticates through ClickHouse Cloud. Before you can assign ClickStack roles, each user must:- Be invited to your ClickHouse Cloud organization. An organization admin invites users from the Cloud console. See Manage cloud users for details.
- Have SQL Console access on the service. Navigate to your service’s Settings → SQL Console Access and set the appropriate permission level:
Once a user has Cloud access, they appear in the ClickStack Team Settings page where you can assign a ClickStack role.
- Cloud Users and roles
- ClickStack Team Settings
Built-in roles
ClickStack includes three system roles. You can’t edit or delete these. The Admin role is assigned to the team creator by default.Assigning roles to team members
The Team Settings page lists all team members with their current role. To change a role, click Edit next to the user’s name and select a new role. Each user has exactly one role.Default new user role
You can set a default role for new users under Security policies. New users who auto-join the team are automatically assigned this role.Creating a custom role
1
Navigate to Team Settings
Open Team Settings and scroll to RBAC Roles.2
Add a new role
Click + Add Role. Enter a Role Name and optionally add a Description.3
Configure permissions and save
Set permissions for the role, then click Create Role.Role permissions
Resource permissions
Each role grants an access level per resource type. The three levels are:
The resource types you can control are:
- Dashboards — saved dashboard layouts and charts.
- Saved searches — persisted log/trace/event queries.
- Sources — ingestion source configurations.
- Alerts — alert rules and their notification settings.
- Webhooks — outbound notification destinations (such as Slack, PagerDuty, and generic HTTP endpoints) that alerts deliver to. This doesn’t refer to the ClickStack API.
- Notebooks — collaborative investigation notebooks.
Administrative permissions
In addition to resource permissions, each role includes two administrative settings:- Users (No Access · Limited Access) — controls whether the role can view team members and their roles. Only Admins can invite, remove, or update users.
- Team (Read · Manage) — controls whether the role can view or modify team-level settings such as security policies and RBAC configuration.
Fine-grained access rules
Dashboards, Saved Searches, Sources, and Notebooks support fine-grained controls that restrict access to individual resources within a category. Use these when you need to limit a role to specific resources rather than granting blanket access to the entire resource type.Default access vs. fine-grained controls
Each resource type has an Access Control Mode:- Default Access — applies a single access level (No Access, Read, or Manage) to all resources of that type.
- Fine-Grained Controls — lets you define access rules that match specific resources by condition. Resources that don’t match any rule default to no access.
Configuring access rules
Each access rule consists of a condition and an access level. Conditions match resources by their properties:
The following screenshot shows both the dashboard ID highlighted in the URL bar and a “TESTING” tag visible in the tag panel (top-right).
You can add multiple rules per resource type. Each rule is checked independently using OR logic — a resource is accessible if it matches any rule. Resources that don’t match any rule aren’t accessible.
Example: To give a role read-only access to testing dashboards, expand Dashboards, switch to Fine-Grained Controls, and add two rules:
- Name
containstestingwith access level Read - Tag
istestingwith access level Read