Access control

PostHog's access control system allows you to manage permissions at three levels: organization, project, and resource. This hierarchical approach provides granular control over who can view and edit different parts of PostHog.

Levels of access control

1. Organization level

Organization members can have one of three access levels, which determine their permissions for organization-wide settings and actions.

The three access levels are: Member, Admin, and Owner. An organization must have at least one Owner but can have more than one.

Permission | Member (base level) | Admin | Owner
Viewing and querying project data
Accessing billing management
Managing reverse proxies
Creating and deleting projects
Managing project access controls (see more below)
Changing authentication settings (SAML, SSO settings, 2FA enforcement, etc.)
Changing organization settings (name, logo, etc.)
Managing RBAC Roles (creating, editing, deleting, changing members, etc.)
Inviting new members (only for current level or below)
Managing members (changing roles, removing, etc.)
Leaving an organization
Transferring organization ownership
Deleting an organization

Access levels can be viewed and changed in the Members section of organization settings.

2. Project level

This feature is currently being rolled out to all users, so you may not see this experience yet. If you're interested in trying it out, please email zach@posthog.com with "Access control beta" in the subject line.

At the project level, there are two access levels: member and admin.

Each project has a default access level that applies to all organization members:

  • No access – Members need explicit permission to access the project
  • Member – All organization members have member-level access
  • Admin – All organization members have admin-level access

You can override the default access level for specific members or roles. A user's effective access level is the highest level granted from any source.

Organization owners and admins automatically receive project admin access.

See the table below for a summary of project-level permissions:

Permission | Member | Admin
Manage project access controls
Delete project
Edit project settings
View/edit own or permitted resources (based on resource-level access controls)
View/edit all resources (regardless of resource-level access controls)

3. Resource level

This feature is currently being rolled out to all users, so you may not see this experience yet. If you're interested in trying it out, please email zach@posthog.com with "Access control beta" in the subject line.

Resource access controls allow you to control who can view and edit specific resource objects. These can be accessed in the "Access control" sidebar when viewing a supported resource.

Currently, resource access controls are available for:

  • Insights
  • Dashboards
  • Notebooks
  • Feature flags
  • (more resource types coming soon – looking for others? Let us know!)

Note: We do not yet support limiting access to querying data, viewing replays, or accessing person / group profiles. Support for these features is planned for the near future.

Resource access controls have three possible access levels:

  • No access – Cannot view or edit the resource
  • View – Can view but not modify the resource
  • Edit – Can view and modify the resource

There are two ways to set resource-level access controls:

a. Individual resource object

These settings allow you to control who can view and edit a specific resource object. You can access these controls via the project's access control settings.

By default, new resources are set to "Edit" access. Users with appropriate permissions can modify this default and set specific permissions for members and roles.

Resource creators and project admins can always view and edit resources, as well as manage their access controls. Only creators and project admins can manage access controls for a resource object.

You cannot set resource-level access controls for project admins, as they always have full access.

b. All resource objects of a given type in a project

These settings allow you to control who can view and edit all resources of a given type within a project. These controls are set at the project level.

You can set default access levels for all resources of a given type in a project. This allows you to set it once and apply it to all resources of that type in the project (past and future).

Project-wide access controls for resources take precedence over individual resource object access controls.

You cannot set project-wide access controls for project admins, as they always have full access.
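
The precedence rules from the project and resource sections, combined into one resolver. This is an added example, not PostHog's own code: the Rules class, function names and sample users are hypothetical. It assumes that "highest level wins" also applies within a resource scope, that project-wide resource settings only apply once something is configured, and that a user with no project access gets no resource access.

```python
from dataclasses import dataclass, field
from typing import Optional

PROJECT_RANK = {"none": 0, "member": 1, "admin": 2}
RESOURCE_RANK = {"none": 0, "view": 1, "edit": 2}

@dataclass
class Rules:
    """Hypothetical model of one scope: a default plus member and role overrides."""
    default: Optional[str] = None          # None means "nothing configured"
    members: dict = field(default_factory=dict)
    roles: dict = field(default_factory=dict)

    def grants(self, user, user_roles):
        found = [self.default, self.members.get(user)]
        found += [self.roles.get(r) for r in user_roles]
        return [g for g in found if g is not None]

def project_level(org_level, project, user, user_roles=()):
    # Organization owners and admins automatically receive project admin access.
    if org_level in ("owner", "admin"):
        return "admin"
    # The effective level is the highest level granted from any source.
    return max(project.grants(user, user_roles) or ["none"], key=PROJECT_RANK.get)

def resource_level(org_level, project, type_rules, object_rules, creator, user, user_roles=()):
    level = project_level(org_level, project, user, user_roles)
    if level == "none":                    # assumption: no project access, no resources
        return "none"
    if level == "admin" or user == creator:
        return "edit"                      # project admins and creators always have full access
    # Project-wide settings for the resource type take precedence over the object's own.
    grants = type_rules.grants(user, user_roles) or object_rules.grants(user, user_roles)
    # New resources default to "Edit" when nothing is configured.
    return max(grants or ["edit"], key=RESOURCE_RANK.get)

# Constructed sample data (not from PostHog): a locked-down project and one dashboard.
project = Rules(default="none", members={"dana": "member", "frank": "member"},
                roles={"leads": "admin"})
dashboard = Rules(default="view", members={"dana": "edit"})
unset, locked = Rules(), Rules(default="none")

if __name__ == "__main__":
    for user in ("dana", "frank", "eve"):
        print(user, resource_level("member", project, unset, dashboard, "carl", user),
              resource_level("member", project, locked, dashboard, "carl", user))
```

Running the resolver over every member before tightening a project default shows who would lose access and who keeps it through a role or an organization-level grant.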

Feature availability

Free / Ridiculously cheap

These plans do not currently offer any access control features. All projects are open to all members and all resources are open to all members with "Edit" access.

Teams

The Teams Add-on gives advanced permissions.

Its goal is to let teams with stricter access requirements control who can access their projects and resources.

On this plan, you can set default access levels for projects and resources, and also set specific access levels for individual members (but not roles).

Enterprise

While you can create roles on any plan, they can only be used for access control on Enterprise plans.

Instead of managing permissions individually, you can create roles to group users together. Roles can be assigned permissions at both the project and resource level.
