Access control is critical for protecting your AI observability data. ABV provides enterprise-grade authentication and authorization mechanisms to ensure that only the right people can access your organization’s data.

Authentication Methods

ABV supports multiple authentication methods to fit your organization’s security requirements.
The default authentication method for ABV. When you sign up with email and password, ABV enforces standard password complexity requirements to ensure account security.
Password Requirements:
  • Minimum length and complexity standards
  • Protection against common passwords
  • Secure password reset flow with email verification
If you initially signed up with a social login, you can add password authentication by using the “reset password” link on the login page. This creates a password for your existing account without creating a duplicate account.
For simplified access, you can sign in with your Google account. Social login uses OAuth 2.0 to authenticate you without requiring ABV to store your password.
Benefits:
  • One-click authentication
  • No password to remember
  • Leverage Google’s security infrastructure
By default, ABV does not support switching between social login providers or adding social login after signing up with email/password. If you need help with your authentication method, contact support.
For organizations with centralized identity management, ABV supports Enterprise Single Sign-On via OpenID Connect (OIDC).
Supported Identity Providers:
  • Okta
  • Azure Active Directory (Azure AD)
  • Google Workspace
  • Keycloak
  • Any OIDC-compliant provider
How It Works:

Configuration

Your organization’s SSO provider is configured in ABV by the ABV team. Contact us to enable Enterprise SSO for your organization.

User Login

Users enter their email address and click “Continue”. ABV detects that the email domain is configured for SSO and redirects to your identity provider.

Authentication

The user authenticates with your identity provider (Okta, Azure AD, etc.) using whatever authentication methods you’ve configured (password, MFA, biometrics, etc.).

Access Granted

After successful authentication, the user is redirected back to ABV with a secure token, granting them access based on their assigned role.
Enterprise SSO is available on Enterprise plans. Contact sales to learn more.
For maximum security, you can enforce SSO for your entire domain. When SSO enforcement is enabled:
  • All users with email addresses from your domain must use SSO
  • Email/password authentication is disabled for your domain
  • Social logins are disabled for your domain
  • Ensures compliance with corporate authentication policies
Use Cases:
  • Regulatory compliance requiring centralized authentication
  • Organizations that want to disable password-based authentication
  • Companies requiring MFA for all users (enforced via your IdP)
  • Audit trails for all authentication events (via your IdP)
SSO enforcement is configured per domain. Contact support to enable this feature for your organization.
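The per-domain login rules described above, sketched as an added example (this is not ABV's code). The policy fields, the method names and the exact-match handling of subdomains are assumptions, and the domains are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainPolicy:
    sso_configured: bool = False
    sso_enforced: bool = False

# Constructed sample configuration (domains are placeholders).
POLICIES = {
    "corp.example": DomainPolicy(sso_configured=True, sso_enforced=True),
    "lab.example": DomainPolicy(sso_configured=True),
}
NON_SSO = frozenset({"password", "google"})

def email_domain(email):
    """Normalised domain of an address, or None if it is not usable."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "@" in local or "." not in domain:
        return None
    return domain

def allowed_methods(email, policies=POLICIES):
    """Login methods permitted for this address under its domain's policy."""
    domain = email_domain(email)
    if domain is None:
        return frozenset()
    # Assumption: exact domain match; a subdomain needs its own entry.
    policy = policies.get(domain, DomainPolicy())
    if policy.sso_configured and policy.sso_enforced:
        return frozenset({"sso"})      # password and social logins disabled
    if policy.sso_configured:
        return NON_SSO | {"sso"}       # SSO offered, other methods still allowed
    return NON_SSO

def is_login_permitted(email, method, policies=POLICIES):
    """Check to run server-side on every login attempt, whatever the UI showed."""
    return method in allowed_methods(email, policies)
```

Running the same check in the password and social-login handlers, not only on the login form, is what makes enforcement hold for requests that bypass the form.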

Authorization with RBAC

Once authenticated, authorization determines what you can do within ABV. ABV uses Role-Based Access Control (RBAC) to manage permissions at both the organization and project levels.

How RBAC Works in ABV

Organizations

Organizations are the top-level entity in ABV. An organization typically represents your company or team. Users are invited to organizations and assigned an organization-level role.

Projects

Projects exist within organizations and contain your traces, prompts, and evaluations. Users can have different roles in different projects within the same organization.

Roles & Permissions

Roles define what actions a user can perform. Permissions are granular and include actions like viewing traces, creating prompts, managing users, or configuring integrations.

Principle of Least Privilege

Users should have the minimum permissions necessary to perform their job functions. This limits the potential damage from compromised accounts or insider threats.

Available Roles

ABV provides several predefined roles with different permission levels:
Full control over the organization, including:
  • Managing all projects
  • Inviting and removing users
  • Configuring SSO and authentication
  • Managing billing and subscriptions
  • Deleting the organization
When to use: Assign to executives or administrators who need full control
Administrative access without billing control:
  • Managing projects
  • Inviting and removing users
  • Configuring integrations
  • Cannot manage billing or delete the organization
When to use: Assign to team leads or IT administrators
Full control within a specific project:
  • Managing project settings
  • Viewing and modifying all traces, prompts, and evaluations
  • Managing project-level integrations
  • Cannot invite users to the organization
When to use: Assign to project managers or team leads for specific projects
Standard access to a project:
  • Viewing traces, prompts, and evaluations
  • Creating and editing content
  • Cannot change project settings
  • Cannot manage users
When to use: Assign to developers and engineers working with the project
Read-only access to a project:
  • Viewing traces, prompts, and evaluations
  • Cannot create, edit, or delete content
  • Cannot change any settings
When to use: Assign to stakeholders, auditors, or support staff who need visibility without edit access
For detailed instructions on inviting users, assigning roles, and managing permissions, see our Role-Based Access Controls documentation.
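An added example (not ABV's code) of a least-privilege review over project-level assignments: it flags users whose tier exceeds what their documented needs require. The tier labels and permission names are placeholders, since the page describes the tiers without naming them, and the assignment data is constructed.

```python
# Project-level tiers, least to most privileged. Labels and permission
# names are placeholders; the page describes the tiers but does not name them.
PROJECT_TIERS = [
    ("project-read-only", frozenset({"view"})),
    ("project-standard", frozenset({"view", "edit_content"})),
    ("project-full-control", frozenset(
        {"view", "edit_content", "project_settings", "project_integrations"})),
]
RANK = {name: i for i, (name, _) in enumerate(PROJECT_TIERS)}

def minimal_tier(required):
    """Least-privileged project tier covering `required`, or None when no
    project tier does (inviting users, for instance, is an org-level action)."""
    for name, perms in PROJECT_TIERS:
        if set(required) <= perms:
            return name
    return None

def over_privileged(assignments, needs):
    """Return (user, project, current, recommended) for each assignment that
    grants more than the user's documented needs in that project."""
    findings = []
    for (user, project), current in sorted(assignments.items()):
        required = needs.get((user, project), set())
        if not required:
            findings.append((user, project, current, "remove"))  # no stated need
            continue
        recommended = minimal_tier(required)
        if recommended is not None and RANK[recommended] < RANK[current]:
            findings.append((user, project, current, recommended))
    return findings

# Constructed sample data: one user can hold different tiers per project.
ASSIGNMENTS = {
    ("dev@corp.example", "chatbot"): "project-full-control",
    ("dev@corp.example", "search"): "project-standard",
    ("auditor@corp.example", "chatbot"): "project-standard",
    ("lead@corp.example", "chatbot"): "project-full-control",
    ("temp@corp.example", "search"): "project-read-only",
}
NEEDS = {
    ("dev@corp.example", "chatbot"): {"view", "edit_content"},
    ("dev@corp.example", "search"): {"view", "edit_content"},
    ("auditor@corp.example", "chatbot"): {"view"},
    ("lead@corp.example", "chatbot"): {"view", "project_settings"},
}
```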
