RBAC in groundcover: Enterprise-Grade Observability Security

At groundcover, we believe that security and observability should go hand in hand. That's part of the reason why we built our sensor with eBPF at its core and are using a truly unique BYOC deployment model, both ensuring data is ingested in the most secure way possible and stored with the highest level of privacy. That’s also why we’re excited to introduce Role-Based Access Control (RBAC) - a powerful feature that gives organizations granular control over user access to observability data. Whether you’re running a multi-cluster environment, handling sensitive logs, or need to enforce strict compliance policies, groundcover’s next-gen RBAC ensures that only the right people have access to the right data - nothing more, nothing less.

Why RBAC Matters in Observability

Observability platforms handle massive amounts of sensitive data, from application logs and traces to infrastructure metrics and events. Without a proper access control mechanism, organizations risk exposing critical telemetry data to unintended users - introducing security gaps and potential compliance issues.

With groundcover RBAC, enterprises can now:

• Define fine-grained access policies to restrict user visibility 
• Enforce data limitations at multiple levels (cluster, namespace, environment) 
• Seamlessly integrate with Single Sign-On (SSO) for automated role assignment
• Ensure real-time policy enforcement with a powerful filtering mechanism

This means your security team can rest easy, knowing that access to logs, traces, metrics, and workloads is precisely controlled and fully auditable.

Total Control, No Bottlenecks

One of the core advantages of groundcover’s RBAC is its self-serve policy management. Instead of relying on predefined roles that may not fit your organization’s needs, admins can create custom access policies directly within the groundcover UI.

With a few clicks, you can:

• Assign role-based permissions (Admin, Editor, Read-Only)
• Define data access scopes for logs, traces, events, metrics, and infrastructure
• Restrict visibility at the cluster, namespace, or environment level

The flexibility of custom policies means that whether you’re an SRE, security team lead, or compliance officer, you have total control over how observability data is accessed across your organization.

{{rbac_demo}}

Seamless SSO Integration: Streamline Access with Identity Providers

Managing user access at scale can be a headache - especially in large enterprises where employees come and go. That’s why groundcover’s RBAC fully integrates with Single Sign-On (SSO) solutions like Okta, Azure AD, and Google Workspace.

When users log in via SSO, groundcover can automatically map them to predefined policies based on their identity provider attributes - eliminating the need for manual access assignments. This ensures that access policies remain consistent and up to date, even as teams evolve.

Limit Access to Only What’s Necessary

Not every engineer or analyst needs access to every part of your observability data. That’s why groundcover RBAC allows data scoping at multiple levels:

• Observability Area Scoping – Restrict access by logs, traces, metrics, workloads, or events.
• Multi-Level Filtering & Restrictions – Ensure users can only view data from specific clusters, namespaces, or environments.

For example, a developer troubleshooting an application issue might need access to logs and traces for their namespace in the dev cluster, but should not have visibility into production logs or infrastructure metrics. With groundcover RBAC, you can enforce these boundaries effortlessly.

Built for Scale

RBAC policies in groundcover are evaluated in real time. Every query is checked against the assigned data permissions, ensuring users only see the telemetry data they’re authorized to access.

Behind the scenes, our RBAC system leverages filtering to enforce restrictions dynamically. This approach ensures fast, efficient policy enforcement even in high-scale environments, without slowing down query performance.

Smooth Transition for Existing Users

If you’re already using groundcover, transitioning to the new RBAC model is seamless. Existing roles will automatically map to new policies, and default Admin, Editor, and Read-Only policies will be created per tenant. This ensures that teams retain access while gaining more control over permissions moving forward.

Organizations that require customized access control can refine their policies using the self-serve UI.

Get Started with RBAC Today

RBAC is available now for all groundcover users! Here’s how to get started:

1. Read the Docs – Explore our docs for a step-by-step guide on setting up RBAC.
2. Talk to Us – Need help integrating RBAC with your SSO provider? 

At groundcover, we’re redefining observability with speed, efficiency, and enterprise-grade security. With RBAC, we’re ensuring that security isn’t a barrier to great observability - it’s a built-in advantage.