Grant production trace access
Follow this guide when you need to give a teammate or API key the ability to read production traces in a project they already belong to.Before you start
You need:org_admin(or higher) in the organisation containing the project.- The principal you intend to grant — a user or an API key — already exists and either holds a non-prod-capable membership in the project, or you are about to create the API key with the relevant scopes.
- The project has at least one environment flagged
is_production = true. If it does not, follow the environment-policy how-to first; trace classification is sourced from that flag at capture time.
Grant to a user
For an existing teammate already a member of the project:- Open the Team page in your organisation:
/org/[orgSlug]/settings/team. - Locate the principal in the role matrix. The role columns cover every tier (organisation, workspace, project); the current role at each tier appears in the corresponding column.
- Open the role popover for the principal at the tier where you want to grant prod-trace access and select a role that carries
traces:read:prod.
traces:read:prod:
| Role | traces:read | traces:read:prod |
|---|---|---|
project_developer | Y | |
project_admin | Y | Y |
project_owner | Y | Y |
workspace_admin | Y | Y |
workspace_owner | Y | Y |
org_admin | Y | Y |
org_owner | Y | Y |
Changing the role grants every capability the new role carries — not just the trace permission. If the principal should hold only the trace permission and nothing else, use an API key with a narrow scope instead (see the next section).
Grant to an API key
For machine-to-machine access (ingestion pipelines, scheduled reports, support tooling):- Open the API keys settings page:
/settings/api-keys. - Click “Create API key” and step through the wizard.
- On the scope step, select the trace permissions you need:
traces:read and traces:read:prod as independent checkboxes; pick the combination that matches the key’s intended use.
traces:read:prod alone is a legal scope and is the right choice for a key that only reads production traffic.
Revoke
To revoke prod-trace access:- For a user: open
/org/[orgSlug]/settings/team, find the principal in the role matrix, and change their role at the relevant tier to one that does not carrytraces:read:prod(for example,project_developer). The change takes effect on the next request the user issues; existing in-flight requests complete under the prior permission set. - For an API key: open the API keys settings page, locate the key, and either edit the scope list to remove
traces:read:prodor revoke the key entirely. Revoking the key is the safer option if you suspect compromise.
Verify the grant in the audit log
To confirm a grant or revocation was recorded:- Open the project audit feed:
/org/[orgSlug]/ws/[workspaceSlug]/prj/[projectSlug]/audit. - Filter the event type to
rbac_grant. - Locate the row matching the principal and timestamp.
Troubleshooting
I granted the role but the user still sees the boundary state. Wait for the next request and refresh; the dashboard may take a few seconds to reflect the new role. If the boundary state persists, verify in the isolation-conformance view that the role cascade is in force. The audit log row does not appear. Confirm the grant actually changed the effective permission set. Granting an already-held permission writes no audit row — the log records effective-set changes, not raw role-assignment events. I want to grant prod-trace access for a fixed window — for example, four hours during an incident. Time-bounded grants are on the Phase 2 roadmap (PRD §Phase 2 item 4). Today the workaround is to grant the role at the start of the window and revoke it at the end; both operations are audited.Next steps
How trace access works
Reference page covering the two permissions, the role cascade, capture-time classification, and the boundary state.
Isolation conformance view
Confirm the cross-store policies are in force on every project-scoped table in your organisation.