Use this runbook when the collaborator needs access to Amplitude. The same workflow applies to the production org and any sandbox environments you share for QA.
Prerequisites
Before inviting a user to Amplitude, verify you have the correct information and permissions to complete the process successfully.
Required Information
- Organization Details: Verify the correct Amplitude organization URL (e.g.,
analytics.amplitude.com/yourorg) and confirm which organization tier you're running (Growth, Enterprise, Scholarship). - Project List: Document every project the collaborator should access, including production, staging, development, and any regional or brand-specific instances.
- Service Account Email: Collect the collaborator's service account email address. This should be a dedicated service account, not a personal email, to ensure continuity across personnel changes.
- Scope of Work: Review the statement of work or engagement contract to understand which Amplitude features the collaborator needs (e.g., analytics only, Govern tracking plans, Experiment feature flags, Data tables).
- Timeline: Confirm how long access is needed. For temporary engagements, note the end date in your access management system.
Permission Requirements
- Organization Admin Role: You must have Organization Admin privileges to invite new members and assign project roles. If you lack this role, escalate to your Amplitude administrator.
- Module Access Rights: If the collaborator needs access to Govern, Experiment, Audiences, or other add-on modules, confirm you have permissions to grant those capabilities.
SSO and Identity Provider Considerations
If your organization uses single sign-on (SSO) with Amplitude:
- Pre-Provision in IdP: Create the service account in your identity provider (Okta, Azure AD, OneLogin, etc.) before inviting in Amplitude.
- Group Mappings: Add the user to the appropriate IdP groups that map to Amplitude roles. Common patterns include
amplitude-admins,amplitude-members, or project-specific groups. - SCIM Synchronization: If SCIM is enabled, confirm that user provisioning is working correctly. Test with a temporary account if you're unsure.
- MFA Requirements: Verify whether multi-factor authentication is required for the service account and document the enrollment process.
Security and Compliance Checklist
- Access Request Approval: Obtain written approval from the project sponsor, SOW signatory, or security team as required by your organization's policies.
- Data Classification: Confirm what data classification levels the collaborator can access (PII, financial data, healthcare information, etc.) and whether Amplitude projects contain restricted data.
- Audit Trail: Prepare to document the invitation in your IAM tracker, ITSM system, or compliance log with requester name, approval date, and justification.
- VPN or IP Restrictions: If Amplitude access requires VPN connection or IP allowlisting, coordinate with your network team before sending the invite.
Understanding Amplitude Roles
Amplitude provides organization-level and project-level roles that work together to control access.
Organization Roles
- Admin: Full control over organization settings, billing, SSO configuration, and all projects. Grant only to trusted administrators who manage the Amplitude instance.
- Member: Default role for most users. Can access assigned projects and use standard analytics features but cannot modify organization-level settings.
- Billing Contact: Special role for finance teams managing subscription and payment information. Rarely needed for collaborator service accounts.
Project Roles
Each project within the organization has separate role assignments:
- Admin: Full control over project settings, integrations, data destinations, and user management within that project. Use for collaborators leading implementation or governance work.
- Manager: Can create and edit charts, dashboards, cohorts, and notebooks. Cannot modify project settings or integrations. Appropriate for analytics-focused engagements.
- Member: Can view and create personal content but cannot share with the team or modify existing team assets. Useful for junior analysts or read-mostly roles.
- Viewer: Read-only access to existing dashboards and charts. Cannot create new content. Use for stakeholders who need visibility without editing capabilities.
Add-On Module Permissions
If your organization has purchased additional Amplitude modules, you'll need to grant access separately:
- Govern: Tracking plan management, event schema validation, and data quality monitoring. Grant to collaborators responsible for instrumentation governance.
- Experiment: Feature flag management and A/B testing analysis. Required for collaborators supporting experimentation programs.
- Audiences: Customer segmentation and activation to downstream tools. Grant when the collaborator manages audience syncs to marketing platforms.
- Data Tables: SQL-based querying and custom data modeling. Needed for advanced analytics work beyond the standard UI.
Invite the Service Account
Follow these steps to invite the collaborator and configure appropriate access levels.
Step 1: Navigate to Member Management
- Log into Amplitude using an account with Organization Admin privileges.
- Click the gear icon in the top-right corner to open Settings.
- In the left sidebar, select Members & Groups under the Organization section.
- Review the current member list to confirm the collaborator doesn't already have access (check for existing accounts with similar email addresses or previous service accounts).
Step 2: Initiate the Invitation
- Click the Invite Members button in the top-right corner of the Members page.
- In the email field, enter the collaborator's service account email address.
- If inviting multiple users from the same organization, you can add additional email addresses separated by commas or new lines.
- Verify the email address for typos before proceeding to avoid sending invites to the wrong recipient.
Step 3: Assign Organization Role
- In the Organization Role dropdown, select the appropriate level:
- Choose Member for standard collaborator engagements (most common).
- Choose Admin only if the collaborator will manage organization-wide settings, SSO configuration, or billing.
- Review the role description shown in the UI to confirm it matches the collaborator's needs.
Step 4: Configure Add-On Module Access
If your organization has add-on modules enabled:
- Govern Access: Toggle on if the collaborator will manage tracking plans, validate event schemas, or monitor data quality.
- Experiment Access: Toggle on if the collaborator will create feature flags, run experiments, or analyze test results.
- Audiences Access: Toggle on if the collaborator will build audience segments or manage syncs to marketing platforms.
- Data Tables Access: Toggle on if the collaborator needs SQL query capabilities or custom data modeling features.
Leave modules disabled if they're not required for the engagement to maintain least-privilege access.
Step 5: Assign Project Access and Roles
- Under the Projects section, you'll see a list of all projects in your organization.
- Check the box next to each project the collaborator should access.
- For each selected project, choose the appropriate project role from the dropdown:
- Admin: For collaborators leading implementation, configuring integrations, or managing project settings.
- Manager: For collaborators performing analysis, creating dashboards, or managing cohorts.
- Member: For collaborators with view-and-create access but no sharing or editing privileges on team content.
- Viewer: For read-only access to existing dashboards and reports.
- Consider project purpose when assigning roles:
- Production projects typically get more restrictive roles (Manager or Viewer).
- Staging/development projects can have Admin access for testing and validation.
- Regional or brand-specific projects should be granted only if relevant to the engagement scope.
Step 6: Add Documentation and Context
- In the Note or Message field (if available), add context about the invitation:
- Reference the SOW, contract number, or support ticket ID.
- Note the engagement purpose (e.g., "Implementation support for mobile app instrumentation").
- Include the expected access duration if temporary (e.g., "Access through Q2 2025").
- This documentation helps future administrators understand why access was granted and when it should be reviewed.
Step 7: Send the Invitation
- Review all selections one final time:
- Email address is correct
- Organization role matches requirements
- Add-on modules are appropriately assigned
- Project access and roles align with engagement scope
- Documentation note is complete
- Click Send Invite or Invite to finalize.
- Amplitude will send an email invitation to the specified address with a link to accept and activate the account.
Bulk Invitation Process
For organizations bringing on multiple collaborators simultaneously (e.g., entire consulting teams or agency partners):
Preparing Bulk Invitations
- Create a spreadsheet listing all service accounts with columns for:
- Email address
- Organization role
- Module access requirements (Govern, Experiment, etc.)
- Project access list
- Per-project role assignments
- Engagement reference (SOW number, ticket ID)
- Review with your security or compliance team if required by policy.
- Obtain batch approval from the appropriate stakeholder.
Executing Bulk Invitations
- If Amplitude supports CSV upload (Enterprise plans), use the bulk import feature:
- Navigate to Settings → Members & Groups
- Look for Import Members or Bulk Invite option
- Upload your prepared CSV file
- Review the preview and confirm
- If bulk import isn't available, invite users one at a time using the standard process but prepare all invitation details in advance to streamline the workflow.
Bulk Invitation Best Practices
- Stagger Invitations: For very large groups (20+ users), consider sending invites in batches to avoid email delivery issues or overwhelming your security monitoring systems.
- Standardized Naming: Use consistent naming conventions for service accounts (e.g.,
analytics-vendor-firstname.lastname@vendor.com) to simplify future audits. - Grouped Projects: If possible, organize projects into logical groups that align with common access patterns to speed up role assignment.
SSO and SCIM Integration
Organizations using enterprise identity management should follow additional steps.
SSO-Enabled Organizations
When SSO is required for Amplitude access:
Pre-Create in Identity Provider:
- Create the user account in your IdP (Okta, Azure AD, OneLogin, etc.) before sending the Amplitude invitation.
- Assign the user to the Amplitude application in your IdP.
- Map the user to the correct IdP groups that correspond to Amplitude roles.
Group Mapping Verification:
- Confirm your IdP group mappings are current:
amplitude-org-admins→ Organization Admin roleamplitude-org-members→ Organization Member roleamplitude-project-admins→ Project Admin role for specified projectsamplitude-project-viewers→ Project Viewer role for specified projects
- Verify the collaborator is assigned to the correct groups.
- Confirm your IdP group mappings are current:
First Login Flow:
- The collaborator should click the invitation link from email.
- They'll be redirected to your SSO login page.
- After authenticating through your IdP, they'll be returned to Amplitude with the appropriate access.
- Role assignments from the invitation will merge with group-based assignments from your IdP.
SCIM-Provisioned Accounts
For organizations using SCIM (System for Cross-domain Identity Management):
Automatic Provisioning:
- When properly configured, adding a user to the appropriate IdP group automatically creates their Amplitude account.
- Manual invitation through Amplitude UI may not be necessary.
- Verify SCIM connector is functioning correctly before relying on automatic provisioning.
Manual Invitation with SCIM:
- If you send a manual invitation for a SCIM-provisioned user, ensure the email address matches exactly what's configured in your IdP.
- Role conflicts between manual assignment and SCIM group mapping will typically favor the IdP group mapping.
Troubleshooting SCIM:
- If provisioning fails, check SCIM connector logs in your IdP.
- Verify the user's email address matches the expected format.
- Confirm SCIM API credentials haven't expired.
- Test with a temporary account to isolate issues.
After Sending the Invite
Once the invitation is sent, monitor progress and prepare the collaborator for successful onboarding.
Monitor Invitation Status
Check Pending Invitations:
- In Settings → Members & Groups, click the Pending Invitations tab.
- Monitor for the status to change from Pending to Accepted.
- Note the timestamp when the invitation was sent and when it was accepted for your audit log.
Set Follow-Up Reminders:
- If the invitation isn't accepted within 24-48 hours, follow up with the collaborator's team to ensure they received the email.
- Check spam/junk folders if the invitation email wasn't delivered.
- Set a reminder to revoke unaccepted invitations after 7-14 days to maintain security hygiene.
Invitation Expiration:
- Amplitude invitations typically expire after 7-14 days (varies by plan).
- If an invitation expires before acceptance, you'll need to resend it.
- Document expired invitations in your tracker to identify potential delivery or communication issues.
Communicate Access Details
Send a detailed onboarding email to the collaborator's team with the following information:
Access Confirmation:
- Amplitude organization URL
- List of projects they can access
- Assigned roles (organization and per-project)
- Add-on modules they can use (Govern, Experiment, etc.)
Technical Requirements:
- VPN connection instructions if required
- SSO login process and IdP portal URL
- MFA enrollment steps if applicable
- IP allowlist requirements if your network restricts access
Getting Started Resources:
- Links to key dashboards, charts, or notebooks they should review
- Documentation for your organization's naming conventions and governance standards
- Training materials or recorded sessions about your Amplitude implementation
- Contact information for your internal Amplitude administrators
Security and Compliance:
Update Access Management Records
Document the invitation in your organization's systems:
IAM Tracker or Spreadsheet:
- Record the service account email, invitation date, assigned roles, and approver name.
- Note the SOW or ticket reference for audit purposes.
- Set a review date based on engagement duration (e.g., quarterly review for ongoing access, specific end date for project-based work).
ITSM or Ticketing System:
- Update the access request ticket with "Granted" status and relevant details.
- Attach screenshots of the invitation confirmation and pending status.
- Link to any related configuration tickets (VPN access, IdP changes, etc.).
Compliance Logs:
- If required by your industry or organization policies, log the access grant in your GRC (Governance, Risk, and Compliance) system.
- Include justification, approvals, and data classification levels.
Collaboration Tools:
- Notify relevant stakeholders in Slack, Teams, or email that access has been granted.
- Update project runbooks or wikis with current team member lists.
Troubleshooting Tips
Common issues and their resolutions when inviting users to Amplitude.
Invite Not Received
Symptoms: The collaborator reports they haven't received the invitation email after several hours.
Resolution Steps:
Check Email Deliverability:
- Ask your email administrators to allowlist
@amplitude.comand@notifications.amplitude.comdomains. - Check SPF, DKIM, and DMARC records for Amplitude's sending domains.
- Review email gateway logs for blocked or quarantined messages from Amplitude.
- Ask your email administrators to allowlist
Verify Email Address:
- Confirm the email address entered in the invitation matches the collaborator's active account.
- Check for typos, extra spaces, or incorrect domain names.
- In the Pending Invitations tab, verify the displayed email address is correct.
Resend the Invitation:
- In Settings → Members & Groups → Pending Invitations, locate the pending invite.
- Click Resend or delete the pending invitation and create a new one.
- Ask the collaborator to check their spam/junk folder immediately after resending.
Alternative Delivery Methods:
- If email delivery continues to fail, consider whether SSO/SCIM auto-provisioning can be used instead.
- For urgent access needs, work with Amplitude support to verify email delivery configuration.
SSO Blocking Login
Symptoms: The collaborator clicks the invitation link but gets an error during SSO authentication or is redirected to a "no access" page.
Resolution Steps:
Verify IdP Account Exists:
- Confirm the user account exists in your identity provider with the exact email address used in the Amplitude invitation.
- Check that the account is active and not disabled or pending activation.
Review Group Assignments:
- Verify the user is assigned to the correct IdP groups that map to Amplitude roles.
- Test the group mapping by logging in with a known-working account in the same group.
- Review your Amplitude SSO configuration to ensure group attribute mappings are correct.
Check Application Assignment:
- In your IdP admin console, confirm the user is assigned to the Amplitude application.
- Some IdPs require explicit application assignment even if group-based access is configured.
Role Mapping Conflicts:
- If manual invitation roles conflict with IdP group mappings, the IdP usually wins.
- Align the manual invitation roles with what your IdP groups will assign to avoid confusion.
- Document the authoritative source for role assignments (IdP vs. Amplitude UI) in your runbooks.
SSO Configuration Issues:
User Limit Reached
Symptoms: Invitation fails with an error message indicating the organization has reached its user limit.
Resolution Steps:
Review Current User Count:
- In Settings → Members & Groups, check how many active users exist vs. your plan limit.
- Identify inactive users who can be removed to free up seats.
Remove Inactive Users:
- Audit the member list for users who haven't logged in recently (check Last Active column).
- Remove former employees, completed project accounts, or duplicate accounts.
- See the Remove User Access documentation for deprovisioning steps.
Upgrade Plan:
- If all current users are active and needed, contact your Amplitude account manager to upgrade your plan.
- Consider moving to an Enterprise plan if you frequently hit user limits.
Temporary Access Patterns:
- For short-term engagements, consider rotating access by removing users when their work is complete rather than accumulating seats.
- Implement a regular access review process (quarterly) to identify accounts that can be deprovisioned.
Permission Errors
Symptoms: You cannot see the "Invite Members" button or get an error when attempting to send invitations.
Resolution Steps:
Verify Your Role:
- Confirm you have Organization Admin privileges in Amplitude.
- Check with another administrator if you're unsure of your role assignment.
SSO/SCIM Restrictions:
- Some organizations configure SSO/SCIM to be the only provisioning method, which disables manual UI invitations.
- Check with your Identity team whether manual invitations are allowed or if all provisioning must go through your IdP.
Browser Issues:
- Clear browser cache and cookies, then try again.
- Test in an incognito/private browsing window to rule out extension conflicts.
- Try a different browser if the issue persists.
Project Access Not Appearing
Symptoms: The collaborator accepts the invitation and logs in successfully but doesn't see the expected projects.
Resolution Steps:
Verify Project Selection:
- Review the original invitation to confirm the projects were actually selected during the invitation process.
- Check the user's account in Settings → Members & Groups to see which projects are listed.
Add Missing Projects:
- If projects are missing, edit the user's account and add the appropriate project assignments.
- See the Update Access documentation for modification steps.
Data Restrictions:
- Some organizations apply data restrictions that limit which projects users can see.
- Review data governance policies that might filter project visibility.
SSO Group Overrides:
- If using SSO with group mappings, IdP group assignments may override manual project selections.
- Verify the user is in the correct IdP groups for the intended projects.
Need Temporary or Time-Limited Access
Symptoms: The engagement is short-term, and you want to ensure access is automatically revoked after a specific date.
Resolution Steps:
Calendar Reminders:
- Set calendar reminders for yourself and your team to review and remove the access on the end date.
- Include the service account email and justification in the reminder.
Access Review Schedule:
- Add the user to your quarterly or monthly access review list with an expiration flag.
- Mark the account as "Temporary - Review [DATE]" in your IAM tracker.
Automated Reminders:
- If your organization uses automated access review tools, tag the account for time-based review.
- Set up alerts in your ITSM system to notify you before the access should expire.
Service Account Naming:
- Consider including expiration dates in service account names or notes (e.g., "contractor-Q4-2025").
- Document the expected end date in the user's note field within Amplitude.
Security and Compliance Best Practices
Follow these guidelines to maintain secure and compliant access management.
Least Privilege Principle
- Grant the minimum organization role, module access, and project permissions necessary for the engagement.
- Start with more restrictive roles (Member, Manager) and escalate only if clearly justified.
- Review project access regularly and remove permissions that are no longer needed.
Regular Access Reviews
- Conduct quarterly reviews of all Amplitude users to identify inactive or unnecessary accounts.
- Verify that project access still aligns with current engagement scopes.
- Remove or downgrade users who have completed their work.
Audit Trail Maintenance
- Document every invitation with justification, approvals, and timestamps.
- Retain invitation confirmations and acceptance records for compliance audits.
- Export Amplitude's access logs regularly and store in your GRC system.
Segregation of Duties
- Keep production and non-production environments separate in access assignments.
- Ensure collaborators with Admin access to staging don't automatically get Admin access to production.
- Require additional approvals for production access grants.
Service Account Hygiene
- Use dedicated service accounts rather than personal email addresses for collaborator access.
- Implement consistent naming conventions (e.g.,
vendor-firstname.lastname@vendor.com). - Rotate credentials and review access when personnel changes occur at the collaborator's organization.
Related Documentation
- Update Access & Roles - Modify roles and project assignments when engagement scope changes
- Remove User Access - Deprovision users and maintain compliance records
- User Management Overview - Complete guide to Amplitude roles, permissions, and governance