Segment User Management

Coordinate Segment workspace roles, source access, and lifecycle tasks for the collaborator.

Overview

Segment provides granular access control through workspace roles and source-level permissions. This layered approach allows organizations to grant broad collaboration capabilities while restricting access to production data, sensitive destinations, or specific sources. Understanding Segment's permission model is essential for maintaining data governance, security compliance, and operational efficiency.

Access Structure

Workspace Hierarchy

Segment organizes access at multiple levels:

Organization (Business Tier)
└── Workspace
    ├── Sources (web, mobile, server)
    │   └── Source-level permissions
    ├── Destinations
    │   └── Destination-level permissions
    ├── Tracking Plans
    │   └── Schema editing rights
    └── Functions
        └── Code execution permissions

Workspace Roles

Role	Description	Use Case
Workspace Owner	Full control including billing, settings, and member management	Account administrators, engineering leads
Workspace Admin	Manage sources, destinations, and team members (no billing)	Platform managers, senior engineers
Workspace Member	Create and edit sources and destinations	Implementation engineers
Read-Only	View-only access to all workspace data	Stakeholders, auditors, analysts

Role Permissions Matrix

Permission	Owner	Admin	Member	Read-Only
View workspace	✓	✓	✓	✓
View sources/destinations	✓	✓	✓	✓
Create sources	✓	✓	✓	✗
Edit sources	✓	✓	✓	✗
Delete sources	✓	✓	✗	✗
Create destinations	✓	✓	✓	✗
Edit destinations	✓	✓	✓	✗
Delete destinations	✓	✓	✗	✗
Manage team members	✓	✓	✗	✗
Modify workspace settings	✓	✓	✗	✗
Manage billing	✓	✗	✗	✗
Transfer ownership	✓	✗	✗	✗
Manage Tracking Plans	✓	✓	✓*	✗
Create Functions	✓	✓	✓	✗
Manage API tokens	✓	✓	✗	✗

*Members can edit Tracking Plans but may require approval for production changes.

Source-Level Permissions

Why Source Permissions Matter

Source-level permissions provide additional control beyond workspace roles:

Separate production from development: Protect live data while enabling testing
Limit sensitive data access: Restrict access to sources with PII
Enable vendor collaboration: Grant access to specific integrations only
Support multi-team environments: Different teams own different sources

Available Source Permissions

Permission	Capabilities
Full Access	Create, edit, delete source and connected destinations
Read & Write	Modify source settings, view all data
Read Only	View source configuration, cannot modify
No Access	Source hidden from user's view

Configuring Source Access

Navigate to Settings > Workspace Settings > Team
Select the user to modify
Click Edit Permissions
Under each source, set the appropriate access level
Save changes

Example Configuration:

User: developer@company.com
Role: Workspace Member

Source Permissions:
  - Production Web: Read Only
  - Production Mobile: Read Only
  - Staging Web: Full Access
  - Staging Mobile: Full Access
  - Server (Node): Read & Write
  - Development: Full Access

Destination-Level Permissions

Controlling Destination Access

Similar to sources, destinations can have specific permissions:

Permission Level	Capabilities
Full Access	Configure, enable/disable, delete
Read & Write	Modify settings, view credentials
Read Only	View configuration, no changes
No Access	Destination hidden

Sensitive Destinations

Apply stricter controls to:

Data warehouses: Snowflake, BigQuery, Redshift
Marketing platforms: Customer data goes to ad platforms
CRM systems: Salesforce, HubSpot contact data
Payment systems: Stripe, payment-related destinations

SSO and SCIM Integration

Single Sign-On (SSO)

Segment supports SAML 2.0 SSO for enterprise authentication:

Supported Identity Providers:

Okta
Azure Active Directory
OneLogin
Google Workspace
Ping Identity
Custom SAML 2.0 providers

SSO Configuration:

Navigate to Settings > Authentication
Enable Single Sign-On
Configure SAML settings:
- Entity ID
- SSO URL
- Certificate
Map IdP attributes to Segment fields
Test with a non-admin user first

IdP Attribute Mapping:

# Required mappings
email: user.email
firstName: user.firstName
lastName: user.lastName

# Optional mappings
role: user.segmentRole  # For automatic role assignment
groups: user.groups     # For SCIM group sync

SCIM Provisioning

Automate user lifecycle with SCIM 2.0:

Features:

Automatic user provisioning from IdP
Group-to-workspace role mapping
Deprovisioning on IdP removal
Attribute synchronization

SCIM Endpoints:

Base URL: https://api.segment.io/scim/v2
Users: /Users
Groups: /Groups

# Bearer token authentication required
Authorization: Bearer YOUR_SCIM_TOKEN

Example: Create User via SCIM:

curl -X POST 'https://api.segment.io/scim/v2/Users' \
  -H 'Authorization: Bearer YOUR_SCIM_TOKEN' \
  -H 'Content-Type: application/scim+json' \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "user@example.com",
    "name": {
      "givenName": "Jane",
      "familyName": "Doe"
    },
    "emails": [{
      "value": "user@example.com",
      "primary": true
    }],
    "active": true
  }'

Group Mapping Example:

IdP Group	Segment Workspace Role
`segment-admins`	Workspace Admin
`segment-engineers`	Workspace Member
`segment-analysts`	Read-Only

API Access and Tokens

Personal Access Tokens

For CLI and programmatic access:

Go to Settings > Access Management > Tokens
Click Generate Token
Set token name and expiration
Copy and store securely (shown only once)

Token Scopes:

Scope	Permissions
`workspace:read`	Read workspace configuration
`workspace:write`	Modify workspace settings
`sources:read`	View source settings
`sources:write`	Create/modify sources
`tracking_plan:read`	View tracking plans
`tracking_plan:write`	Edit tracking plans

Using Tokens:

# Config API authentication
curl 'https://api.segment.io/v1/sources' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

# Public API authentication
curl 'https://platform.segmentapis.com/v1beta/workspaces' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Write Keys

Source-specific authentication for data ingestion:

Each source has a unique write key
Write keys only allow data to be sent to that source
Cannot read data or modify configurations
Rotate if compromised

Write Key Usage:

// Browser
analytics.load('YOUR_WRITE_KEY');

// Node.js
const Analytics = require('analytics-node');
const analytics = new Analytics('YOUR_WRITE_KEY');

Token Rotation

Best practices for token management:

Scheduled rotation: Every 90 days for production tokens
Immediate rotation: Upon team member departure
Scope limitation: Use minimum required permissions
Audit logging: Review token usage in access logs

Tracking Plan Governance

Schema Editing Rights

Control who can modify your Tracking Plan:

Role	Schema Viewing	Schema Editing	Publish to Production
Owner	✓	✓	✓
Admin	✓	✓	✓
Member	✓	✓	Configurable
Read-Only	✓	✗	✗

Change Request Workflow

For regulated environments:

Member proposes schema change
Change enters review queue
Admin/Owner approves or rejects
Approved changes publish to production
Audit log records all changes

Protocols Enforcement

Configure validation behavior:

Block violations: Reject non-compliant events
Allow with warnings: Pass events but flag issues
Off: No enforcement (not recommended for production)

Access Lifecycle Management

Adding Users

See Add User Access for detailed steps:

Invite via email
Assign workspace role
Configure source-level permissions
Set destination restrictions
Document the access grant

Updating Access

See Update Access & Roles for detailed steps:

Adjust workspace role as needed
Modify source permissions
Update destination access
Revalidate token permissions
Communicate changes to user

Removing Users

See Remove User Access for detailed steps:

Transfer ownership of resources
Revoke workspace access
Remove IdP group memberships
Rotate any shared credentials
Audit and document removal

Audit and Compliance

Access Audit Trail

Segment logs access-related events:

User invitations and removals
Role changes
Source/destination permission modifications
Token creation and revocation
SSO/SCIM provisioning events

Accessing Audit Logs:

Navigate to Settings > Activity Log
Filter by user, action type, or date range
Export for compliance documentation

Compliance Frameworks

Segment supports:

Framework	Relevant Controls
SOC 2	Access control, audit logging
GDPR	Data access limitations, consent
HIPAA	PHI access restrictions
ISO 27001	Access management

Evidence Collection

For audits, document:

## Access Control Evidence

**User**: engineer@company.com
**Workspace**: Production Analytics
**Role**: Workspace Member
**Source Access**:
  - Production Web: Read Only
  - Production Mobile: Read Only
  - Staging: Full Access

**Justification**: Implementation engineer requires
staging access for integration work.

**Approved By**: admin@company.com
**Date**: 2024-01-15
**Review Date**: 2024-04-15

Best Practices

Role Assignment

Default to least privilege: Start with Read-Only
Separate environments: Different access for prod vs staging
Regular reviews: Quarterly access audits
Just-in-time access: Temporary elevations for specific tasks

Source Organization

Organize sources for easier permission management:

Workspace Structure:
├── Production Sources
│   ├── web-prod
│   ├── mobile-ios-prod
│   ├── mobile-android-prod
│   └── server-prod
├── Staging Sources
│   ├── web-staging
│   ├── mobile-staging
│   └── server-staging
└── Development Sources
    ├── web-dev
    └── sandbox

Token Management

Named tokens: Descriptive names indicating purpose
Minimal scope: Only grant necessary permissions
Expiration dates: Set reasonable expiration
Secure storage: Use secrets management (Vault, AWS Secrets Manager)
Rotation schedule: Regular rotation calendar

Documentation Requirements

Maintain records of:

Current access roster with justifications
Token inventory with owners and purposes
SSO/SCIM configuration
Permission change history
Quarterly review results

Troubleshooting

Common Issues

Issue	Cause	Solution
Cannot see source	No source permission	Grant source access
Cannot create destination	Member role, source restricted	Elevate role or grant source access
SSO login fails	Attribute mapping incorrect	Verify IdP configuration
SCIM user not created	Group mapping missing	Add to correct IdP group
Token rejected	Expired or revoked	Generate new token
Write key not working	Wrong source or key	Verify source and key match

Permission Verification

Check a user's effective permissions:

Navigate to Settings > Team
Find the user
Click to view their profile
Review workspace role and source permissions
Check destination-specific access

Escalation Path

When access issues arise:

Verify user's workspace role
Check source-level permissions
Review destination restrictions
Confirm SSO/SCIM sync status
Contact Segment support if unresolved

Governance Checklist

Onboarding

□ User invited with appropriate role
□ Source permissions configured
□ Destination access restricted appropriately
□ SSO/SCIM group membership verified
□ Access documented with justification
□ Training provided on data handling

Quarterly Review

□ All users still require access
□ Roles match current responsibilities
□ Source permissions remain appropriate
□ Tokens reviewed and rotated if needed
□ Terminated users removed
□ Access documentation current

Offboarding

□ Resource ownership transferred
□ Workspace access revoked
□ IdP group memberships removed
□ Tokens revoked
□ Write keys rotated if shared
□ Function code reviewed for credentials
□ Removal documented

Add User Access - Inviting new team members
Update Access & Roles - Modifying permissions
Remove User Access - Offboarding procedures
Segment Documentation - Official IAM docs

शीर्ष पर वापस जाएँ