Using Label-Based Access Control

By default, all workspaces include labels for Dev (development) and Prod (production) environments. Workspace Owners can configure what these labels are applied to, and can create up to 5 custom environments.

Labels must use the key:value format. Both the key and value must begin with a letter, and they can only contain letters, numbers, hyphens, or dashes.

To apply labels to sources and spaces, click the Assign Labels tab from the Manage Labels screen. In the screen that appears, select the sources and spaces to apply the label to.

Once a label is in use (either assigned to a resource or used to restrict permissions on a user), the label cannot be deleted. You must first manually remove the label from any resources and permissions before you can delete it.

Workspace Owners can also grant specific role access to specific labels. For example, you might give a Source Admin access to only sources that have the Prod label.

Permissions can then be assigned to users in Access Management by label, on the Source Admin, Source Read-Only, Engage Admin, Engage User and Engage Read-Only users.

Expand image

To create additional custom labels, a Workspace Owner can create new key types in the Manage Labels screen. The Workspace Owner can customize any combination of labels to mirror how resources should be partitioned in their organization.

For example, some organizations may restrict access to sources and spaces by brand or product area, while others might organize resources by tech stack or engineering department.

When you create a new key, it becomes available in the Sources page as a column type that can be used to organize sources.

You can create labels for sources and spaces from Segment workspace by going to Settings -> Admin and then clicking the Label Management tab.

You can apply labels to sources and spaces.

You can assign labels to sources and spaces using the Assign Labels tab in the Manage Labels screen. Source Admins and Space Admins can edit the labels on their individual resources in the Settings tab.

Once a label has been created and has been assigned to resources within the workspace, workspace owners can use these labels to restrict permissions on user access, restrict which sources can be connected to a space through a Connection Policy, and organize sources by viewing these labels as columns in the Sources page.

Workspace owners can only delete a label if it's not in use. See Custom Environments for details on removing labels.

No. If you need to rename a label, first create a new label, assign it to all resources using the old label, and then delete the old label.

No, each resource can have only one value per label category. This prevents confusion about permissions. For example, if a user has access to brand:A, it's unclear whether they should also have access to sources labeled both brand:A and brand:B. Limiting resources to one value per category avoids this confusion.

Labels are additive, meaning they can only further restrict a user's permissions. For example, if a user has access to everything labeled environment:production, then they're not restricted by other label categories. This results in broader permissions compared to a user with access to both environment:production AND region:apac.

For example, if the following sources had these set of labels:

Then the following users with Source Admin restricted with labels will only have access to the following sources:

To grant a user access to sources labeled brand:a or brand:b, use group permissions. Create two groups: one with Source Admin access to brand:a and another with Source Admin access to brand:b, then assign the user to both groups.