Role-based access control¶
Role-based access control (RBAC) controls access to the DataRobot application by assigning users roles with designated privileges. Role-based permissions and role-role relationships make it simple to assign the appropriate permissions the specific ways in which users intend to use the application.
You can assign a role to specific users in User Permissions, or to all members in a group in Group Permissions. The assigned role controls both what the user sees when using the application and which objects they have access to. RBAC is additive, so a user's permissions will be the sum of all permissions set at the user and group level.
Additive user roles
Permissions can be set for a group of people and for individual users. A user's permissions will be equal to the union of:
- The permissions that are set for that user.
- The permissions that are set for the group(s) to which they belong.
For example, say the role assigned to you at a group level allows A but not B, and the role assigned to you at a user level allows B but not A. In this case, you have access to both A (granted at the group level) and B (granted at the user level).
Although the group does not have access to B, individual users may still have access to B, and to revoke access to A, it must be removed for the entire group or individual users must be removed from the group.
The following roles can be assigned:
- Data Scientist
- Viewer
- MLOps Admin
- Apps Consumer
- Apps Admin
- Project Admin
- Prediction-only
- Data Consumer
- Data Admin
The following objects also use the RBAC framework in the DataRobot application:
- Projects
- Deployments
- Database Connectivity
- Datasets
- Dataset metadata
- Custom Models and Environments
- Execution Environments
- AI Applications
- Model Packages
The sections below describe the permissions applied for each role provided with Role-based access control.
Tiers of access¶
Each role is granted a different degree of access for the various object types available within the application:
-
Read access to an object allows the user to access that area of the application for viewing but they cannot create these objects.
-
Write access to an object type allows the user to create objects in that area of the application. There are no restrictions applied with write access aside from administrative permissions.
-
Admin access to an object type grants a user access to all objects of a given type that belong to the user's organization. For example, if a user has admin access to projects, they can view every project created within their organization and make edits to them.
-
No Access disables a user's access to an object type. This is indicated by the red "X" label displayed for a given permission. They will be unable to access that part of the application, create that type of object, or gain access to any of the objects of that type.
Data Scientist¶
Access: Can build or add models in the platform, both using AutoML and creating custom or remote models.
Notes: Cannot perform any actions that will break production systems. This type of user can also build AI applications.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | ✔ | ||
| Custom Model | ✔ | ✔ | |
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | ✔ | ||
| Model Package | ✔ | ✔ | |
| Prediction Environment | ✔ | ||
| Project | ✔ | ✔ |
Viewer¶
Access: Can view any object across the system that they have access to, but cannot perform any actions beyond viewing datasets.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ||
| Custom Environment | ✔ | ||
| Custom Model | ✔ | ||
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | ✔ | ||
| Model Package | ✔ | ||
| Prediction Environment | ✔ | ||
| Project | ✔ |
MLOps Admin¶
Access: Can access every MLOps object on the system—deployments, model packages, custom models, and custom environments.
Useful for: Debugging and reporting usage and activity for any MLOps object created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | ✔ | ✔ | ✔ |
| Custom Model | ✔ | ✔ | ✔ |
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | ✔ | ✔ | ✔ |
| Model Package | ✔ | ✔ | ✔ |
| Prediction Environment | ✔ | ✔ | ✔ |
| Project | ✔ | ✔ |
Apps Consumer¶
Access: Can consume the DataRobot AI-powered applications that are shared with them to help make business decisions.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ||
| Custom Environment | |||
| Custom Model | |||
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | |||
| Model Package | |||
| Prediction Environment | |||
| Project |
Apps Admin¶
Access: Can access every AI Application created across the system with admin permissions.
Useful for: Debugging and reporting on usage and activity for any AI Application created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | ✔ |
| Custom Environment | |||
| Custom Model | |||
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | ✔ | ✔ | |
| Model Package | ✔ | ✔ | |
| Prediction Environment | |||
| Project | ✔ | ✔ |
Project Admin¶
Access: Can access every modeling project created across the system.
Useful for: Debugging and reporting on usage and activity for any modeling project created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | |||
| Custom Model | |||
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | |||
| Model Package | |||
| Prediction Environment | |||
| Project | ✔ | ✔ | ✔ |
Prediction-only¶
Access: Can make predictions on a specified deployment and no other.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | |||
| Custom Environment | |||
| Custom Model | |||
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | ✔ | ||
| Model Package | |||
| Prediction Environment | ✔ | ||
| Project |
Data Consumer¶
Access: Can consume the datasets created across the system.
Notes: To restrict users from being able to upload local files to a project directly, combine this role with the "Enable AI Catalog as File Source Limitation" feature flag.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | ✔ | ||
| Custom Model | ✔ | ✔ | |
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | ✔ | ✔ | |
| Model Package | ✔ | ✔ | |
| Prediction Environment | ✔ | ||
| Project | ✔ | ✔ |
Data Admin¶
Access: Can access every dataset created across the system with admin permissions, including all metadata associated with each dataset.
Useful for: Debugging and reporting on usage and activity for any data asset pulled into the AI Catalog.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | |||
| Custom Environment | |||
| Custom Model | |||
| Dataset Data | ✔ | ✔ | ✔ |
| Dataset Info | ✔ | ✔ | ✔ |
| Deployment | |||
| Model Package | |||
| Prediction Environment | |||
| Project |