Role-based access control¶

Role-based access control (RBAC) controls access to the DataRobot application by assigning users roles with designated privileges. Role-based permissions and role-role relationships make it simple to assign the appropriate permissions the specific ways in which users intend to use the application.

You can assign a role to specific users in User Permissions, or to all members in a group in Group Permissions. The assigned role controls both what the user sees when using the application and which objects they have access to. RBAC is additive, so a user's permissions will be the sum of all permissions set at the user and group level. The following roles can be assigned:

• Data Scientist
• Viewer
• MLOps Admin
• Apps Consumer
• Apps Admin
• Project Admin
• Prediction-only
• Data Consumer
• Data Admin

The following objects also use the RBAC framework in the DataRobot application:

• Projects
• Deployments
• Database Connectivity
• Datasets
• Dataset metadata
• Custom Models and Environments
• Execution Environments
• AI Applications
• Model Packages

The sections below describe the permissions applied for each role provided with Role-based access control.

Tiers of access¶

Each role is granted a different degree of access for the various object types available within the application:

• Read access to an object allows the user to access that area of the application for viewing but they cannot create these objects.

• Write access to an object type allows the user to create objects in that area of the application. There are no restrictions applied with write access aside from administrative permissions.

• Admin access to an object type grants a user access to all objects of a given type that belong to the user's organization. For example, if a user has admin access to projects, they can view every project created within their organization and make edits to them.

• No Access disables a user's access to an object type. This is indicated by the red "X" label displayed for a given permission. They will be unable to access that part of the application, create that type of object, or gain access to any of the objects of that type.

Data Scientist¶

Access: Can build or add models in the platform, both using AutoML and creating custom or remote models.

Notes: Cannot perform any actions that will break production systems. This type of user can also build AI applications.

Viewer¶

Access: Can view any object across the system that they have access to, but cannot perform any actions beyond viewing datasets.

MLOps Admin¶

Access: Can access every MLOps object on the system—deployments, model packages, custom models, and custom environments.

Useful for: Debugging and reporting usage and activity for any MLOps object created in their organization.

Apps Consumer¶

Access: Can consume the DataRobot AI-powered applications that are shared with them to help make business decisions.

Apps Admin¶

Access: Can access every AI Application created across the system with admin permissions.

Useful for: Debugging and reporting on usage and activity for any AI Application created in their organization.

Project Admin¶

Access: Can access every modeling project created across the system.

Useful for: Debugging and reporting on usage and activity for any modeling project created in their organization.

Prediction-only¶

Access: Can make predictions on a specified deployment and no other.

Data Consumer¶

Access: Can consume the datasets created across the system.

Notes: To restrict users from being able to upload local files to a project directly, combine this role with the "Enable AI Catalog as File Source Limitation" feature flag.

Data Admin¶

Access: Can access every dataset created across the system with admin permissions, including all metadata associated with each dataset.

Useful for: Debugging and reporting on usage and activity for any data asset pulled into the AI Catalog.