Skip to content

Click in-app to access the full platform documentation for your version of DataRobot.

Roles and permissions

DataRobot employs many layers of security to help protect customer data—at the architecture, entity access, and authentication levels. The sections on this page provide details for roles and permissions at each level.

General access guidance

Access is comprised of roles and permissions. Roles categorize a user’s access; permissions specify the function-based privileges associated with the role.

Role definitions

In general, role types have the following access:

Role Access
Consumer/Observer Read-only
Editor/User Read/Write
Owner Read/Write/Administer

Role priority and sharing

Role-based access control (RBAC) controls access to the DataRobot application and is managed by organization administrators. The RBAC roles are named differently but covey the same read/write/admin permissions. The assigned role controls both what you can see when using the application and which objects you have access to.

RBAC overrides sharing-based role permissions. For example, let's say you share with another user who was assigned the RBAC Viewer role (Read-only access) by the admin. You grant them User permissions (Read/Write access). However, because the Viewer role takes priority, the user is denied Write access.

A user can have multiple roles assigned for a single entity—the most permissive role takes precedence and is then updated according to RBAC. Consider:

  • A dataset is shared to an organization, with members assigned the consumer role. The dataset is then shared to a user in that organization and assigned the editor role. The user will have editor capabilities. Other organization members will be consumers.
  • A dataset is shared to a group, with members given owner permissions. You want one user in the group to have consumer access only. Remove that user from the group and reassign them individually to restrict their permissions.

Project roles

The following table describes general capabilities allowed by each role. See also specific roles and privileges, below.

Capability Owner User Consumer
View everything
Launch IDEs
Make predictions
Create and edit feature lists
Set target
Delete jobs from queue
Run Autopilot
Share project with others
Rename project
Delete project
Unlock holdout
Clone project

Shared data connection and data asset roles

To support nuanced access across collaborative enterprises, there are three user roles to define different capabilities. The roles represent three levels of permissions across data connections and data sources (entities). When you share entities, you must assign a role to the user(s) you share with:

Note

Only an administrator can add database drivers.

  • Editor: An active user of an entity. This role has limitations based on the entity (read and write).
  • Consumer: A passive user of an entity (read-only).
  • Owner: The creator or assigned administrator of an entity. This role has the highest level of access and ability (read, write, administer).

The following table indicates which role is required for tasks associated with the AI Catalog. The table refers to the following roles:

  • Consumer (C)
  • Consumer w/ data access (CA)
  • Editor (E)
  • Editor w/ data access (EA)
  • Owner (O)
Task Permission
Data store/Data connections
View data connections C, CA, E, EA, O
Test connections C, CA, E, EA, O
Create new data sources from a data connection E, EA, O
List schemas and tables E, EA, O
Edit and rename data connection E, EA, O
Delete data connection O
Dataset/Data asset
View metadata and collaborators C, CA, E, EA, O
Share Collaborators can share with others, assigning a role as high as their own role. For example, a Consumer can share and assign role Consumer but not role Editor. Owner can assign any of the roles.
Download data sample CA, EA, O
Download dataset CA, EA, O
View sample data CA, EA, O
Use dataset for project creation CA, EA, O
Use dataset for custom model training CA, EA, O
Use dataset for predictions CA, EA, O
Modify metadata E, EA, O
Create new version (remote or snapshot)* EA, O
Reload** EA, O
Delete dataset O

* "Remote" refers to information on where to find data (e.g., a URL link); "snapshot" is actual data

** If the dataset is "remote," it is converted to a snapshot

Deployment roles

The following table defines the permissions for each deployment role:

Capability Owner User Consumer
Consume predictions*
View deployment in inventory
Get data via API
Replace model
Edit deployment metadata
Delete deployment
Add user to deployment
Change permission levels of users ✔**
Remove users from shared deployment ✔***

* Consumers can make predictions using the deploy API route but the deployment will not be part of their deployment inventory.

** To Consumer or User only.

*** Can remove self only if there is another user with the role of Owner.

Model Registry roles

The following table defines the permissions for each model package role:

Option Description Availability
View a model package View the metadata for a model package, including the model target, prediction type, creation date, and more. Owner, User, Consumer
Deploy a model package Creates a new deployment with the selected model package. Owner, User, Consumer
Share a model package Provides sharing capabilities independent of project permissions. Owner, User, Consumer
Permanently archive a model package Provides sharing capabilities independent of project permissions. Owner

Custom Model and Environment roles

The following tables defines the permissions for each custom model or environment role. Note that there is no editor role for custom environments, only for custom models:

Environment Roles and Permissions

Capability Owner Consumer
Use and view the environment
Update metadata and add new versions of the environment
Delete the environment

Model Roles and Permissions

Capability Owner Editor Consumer
Use and view the model
Update metadata and add new versions of the model
Delete the model

*All roles are able to share an application by sharing the application link with an embedded authorization token.

Automated Application roles

The following table defines the permissions for each role supported for Automated Applications.

Capability Owner Editor Consumer
Make predictions
Deactivate an application
Share an application to other DataRobot licensed users
Delete an application
Upgrade an application
Update an application's settings

Updated April 12, 2022
Back to top