Role-based access control
Role-based access control (RBAC) controls access to the DataRobot application by assigning users roles with designated privileges. Role-based permissions and role-role relationships make it simple to assign the appropriate permissions for the specific ways in which users intend to use the application.
System or organization admins can assign a role to specific users in User Permissions, or to all members in a group in Group Permissions. The assigned role controls both what the user sees when using the application and which objects they have access to. RBAC is additive, so a user's permissions will be the sum of all permissions set at the user and group level.
Additive user roles
Permissions can be set for a group of people and for individual users. A user's permissions will be equal to the union of:
- The permissions that are set for that user.
- The permissions that are set for the group(s) to which they belong.
For example, say the role assigned to you at a group level allows A but not B, and the role assigned to you at a user level allows B but not A. In this case, you have access to both A (granted at the group level) and B (granted at the user level).
Although the group does not have access to B, individual users in the group may still have access to B. To revoke access to A, it must be removed for the entire group, or individual users must be removed from the group.
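The additive rule above, as an added example (not DataRobot code and not its API): it computes a user's effective permissions as the union of user-level and group-level grants and lists every assignment that must change before a permission is actually revoked. "A" and "B" are the placeholder permissions from the example above; the role and group names are hypothetical.

```python
# Constructed sample data. "A" and "B" are the page's placeholder permissions;
# the role and group names are hypothetical, not DataRobot role definitions.
ROLE_PERMS = {
    "role_group_level": {"A"},
    "role_user_level": {"B"},
}
GROUP_ROLES = {"analysts": "role_group_level", "ops": "role_group_level"}


def grant_sources(user, user_role, groups,
                  group_roles=GROUP_ROLES, role_perms=ROLE_PERMS):
    """Map each effective permission to every assignment that grants it."""
    sources = {}
    assignments = [(f"user:{user}", user_role)]
    assignments += [(f"group:{g}", group_roles.get(g)) for g in groups]
    for source, role in assignments:
        # An unassigned role (None) or unknown group contributes nothing.
        for perm in role_perms.get(role, ()):
            sources.setdefault(perm, []).append(source)
    return sources


def effective_permissions(user, user_role, groups):
    """Additive rule: union of user-level and group-level grants."""
    return set(grant_sources(user, user_role, groups))


def must_change_to_revoke(user, user_role, groups, perm):
    """Every assignment that has to change before `perm` is really gone."""
    return sorted(grant_sources(user, user_role, groups).get(perm, []))


if __name__ == "__main__":
    print(effective_permissions("you", "role_user_level", ["analysts", "ops"]))
    print(must_change_to_revoke("you", "role_user_level", ["analysts", "ops"], "A"))
    # Leaving only one of the two groups does not remove A.
    print(effective_permissions("you", "role_user_level", ["ops"]))
```

When a user belongs to several groups, an access review has to check every grant source: removing the user from one group leaves the permission in place if another group's role still grants it.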
System or organization admins can assign the following roles:
- Apps Admin
- Apps Consumer
- Data Admin
- Data Consumer
- Data Scientist
- MLOps Admin
- Prediction-only
- Project Admin
- Use Case Admin
- Viewer
The following objects also use the RBAC framework in the DataRobot application:
- AI Applications
- Custom Models and Environments
- Database Connectivity
- Dataset metadata
- Datasets
- Deployments
- Execution Environments
- Model Packages
- Projects
- Risk Management Framework
Tiers of access
Each role is granted a different degree of access for the various object types available within the application:
| Access Level | Description |
|---|---|
| Read | Access to an object type allows the user to view that area of the application, but they cannot create objects of that type. |
| Write | Access to an object type allows the user to create objects in that area of the application. There are no restrictions applied with write access aside from administrative permissions. |
| Admin | Access to an object type grants a user access to all objects of a given type that belong to the user's organization. For example, if a user has admin access to projects, they can view every project created within their organization and make edits to them. |
| No Access | Disables a user's access to an object type. This is indicated by the red "X" label displayed for a given permission. They will be unable to access that part of the application, create that type of object, or gain access to any of the objects of that type. |
Object types
You can grant any combination of the tiers of access described above for a variety of object types. The following sections describe the different object types and the permissions that can be granted for each.
Application
Controls access to DataRobot's AI-powered applications that provide business solutions and decision-making capabilities. These applications can include custom dashboards, automated workflows, predictive analytics tools, and interactive business intelligence solutions built on top of DataRobot's machine learning models. Users with access can view, create, modify, and delete applications that may integrate multiple models, data sources, and business logic to deliver end-to-end AI solutions for specific business use cases.
To read more about applications in DataRobot, see Applications.
Custom Environment
Controls access to custom execution environments that define the runtime context for model deployment and inference. These environments specify the programming language, dependencies, libraries, and system configurations required for custom models to run properly in production. Users can create, modify, and manage environments that support various frameworks (Python, R, Java, etc.) and ensure consistent model execution across different deployment scenarios.
To read more about custom environments in DataRobot, see Create a custom environment.
Custom Model
Controls access to custom machine learning models that users create outside of DataRobot's AutoML capabilities. These models can be built using external frameworks (TensorFlow, PyTorch, scikit-learn, etc.) and uploaded to DataRobot for deployment and management. Users can view, create, modify, and delete custom models, including their associated code, dependencies, and metadata, enabling integration of specialized algorithms and domain-specific models.
To read more about custom models in DataRobot, see Create custom models.
Data Source
Controls access to data sources, which are typically used to add and work with datasets. They contain a reference to a data store and the location of a data resource within the remote store. For example, this can be a SQL query in a database connection, a database table (with optional schema and catalog location), or a blob storage path (such as AWS S3 or Azure Blob Storage).
To read more about data sources in DataRobot, see the API reference.
Data Store
Controls access to configured data connections to external data systems and repositories, such as SQL databases, AWS S3, etc. Users can manage connection parameters, query configurations, and data source metadata.
To read more about data stores in DataRobot, see Data connections.
Dataset Data
Controls access to the actual data content stored within datasets. Users with appropriate permissions can view the data in a dataset, as well as add more data by creating a new version.
To read more about datasets in DataRobot, see Explore data.
Dataset Info
Controls access to dataset metadata, schema information, and data lineage. This includes data types, column descriptions, data quality metrics, version history, and other descriptive information about datasets without accessing the actual data content. Users can manage dataset documentation, tagging, categorization, and governance metadata.
To read more about datasets in DataRobot, see Metadata info.
Deployment
Controls access to deployed models. Deployments represent the operationalized versions of trained models that can receive prediction requests and return results. Users can manage deployment configurations, scaling parameters, monitoring settings, and the lifecycle of production models.
To read more about deployments in DataRobot, see Deployments dashboard.
Model Package
Controls access to packaged model artifacts that contain the trained model, preprocessing logic, and all dependencies required for deployment. Model packages are self-contained units that can be deployed across different environments and include the model binary, feature engineering code, and runtime requirements. Users can manage package versions, dependencies, and deployment configurations.
To read more about model packages in DataRobot, see Import model packages into Registry.
Prediction Environment
Controls access to the infrastructure and configuration settings for prediction services. These environments define the computational resources, networking, security, and operational parameters for serving model predictions. Users can manage prediction endpoints, load balancing, auto-scaling, and the overall prediction service infrastructure.
To read more about prediction environments in DataRobot, see Prediction environments.
Project
Controls access to DataRobot projects, which are the primary workspaces for machine learning development. Projects contain model experiments, feature engineering, model training runs, and evaluation results. Users can create, manage, and collaborate on projects that represent the complete lifecycle of model development from data preparation to model validation.
To read more about projects in DataRobot, see Import projects to DataRobot Workbench.
Registered Model
Controls access to the model registry, which serves as a centralized repository for tracking, versioning, and managing trained models. Registered models include metadata about model performance, training parameters, feature lists, and lineage information. Users can manage model versions, approval workflows, and the governance process for model promotion to production.
To read more about registered models in DataRobot, see Register DataRobot models.
Risk Management Framework
Controls access to DataRobot's risk management and governance framework that ensures responsible AI practices. This includes model monitoring, bias detection, explainability tools, compliance reporting, and governance workflows. Users can manage risk assessments, compliance documentation, audit trails, and governance policies that ensure AI systems meet organizational and regulatory requirements.
To read more about the Risk Management Framework, see Assess risk.
Use Case
Controls access to the Use Case Admin view on Workbench, which allows the user to view and manage all Use Cases in the organization. Use Cases contain model experiments, feature engineering, model training runs, and evaluation results.
To read more about use cases in DataRobot, see Use Case overview.
RBAC roles
The sections below describe the permissions applied for each role provided with RBAC.
Apps Admin
Access: Can access every AI Application created across the system with admin permissions.
Useful for: Debugging and reporting on usage and activity for any AI Application created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | ✔ |
| Custom Environment | |||
| Custom Model | |||
| Data Source | ✔ | ✔ | |
| Data Store | ✔ | ✔ | |
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | ✔ | ✔ | |
| Model Package | ✔ | ✔ | |
| Prediction Environment | |||
| Project | ✔ | ✔ | |
| Registered Model | ✔ | ✔ | |
| Risk Management Framework | ✔ | ✔ | ✔ |
| Use Case | ✔ | ✔ |
Apps Consumer
Access: Can consume the DataRobot AI-powered applications that are shared with them to help make business decisions.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ||
| Custom Environment | |||
| Custom Model | |||
| Data Source | ✔ | ||
| Data Store | ✔ | ||
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | |||
| Model Package | |||
| Prediction Environment | |||
| Project | |||
| Registered Model | |||
| Risk Management Framework | ✔ | ||
| Use Case | ✔ | ✔ |
Data Admin
Access: Can access every dataset created across the system with admin permissions, including all metadata associated with each dataset.
Useful for: Debugging and reporting on usage and activity for any data asset pulled into the AI Catalog.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | |||
| Custom Environment | |||
| Custom Model | |||
| Data Source | ✔ | ✔ | ✔ |
| Data Store | ✔ | ✔ | ✔ |
| Dataset Data | ✔ | ✔ | ✔ |
| Dataset Info | ✔ | ✔ | ✔ |
| Deployment | |||
| Model Package | |||
| Prediction Environment | |||
| Project | |||
| Registered Model | |||
| Risk Management Framework | ✔ | ✔ | ✔ |
| Use Case | ✔ | ✔ |
Data Consumer
Access: Can consume the datasets created across the system.
Notes: To restrict users from being able to upload local files to a project directly, combine this role with the "Enable AI Catalog as File Source Limitation" feature flag.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | ✔ | ||
| Custom Model | ✔ | ✔ | |
| Data Source | ✔ | ✔ | |
| Data Store | ✔ | ✔ | |
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | ✔ | ✔ | |
| Model Package | ✔ | ✔ | |
| Prediction Environment | ✔ | ||
| Project | ✔ | ✔ | |
| Registered Model | ✔ | ✔ | |
| Risk Management Framework | ✔ | ||
| Use Case | ✔ |
Data Scientist
Access: Can build or add models in the platform, both using AutoML and creating custom or remote models.
Notes: Cannot perform any actions that will break production systems. This type of user can also build AI applications.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | ✔ | ||
| Custom Model | ✔ | ✔ | |
| Data Source | ✔ | ✔ | |
| Data Store | ✔ | ✔ | |
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | ✔ | ||
| Model Package | ✔ | ✔ | |
| Prediction Environment | ✔ | ||
| Project | ✔ | ✔ | |
| Registered Model | ✔ | ✔ | |
| Risk Management Framework | ✔ | ✔ | |
| Use Case | ✔ | ✔ |
MLOps Admin
Access: Can access every MLOps object on the system—deployments, model packages, custom models, and custom environments.
Useful for: Debugging and reporting usage and activity for any MLOps object created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | ✔ | ✔ | ✔ |
| Custom Model | ✔ | ✔ | ✔ |
| Data Source | ✔ | ✔ | |
| Data Store | ✔ | ✔ | |
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | ✔ | ✔ | ✔ |
| Model Package | ✔ | ✔ | ✔ |
| Prediction Environment | ✔ | ✔ | ✔ |
| Project | ✔ | ✔ | |
| Registered Model | ✔ | ✔ | ✔ |
| Risk Management Framework | ✔ | ✔ | ✔ |
| Use Case | ✔ | ✔ |
Prediction-only
Access: Can make predictions on a specified deployment and no other.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | |||
| Custom Environment | |||
| Custom Model | |||
| Data Source | ✔ | ||
| Data Store | ✔ | ||
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | ✔ | ||
| Model Package | |||
| Prediction Environment | ✔ | ||
| Project | |||
| Registered Model | |||
| Risk Management Framework | ✔ | ||
| Use Case | ✔ | ✔ |
Project Admin
Access: Can access every modeling project created across the system.
Useful for: Debugging and reporting on usage and activity for any modeling project created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | |
| Custom Environment | |||
| Custom Model | |||
| Data Source | ✔ | ✔ | |
| Data Store | ✔ | ✔ | |
| Dataset Data | ✔ | ✔ | |
| Dataset Info | ✔ | ✔ | |
| Deployment | |||
| Model Package | |||
| Prediction Environment | |||
| Project | ✔ | ✔ | ✔ |
| Registered Model | |||
| Risk Management Framework | ✔ | ✔ | ✔ |
| Use Case | ✔ | ✔ |
Use Case Admin
Access: Can access every Use Case created across the system.
Useful for: Viewing and managing any Use Case created in their organization.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ✔ | ✔ |
| Custom Environment | ✔ | ✔ | ✔ |
| Custom Model | ✔ | ✔ | ✔ |
| Data Source | ✔ | ✔ | ✔ |
| Data Store | ✔ | ✔ | ✔ |
| Dataset Data | ✔ | ✔ | ✔ |
| Dataset Info | ✔ | ✔ | ✔ |
| Deployment | ✔ | ✔ | ✔ |
| Model Package | ✔ | ✔ | ✔ |
| Prediction Environment | ✔ | ✔ | ✔ |
| Project | ✔ | ✔ | ✔ |
| Registered Model | ✔ | ✔ | ✔ |
| Risk Management Framework | ✔ | ✔ | ✔ |
| Use Case | ✔ | ✔ | ✔ |
Viewer
Access: Can view any object across the system that they have access to, but cannot perform any actions beyond viewing datasets.
| Object | Admin | Read | Write |
|---|---|---|---|
| Application | ✔ | ||
| Custom Environment | ✔ | ||
| Custom Model | ✔ | ||
| Data Source | ✔ | ||
| Data Store | ✔ | ||
| Dataset Data | ✔ | ||
| Dataset Info | ✔ | ||
| Deployment | ✔ | ||
| Model Package | ✔ | ||
| Prediction Environment | ✔ | ||
| Project | ✔ | ||
| Registered Model | ✔ | ||
| Risk Management Framework | ✔ | ||
| Use Case | ✔ |