Roles and permissions¶
DataRobot employs many layers of security to help protect customer data—at the architecture, entity access, and authentication levels. The sections on this page provide details for roles and permissions at each level.
General access guidance¶
Access is comprised of roles and permissions. Roles categorize a user's access; permissions specify the function-based privileges associated with the role.
Role definitions¶
In general, role types have the following access:
Role | Access |
---|---|
Consumer/Observer | Read-only |
Editor/User | Read/Write |
Owner | Read/Write/Administer |
Role priority and sharing¶
Role-based access control (RBAC) controls access to the DataRobot application and is managed by organization administrators. The RBAC roles are named differently but covey the same read/write/admin permissions. The assigned role controls both what you can see when using the application and which objects you can access.
RBAC overrides sharing-based role permissions. For example, let's say you share with another user who was assigned the RBAC Viewer role (Read-only access) by the admin. You grant them User permissions (Read/Write access). However, because the Viewer role takes priority, the user is denied Write access.
A user can have multiple roles assigned for a single entity—the most permissive role takes precedence and is then updated according to RBAC. Consider:
-
A dataset is shared with an organization, with members assigned the consumer role. The dataset is then shared with a user in that organization and assigned the editor role. The user will have editor capabilities. Other organization members will be consumers.
-
A dataset is shared to a group, with members given owner permissions. You want one user in the group to have consumer access only. Remove that user from the group and reassign them individually to restrict their permissions.
Project roles¶
The following table describes the general capabilities allowed by each role. See also specific roles and privileges below.
Capability | Owner | User | Consumer |
---|---|---|---|
View everything | ✔ | ✔ | ✔ |
Launch IDEs | ✔ | ✔ | |
Make predictions | ✔ | ✔ | |
Create and edit feature lists | ✔ | ✔ | |
Set target | ✔ | ✔ | |
Delete jobs from queue | ✔ | ✔ | |
Run Autopilot | ✔ | ✔ | |
Share a project with others | ✔ | ✔ | |
Rename project | ✔ | ✔ | |
Delete project | ✔ | ||
Unlock holdout | ✔ | ||
Clone project | ✔ | ✔ |
Shared data connection and data asset roles¶
The user roles below represent three levels of permissions to support nuanced access across collaborative data connections and data sources (entities). When you share entities, you must assign a role to the user(s) you share with:
Note
Only an administrator can add database drivers.
User role | Description |
---|---|
Editor | An active user of an entity. This role has limitations based on the entity (read and write). |
Consumer | A passive user of an entity (read-only). |
Owner | The creator or assigned administrator of an entity. This role has the highest access and ability (read, write, administer). |
The following table indicates which role is required for tasks associated with the AI Catalog. The table refers to the following roles:
User role | Code |
---|---|
Consumer | C |
Consumer w/ data access | CA |
Editor | E |
Editor w/ data access | EA |
Owner | O |
Task | Permission |
---|---|
Data store/Data connections | |
View data connections | C, CA, E, EA, O |
Test connections | C, CA, E, EA, O |
Create new data sources from a data connection | E, EA, O |
List schemas and tables | E, EA, O |
Edit and rename data connection | E, EA, O |
Delete data connection | O |
Dataset/Data asset | |
View metadata and collaborators | C, CA, E, EA, O |
Share | Collaborators can share with others, assigning a role as high as their own role. For example, a Consumer can share and assign the Consumer role but not the Editor role. The Owner role can assign any available roles. |
Download data sample | CA, EA, O |
Download dataset | CA, EA, O |
View sample data | CA, EA, O |
Use dataset for project creation | CA, EA, O |
Use dataset for custom model training | CA, EA, O |
Use dataset for predictions | CA, EA, O |
Modify metadata | E, EA, O |
Create a new version (remote or snapshot)* | EA, O |
Reload** | EA, O |
Delete dataset | O |
* "Remote" refers to information on where to find data (e.g., a URL link); "snapshot" is actual data
** If the dataset is "remote," it is converted to a snapshot
Deployment roles¶
The following table defines the deployment permissions for each deployment role:
Capability | Owner | User | Consumer |
---|---|---|---|
Consume predictions | ✔ | ✔ | ✔* |
Get data via API | ✔ | ✔ | |
View deployment in inventory | ✔ | ✔ | |
Replace model | ✔ | ||
Edit deployment metadata | ✔ | ||
Delete deployment | ✔ | ||
Add user to deployment | ✔ | ✔ | |
Change permission levels of users | ✔ | ✔** | |
Remove users from shared deployment | ✔*** | ✔ |
* Consumers can make predictions using the deploy API route, but the deployment will not be part of their deployment inventory.
** To Consumer or User only.
*** Can remove self only if there is another user with the Owner role.
Shared deployment job roles¶
Every user has full access to job definitions and batch jobs they created; however, shared job definitions and batch jobs are subject to role-based access controls.
The following table defines the shared prediction job definition and monitoring job definition permissions for each deployment role:
Capability | Owner | User | Consumer |
---|---|---|---|
View prediction jobs and job definitions | ✔ | ✔ | |
View monitoring jobs and job definitions | ✔ | ✔ | |
Run prediction job definitions | ✔ | ✔ | |
Run monitoring job definitions | ✔ | ✔ | |
Clone prediction job definitions | ✔ | ✔ | |
Clone monitoring job definitions | ✔ | ✔ | |
Edit prediction job definitions | ✔ | ||
Edit monitoring job definitions | ✔ | ||
Delete prediction job definitions | ✔ | ||
Delete monitoring job definitions | ✔ |
The following table defines the shared batch job permissions for each deployment role:
Capability | Owner | User | Consumer |
---|---|---|---|
View batch jobs and logs | ✔ | ✔ | |
Run batch jobs again | ✔ | ✔ | |
Create batch job definitions from jobs | ✔ | ✔ | |
Edit batch job definitions from jobs | ✔ | ||
Abort batch jobs | ✔ |
Model Registry roles¶
The following table defines the permissions for each model package role:
Option | Description | Availability |
---|---|---|
View a model package | View the metadata for a model package, including the model target, prediction type, creation date, and more. | Owner, User, Consumer |
Deploy a model package | Creates a new deployment with the selected model package. | Owner, User, Consumer |
Share a model package | Provides sharing capabilities independent of project permissions. | Owner, User, Consumer |
Permanently archive a model package | Provides sharing capabilities independent of project permissions. | Owner |
Custom Model and Environment roles¶
The following tables define the permissions for each custom model or environment role:
Note
There isn't an editor role for custom environments, only for custom models.
Environment Roles and Permissions¶
Capability | Owner | Consumer |
---|---|---|
Use and view the environment | ✔ | ✔ |
Update metadata and add new versions of the environment | ✔ | |
Delete the environment | ✔ |
Model roles and permissions¶
Capability | Owner | Editor | Consumer |
---|---|---|---|
Use and view the model | ✔ | ✔ | ✔ |
Update metadata and add new versions of the model | ✔ | ✔ | |
Delete the model | ✔ | ✔ |
*All roles can share an application by sharing the application link with an embedded authorization token.
No-Code AI App roles¶
The following table defines the permissions for each role supported for Automated Applications.
Capability | Owner | Editor | Consumer |
---|---|---|---|
Make predictions | ✔ | ✔ | ✔ |
Deactivate an application | ✔ | ✔ | |
Share an application to other DataRobot licensed users | ✔ | ||
Delete an application | ✔ | ||
Upgrade an application | ✔ | ✔ | |
Update an application's settings | ✔ | ✔ |
GenAI roles¶
Working with Generative AI (GenAI) in DataRobot can include creating vector databases, creating and comparing LLM blueprints in the playground, preparing LLM blueprints for deployment, working with metrics, and bringing your own LLM.
The following table describes GenAI component-related user permissions. All roles (Consumer, Editor, Owner) refer to the user's role in the Use Case; access to various function are based on the Use Case roles. For example, because sharing is handled on the Use Case level, you cannot share only a vector database (vector databases do not define any sharing rules).
Permissions for GenAI functions
Function | Use Case Consumer | Use Case Editor | Use Case Owner |
---|---|---|---|
Vector database | |||
Vector database creators | |||
Create vector database | ✘ | ✔ | ✔ |
Create vector database version | ✘ | ✔ | ✔ |
Edit vector database info | ✘ | ✔ | ✔ |
Delete vector database | ✘ | ✔ | ✔ |
Vector database non-creators | |||
Edit vector database info | ✘ | ✘ | ✔ |
Delete vector database | ✘ | ✘ | ✔ |
Playground | |||
Playground creators | |||
Create playground | ✘ | ✔ | ✔ |
Rename playground | ✘ | ✔ | ✔ |
Edit playground description | ✘ | ✔ | ✔ |
Delete playground | ✘ | ✔ | ✔ |
Playground non-creators | |||
Edit playground description | ✘ | ✘ | ✔ |
Delete playground | ✘ | ✘ | ✔ |
Playground → Assessment tab | |||
Configure assessment | ✘ | ✔ | ✔ |
Enable/disable assessment metrics | ✘ | ✔ | ✔ |
Playground → Tracing tab | |||
Download log | ✔ | ✔ | ✔ |
Upload to AI Catalog | ✔ | ✔ | ✔ |
LLM blueprint created by others (shared Use Case) | |||
Configure | ✘ | ✘ | ✘ |
Send prompts (from Configuration) | ✘ | ✘ | ✘ |
Generate aggregated metrics | ✘ | ✔ | ✔ |
Create conversation (from Comparison) | ✘ | ✘ | ✘ |
Upvote/downvote responses | ✔ | ✔ | ✔ |
Star/favorite | ✘ | ✘ | ✘ |
Copy to new LLM blueprint | ✘ | ✔ | ✔ |
Delete | ✘ | ✘ | ✘ |
Register | ✘ | ✘ | ✘ |