Skip to content

On-premise users: click in-app to access the full platform documentation for your version of DataRobot.

Role-based access control

Role-based access control (RBAC) controls access to the DataRobot application by assigning users roles with designated privileges. Role-based permissions and role-role relationships make it simple to assign the appropriate permissions the specific ways in which users intend to use the application.

You can assign a role to specific users in User Permissions, or to all members in a group in Group Permissions. The assigned role controls both what the user sees when using the application and which objects they have access to. RBAC is additive, so a user's permissions will be the sum of all permissions set at the user and group level.

Additive user roles

Permissions can be set for a group of people and for individual users. A user's permissions will be equal to the union of:

  • The permissions that are set for that user.
  • The permissions that are set for the group(s) to which they belong.

For example, say the role assigned to you at a group level allows A but not B, and the role assigned to you at a user level allows B but not A. In this case, you have access to both A (granted at the group level) and B (granted at the user level).

Although the group does not have access to B, individual users may still have access to B, and to revoke access to A, it must be removed for the entire group or individual users must be removed from the group.

The following roles can be assigned:

  • Data Scientist
  • Viewer
  • MLOps Admin
  • Apps Consumer
  • Apps Admin
  • Project Admin
  • Prediction-only
  • Data Consumer
  • Data Admin

The following objects also use the RBAC framework in the DataRobot application:

  • Projects
  • Deployments
  • Database Connectivity
  • Datasets
  • Dataset metadata
  • Custom Models and Environments
  • Execution Environments
  • AI Applications
  • Model Packages

The sections below describe the permissions applied for each role provided with Role-based access control.

Tiers of access

Each role is granted a different degree of access for the various object types available within the application:

  • Read access to an object allows the user to access that area of the application for viewing but they cannot create these objects.

  • Write access to an object type allows the user to create objects in that area of the application. There are no restrictions applied with write access aside from administrative permissions.

  • Admin access to an object type grants a user access to all objects of a given type that belong to the user's organization. For example, if a user has admin access to projects, they can view every project created within their organization and make edits to them.

  • No Access disables a user's access to an object type. This is indicated by the red "X" label displayed for a given permission. They will be unable to access that part of the application, create that type of object, or gain access to any of the objects of that type.

Data Scientist

Access: Can build or add models in the platform, both using AutoML and creating custom or remote models.

Notes: Cannot perform any actions that will break production systems. This type of user can also build AI applications.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Viewer

Access: Can view any object across the system that they have access to, but cannot perform any actions beyond viewing datasets.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

MLOps Admin

Access: Can access every MLOps object on the system—deployments, model packages, custom models, and custom environments.

Useful for: Debugging and reporting usage and activity for any MLOps object created in their organization.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Apps Consumer

Access: Can consume the DataRobot AI-powered applications that are shared with them to help make business decisions.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Apps Admin

Access: Can access every AI Application created across the system with admin permissions.

Useful for: Debugging and reporting on usage and activity for any AI Application created in their organization.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Project Admin

Access: Can access every modeling project created across the system.

Useful for: Debugging and reporting on usage and activity for any modeling project created in their organization.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Prediction-only

Access: Can make predictions on a specified deployment and no other.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Data Consumer

Access: Can consume the datasets created across the system.

Notes: To restrict users from being able to upload local files to a project directly, combine this role with the "Enable AI Catalog as File Source Limitation" feature flag.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Data Admin

Access: Can access every dataset created across the system with admin permissions, including all metadata associated with each dataset.

Useful for: Debugging and reporting on usage and activity for any data asset pulled into the AI Catalog.

Object Admin Read Write
Application
Custom Environment
Custom Model
Dataset Data
Dataset Info
Deployment
Entitlement Definition
Entitlement Set
Model Package
Prediction Environment
Project
Registered Model

Updated August 6, 2024