User Roles and Permissions
You can use a preset role or create your own roles with custom permissions.
Role-Based Access Control (RBAC)
deepset AI Platform offers role-based access control at two levels: organization and workspace. Roles are scoped at each level and define what users can access and manage, enabling precise control over assets.
The deepset AI Platform includes preset roles at both the organization and workspace levels. You can also define custom roles at the workspace level to set specific permissions.
Preset Roles
Preset roles are predefined roles you can assign to users. You can also use them as a starting point when creating custom roles. You can't edit preset roles.
Organization Preset Roles
The following preset roles grant permissions at the organization level:
Role | Scope | Permissions |
---|---|---|
Admin | Organization | - Can perform tasks and manage users and workspaces at the organization level. - Has write access to all workspaces in the organization. - Can change roles of other organization members. - Cannot change their own role. - Can manage organization-wide secrets, integrations, and API keys. - Can view usage statistics. - Can create custom roles. - Can import custom components. |
Member | Organization | - Must be granted explicit access to workspaces to be able to perform tasks. - Can view organization-wide secrets, integrations and roles. - No permissions on other organization-wide assets like usage statistics, custom components or API keys. |
Workspace Preset Roles
The following preset roles grant permissions at the workspace level:
Role | Scope | Permissions |
---|---|---|
Editor | Workspace | - Has write access to all assets within a workspace - No permissions to manage workspace users |
Search user | Workspace | - Can use Playground, including adding feedback, modifying query time parameters - Can use Jobs, including creating, running, and sharing |
Custom Roles
Organization Admins can create roles with custom permissions. Custom roles apply only at the workspace level. You can't create roles with organization-wide permissions.
Permissions
When creating custom roles, you can either use a preset role and its permissions as a starting point, or you can choose the permissions from scratch. The following table explains available permissions. Read & write permissions include everything in read-only, plus additional actions.
Asset | Access type | Explanation |
---|---|---|
Feedback | No access | Feedback options are inactive. |
Feedback | Read & write | - Can add, update, and view feedback. |
Feedback Management | No access | Feedback options are inactive. |
Feedback Management | Read-only | - Can view feedback, feedback statistics and export feedback across pipelines via API |
Feedback Management | Read & write | - Can add, update, and delete feedback tags. - Can delete feedback items. |
Jobs | No access | The feature is hidden. |
Jobs | Read-only | - Can view jobs and job results on the Jobs page - Can download job results |
Jobs | Read & write | - Can create, run, share, view, update, and delete jobs. |
Shared Prototypes | No access | The share option is inactive. |
Shared Prototypes | Read-only | - Can list active shared prototypes within a workspace via API |
Shared Prototypes | Read & write | - Can share pipeline prototypes. - Can update and delete shared prototypes. |
Pipelines | No access | The feature is hidden. |
Pipelines | Read-only | - Can view pipelines on the Pipelines page. - Can view pipeline details on the Pipeline Details page. - Can open a pipeline in Pipeline Builder in view-only mode. - Can run searches in Playground and Prompt Explorer - Can activate pipelines. |
Pipelines | Read & write | - Can create, update, share, and delete pipelines. - Can configure pipeline service level. - Can deploy and undeploy pipelines. - Can duplicate pipelines. - Can use pipeline templates. - Can debug pipelines using the remote tunnel. - Can update prompts in the pipeline using Prompt Explorer. |
Pipeline Templates | No access | The feature is hidden. |
Pipeline Templates | Read-only | - Can view templates and their details. |
Prompts | No access | The feature is hidden. |
Prompts | Read-only | - Can view and use custom prompts in the prompt hub in Prompt Explorer. |
Prompts | Read & write | - Can create, update, and delete custom prompts in the prompt hub in Prompt Explorer. |
Search history | No access | The feature is inactive. |
Search history | Read-only | - Can view search history. |
Search history | Read & write | - Can delete search history via API |
Files | No access | The feature is hidden. |
Files | Read-only | - Can view a list of files in a workspace. - Can view file metadata - Can view files - Can download files - Can see file references in generated answers. |
Files | Read & write | - Can upload, delete, and download files. - Can add and modify file metadata. |
Indexes | No access | The feature is hidden. |
Indexes | Read-only | - Can view all indexes in the workspace - Can view index details on the Index Details page - Can open an index in Pipeline Builder in view-only mode - Can view names of indexed files - Can export documents as CSV |
Indexes | Read & write | - Can create, update, and delete indexes. - Can enable and disable indexes. - Can use index templates |
Groundedness | Read-only | - Can view the Groundedness page |
Secrets & Integrations | Read-only | - Can view secrets and integrations of a workspace |
Secrets & Integrations | Read & write | - Can add and delete secrets - Can connect and disconnect to an integration |
API Keys | Read & write | - Create, configure, modify and delete API Keys in a workspace |
Workspace statistics | Read-only | - Can view the homepage |
Examples
Prompt Engineer
To create a custom Prompt Engineer role that:
- Can create, update, save, and delete prompts
- Can test prompts in Prompt Explorer
- Can view file references in generated answers
- Can add feedback to generated answers
- Cannot update prompts in pipelines
You would need the following permissions:
Asset | Access Type |
---|---|
Pipelines | Read |
Files | Read |
Prompts | Read & write |
Feedback | Read & write |
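
The Prompt Engineer mapping above can be derived as a least-privilege check: pick the lowest access level per asset that covers the required actions, then confirm it grants nothing the role must not have. This is an added example, not deepset code or a deepset API; the capability labels and the `GRANTS` subset are shorthand constructed from the permissions table on this page.

```python
# Levels are ordered: each one includes everything granted by the levels before it.
LEVELS = ["No access", "Read-only", "Read & write"]

# Constructed subset of the permissions table: capabilities first granted at each level.
# The capability labels are invented shorthand for this example.
GRANTS = {
    "Pipelines": {
        "Read-only": {"view_pipelines", "run_prompt_explorer_search"},
        "Read & write": {"update_pipeline_prompts", "deploy_pipelines"},
    },
    "Files": {
        "Read-only": {"view_files", "see_file_references"},
        "Read & write": {"upload_files", "delete_files"},
    },
    "Prompts": {
        "Read-only": {"use_custom_prompts"},
        "Read & write": {"create_prompts", "update_prompts", "delete_prompts"},
    },
    "Feedback": {"Read & write": {"add_feedback", "view_feedback"}},
}

def effective(asset, level):
    """Capabilities held at `level`, including those inherited from lower levels."""
    caps = set()
    for lvl in LEVELS[1:LEVELS.index(level) + 1]:
        caps |= GRANTS[asset].get(lvl, set())
    return caps

def minimal_role(required, forbidden=()):
    """Lowest level per asset covering `required`; fail if it also grants `forbidden`."""
    required, forbidden = set(required), set(forbidden)
    role, granted = {}, set()
    for asset in GRANTS:
        needed = required & effective(asset, LEVELS[-1])
        role[asset] = next(l for l in LEVELS if needed <= effective(asset, l))
        granted |= effective(asset, role[asset])
    if required - granted:
        raise KeyError(f"no asset grants: {sorted(required - granted)}")
    if granted & forbidden:
        raise ValueError(f"role also grants: {sorted(granted & forbidden)}")
    return role

PROMPT_ENGINEER = ["create_prompts", "update_prompts", "delete_prompts",
                   "run_prompt_explorer_search", "see_file_references", "add_feedback"]

if __name__ == "__main__":
    print(minimal_role(PROMPT_ENGINEER, forbidden=["update_pipeline_prompts"]))
```

A `ValueError` means the requested actions cannot be separated from a forbidden one at the asset level, which is the case to review before assigning the role.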