User Roles and Permissions

You can use a preset role or create your own roles with custom permissions.

Role-Based Access Control (RBAC)

deepset AI Platform offers role-based access control at two levels: organization and workspace. Roles are scoped at each level and define what users can access and manage, enabling precise control over assets.

The deepset AI Platform includes preset roles at both the organization and workspace levels. You can also define custom roles at the workspace level to set specific permissions.

Preset Roles

Preset roles are predefined roles you can assign to users. You can also use them as a starting point when creating custom roles. You can't edit preset roles.

Organization Preset Roles

The following preset roles grant permissions at the organization level:

Role: Admin
Scope: Organization
Permissions: Can perform tasks and manage users and workspaces at the organization level.
- Has write access to all workspaces in the organization.
- Can change roles of other organization members.
- Cannot change their own role.
- Can manage organization-wide secrets, integrations, and API keys.
- Can view usage statistics.
- Can create custom roles.
- Can import custom components.

Role: Member
Scope: Organization
Permissions: Must be granted explicit access to workspaces to be able to perform tasks.
- Can view organization-wide secrets, integrations and roles.
- Has no permissions on other organization-wide assets like usage statistics, custom components or API keys.

Workspace Preset Roles

The following preset roles grant permissions at the workspace level:

Role: Editor
Scope: Workspace
Permissions:
- Has write access to all assets within a workspace
- Has no permissions to manage workspace users

Role: Search user
Scope: Workspace
Permissions:
- Can use Playground, including adding feedback and modifying query time parameters
- Can use Jobs, including creating, running, and sharing

Custom Roles

Organization Admins can create roles with custom permissions. Custom roles apply only at the workspace level. You can't create roles with organization-wide permissions.

Permissions

When creating custom roles, you can either use a preset role and its permissions as a starting point, or you can choose the permissions from scratch. The following table explains available permissions. Read & write permissions include everything in read-only, plus additional actions.

Asset: Feedback
  No access: Feedback options are inactive.
  Read & write:
    - Can add, update, and view feedback.

Asset: Feedback Management
  No access: Feedback options are inactive.
  Read-only:
  Read & write:
    - Can add, update, and delete feedback tags.
    - Can delete feedback items.

Asset: Jobs
  No access: The feature is hidden.
  Read-only:
    - Can view jobs and job results on the Jobs page
    - Can download job results
  Read & write:
    - Can create, run, share, view, update, and delete jobs.

Asset: Shared Prototypes
  No access: The share option is inactive.
  Read-only:
  Read & write:
    - Can share pipeline prototypes.
    - Can update and delete shared prototypes.

Asset: Pipelines
  No access: The feature is hidden.
  Read-only:
    - Can view pipelines on the Pipelines page.
    - Can view pipeline details on the Pipeline Details page.
    - Can open a pipeline in Pipeline Builder in view-only mode.
    - Can run searches in Playground and Prompt Explorer
    - Can activate pipelines.
  Read & write:
    - Can create, update, share, and delete pipelines.
    - Can configure pipeline service level.
    - Can deploy and undeploy pipelines.
    - Can duplicate pipelines.
    - Can use pipeline templates.
    - Can debug pipelines using the remote tunnel.
    - Can update prompts in the pipeline using Prompt Explorer.

Asset: Pipeline Templates
  No access: The feature is hidden.
  Read-only:
    - Can view templates and their details.

Asset: Prompts
  No access: The feature is hidden.
  Read-only:
    - Can view and use custom prompts in the prompt hub in Prompt Explorer.
  Read & write:
    - Can create, update, and delete custom prompts in the prompt hub in Prompt Explorer.

Asset: Search history
  No access: The feature is inactive.
  Read-only:
    - Can view search history.
  Read & write:

Asset: Files
  No access: The feature is hidden.
  Read-only:
    - Can view a list of files in a workspace.
    - Can view file metadata
    - Can view files
    - Can download files
    - Can see file references in generated answers.
  Read & write:
    - Can upload, delete, and download files.
    - Can add and modify file metadata.

Asset: Indexes
  No access: The feature is hidden.
  Read-only:
    - Can view all indexes in the workspace
    - Can view index details on the Index Details page
    - Can open an index in Pipeline Builder in view-only mode
    - Can view names of indexed files
    - Can export documents as CSV
  Read & write:
    - Can create, update, and delete indexes.
    - Can enable and disable indexes.
    - Can use index templates

Asset: Groundedness
  Read-only:
    - Can view the Groundedness page

Asset: Secrets & Integrations
  Read-only:
    - Can view secrets and integrations of a workspace
  Read & write:
    - Can add and delete secrets
    - Can connect and disconnect to an integration

Asset: API Keys
  Read & write:
    - Create, configure, modify and delete API Keys in a workspace

Asset: Workspace statistics
  Read-only:
    - Can view the homepage

Examples

Prompt Engineer

To create a custom Prompt Engineer role that:

  • Can create, update, save, and delete prompts
  • Can test prompts in Prompt Explorer
  • Can view file references in generated answers
  • Can add feedback to generated answers
  • Cannot update prompts in pipelines

You would need the following permissions:

Asset: Access Type
Pipelines: Read
Files: Read
Prompts: Read & write
Feedback: Read & write
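
The Prompt Engineer derivation above, worked through as an added example (not deepset code and not a platform API). It models a few rows of the permissions table, computes the lowest access type per asset that covers the required actions, and reports any "cannot" requirement the resulting grants would still allow. The capability labels are hypothetical names chosen here, and "Read-only" is the table's name for what the example lists as "Read".

```python
# Constructed model of part of the permissions table; labels are hypothetical,
# not platform identifiers.
LEVELS = ["No access", "Read-only", "Read & write"]  # each level includes the previous

# capability -> (asset, lowest access type that grants it), read off the table
CAPABILITIES = {
    "create/update/delete custom prompts": ("Prompts", "Read & write"),
    "run searches in Prompt Explorer": ("Pipelines", "Read-only"),
    "see file references in answers": ("Files", "Read-only"),
    "add feedback": ("Feedback", "Read & write"),
    "update prompts in pipelines": ("Pipelines", "Read & write"),
    "debug pipelines via remote tunnel": ("Pipelines", "Read & write"),
}


def minimal_role(required, denied):
    """Return (grants, conflicts) for a least-privilege custom role.

    grants: asset -> lowest access type covering every required capability.
    conflicts: denied capabilities the grants still allow, because an access
    type applies to the whole asset and cannot exclude a single action.
    """
    grants = {}
    for cap in required:
        asset, level = CAPABILITIES[cap]
        current = grants.get(asset, "No access")
        grants[asset] = max(current, level, key=LEVELS.index)
    conflicts = sorted(
        cap for cap in denied
        if LEVELS.index(grants.get(CAPABILITIES[cap][0], "No access"))
        >= LEVELS.index(CAPABILITIES[cap][1])
    )
    return grants, conflicts


PROMPT_ENGINEER = [
    "create/update/delete custom prompts",
    "run searches in Prompt Explorer",
    "see file references in answers",
    "add feedback",
]

if __name__ == "__main__":
    print(minimal_role(PROMPT_ENGINEER, ["update prompts in pipelines"]))
    # Adding a Pipelines Read & write action makes the "cannot" unenforceable:
    print(minimal_role(PROMPT_ENGINEER + ["debug pipelines via remote tunnel"],
                       ["update prompts in pipelines"]))
```

A non-empty conflicts list means the role as specified cannot be expressed with per-asset access types, so either the required action or the restriction has to be dropped.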