User Roles and Permissions
You can use a preset role or create your own roles with custom permissions.
Role-Based Access Control (RBAC)
deepset AI Platform offers role-based access control at two levels: organization and workspace. Roles are scoped at each level and define what users can access and manage, enabling precise control over assets.
The deepset AI Platform includes preset roles at both the organization and workspace levels. You can also define custom roles at the workspace level to set specific permissions.
Preset Roles
Preset roles are predefined roles you can assign to users. You can also use them as a starting point when creating custom roles. You can't edit preset roles.
Organization Preset Roles
The following preset roles grant permissions at the organization level:
Role | Scope | Permissions |
---|---|---|
Admin | Organization | Can perform tasks and manage users and workspaces at the organization level. - Has write access to all workspaces in the organization. - Can change roles of other organization members. - Cannot change their own role. - Can manage organization-wide secrets, integrations, and API keys. - Can view usage statistics. - Can create custom roles. - Can import custom components. |
Member | Organization | Must be granted explicit access to workspaces to be able to perform tasks. - Can view organization-wide secrets, integrations and roles. - Has no permissions on other organization-wide assets like usage statistics, custom components or API keys. |
Workspace Preset Roles
The following preset roles grant permissions at the workspace level:
Role | Scope | Permissions |
---|---|---|
Editor | Workspace | |
Search user | Workspace | |
Custom Roles
Organization Admins can create roles with custom permissions. Custom roles apply only at the workspace level. You can't create roles with organization-wide permissions.
Permissions
When creating custom roles, you can either use a preset role and its permissions as a starting point, or you can choose the permissions from scratch. The following table explains available permissions. Read & write permissions include everything in read-only, plus additional actions.
Asset | Access type | Explanation |
---|---|---|
Feedback | No access | Feedback options are inactive. |
Feedback | Read & write | |
Feedback Management | No access | Feedback options are inactive. |
Feedback Management | Read-only | |
Feedback Management | Read & write | |
Jobs | No access | The feature is hidden. |
Jobs | Read-only | |
Jobs | Read & write | |
Shared Prototypes | No access | The share option is inactive. |
Shared Prototypes | Read-only | |
Shared Prototypes | Read & write | |
Pipelines | No access | The feature is hidden. |
Pipelines | Read-only | |
Pipelines | Read & write | |
Pipeline Templates | No access | The feature is hidden. |
Pipeline Templates | Read-only | |
Prompts | No access | The feature is hidden. |
Prompts | Read-only | |
Prompts | Read & write | |
Search history | No access | The feature is inactive. |
Search history | Read-only | |
Search history | Read & write | |
Files | No access | The feature is hidden. |
Files | Read-only | |
Files | Read & write | |
Indexes | No access | The feature is hidden. |
Indexes | Read-only | |
Indexes | Read & write | |
Groundedness | Read-only | |
Secrets & Integrations | Read-only | |
Secrets & Integrations | Read & write | |
API Keys | Read & write | |
Workspace statistics | Read-only | |
Examples
Prompt Engineer
To create a custom Prompt Engineer role that:
- Can create, update, save, and delete prompts
- Can test prompts in Prompt Explorer
- Can view file references in generated answers
- Can add feedback to generated answers
- Cannot update prompts in pipelines
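You would need the following permissions. Pipelines is set to Read rather than Read & write, which is what keeps the role from updating prompts in pipelines: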
Asset | Access Type |
---|---|
Pipelines | Read |
Files | Read |
Prompts | Read & write |
Feedback | Read & write |
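The Prompt Engineer table above can serve as a least-privilege baseline when reviewing custom roles. The following is an added example, not deepset code or a platform API: it compares a role's grants against that baseline and reports excess and missing permissions. The dictionary representation of a role, the DRIFTED sample, and the rule that an unlisted asset means "No access" are assumptions made for illustration.

```python
# Access levels ordered from least to most privileged, using this page's labels.
LEVELS = {"No access": 0, "Read": 1, "Read & write": 2}

# Baseline copied from the Prompt Engineer example table.
# Assumption: an asset that is not listed is treated as "No access".
PROMPT_ENGINEER = {
    "Pipelines": "Read",
    "Files": "Read",
    "Prompts": "Read & write",
    "Feedback": "Read & write",
}


def normalize(level):
    """Treat 'Read-only' and 'Read' as the same level; reject unknown labels."""
    level = "Read" if level == "Read-only" else level
    if level not in LEVELS:
        raise ValueError(f"unknown access type: {level!r}")
    return level


def audit_role(granted, baseline):
    """Return (excess, missing), each a list of (asset, granted, expected)."""
    excess, missing = [], []
    for asset in sorted(set(granted) | set(baseline)):
        have = normalize(granted.get(asset, "No access"))
        want = normalize(baseline.get(asset, "No access"))
        if LEVELS[have] > LEVELS[want]:
            excess.append((asset, have, want))
        elif LEVELS[have] < LEVELS[want]:
            missing.append((asset, have, want))
    return excess, missing


# Constructed sample: a custom role that has drifted from the baseline.
DRIFTED = {
    "Pipelines": "Read & write",  # baseline is Read: role must not update prompts in pipelines
    "Files": "Read-only",
    "Prompts": "Read & write",
    "Secrets & Integrations": "Read-only",  # not part of the baseline at all
}

if __name__ == "__main__":
    excess, missing = audit_role(DRIFTED, PROMPT_ENGINEER)
    for asset, have, want in excess:
        print(f"EXCESS  {asset}: {have} (baseline: {want})")
    for asset, have, want in missing:
        print(f"MISSING {asset}: {have} (baseline: {want})")
```

Excess findings are the ones to review first, since they mark access the role was never meant to have.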