You can configure and manage roles, permissions and teams for different users in your Adaptive Engine deployment. This allows you to cater the set of actions each user is allowed to perform on the platform according to their responsility or intended use, following the principle of least privilege.

  • Permissions grant a user the ability to perform a given action; for example the use_case:adapt permission allows a user to fine-tune models. See List of all permissions.

  • Roles are named sets of permissions, which you can directly assign to users, or set as default for new users added to a team. There are several default roles available in Adaptive Engine, but you can also create your own roles with client.roles.create(). You can change a user’s role with client.users.update().

  • Teams are groups of users that have access to use cases owned by their group, and all their associated resources - such as interactions, evaluation/training jobs, and attached models. User A must be in team X to see and interact with team X’s use cases and resources. You can create a new team with client.teams.create(), and add a user to a team with client.users.update().

Users can be part of multiple teams, and have a different role in each team.

There is a reserved admin team in every Adaptive Engine deployment; members of the admin teams that are assigned admin or platform_admin role are the only users who can perform a set of global operations - namely creating new roles, teams, and adding/removing users to/from any team. You can specify the emails of seed admin user(s) in the values.yaml files of the Adaptive Helm chart, as well as the default role and team that new users will be assigned on first sign up (see below). This can later be changed by an admin user with client.users.update().

auth:
  # One of [admin, platform_admin, power_user, read-only, inference, annotator]
  default_role: admin
  # New users that sign up will be part of a default team; you must not set `default_team: admin` if you specify admin users below
  default_team: default
  # List of email addresses for admins; on sign up, these will be added to both the `default_team` with `defaul_role`,
  # and to `admin` team with `platorm_admin` role
  admins: []

List of all permissions

In each resource category tab, you will find the permission key, followed by a description of its scope.

  • admin:manage_roles
    • list all roles (user can be in any team)
    • create new role (user must be in admin team)
  • admin:manage_teams
    • list all teams (user can be in any team)
    • create new team (user must be in admin team).
  • admin:manage_users
    • list all users (user can in any team), update user team/role (only for users in same team)
    • global update user/team role (user must be in admin team)

Default roles

Role key: admin

A user with Admin role is granted all permissions. It can be assigned to users in any team. However, an Admin user is only able to create teams or roles if the user is also in the admin team.