- Each role can have multiple permissions across different resource types
- Permissions define what actions can be performed on specific resources
- Roles can be assigned to users to grant them the associated permissions
Available Permissions
AI Gateway
Provider Account (Model/Virtual Model/Guardrail Group)
| Permission | Description |
|---|---|
| Create Provider Account | Allows creation of new provider accounts |
| Delete Provider Account | Allows deleting existing provider accounts |
| Manage Provider Account | Allows updating provider account configuration |
| Read Provider Account | Allows viewing provider account details |
| Use Integrations | Allows using integrations associated with provider accounts |
MCP/Virtual MCP Server
| Permission | Description |
|---|---|
| Create MCP Server | Allows creation of new MCP servers |
| Delete MCP Server | Allows deleting existing MCP servers |
| Manage MCP Server | Allows updating MCP server configuration |
| Read MCP Server | Allows viewing MCP server details |
| Use MCP Server | Allows using MCP server for operations |
Agent
| Permission | Description |
|---|---|
| Create Agent | Allows creation of new Agents |
| Delete Agents | Allows deleting existing Agents |
| Manage Agents | Allows updating Agents |
| Read Agents | Allows viewing Agents details |
Gateway Controls
| Permission | Description |
|---|---|
| List Gateway Controls | Allows listing and viewing gateway controls |
| Manage Gateway Controls | Allows creating, updating, and deleting gateway controls |
AI Engineering
Cluster
| Permission | Description |
|---|---|
| Create Cluster | Allows creation of new clusters |
| Delete Cluster | Allows deleting existing clusters |
| Manage Clusters | Allows updating and configuring cluster settings |
| Read Cluster | Allows viewing cluster details and configuration |
Workspace
| Permission | Description |
|---|---|
| Create Workspace | Allows creation of new workspaces |
| Delete Workspace | Allows deleting existing workspaces |
| Manage Workspace | Allows updating workspace configuration |
| Read Workspace | Allows viewing workspace details |
| List Workspaces | Allows listing and viewing all workspaces |
Application
| Permission | Description |
|---|---|
| List Applications | Allows listing and viewing applications |
| Manage Applications | Allows creating, updating, and deleting applications |
Environment
| Permission | Description |
|---|---|
| List Environments | Allows listing and viewing environments |
| Manage Environments | Allows creating, updating, and deleting environments |
Policy
| Permission | Description |
|---|---|
| List Policies | Allows listing and viewing policies |
| Manage Policies | Allows creating, updating, and deleting policies |
Common
Role
| Permission | Description |
|---|---|
| List Roles | Allows listing and viewing roles |
| Manage Roles | Allows creating, updating, and deleting roles |
User
| Permission | Description |
|---|---|
| List Users | Allows listing and viewing users |
| Manage Users | Allows creating, updating, and deleting users |
Team
| Permission | Description |
|---|---|
| Create Team | Allows creation of new teams |
| Delete Team | Allows deleting existing teams |
| Manage Team | Allows updating team configuration and members |
| Read Team | Allows viewing team details and members |
Virtual Account
| Permission | Description |
|---|---|
| Create Virtual Account | Allows creation of new virtual accounts |
| Read Virtual Account | Allows viewing virtual account details |
| Manage Virtual Account | Allows updating virtual account configuration and tokens |
| Delete Virtual Account | Allows deleting existing virtual accounts |
External Identity
| Permission | Description |
|---|---|
| List External Identities | Allows listing and viewing external identities |
| Manage External Identities | Allows creating, updating, and deleting external identities |
Integrations
| Permission | Description |
|---|---|
| Create Provider Account | Allows creation of new provider accounts |
| Delete Provider Account | Allows deleting existing provider accounts |
| Manage Provider Account | Allows updating provider account configuration |
| Read Provider Account | Allows viewing provider account details |
| Use Integrations | Allows using integrations associated with provider accounts |
Repository
| Permission | Description |
|---|---|
| Create Repository | Allows creation of new repositories |
| Delete Data | Allows deleting data within repositories |
| Delete Repository | Allows deleting existing repositories |
| Manage Repository | Allows updating repository configuration |
| Read Data | Allows reading data from repositories |
| Read Repository | Allows viewing repository details |
| Write Data | Allows writing data to repositories |
Secret Group
| Permission | Description |
|---|---|
| Create Secret Group | Allows creation of new secret groups |
| Delete Secret Group | Allows deleting existing secret groups |
| Manage Secret Group | Allows updating secret group configuration |
| Read Data | Allows reading secret values |
| Read Secret Group | Allows viewing secret group details |
| Write Data | Allows writing or updating secret values |
Global Settings
| Permission | Description |
|---|---|
| List Settings | Allows listing and viewing platform settings |
| Manage Settings | Allows updating platform settings |
Managing Default Roles
TrueFoundry lets Admins customize the default roles, so the built-in roles can be adjusted to what each tenant actually needs instead of handing out Admin. For example, the default Team Manager role can be updated to let Team Managers manage the Virtual Accounts owned by their own teams.
Managing Custom Roles
Custom roles carry fine-grained permissions on different resources and are defined at the tenant level. Once created, a custom role can be assigned to Users.
Fill the form
- A unique name to identify this role. It must consist of alphanumeric characters and hyphens only.
- A user-friendly, readable display name for this role.
- A brief description of this role and its permissions.
- Permissions for the role. Refer to Available Permissions above for what each permission grants.
Keep in mind:
- Permissions in a custom role apply to all resources in the tenant; they are not scoped to a single resource or team.
- Use the Provider Account permissions to grant access to Models, Guardrails, and Integrations.

Example for read-only Platform User

FAQ
How to allow Teams to create and manage their Virtual Accounts without making them Admins?
You can achieve this by updating the default Team Manager role so that Team Managers can create and manage the Virtual Accounts owned by their teams, without being granted tenant-wide Admin rights.
Edit the default Team Manager role
Navigate to Access > Roles > Default Roles and click the Edit button for the default Team Manager role.
Update the Team Manager role
Enable only the permissions you need. Each one applies to Virtual Accounts owned by the manager's teams:
- Read Virtual Account: allows Team Managers to view Virtual Accounts owned by their teams.
- Create Virtual Account: allows Team Managers to create new Virtual Accounts owned by their teams.
- Manage Virtual Account: allows Team Managers to update Virtual Accounts owned by their teams. This also includes permission to fetch the Virtual Account's token, so grant it only where token access by Team Managers is intended.
- Delete Virtual Account: allows Team Managers to delete Virtual Accounts owned by their teams.

How to allow Users to create and manage their Virtual MCP Servers without making them Admins?
You can achieve this by assigning those Users a custom role that allows them to create and manage their Virtual MCP Servers.
Fill the form
Fill the form with the required details and add only the Create MCP Server permission if you want to allow just the creation of new MCP/Virtual MCP Servers.
This permission only allows the Users to create a new MCP Server. It does not let them view or update any existing MCP Server in the account. To be able to access and update the server they create, a User can add themselves as MCP Server Manager through the collaborator option while creating it for the first time.
How to allow all Users to view Gateway Controls like Rate limit, Routing config, etc. without making them Admins?
You can achieve this by editing the default Member role and adding the List Gateway Controls permission, which allows listing and viewing Gateway Controls. Leave Manage Gateway Controls unchecked, since that would let every Member create, update, and delete Gateway Controls.
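The three FAQ answers above describe one access-control model from different angles: tenant-wide permissions coming from default and custom roles, team-scoped permissions for Team Managers, and per-resource collaborator roles such as MCP Server Manager. The Python below is an added example, not TrueFoundry's code or API, that models those rules so the create-only behaviour of Create MCP Server and the team scoping of the edited Team Manager role can be checked concretely. The permission contents of the MCP Server Manager collaborator role, the exact permission sets of the edited Member and Team Manager roles, and the rule that Team Manager grants apply only to team-owned resources are assumptions made for the illustration.

```python
"""Toy authorization model for the role semantics described on this page.

Added example, not TrueFoundry code. Tenant-wide roles, the team-scoped
Team Manager default role, and per-resource collaborator roles are modelled
as described in the FAQ; the concrete permission sets are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass
class User:
    name: str
    roles: tuple = ()                           # tenant-wide roles (Member, custom roles)
    managed_teams: frozenset = frozenset()      # teams where the user is Team Manager


@dataclass
class Resource:
    kind: str                                   # e.g. "MCP Server", "Virtual Account"
    name: str
    owner_team: Optional[str] = None
    collaborators: dict = field(default_factory=dict)   # user name -> collaborator role


# Default Member role after the edit in the last FAQ (assumed permission set).
MEMBER = Role("Member", frozenset({"List Gateway Controls"}))

# Default Team Manager role after the edit in the first FAQ: all four Virtual
# Account permissions, applied only to resources owned by the manager's teams.
TEAM_MANAGER_PERMISSIONS = frozenset({
    "Read Virtual Account", "Create Virtual Account",
    "Manage Virtual Account", "Delete Virtual Account",
})

# Custom role from the second FAQ: create-only, nothing on existing servers.
MCP_CREATOR = Role("mcp-creator", frozenset({"Create MCP Server"}))

# Collaborator roles are granted per resource. Only the name "MCP Server
# Manager" comes from the page; its permission contents are an assumption.
COLLABORATOR_ROLES = {
    "MCP Server Manager": frozenset({"Read MCP Server", "Manage MCP Server", "Use MCP Server"}),
}


def is_allowed(user: User, permission: str, resource: Resource) -> bool:
    """Deny by default; grant only through one of three explicit paths."""
    # 1. Tenant-wide roles: the permission applies to every resource in the tenant.
    if any(permission in role.permissions for role in user.roles):
        return True
    # 2. Team Manager: only resources owned by a team this user manages.
    if resource.owner_team in user.managed_teams and permission in TEAM_MANAGER_PERMISSIONS:
        return True
    # 3. Collaborator role granted on this specific resource.
    granted = COLLABORATOR_ROLES.get(resource.collaborators.get(user.name), frozenset())
    return permission in granted


def create_mcp_server(user: User, name: str, add_self_as_manager: bool) -> Resource:
    """Create-only semantics from the FAQ: 'Create MCP Server' lets the user create
    the resource but confers nothing on it afterwards, unless they add themselves
    as MCP Server Manager collaborator while creating it."""
    prospective = Resource("MCP Server", name)
    if not is_allowed(user, "Create MCP Server", prospective):
        raise PermissionError(f"{user.name} may not create MCP servers")
    if add_self_as_manager:
        prospective.collaborators[user.name] = "MCP Server Manager"
    return prospective


def create_virtual_account(user: User, name: str, owner_team: str) -> Resource:
    """Team Manager path: creation is allowed only for the manager's own teams."""
    prospective = Resource("Virtual Account", name, owner_team=owner_team)
    if not is_allowed(user, "Create Virtual Account", prospective):
        raise PermissionError(f"{user.name} may not create virtual accounts for {owner_team}")
    return prospective


if __name__ == "__main__":
    alice = User("alice", roles=(MEMBER, MCP_CREATOR))
    orphan = create_mcp_server(alice, "orphan", add_self_as_manager=False)
    owned = create_mcp_server(alice, "owned", add_self_as_manager=True)
    print("alice reads orphan:", is_allowed(alice, "Read MCP Server", orphan))
    print("alice manages owned:", is_allowed(alice, "Manage MCP Server", owned))
```

The point of the model is the deny-by-default shape: a role check passes only when one explicit path grants the permission, so a create-only custom role cannot be used to enumerate or edit other users' servers, and a Team Manager edit never leaks into another team's Virtual Accounts.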