- Each role can have multiple permissions across different resource types
- Permissions define what actions can be performed on specific resources
- Roles can be assigned to users to grant them the associated permissions

Available Permissions

| Entity | Permission | Description |
|---|---|---|
| Organization Management & Access Control | | |
| Account | Create Account | Allows creation of new accounts in the tenant |
| | Read Account | Allows viewing all existing accounts in the tenant |
| | Manage Account | Allows editing all existing accounts in the tenant |
| | Delete Account | Allows deleting any existing account in the tenant |
| Role | List Roles | Allows listing and viewing roles |
| | Manage Roles | Allows creating, updating, and deleting roles |
| User | List Users | Allows listing and viewing users |
| | Manage Users | Allows creating, updating, and deleting users |
| Team | Create Team | Allows creation of new teams |
| | Delete Team | Allows deleting existing teams |
| | Manage Team | Allows updating team configuration and members |
| | Read Team | Allows viewing team details and members |
| Virtual Account | List Virtual Accounts | Allows listing and viewing virtual accounts |
| | Manage Virtual Accounts | Allows creating, updating, and deleting virtual accounts |
| External Identity | List External Identities | Allows listing and viewing external identities |
| | Manage External Identities | Allows creating, updating, and deleting external identities |
| AI Gateway | | |
| Provider Account (Models/Guardrails Group) | Create Provider Account | Allows creation of new provider accounts |
| | Delete Provider Account | Allows deleting existing provider accounts |
| | Manage Provider Account | Allows updating provider account configuration |
| | Read Provider Account | Allows viewing provider account details |
| | Use Integrations | Allows using integrations associated with provider accounts |
| MCP Server | Create MCP Server | Allows creation of new MCP servers |
| | Delete MCP Server | Allows deleting existing MCP servers |
| | Manage MCP Server | Allows updating MCP server configuration |
| | Read MCP Server | Allows viewing MCP server details |
| | Use MCP Server | Allows using MCP server for operations |
| Gateway Controls | List Gateway Controls | Allows listing and viewing gateway controls |
| | Manage Gateway Controls | Allows creating, updating, and deleting gateway controls |
| Tracing Project | Create Tracing Project | Allows creation of new tracing projects |
| | Delete Tracing Project | Allows deleting existing tracing projects |
| | Manage Tracing Project | Allows updating tracing project configuration |
| | Read Data | Allows reading tracing data |
| | Read Tracing Project | Allows viewing tracing project details |
| | Write Data | Allows writing tracing data |
| Deployments | | |
| Cluster | Create Cluster | Allows creation of new clusters |
| | Delete Cluster | Allows deleting existing clusters |
| | Manage Clusters | Allows updating and configuring cluster settings |
| | Read Cluster | Allows viewing cluster details and configuration |
| Workspace | Create Workspace | Allows creation of new workspaces |
| | Delete Workspace | Allows deleting existing workspaces |
| | Manage Workspace | Allows updating workspace configuration |
| | Read Workspace | Allows viewing workspace details |
| | List Workspaces | Allows listing and viewing all workspaces |
| Application | List Applications | Allows listing and viewing applications |
| | Manage Applications | Allows creating, updating, and deleting applications |
| Provider Account | Create Provider Account | Allows creation of new provider accounts |
| | Delete Provider Account | Allows deleting existing provider accounts |
| | Manage Provider Account | Allows updating provider account configuration |
| | Read Provider Account | Allows viewing provider account details |
| | Use Integrations | Allows using integrations associated with provider accounts |
| Repository | Create Repository | Allows creation of new repositories |
| | Delete Data | Allows deleting data within repositories |
| | Delete Repository | Allows deleting existing repositories |
| | Manage Repository | Allows updating repository configuration |
| | Read Data | Allows reading data from repositories |
| | Read Repository | Allows viewing repository details |
| | Write Data | Allows writing data to repositories |
| Environment | List Environments | Allows listing and viewing environments |
| | Manage Environments | Allows creating, updating, and deleting environments |
| Policy | List Policies | Allows listing and viewing policies |
| | Manage Policies | Allows creating, updating, and deleting policies |
| Others | | |
| Settings | List Settings | Allows listing and viewing platform settings |
| | Manage Settings | Allows updating platform settings |
| Secret Group | Create Secret Group | Allows creation of new secret groups |
| | Delete Secret Group | Allows deleting existing secret groups |
| | Manage Secret Group | Allows updating secret group configuration |
| | Read Data | Allows reading secret values |
| | Read Secret Group | Allows viewing secret group details |
| | Write Data | Allows writing or updating secret values |

Managing Custom Roles

Manage custom roles with fine-grained permissions on different resources at the tenant level. These custom roles can then be assigned to users.

1. Create custom role

   Navigate to Access > Roles. Click on Create Role and select the permissions for the role.

   - Permissions are applied to all the resources in the tenant.
   - Provider Account should be used to give permissions for Models, Guardrails, and Integrations.

2. Assign roles to user

   Navigate to Access > Users. Select the user and click on Edit User. Pick the role and Save Changes.

   A user can be assigned only one role at a time.