Role-Based Access Controls in ABV
The role-based access control (RBAC) in ABV is based on organizations, projects, and roles.

Organizations are the top-level entities that contain projects.
Projects group all ABV data to allow for fine-grained role-based access control (RBAC).
Roles define the permissions of users within an organization and project. By default, users get assigned a role on the organizational level. For more fine-grained control, users can be assigned project roles. This is useful when you want to differentiate permissions for different projects within the same organization.
API keys are used to authenticate with the ABV API. They are associated with a project and can be used to access the project's data programmatically. API keys are not tied to a user.

Access Organizations and Projects

You can easily switch between organizations and projects using the dropdowns in the top navigation bar.

Roles and Scopes

Owner: has all permissions.
Admin: can edit the project settings and grant access to other users.
Member: can view all metrics & create scores, but cannot configure the project.
Viewer: view-only access to the project and organization; most of the configuration is hidden.
None: no default access to the organization; to be used when a user should have access to a single project only.

Organization-Level Scopes

Owner: abvcloudbilling:crud, organization:crud_apikeys, organization:delete, organization:update, organizationmembers:cud, organizationmembers:read, projects:create, projects:transfer_org

Admin: organization:crud_apikeys, organization:update, organizationmembers:cud, organizationmembers:read, projects:create, projects:transfer_org

Member: organizationmembers:read

Viewer: (no scopes)

None: (no scopes)

Project-Level Scopes

Owner: annotationqueueassignments:cud, annotationqueueassignments:read, annotationqueues:cud, annotationqueues:read, apikeys:cud, apikeys:read, auditlogs:read, automations:cud, automations:read, batchexports:create, batchexports:read, comments:cud, comments:read, dashboards:cud, dashboards:read, datasets:cud, evaldefaultmodel:cud, evaldefaultmodel:read, evaljob:cud, evaljob:read, evaljobexecution:read, evaltemplate:cud, evaltemplate:read, integrations:crud, llmapikeys:create, llmapikeys:delete, llmapikeys:read, llmapikeys:update, llmschemas:cud, llmschemas:read, llmtools:cud, llmtools:read, models:cud, objects:bookmark, objects:publish, objects:tag, project:delete, project:read, project:update, projectmembers:cud, projectmembers:read, promptexperiments:cud, promptexperiments:read, promptprotectedlabels:cud, prompts:cud, prompts:read, scoreconfigs:cud, scoreconfigs:read, scores:cud, tableviewpresets:cud, tableviewpresets:read, traces:delete

Admin: annotationqueueassignments:cud, annotationqueueassignments:read, annotationqueues:cud, annotationqueues:read, apikeys:cud, apikeys:read, auditlogs:read, automations:cud, automations:read, batchexports:create, batchexports:read, comments:cud, comments:read, dashboards:cud, dashboards:read, datasets:cud, evaldefaultmodel:cud, evaldefaultmodel:read, evaljob:cud, evaljob:read, evaljobexecution:read, evaltemplate:cud, evaltemplate:read, integrations:crud, llmapikeys:create, llmapikeys:delete, llmapikeys:read, llmapikeys:update, llmschemas:cud, llmschemas:read, llmtools:cud, llmtools:read, models:cud, objects:bookmark, objects:publish, objects:tag, project:read, project:update, projectmembers:cud, projectmembers:read, promptexperiments:cud, promptexperiments:read, promptprotectedlabels:cud, prompts:cud, prompts:read, scoreconfigs:cud, scoreconfigs:read, scores:cud, tableviewpresets:cud, tableviewpresets:read, traces:delete

Member: annotationqueueassignments:read, annotationqueues:cud, annotationqueues:read, apikeys:read, automations:read, batchexports:create, batchexports:read, comments:cud, comments:read, dashboards:cud, dashboards:read, datasets:cud, evaldefaultmodel:cud, evaldefaultmodel:read, evaljob:cud, evaljob:read, evaljobexecution:read, evaltemplate:cud, evaltemplate:read, llmapikeys:read, llmschemas:read, llmtools:read, objects:bookmark, objects:publish, objects:tag, project:read, projectmembers:read, promptexperiments:cud, promptexperiments:read, prompts:cud, prompts:read, scoreconfigs:cud, scoreconfigs:read, scores:cud, tableviewpresets:cud, tableviewpresets:read

Viewer: annotationqueues:read, automations:read, comments:read, dashboards:read, evaldefaultmodel:read, evaljob:read, evaljobexecution:read, evaltemplate:read, llmapikeys:read, llmschemas:read, llmtools:read, project:read, promptexperiments:read, prompts:read, scoreconfigs:read, tableviewpresets:read

None: (no scopes)

Managing Users

Add a New User to an Organization

In the organization settings, you can add users via their email address and assign them a role. They will receive an email notification and will be able to access the organization once they log in. Users who do not have an ABV account yet will be listed as pending invites until they sign up.

Changing User Roles

Any user with the members:cud permission can change the role of a user in the organization settings. This will affect the user's permissions across all projects in the organization. Users can only assign roles that are lower or equal to their own role.

Managing Projects

Add a New Project

Any user with the projects:create permission can create a new project within an ABV organization.

Transfer a Project to Another Organization

Only users with the projects:transfer_organization permission can transfer a project to another organization. This will remove the project from the current organization and add it to the new one. Access to the project will depend on the roles configured in the new organization.

During this process, no data will be lost. All project settings, data, and configurations will be transferred to the new organization. The project remains fully operational, as API keys, settings (except for access management), and data will remain unchanged and associated with the project. All features (e.g. tracing, prompt management) will continue to work without any interruption.

Project-Level Roles

Users by default inherit the role of the organization they are part of. For more fine-grained control, you can assign a user a role on the project level. This is useful when you want to differentiate permissions for different projects within the same organization. If a project-level role is assigned, it will override the organization-level role for that project.

If you want to give a user access to only certain projects within an organization, you can set their role to None on the organization level and then assign them a role on the project level.
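
The override and role-assignment rules above, modelled for an access review. This is an added example, not ABV's own code: the function names, lowercase role keys, membership records and project names are assumptions, and the scope sets are only an excerpt of the project-level table.

```python
"""Effective-role resolution for the role model described above (illustrative)."""

# Role order, highest first, for the "lower or equal to their own role" rule.
RANK = {"owner": 4, "admin": 3, "member": 2, "viewer": 1, "none": 0}

# Excerpt of the project-level scope table (assumed subset, not the full list).
PROJECT_SCOPES = {
    "owner": {"project:read", "project:update", "project:delete",
              "apikeys:cud", "traces:delete"},
    "admin": {"project:read", "project:update", "apikeys:cud", "traces:delete"},
    "member": {"project:read", "apikeys:read", "prompts:cud"},
    "viewer": {"project:read", "prompts:read"},
    "none": set(),
}
# Per the organization-level table, only Owner and Admin can change members.
MEMBER_MANAGERS = {"owner", "admin"}

def effective_role(org_role, project_roles, project):
    """A project-level role, if assigned, overrides the organization-level role."""
    return project_roles.get(project, org_role)

def has_scope(org_role, project_roles, project, scope):
    """Check a scope against the effective role, never the organization role alone."""
    return scope in PROJECT_SCOPES[effective_role(org_role, project_roles, project)]

def can_assign(actor_org_role, new_role):
    """The actor must manage members and may not grant a role above their own."""
    return actor_org_role in MEMBER_MANAGERS and RANK[new_role] <= RANK[actor_org_role]

def access_review(members, project):
    """Map each user with access to `project` to their effective role on it."""
    review = {}
    for m in members:
        role = effective_role(m["org"], m["projects"], project)
        if role != "none":
            review[m["user"]] = role
    return review

# Constructed sample memberships (not real accounts or projects).
MEMBERS = [
    {"user": "ana@example.com", "org": "admin", "projects": {"billing-bot": "viewer"}},
    {"user": "raj@example.com", "org": "none", "projects": {"support-bot": "member"}},
    {"user": "kim@example.com", "org": "viewer", "projects": {}},
]

if __name__ == "__main__":
    for name in ("billing-bot", "support-bot"):
        print(name, access_review(MEMBERS, name))
```

Because the project role replaces the organization role rather than adding to it, the organization Admin in the sample data is only a Viewer on `billing-bot`, and the user with organization role None appears only on the one project they were assigned to.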