Roles, Policies & Permissions | Confident AI Docs

Overview

Confident AI uses role-based access control (RBAC). Access is granted by composing three building blocks — you bundle permissions into policies, bundle policies into roles, then assign roles to members:

Permissions are the atomic actions you can grant (e.g. traces:read). They are predefined by the platform, so you can only list them.
Policies are named bundles of permissions.
Roles are named bundles of policies that you assign to members.

Each building block exists independently at both the organization and project level. Organization-level roles govern access across the organization, while project-level roles govern access within a single project. To learn more about RBAC concepts, see RBAC.

All methods on this page require an Organization API Key. See the Quickstart to create a client.

Permissions

Permissions are read-only. List them to discover the ids to attach to policies.

Python

TypeScript

1 from confidentai import ConfidentAI
2 
3 client = ConfidentAI()
4 
5 org = client.organization()
6 project = client.project("clq9z3x1k0001la08f7t3g5p2")
7 
8 permissions = org.permissions.list()
9 project_permissions = project.permissions.list()

Policies

A policy bundles permissions together. Provide permission_ids from the permissions listing above.

List, Create, Update & Delete Policies

Each policy takes a name, a list of permission_ids, and an optional description.

Python

TypeScript

1 org = client.organization()
2 project = client.project("clq9z3x1k0001la08f7t3g5p2")
3 
4 # List
5 policies = org.policies.list()
6 project_policies = project.policies.list()
7 
8 # Create
9 policy = org.policies.create(
10     "Dataset Editor",
11     permission_ids=["5e9a1c3d-7b2f-4e8a-9c1d-3a6b5f0e2d4c", "8d2c4f6a-1e3b-4c7d-9a5e-2b8f1d0c6a3e"],
12     description="Can edit datasets",
13 )
14 
15 # Update
16 policy = org.policies.update(
17     "a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d",
18     name="Dataset Editor",
19     permission_ids=["5e9a1c3d-7b2f-4e8a-9c1d-3a6b5f0e2d4c", "8d2c4f6a-1e3b-4c7d-9a5e-2b8f1d0c6a3e", "2a7e9c1d-4b6f-4a8c-1d3e-7f5a9b2c0e4d"],
20 )
21 
22 # Delete
23 org.policies.delete("a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d")

Project-scoped policies use the same list, create, update, and delete operations as organization-scoped policies.

Roles

A role bundles policies together and is assigned to members. Provide policy_ids from the policies above.

List, Create, Update & Delete Roles

Each role takes a name, a list of policy_ids, and an optional description.

Python

TypeScript

1 org = client.organization()
2 project = client.project("clq9z3x1k0001la08f7t3g5p2")
3 
4 # List
5 roles = org.roles.list()
6 project_roles = project.roles.list()
7 
8 # Create
9 role = org.roles.create(
10     "Data Scientist",
11     policy_ids=["a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d"],
12     description="Read/write datasets and prompts",
13 )
14 
15 # Update
16 role = org.roles.update(
17     "b3f1c2a9-7d4e-4c1b-9a2f-1e6d8c0a4b7e",
18     name="Data Scientist",
19     policy_ids=["a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d", "c4f8a2e6-1d3b-4e9a-8c7d-5b2f1a0e6d3c"],
20 )
21 
22 # Delete
23 org.roles.delete("b3f1c2a9-7d4e-4c1b-9a2f-1e6d8c0a4b7e")

Project-scoped roles use the same list, create, update, and delete operations as organization-scoped roles.

Next Steps

With your roles defined, assign them to your team:

Members & Invitations

Assign roles to members and invitees.

RBAC

Understand the RBAC model in depth.