For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Trust CenterStatusSupportGet a demoPlatform
DocumentationEvals API ReferenceIntegrations & OTELPlatform SettingsSelf-HostingGuidesChangelog
DocumentationEvals API ReferenceIntegrations & OTELPlatform SettingsSelf-HostingGuidesChangelog
    • Platform Settings
    • Data Residency
    • RBAC
  • Project Settings
    • API Keys
    • Team Members
    • Roles & Permissions
    • Transformers
    • Integrations
    • Alerts
    • AI Connections
    • Model Costs
    • Data Usage
    • Evaluation Models
    • Evaluation Rules
    • Annotation Options
    • Classifiers
    • Data Sources
    • Data Retention
    • Audit Logs
  • Organization Settings
    • Projects
    • Users
    • Roles & Permissions
    • Model Credentials
    • SSO
    • Data Retention
    • Audit Logs
    • Feature Access
  • Admin SDK
    • Introduction
    • Quickstart
    • Organization
    • Projects
    • Members & Invitations
    • Roles, Policies & Permissions
    • API Keys
LogoLogo
Trust CenterStatusSupportGet a demoPlatform
On this page
  • Overview
  • Permissions
  • Policies
  • List, Create, Update & Delete Policies
  • Roles
  • List, Create, Update & Delete Roles
  • Next Steps
Admin SDK

Roles, Policies & Permissions

Define role-based access control in code.

Was this page helpful?
Previous

API Keys

Provision and rotate organization- and project-scoped API keys.

Next
Built with

Overview

Confident AI uses role-based access control (RBAC). Access is granted by composing three building blocks — you bundle permissions into policies, bundle policies into roles, then assign roles to members:

  • Permissions are the atomic actions you can grant (e.g. traces:read). They are predefined by the platform, so you can only list them.
  • Policies are named bundles of permissions.
  • Roles are named bundles of policies that you assign to members.

Each building block exists independently at both the organization and project level. Organization-level roles govern access across the organization, while project-level roles govern access within a single project. To learn more about RBAC concepts, see RBAC.

All methods on this page require an Organization API Key. See the Quickstart to create a client.

Permissions

Permissions are read-only. List them to discover the ids to attach to policies.

Python
TypeScript
1from confidentai import ConfidentAI
2
3client = ConfidentAI()
4
5org = client.organization()
6project = client.project("clq9z3x1k0001la08f7t3g5p2")
7
8permissions = org.permissions.list()
9project_permissions = project.permissions.list()

Policies

A policy bundles permissions together. Provide permission_ids from the permissions listing above.

List, Create, Update & Delete Policies

Each policy takes a name, a list of permission_ids, and an optional description.

Python
TypeScript
1org = client.organization()
2project = client.project("clq9z3x1k0001la08f7t3g5p2")
3
4# List
5policies = org.policies.list()
6project_policies = project.policies.list()
7
8# Create
9policy = org.policies.create(
10    "Dataset Editor",
11    permission_ids=["5e9a1c3d-7b2f-4e8a-9c1d-3a6b5f0e2d4c", "8d2c4f6a-1e3b-4c7d-9a5e-2b8f1d0c6a3e"],
12    description="Can edit datasets",
13)
14
15# Update
16policy = org.policies.update(
17    "a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d",
18    name="Dataset Editor",
19    permission_ids=["5e9a1c3d-7b2f-4e8a-9c1d-3a6b5f0e2d4c", "8d2c4f6a-1e3b-4c7d-9a5e-2b8f1d0c6a3e", "2a7e9c1d-4b6f-4a8c-1d3e-7f5a9b2c0e4d"],
20)
21
22# Delete
23org.policies.delete("a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d")

Project-scoped policies use the same list, create, update, and delete operations as organization-scoped policies.

Roles

A role bundles policies together and is assigned to members. Provide policy_ids from the policies above.

List, Create, Update & Delete Roles

Each role takes a name, a list of policy_ids, and an optional description.

Python
TypeScript
1org = client.organization()
2project = client.project("clq9z3x1k0001la08f7t3g5p2")
3
4# List
5roles = org.roles.list()
6project_roles = project.roles.list()
7
8# Create
9role = org.roles.create(
10    "Data Scientist",
11    policy_ids=["a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d"],
12    description="Read/write datasets and prompts",
13)
14
15# Update
16role = org.roles.update(
17    "b3f1c2a9-7d4e-4c1b-9a2f-1e6d8c0a4b7e",
18    name="Data Scientist",
19    policy_ids=["a17c4e2d-9b3f-4a6c-8d1e-2f5a9c3b7e0d", "c4f8a2e6-1d3b-4e9a-8c7d-5b2f1a0e6d3c"],
20)
21
22# Delete
23org.roles.delete("b3f1c2a9-7d4e-4c1b-9a2f-1e6d8c0a4b7e")

Project-scoped roles use the same list, create, update, and delete operations as organization-scoped roles.

Next Steps

With your roles defined, assign them to your team:

Members & Invitations

Assign roles to members and invitees.

RBAC

Understand the RBAC model in depth.