package determined.rbac.v1

Get desktop application:
View/edit binary Protocol Buffers messages

GroupRoleAssignment contains information about the groups belonging to a role.

Used in: api.v1.AssignRolesRequest, api.v1.RemoveAssignmentsRequest, RoleWithAssignments

• int32 group_id = 1

  The group id of the role assignment

• optional RoleAssignment role_assignment = 2

  The role and scope of the assignment.

Permission represents an action a user can take in the system

Used in: Role

• PermissionType id = 1

  The id of the permission

• string name = 2

  The name of the permission

• optional ScopeTypeMask scope_type_mask = 4

  Allowed scope types.

List of permissions types. Value of the enum has 9xxxx for global only permissions. Permissions on the same object share the thousands place value like 2001 and 2002.

Used in: Permission

• PERMISSION_TYPE_UNSPECIFIED = 0

  The permission type is unknown.

• PERMISSION_TYPE_ADMINISTRATE_USER = 91001

  Can create and update other users. Allows updating other users passwords making this permission give all other permissions effectively.

• PERMISSION_TYPE_ADMINISTRATE_OAUTH = 91002

  Ability to manage OAuth clients and settings.

• PERMISSION_TYPE_CREATE_EXPERIMENT = 2001

  Ability to create experiments.

• PERMISSION_TYPE_VIEW_EXPERIMENT_ARTIFACTS = 2002

  Ability to view experiment's model code, checkpoints, trials.

• PERMISSION_TYPE_VIEW_EXPERIMENT_METADATA = 2003

  Ability to view experiment's metadata such as experiment config, progress.

• PERMISSION_TYPE_UPDATE_EXPERIMENT = 2004

  Ability to update experiment and experiment's lifecycle.

• PERMISSION_TYPE_UPDATE_EXPERIMENT_METADATA = 2005

  Ability to update experiment's metadata.

• PERMISSION_TYPE_DELETE_EXPERIMENT = 2006

  Ability to delete experiment.

• PERMISSION_TYPE_CREATE_NSC = 3001

  Ability to create Notebooks, Shells, and Commands.

• PERMISSION_TYPE_VIEW_NSC = 3002

  Ability to view Notebooks, Shells, and Commands.

• PERMISSION_TYPE_UPDATE_NSC = 3003

  Ability to terminate Notebooks, Shells, and Commands.

• PERMISSION_TYPE_UPDATE_GROUP = 93001

  Ability to create, update, and add / remove users from groups.

• PERMISSION_TYPE_CREATE_WORKSPACE = 94001

  Ability to create workspaces.

• PERMISSION_TYPE_VIEW_WORKSPACE = 4002

  Ability to view workspace.

• PERMISSION_TYPE_UPDATE_WORKSPACE = 4003

  Ability to update workspace.

• PERMISSION_TYPE_DELETE_WORKSPACE = 4004

  Ability to delete workspace.

• PERMISSION_TYPE_SET_WORKSPACE_AGENT_USER_GROUP = 4005

  Ability to set workspace agent user group config.

• PERMISSION_TYPE_SET_WORKSPACE_CHECKPOINT_STORAGE_CONFIG = 4006

  Ability to set workspace checkpoint storage config.

• PERMISSION_TYPE_SET_WORKSPACE_DEFAULT_RESOURCE_POOL = 4007

  Ability to set workspace default resource pool.

• PERMISSION_TYPE_CREATE_PROJECT = 5001

  Ability to create projects.

• PERMISSION_TYPE_VIEW_PROJECT = 5002

  Ability to view projects.

• PERMISSION_TYPE_UPDATE_PROJECT = 5003

  Ability to update projects.

• PERMISSION_TYPE_DELETE_PROJECT = 5004

  Ability to delete projects.

• PERMISSION_TYPE_ASSIGN_ROLES = 6002

  Ability to assign roles to groups / users. If assigned at a workspace scope, can only assign roles to that workspace scope.

• PERMISSION_TYPE_VIEW_MODEL_REGISTRY = 7001

  Ability to view model registry.

• PERMISSION_TYPE_EDIT_MODEL_REGISTRY = 7002

  Ability to edit model registry.

• PERMISSION_TYPE_CREATE_MODEL_REGISTRY = 7003

  Ability to create model registry.

• PERMISSION_TYPE_DELETE_MODEL_REGISTRY = 7004

  Ability to delete model registry.

• PERMISSION_TYPE_DELETE_MODEL_VERSION = 7005

  Ability to delete model version.

• PERMISSION_TYPE_DELETE_OTHER_USER_MODEL_REGISTRY = 7006

  Ability to delete another user's model registry.

• PERMISSION_TYPE_DELETE_OTHER_USER_MODEL_VERSION = 7007

  Ability to delete another user's model version.

• PERMISSION_TYPE_VIEW_MASTER_LOGS = 8001

  Ability to view master logs.

• PERMISSION_TYPE_VIEW_CLUSTER_USAGE = 8002

  Ability to view detailed cluster usage info.

• PERMISSION_TYPE_UPDATE_AGENTS = 8003

  Ability to update agents.

• PERMISSION_TYPE_VIEW_SENSITIVE_AGENT_INFO = 8004

  Ability to view sensitive subset of agent info.

• PERMISSION_TYPE_VIEW_MASTER_CONFIG = 8005

  Ability to view master configs.

• PERMISSION_TYPE_UPDATE_MASTER_CONFIG = 8006

  Ability to update master configs.

• PERMISSION_TYPE_VIEW_EXTERNAL_JOBS = 8007

  Ability to view external jobs.

• PERMISSION_TYPE_CONTROL_STRICT_JOB_QUEUE = 8101

  Ability to control strict job queue.

• PERMISSION_TYPE_VIEW_TEMPLATES = 9001

  Ability to view templates.

• PERMISSION_TYPE_UPDATE_TEMPLATES = 9002

  Ability to update templates.

• PERMISSION_TYPE_CREATE_TEMPLATES = 9003

  Ability to create templates.

• PERMISSION_TYPE_DELETE_TEMPLATES = 9004

  Ability to delete templates.

• PERMISSION_TYPE_UPDATE_ROLES = 96001

  Ability to create and update role definitions.

• PERMISSION_TYPE_EDIT_WEBHOOKS = 97001

  Ability to create and delete webhooks.

• PERMISSION_TYPE_VIEW_WEBHOOKS = 97002

  Ability to view webhooks.

• PERMISSION_TYPE_MODIFY_RP_WORKSPACE_BINDINGS = 10001

  Ability to bind, unbind or overwrite resource pool workspace bindings.

• PERMISSION_TYPE_SET_WORKSPACE_NAMESPACE_BINDINGS = 11001

  Ability to bind, unbind, or overwrite namespace workspace bindings.

• PERMISSION_TYPE_SET_RESOURCE_QUOTAS = 11002

  Ability to set resource quotas on workspaces.

• PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS = 11003

  Ability to view resource quotas on workspaces.

• PERMISSION_TYPE_MODIFY_GLOBAL_CONFIG_POLICIES = 11004

  Ability to modify global config policies.

• PERMISSION_TYPE_MODIFY_WORKSPACE_CONFIG_POLICIES = 11005

  Ability to modify workspace config policies.

• PERMISSION_TYPE_VIEW_GLOBAL_CONFIG_POLICIES = 11006

  Ability to view global config policies.

• PERMISSION_TYPE_VIEW_WORKSPACE_CONFIG_POLICIES = 11007

  Ability to view workspace config policies.

• PERMISSION_TYPE_ADMINISTRATE_TOKEN = 12001

  Ability to administrate other users' tokens.

• PERMISSION_TYPE_UPDATE_TOKEN = 12002

  Ability to update one's own token.

• PERMISSION_TYPE_CREATE_TOKEN = 12003

  Ability to create one's own token

• PERMISSION_TYPE_CREATE_OTHER_TOKEN = 12004

  Ability to create another user's token

• PERMISSION_TYPE_VIEW_OTHER_TOKEN = 12005

  Ability to view another user's token

• PERMISSION_TYPE_VIEW_TOKEN = 12006

  Ability to view one's own token

Role contains information about a specific Role

Used in: api.v1.GetPermissionsSummaryResponse, api.v1.GetRolesAssignedToGroupResponse, api.v1.ListRolesResponse, api.v1.SearchRolesAssignableToScopeResponse, RoleAssignment, RoleWithAssignments

• int32 role_id = 1

  The id of the role being detailed

• string name = 2

  The string of the role being detailed

• repeated Permission permissions = 3

  The permissions granted to the role

• optional ScopeTypeMask scope_type_mask = 4

  Allowed scope types.

RoleAssignment contains information about the scope of the role.

Used in: GroupRoleAssignment, UserRoleAssignment

• optional Role role = 1

  The role of the assignment.

• optional int32 scope_workspace_id = 2

  The id of the workspace the role belongs to. Empty for cluster-wide scope.

• bool scope_cluster = 3

  Whether the role is assigned cluster-wide.

RoleAssignmentSummary is used to describe permissions a user has.

Used in: api.v1.GetPermissionsSummaryResponse, api.v1.GetRolesAssignedToGroupResponse

• int32 role_id = 1

  The id of the role being detailed

• repeated int32 scope_workspace_ids = 2

  List of workspace IDs to apply the role.

• bool scope_cluster = 3

  Whether the role is assigned cluster-wide.

RoleWithAssignments contains a detailed description of a role and the groups and users belonging to it.

Used in: api.v1.GetGroupsAndUsersAssignedToWorkspaceResponse, api.v1.GetRolesAssignedToUserResponse, api.v1.GetRolesByIDResponse

• optional Role role = 1

  The embedded Role.

• repeated GroupRoleAssignment group_role_assignments = 2

  The embedded GroupRoleAssignment.

• repeated UserRoleAssignment user_role_assignments = 3

  The embedded UserRoleAssignment.

ScopeTypeMask lists which scope types are allowed for the given Permission or Role. Scope type mask is a different way to represent `is_global` flag. Value mapping: is_global: true => {cluster: true, workspace: false} is_global: false => {cluster: true, workspace: true}

Used in: Permission, Role

• bool cluster = 1

  Whether this permission or role can be assigned globally, i.e. cluster-wide. Currently, all permissions can be assigned globally, so this is always true.

• bool workspace = 2

  Whether this permission or role can be assigned on a particular workspace. For example, `ADMINISTRATE_USER` permission will have this field set to false, since user creation can only be done at a cluster level, and it doesn't make sense for a single workspace.

UserRoleAssignment contains information about the users belonging to a role.

Used in: api.v1.AssignRolesRequest, api.v1.RemoveAssignmentsRequest, RoleWithAssignments

• int32 user_id = 1

  the user id of the role assignment

• optional RoleAssignment role_assignment = 2

  the role and scope of the assignment