Roles and Permissions
Organization and project visibility and membership, combined with user roles, define a user's permissions and access.
Organization Roles
Organization Owner
Organization Owners have complete administrative control of the organization and all its contents. Organization Owners inherit project Owner permissions for all projects within the organization. Limit the number of users who hold this role; in general, though, it is a good idea to have at least two organization Owners.
Organization Maintainer
Organization Maintainers can add users to and remove users from the organization, but they cannot view private projects that they are not members of, and they cannot add or remove Owners of the organization.
Organization Contributor
Organization Contributors are members of the organization with read and write access to projects based on project visibility and membership. Contributors cannot perform any organization-level tasks.
Project Roles
Project Owner
Project Owners have complete administrative control over the project.
Project Writer
Project Writers can create and edit resources (datasets, models, etc.) within the project.
Project Reader
Project Readers can view all of the contents of the project but cannot make any edits.
Permission Table
The following permission table provides an overview of the permissions a user has based on project visibility, membership, and role.
Resource | Permission | Org Owner | Org Maintainer | Org Contributor | Project Owner | Project Writer | Project Reader |
---|---|---|---|---|---|---|---|
org | org_read | If public or org member | If public or org member | If public or org member | | | |
org | add_owner | ✅ | | | | | |
org | remove_owner | ✅ | | | | | |
org | org_update_settings | ✅ | | | | | |
org | remove_user | ✅ | ✅ | | | | |
org | add_user | ✅ | ✅ | | | | |
org | project_create | ✅ | ✅ | ✅ | | | |
project | project_delete / _write | ✅ | ✅ | | | | |
project | project_update_settings | ✅ | ✅ | | | | |
project | add_owner | ✅ | ✅ | | | | |
project | remove_owner | ✅ | ✅ | | | | |
project | add_user | ✅ | ✅ | | | | |
project | remove_user | ✅ | ✅ | | | | |
project | secret_write | ✅ | ✅ | ✅ | | | |
project | secret_decrypt | ✅ | ✅ | ✅ | | | |
project | secret_list | ✅ | If public¹ | If public¹ | ✅ | ✅ | |
project | project_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | dataset_create / _write | ✅ | If internal | If internal | ✅ | ✅ | |
project | dataset_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | training_job_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | training_job_write / _create | ✅ | If internal | If internal | ✅ | ✅ | |
project | annotation_task_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | annotation_task_write / _create | ✅ | If internal | If internal | ✅ | ✅ | |
project | model_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | model_write / _create | ✅ | If internal | If internal | ✅ | ✅ | |
project | inference_server_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | inference_server_write / _create | ✅ | If internal | If internal | ✅ | ✅ | |
project | workspace_read | ✅ | If public | If public | ✅ | ✅ | ✅ |
project | workspace_write / _create | ✅ | If internal | If internal | ✅ | ✅ | |
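
An added example (not the product's own code) that evaluates the table's `_read` and `_write` / `_create` rows for datasets, training jobs, annotation tasks, models, inference servers and workspaces, and lists what a non-member organization role can reach at a given visibility. It assumes the visibility values are `private`, `internal` and `public`, that each "If ..." condition is an exact match on visibility, and that organization-role and project-role grants combine with OR; all function and variable names are hypothetical.

```python
from typing import Optional

# Resources with *_read and *_write / *_create rows in the permission table.
RESOURCES = ("dataset", "training_job", "annotation_task", "model",
             "inference_server", "workspace")

# Transcribed from those rows. True = always granted; a string = granted only
# when the project visibility equals it (exact match is an assumption).
ORG_GRANTS = {
    "owner":       {"read": True,     "write": True},
    "maintainer":  {"read": "public", "write": "internal"},
    "contributor": {"read": "public", "write": "internal"},
}
PROJECT_GRANTS = {
    "owner":  {"read", "write"},
    "writer": {"read", "write"},
    "reader": {"read"},
}

def action_of(permission: str) -> str:
    """Map 'dataset_create' -> 'write', 'model_read' -> 'read'; reject other rows."""
    resource, _, verb = permission.rpartition("_")
    if resource not in RESOURCES or verb not in ("read", "write", "create"):
        raise ValueError(f"permission not modelled here: {permission!r}")
    return "read" if verb == "read" else "write"

def is_allowed(permission: str, visibility: str,
               org_role: Optional[str] = None,
               project_role: Optional[str] = None) -> bool:
    """Allow if either the project role or the org role grants the permission
    (combining the two columns with OR is an assumption, not stated on the page)."""
    action = action_of(permission)
    if project_role is not None and action in PROJECT_GRANTS[project_role]:
        return True
    if org_role is None:
        return False  # no role at all: default deny
    grant = ORG_GRANTS[org_role][action]
    return grant is True or grant == visibility

def non_member_exposure(visibility: str, org_role: str = "contributor") -> list:
    """Permissions an org member with no project role holds at this visibility."""
    perms = [f"{r}_{v}" for r in RESOURCES for v in ("read", "write", "create")]
    return [p for p in perms if is_allowed(p, visibility, org_role=org_role)]
```

Comparing `non_member_exposure` for the current and the intended visibility before changing a project's setting shows which permissions the change opens to organization members who are not on the project.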