---
title: Role-based access control
description: Admins can control access to the DataRobot application by assigning users roles with designated privileges.

---

# Role-based access control {: #role-based-access-control }

<a target="_blank" href="https://en.wikipedia.org/wiki/Role-based_access_control">Role-based access control</a> (RBAC) controls access to the DataRobot application by assigning users roles with designated privileges. Role-based permissions and role-role relationships make it simple to assign the appropriate permissions the specific ways in which users intend to use the application.

You can assign a role to specific users in [User Permissions](manage-users#rbac-for-users), or to all members in a group in [Group Permissions](manage-groups#rbac-for-groups). The assigned role controls both what the user sees when using the application and which objects they have access to. RBAC is additive, so a user's permissions will be the sum of all permissions set at the user and group level. 

??? ELI5 "Additive user roles"

    Permissions can be set for a group of people and for individual users. A user's permissions will be equal to the union of:

    - The permissions that are set for that user.
    - The permissions that are set for the group(s) to which they belong.

    For example, say the role assigned to you at a group level allows `A` but not `B`, and the role assigned to you at a user level allows `B` but not `A`. In this case, you have access to both `A` (granted at the group level) and `B` (granted at the user level).

    Although the group does not have access to `B`, individual users may still have access to `B`, and to revoke access to `A`, it must be removed for the entire group or individual users must be removed from the group.
    
The following roles can be assigned:

* Data Scientist
* Viewer
* MLOps Admin
* Apps Consumer
* Apps Admin
* Project Admin
* Prediction-only
* Data Consumer
* Data Admin

The following objects also use the RBAC framework in the DataRobot application:

* Projects
* Deployments
* Database Connectivity
* Datasets
* Dataset metadata
* Custom Models and Environments
* Execution Environments
* AI Applications
* Model Packages

The sections below describe the permissions applied for each role provided with Role-based access control.

###  Tiers of access {: #tiers-of-access }

Each role is granted a different degree of access for the various object types available within the application:

* **Read** access to an object allows the user to access that area of the application for viewing but they cannot create these objects.

* **Write** access to an object type allows the user to create objects in that area of the application. There are no restrictions applied with write access aside from administrative permissions.

* **Admin** access to an object type grants a user access to all objects of a given type that belong to the user's organization. For example, if a user has admin access to projects, they can view every project created within their organization and make edits to them.

* **No Access** disables a user's access to an object type. This is indicated by the red "X" label displayed for a given permission. They will be unable to access that part of the application, create that type of object, or gain access to any of the objects of that type.

###  Data Scientist {: #data-scientist }

Access: Can build or add models in the platform, both using AutoML and creating custom or remote models.

Notes: Cannot perform any actions that will break production systems. This type of user can also build AI applications.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         | ✔         | ✔         |
| Custom Environment      |         | ✔         |         |
| Custom Model      |         | ✔         | ✔         |
| Dataset Data      |         | ✔         | ✔         |
| Dataset Info      |         | ✔         | ✔         |
| Deployment      |         | ✔         |         |
| Model Package      |         | ✔         | ✔         |
| Prediction Environment      |         | ✔         |         |
| Project      |         | ✔         | ✔         |

###  Viewer {: #viewer }

Access: Can view any object across the system that they have access to, but cannot perform any actions beyond viewing datasets.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         | ✔         |         |
| Custom Environment      |         | ✔         |         |
| Custom Model      |         | ✔         |         |
| Dataset Data      |         | ✔         |         |
| Dataset Info      |         | ✔         |         |
| Deployment      |         | ✔         |         |
| Model Package      |         | ✔         |         |
| Prediction Environment      |         | ✔         |         |
| Project      |         | ✔         |         |

###  MLOps Admin {: #mlops-admin }

Access: Can access every MLOps object on the system—deployments, model packages, custom models, and custom environments.

Useful for: Debugging and reporting usage and activity for any MLOps object created in their organization.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         | ✔         | ✔         |
| Custom Environment      | ✔         | ✔         | ✔         |
| Custom Model      | ✔         | ✔         | ✔         |
| Dataset Data      |         | ✔         | ✔         |
| Dataset Info      |         | ✔         | ✔         |
| Deployment      | ✔         | ✔         | ✔         |
| Model Package      | ✔         | ✔         | ✔         |
| Prediction Environment      | ✔         | ✔         | ✔         |
| Project      |         | ✔         | ✔         |

###  Apps Consumer {: #apps-consumer }

Access: Can consume the DataRobot AI-powered applications that are shared with them to help make business decisions.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         | ✔         |         |
| Custom Environment      |         |         |         |
| Custom Model      |         |         |         |
| Dataset Data      |         | ✔         |         |
| Dataset Info      |         | ✔         |         |
| Deployment      |         |         |         |
| Model Package      |         |         |         |
| Prediction Environment      |         |         |         |
| Project      |         |         |         |

###  Apps Admin {: #apps-admin }

Access: Can access every AI Application created across the system with admin permissions.

Useful for: Debugging and reporting on usage and activity for any AI Application created in their organization.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      | ✔         | ✔         | ✔         |
| Custom Environment      |         |         |         |
| Custom Model      |         |         |         |
| Dataset Data      |         | ✔         | ✔         |
| Dataset Info      |         | ✔         | ✔         |
| Deployment      |         | ✔         | ✔         |
| Model Package      |         | ✔         | ✔         |
| Prediction Environment      |         |         |         |
| Project      |         | ✔         | ✔         |

###  Project Admin {: #project-admin }

Access: Can access every modeling project created across the system.

Useful for: Debugging and reporting on usage and activity for any modeling project created in their organization.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         | ✔         | ✔         |
| Custom Environment      |         |         |         |
| Custom Model      |         |         |         |
| Dataset Data      |         | ✔         | ✔         |
| Dataset Info      |         | ✔         | ✔         |
| Deployment      |         |         |         |
| Model Package      |         |         |         |
| Prediction Environment      |         |         |         |
| Project      | ✔         | ✔         | ✔         |

###  Prediction-only {: #prediction-only }

Access: Can make predictions on a specified deployment and no other.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         |         |         |
| Custom Environment      |         |         |         |
| Custom Model      |         |         |         |
| Dataset Data      |         | ✔         |         |
| Dataset Info      |         | ✔         |         |
| Deployment      |         | ✔         |         |
| Model Package      |         |         |         |
| Prediction Environment      |         | ✔         |         |
| Project      |         |         |         |

### Data Consumer {: #data-consumer }

Access: Can consume the datasets created across the system.

Notes: To restrict users from being able to upload local files to a project directly, combine this role with the "Enable AI Catalog as File Source Limitation" feature flag.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         | ✔         | ✔         |
| Custom Environment      |         | ✔         |          |
| Custom Model      |         | ✔         | ✔         |
| Dataset Data      |         | ✔         |         |
| Dataset Info      |         | ✔         |         |
| Deployment      |         | ✔         | ✔         |
| Model Package      |         | ✔         | ✔         |
| Prediction Environment      |         | ✔         |         |
| Project      |         | ✔         | ✔         |

###  Data Admin {: #data-admin }

Access: Can access every dataset created across the system with admin permissions, including all metadata associated with each dataset.

Useful for: Debugging and reporting on usage and activity for any data asset pulled into the **AI Catalog**.

| Object       | Admin | Read        | Write        |
| ---------- | ----------- | ----| -----|
| Application      |         |         |         |
| Custom Environment      |         |         |         |
| Custom Model      |         |         |         |
| Dataset Data      | ✔         | ✔         | ✔         |
| Dataset Info      | ✔         | ✔         | ✔         |
| Deployment      |         |         |         |
| Model Package      |         |         |         |
| Prediction Environment      |         |         |         |
| Project      |         |         |         |
