Roles and Permissions
- This feature is exclusive to Enterprise Accounts.
- You can only manage roles and permissions within the StackSpot EDP Platform
Overview
Within Accounts, many people can work across the StackSpot Platform for different purposes. Therefore, they need other types of access and permissions. In StackSpot, the Policy-Based Access Control (PBAC), Attribute-Based Access Control (ABAC), and Role-Based Access Control (RBAC) are systems to create a powerful and flexible access control framework. This means the platform bases user permissions on the resources and the types of roles they hold. The system determines permissions based on the following:
- Resource Type
- Resource
- Action.
See below an overview of the main concepts for understanding roles and permissions:
Main Concepts
| Concept | Description | Example |
|---|---|---|
| Account Member | Users of your Account Organization. | - |
| Groups | Groups are a collection of several users with the same types of roles and resources, meaning the same permission level. | There can be a group with Studio Administrator and Content Creator permissions, five members, and one Studio called New-Studio as a resource. |
| Resource Type | Represents the entities from StackSpot where the resources came from. | StackSpot Platform, Account, Studio, Workspace. |
| Resource | Resources represent the objects that users interact with. | Plugins, Links, Stacks, Starters, and others. |
| Permissions | Permissions are a set of actions defined for one or more platform resources | permission to activate an Account and to create a Stack. |
| Roles | In StackSpot, roles categorize users, or groups of users. It defines users' account permissions, such as what data they can read or what account assets they can modify. By granting permissions to roles, any users associated with that role receive that permission. | In StackSpot AI, the default roles are: account_holder; ai_admin, ai_dev |
Roles
See the default StackSpot roles below:
| Role | Description |
|---|---|
| Account Holder | This role can execute any action within the StackSpot Platform. For example, Account Setup and Login, Creating Workspaces, and service credentials. |
| ai_admin | Manages the main functionalities of StackSpot AI, for example, creating and publishing a Stack AI to the Account, creating and publishing Knowledge Sources to the Account, adding Knowledge Sources to the Workspace, creating and publishing Quick Commands to the Account, sharing and managing Content, monitoring and Analytics, and testing with StackSpot AI in IDE. |
| admin_dev | Developers can create Personal Content on the platform and use the available Content in the Account. |
You can only manage roles and permissions within the StackSpot EDP Platform. For more details about configuring roles, see the StackSpot EDP Documentation.
Permissions
Permissions are a set of actions defined for one or more Resources on the platform. Resources represent the objects users interact with, such as Accounts, Workspaces, Quick Commands, and Knowledge Sources. The interactions with resources are called actions and depend on their Resource Type.
Resource Types represent the entities from StackSpot where the resources came from. The entities are the StackSpot Platform (as a whole), Account, and Workspace.
Based on that, see below some permission examples:
- Permission to create a Knowledge Source;
- Permission to create a Stack AI.
See the tables below to view the permissions in the StackSpot AI Platform according to Resource Type:
Resource type: StackSpot Platform
Management roles require permissions from this Resource Type, which is why it considers Accounts and Workspaces as resources.
| Resource | Action | Decription |
|---|---|---|
| Account | create, update, enable, turn off | A role with permissions for this resource in this resource type can create, update, enable, or deactivate an Account. |
| Workspace | create, update, delete, view | Management of Workspaces in the StackSpot context. The ability to create, update (change the name, description, and settings of the AI Stack), and delete a Workspace in the StackSpot platform. |
Resource type: Account
The permissions from this Resource Type concern StackSpot actions users can do with Account resources.
| Resource | Action | Description |
|---|---|---|
| Custom Quick Commands/Remote Quick Commands | publish, update, delete | Manage Custom Quick Commands / Remote Quick Commands in the account context. Ability to publish, update (change the name, description, Content, and settings), and update personal Custom quick commands / Remote Quick Commands on the Account in the StackSpot AI platform. |
| Knowledge source | publish, update, delete | Manage Knowledge Sources in the Account Context. Ability to create, update (change the name, description, and settings of the AI Stack), and delete a Knowledge Source on the Account in the StackSpot AI platform. |
| Personal Access Token | view, create | Management of Knowledge Sources in the Account context. Ability to create, update (change the name, description, and settings of the AI Stack), and delete a Knowledge Source in the StackSpot AI platform. |
| Credentials | view, create, update, delete, associate, disassociate | It can view, create, update, and delete credentials. You can also associate credentials with groups and disassociate credentials with groups. |
| Members | associate, create, update, view | Users with these permissions can associate roles with members, create new members, update member information, or view members. |
| Roles | create, update, delete, associate, disassociate, view | - |
| Member | associate, create, update, view | - |
| Stack AI | publish, update, delete | Management of Stack AI content in the Account context. Ability to promote, update (change the name, description, and settings of the AI Stack), and delete a Stack AI published on the Account in the StackSpot AI platform. |
Resource type: Workspace
The permissions from this resource type are actions users can take with Workspace resources.
| Resource | Description | Action |
|---|---|---|
| Knowledge source (AI Platform resource) | associate, disassociate | Knowledge Sources management in Workspaces. Ability to associate/disassociate a Knowledge Source to a Workspace in the StackSpot AI platform. |
You can only manage roles and permissions within the StackSpot EDP Platform. For more information on configuring roles, see the StackSpot EDP Documentation.