Roles and Permissions
You can only manage roles and permissions within the StackSpot EDP Platform
Enterprise Account: It has access to all StackSpot AI features.
Overview
Within an Account, many people work across the StackSpot Platform for different purposes, so they need different types of access and permissions. StackSpot combines Policy-Based Access Control (PBAC), Attribute-Based Access Control (ABAC), and Role-Based Access Control (RBAC) into a single, flexible access control framework: a user's permissions depend on the resources involved and on the roles they hold. The system determines permissions based on the following:
- Resource Type
- Resource
- Action.
See below an overview of the main concepts for understanding roles and permissions:
Main Concepts
| Concept | Description | Example |
|---|---|---|
| Account Member | Users of your Account Organization. | - |
| Groups | Groups are a collection of several users with the same types of roles and resources, meaning the same permission level. | There can be a group with an Administrator and a Spot user. |
| Resource Type | Represents the entities from StackSpot where the resources came from. | StackSpot Platform, Account, Spot. |
| Resource | Resources represent the objects that users interact with. | Plugins, Links, Stacks, Starters, and others. |
| Permissions | Permissions are a set of actions defined for one or more platform resources. | Permission to activate an Account and to create a Stack. |
| Roles | In StackSpot, roles categorize users or groups of users. They define users' account permissions, such as what data they can read or what account assets they can modify. By granting permissions to a role, every user associated with that role receives those permissions. | In StackSpot AI, the default roles are account_holder, ai_admin, and ai_dev. |
Roles
See the default StackSpot roles below:
| Role | Description | Permissions |
|---|---|---|
| Account Holder | This role can execute any action within the StackSpot Platform, for example Account setup and login, creating Spots, and managing service credentials. | It has all the roles. |
| ai_admin | Manages the main functionalities of StackSpot AI, for example, creating and publishing a Stack AI to the Account, creating and publishing Knowledge Sources to the Account, adding Knowledge Sources to the Spot, creating and publishing Quick Commands to the Account, sharing and managing Content, monitoring and Analytics, and testing with StackSpot AI in the IDE. | studio:create; studio:update; studio:delete; studio:view; studio:change_visibility; studio:associate_workspace; studio:disassociate_workspace; studio:view_private; plugin:publish; plugin:unpublish; plugin:deprecate; plugin:download; static_link:create; static_link:delete; action:publish; action:unpublish; action:deprecate; action:download; stack:publish; stack:unpublish; stack:deprecate; stack:view; stack:update; stack:setup; starter:deprecate; stack_ai:create; stack_ai:update; stack_ai:delete; custom_quick_command:publish; custom_quick_command:unpublish; stack:associate; stack:disassociate; workspace:view; api:publish; api:unpublish; environment:create; environment:update; account_context:update; account_context:view; account_workflow:update; account_workflow:view; product:update; product:delete; cloud_provider:create; cloud_provider:update; stack_ai:associate; stack_ai:disassociate; knowledge_source:associate; knowledge_source:disassociate; custom_quick_command:associate; custom_quick_command:disassociate; report:download_studio; report:download_account; dashboard:view_studio; finops_reports:view; finops_billing:download; finops_saving_plans:request; finops_saving_plans:cancel; finops_forecast:view; support:view; support:open; support:close; support:view_org; guardrail_status:view; guardrail_status:create; api:associate; api:disassociate; api:grant_access; api:view_grant_access; knowledge_source:create; knowledge_source:update; knowledge_source:delete; custom_quick_command:create; custom_quick_command:update; custom_quick_command:delete; external_invite:associate; external_invite:disassociate; pat:view; pat:create; finops_contract:create; finops_contract:view; finops_contract:update; finops_billing_account:create; finops_billing_account:view; finops_billing_account:update; finops_allocation_cost:view; finops_export:download; custom_quick_command:execute; knowledge_source:publish; user_scm:view; user_scm:delete; knowledge_source:set_default; stack_ai:publish; resource:create; resource:delete; ai-agent:create; ai-agent:delete; ai-agent:update; ai-agent:view; ai-agent:edit; ai-agent:run; ai-agent:grant_access; custom_quick_command:view; custom_quick_command:edit; custom_quick_command:grant_access; stack_ai:view; stack_ai:edit; stack_ai:grant_access; knowledge_source:view; knowledge_source:edit; knowledge_source:grant_access; account_variable:view; ai-agent:publish; workflow:download; workflow:unpublish; workflow:deprecate; extension:view; member:view_secret; member:update_secret; member:delete_secret; member:create_secret; account:view_secret; account:update_secret; account:delete_secret; account:create_secret; rate_limit_sc:view; rate_limit_sc:update; ai:view; toolkit:grant_access; toolkit:edit; toolkit:view; toolkit:update; toolkit:delete; toolkit:publish; toolkit:create; spot:view_secret; spot:update_secret; spot:delete_secret; spot:create_secret. |
| ai_dev | Developers can create Personal Content on the platform and use the available Content in the Account. | studio:view; action:download; stack:view; workspace:view; application:delete; application:deploy; application:rollback; shared_infra:deploy; shared_infra:rollback; connection_interface:create; connection_interface:view; automatic_connection_interface:view; workspace_workflow:view; stack_ai:associate; stack_ai:disassociate; knowledge_source:associate; knowledge_source:disassociate; custom_quick_command:associate; custom_quick_command:disassociate; report:download_account; cloud_resource:view; report:download_studio; dashboard:view_studio; support:view; support:open; support:close; managed_cloud_account:view; custom_quick_command:update; custom_quick_command:delete; pat:view; pat:create; custom_quick_command:execute; user_scm:view; user_scm:delete; knowledge_source:update; knowledge_source:create; knowledge_source:delete; stack_ai:update; stack_ai:create; stack_ai:delete; ai-agent:create; ai-agent:delete; ai-agent:update; ai-agent:view; ai-agent:edit; ai-agent:grant_access; custom_quick_command:view; custom_quick_command:edit; custom_quick_command:grant_access; stack_ai:view; stack_ai:edit; stack_ai:grant_access; knowledge_source:view; knowledge_source:edit; knowledge_source:grant_access; account_variable:view; extension:view; member:view_secret; member:create_secret; workspace:view_secret; account:view_secret; ai:view; toolkit:grant_access; toolkit:edit; toolkit:view; toolkit:update; toolkit:delete; toolkit:publish; toolkit:create; spot:view_secret. |
You can only manage roles and permissions within the StackSpot EDP Platform. For more details about configuring roles, see the StackSpot EDP Documentation.
Permissions
Permissions are a set of actions defined for one or more Resources on the platform. Resources represent the objects users interact with, such as Accounts, Spots, Quick Commands, and Knowledge Sources. The interactions with resources are called actions, and the available actions depend on the Resource Type.
Resource Types represent the entities in StackSpot that resources belong to. The entities are the StackSpot Platform (as a whole), Account, and Spots.
Based on that, see some permission examples below:
- Permission to create a Knowledge Source;
- Permission to create a Stack AI.
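The `resource:action` strings in the roles table are how a role's grants are expressed. As an added example (not StackSpot code), here is a small Python evaluator that parses those strings as they appear on this page, unions them per role, answers whether a user holding given roles may perform an action, and lists what ai_admin can do that ai_dev cannot; the two role lists are constructed subsets of the page's tables.

```python
from __future__ import annotations

# Constructed subsets of the ai_admin and ai_dev permission lists from the roles table,
# kept in the page's raw "resource:action; ..." notation (deliberately not the full lists).
RAW_ROLE_PERMISSIONS = {
    "ai_admin": "stack_ai:create; stack_ai:update; stack_ai:publish; knowledge_source:create; "
                "knowledge_source:publish; knowledge_source:set_default; custom_quick_command:publish;"
                "custom_quick_command:create; member:create_secret; member:delete_secret; stack_ai:publish.",
    "ai_dev": "stack_ai:create; stack_ai:update; knowledge_source:create; custom_quick_command:create; "
              "custom_quick_command:execute; member:create_secret; member:view_secret.",
}


def parse_permission(token: str) -> tuple[str, str]:
    """Split one 'resource:action' token; reject malformed tokens rather than silently dropping them."""
    resource, sep, action = token.strip().rstrip(".").partition(":")
    if not sep or not resource or not action:
        raise ValueError(f"malformed permission: {token!r}")
    return resource, action


def parse_permission_list(raw: str) -> set[str]:
    """Turn a semicolon-separated list (missing spaces, trailing period, duplicates) into a clean set."""
    tokens = (parse_permission(t) for t in raw.split(";") if t.strip())
    return {f"{resource}:{action}" for resource, action in tokens}


ROLE_PERMISSIONS = {role: parse_permission_list(raw) for role, raw in RAW_ROLE_PERMISSIONS.items()}


def effective_permissions(roles: list[str]) -> set[str]:
    """Union of the permissions granted by every role a user holds (roles aggregate permissions)."""
    granted: set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        granted |= ROLE_PERMISSIONS[role]
    return granted


def is_allowed(roles: list[str], resource: str, action: str) -> bool:
    """Authorization decision: is 'resource:action' among the user's effective permissions?"""
    return f"{resource}:{action}" in effective_permissions(roles)


def privilege_gap(higher: str, lower: str) -> list[str]:
    """Permissions `higher` has that `lower` lacks; handy when reviewing least-privilege role assignments."""
    return sorted(ROLE_PERMISSIONS[higher] - ROLE_PERMISSIONS[lower])


if __name__ == "__main__":
    print(is_allowed(["ai_dev"], "stack_ai", "publish"))    # publishing to the Account is an ai_admin action
    print(is_allowed(["ai_admin"], "stack_ai", "publish"))
    print(privilege_gap("ai_admin", "ai_dev"))
```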
See the tables below to view the permissions in the StackSpot AI Platform according to Resource Type:
Resource type: StackSpot Platform
Management roles require permissions from this Resource Type; at this level, Accounts and Spots are themselves the resources.
| Resource | Action | Description |
|---|---|---|
| Account | create, update, enable, turn off | A role with permissions for this resource in this resource type can create, update, enable, or deactivate an Account. |
| Spots | create, update, delete, view | Management of Spots in the StackSpot context. The ability to create, update (change the name, description, and settings of a Spot), delete, and view Spots in the StackSpot platform. |
Resource type: Account
The permissions from this Resource Type concern StackSpot actions users can do with Account resources.
| Resource | Action | Description |
|---|---|---|
| Knowledge Source (AI Platform resource) | create, update, delete, set as default, publish, edit, grant access | Management of Knowledge Sources in the Account context. Ability to create, update (change the name, description, and settings of a Knowledge Source), delete, set as default, publish, edit, and grant access to a Knowledge Source in the StackSpot AI platform. |
| Quick Commands IDE (AI Platform resource) | create, update, delete, publish, view, grant access | Management of Quick Commands IDE in the Account context. Ability to create, update (change the name, description, and settings of a Quick Command), delete, publish, view, and grant access to a Quick Command IDE in the StackSpot AI platform. |
| Personal Access Token | view, create | Management of Personal Access Tokens in the Account context. Ability to view and create Personal Access Tokens in the StackSpot AI platform. |
| Credentials | view, create, update, delete, associate, disassociate | It can view, create, update, and delete credentials. You can also associate credentials with groups and disassociate credentials with groups. |
| Members | associate, create, update, view | Users with these permissions can associate roles with members, create new members, update member information, or view members. |
| Roles | create, update, delete, associate, disassociate, view | - |
| Stack AI | publish, update, delete, edit, grant access | Management of Stack AI content within the Account context. Ability to publish (promote), update (change the name, description, and settings of a Stack AI), edit, grant access to, and delete a published Stack AI in the StackSpot AI platform Account. |
Resource Type: AI Agent
Permissions for this resource type are related to actions users can perform with AI Agents in the StackSpot Account.
| Resource | Action | Description |
|---|---|---|
| AI Agent | view, create, delete, update, execute, edit, publish | Allows you to view, create, delete, update, execute, publish, and edit AI Agents. |
Resource Type: Toolkit
Permissions for this resource type are related to actions users can perform with Toolkits in the StackSpot Account.
| Resource | Action | Description |
|---|---|---|
| Toolkit | view, create, delete, update, grant access, edit, publish | Allows you to view, create, delete, update, grant access, edit, and publish Toolkits. |