Permissions

Bedrock provides functionality to assign permissions on the first class objects i.e. Pipelines, Models, Endpoints and Environment.

All the child objects inherit the permissions from the parent object as shown in the table below:

Parent object

Child object

Pipeline

Pipeline runs (permissions inherited from Pipeline)

Model

Model versions (permissions inherited from Model)

Endpoint

Model servers (permissions inherited from Endpoint)

Environment

NA

Permission levels

Any collaborator added to an object can be assigned either of these two roles:

  • Admin

  • Editor

Creators of objects are assigned the 'Admin' role by default. Further collaborators added to the object can be assigned 'Admin' or 'Editor' roles. Users can only see objects they are collaborators on.

The permissions chart for both types of roles are explained in the table below for every object:

Object

Permission to

Admin role

Editor role

Pipeline (Training, Batch scoring)

View Pipeline

Run Pipeline

Delete Pipeline

View collaborators in a Pipeline

Add collaborators to a Pipeline

Remove collaborators from a Pipeline

Model

View Model

Deploy Model as Model Server

Delete Model

View collaborators in a Model

Add collaborator to Model

Remove collaborator from Model

Endpoint

View Endpoint

Deploy (Model Server) to Endpoint

Undeploy (Model Server) from Endpoint

Delete Endpoint

View collaborators in an Endpoint

Add collaborator to Endpoint

Remove collaborator from Endpoint

Environment

View Environment

Run Pipeline in an Environment

Deploy Model Server in an Environment

View collaborators in an Environment

Add collaborator to Environment

Remove collaborator from Environment

View/add/remove collaborators

You can add individual users or entire Teams as collaborators of an object. You can add or view collaborators of an object by clicking on the 'Actions' icon in the list, or in the upper-right corner of the object details page, as shown in the screenshots below:

An 'Admin' for an object can remove collaborators by clicking 'Remove' in the 'Add collaborator' pop-up, as shown in the screenshot below:

You can also add Team as collaborators to an object. You can find more info about this here.

Permissions needed to perform actions in Bedrock

All major actions performed in Bedrock touch multiple objects, e.g. to run a Training Pipeline and write to a Model requires permissions on three objects:

  • Training Pipeline: for which the run is going to be submitted

  • Model: to which the trained Model Version is written

  • Environment: where the Training Pipeline run is executed

To perform an action in Bedrock a user requires permissions on every object that action touches. Required permissions for major actions in Bedrock are summarised below:

Action

Objects

Run a Training Pipeline and write to a Model

Training Pipeline

Model

Environment

Run a Batch scoring Pipeline by using a Model

Batch scoring Pipeline

Model

Environment

Deploy a Model as Model Server to an Endpoint

Model

Endpoint

Environment

Undeploy a Model Server from an Endpoint

Endpoint

Environment