IAM Overview
Securely manage system access, establish hierarchical boundaries, and provision scoped memberships across Infralo.
Identity & Access Management (IAM) in Infralo provides tenant-wide control over authentication, user onboarding, and granular resource authorization.
The platform separates access boundaries into two main levels: Global (Tenant) and Workspace scopes.
Tenant (Organization)
│
▼
Global Users ── (Superadmin, Admin, Member)
│
▼
Workspaces
│
▼
Workspace Members ── (Owner, Admin, Member)
│
▼
Scoped Resources ── (Models, Deployments, API Keys)
What is User Management?
User management in Infralo handles the onboarding, authentication, and lifecycle of users within a single tenant. Whether logging in via standard credentials (basic authentication) or through enterprise Single Sign-On (SSO/OIDC), every user is assigned a distinct identity and profile.
User profiles are managed globally at the tenant level, allowing platform administrators to disable, edit, or delete accounts across the entire organization.
Global Users vs. Workspace Members
Infralo makes a clear architectural distinction between platform-level users and workspace-scoped memberships:
Global Users
- Scope: Tenant-wide.
- Definition: Any registered account in your organization's registry.
- Purpose: Manages system-wide resources (e.g., adding global LLMs, auditing logs, managing runtime modules) and creating new workspaces.
- Role Association: Assigned a Global Role (superadmin, admin, or member).
Workspace Members
- Scope: Workspace-specific.
- Definition: A Global User who has been explicitly added or synced to a specific workspace.
- Purpose: Manages and uses resources isolated inside that workspace (e.g., creating deployments, managing workspace API keys, enabling whitelisted models).
- Role Association: Assigned a Workspace Role (owner, admin, or member) within that specific workspace. A single user can be a member globally, but hold the owner role in a specific workspace they created.
Relationship with Roles & Permissions
Infralo implements Role-Based Access Control (RBAC):
- Permissions: The smallest unit of access control (e.g., View Logs, Create API Keys). Permissions are defined in the backend and enforced at the gateway and API endpoints.
- Roles: Named collections of permissions. Instead of assigning individual permissions to users, you assign roles.
- Hierarchy:
  - Global Roles govern platform administration and tenant settings. They represent the maximum possible operations a user can execute.
  - Workspace Roles govern access inside individual workspaces. A user's effective permissions within a workspace are determined by their Workspace Role, restricted by any platform-wide constraints.
For the full catalog of roles and their mapping to permissions, see the Roles & Permissions reference.
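The two-level model above (a Global User who is a tenant-wide member but the owner of one workspace, and workspace permissions capped by platform-wide constraints) is easiest to reason about as a small resolver. The following is an added illustrative example, not Infralo's code: the role-to-permission tables, the TenantPolicy shape, the disabled-account rule and the choice that workspace membership is always explicit (a superadmin gets nothing in a workspace they were never added to) are all assumptions made for this example; the real catalog is in the Roles & Permissions reference.

```python
"""Illustrative two-scope RBAC resolver (example only; not Infralo's implementation)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed role catalogs. Permission names are assumptions for this example;
# the page only names "View Logs" and "Create API Keys" as examples.
GLOBAL_ROLE_PERMISSIONS = {
    "superadmin": {"manage_tenant_settings", "manage_users", "add_global_model",
                   "view_audit_logs", "manage_runtime_modules", "create_workspace"},
    "admin": {"manage_users", "add_global_model", "view_audit_logs", "create_workspace"},
    "member": {"create_workspace"},
}

WORKSPACE_ROLE_PERMISSIONS = {
    "owner": {"manage_workspace_members", "delete_workspace", "create_deployment",
              "create_api_key", "enable_whitelisted_model", "view_logs"},
    "admin": {"manage_workspace_members", "create_deployment", "create_api_key",
              "enable_whitelisted_model", "view_logs"},
    "member": {"create_deployment", "view_logs"},
}


@dataclass
class TenantPolicy:
    """Platform-wide constraints that cap every workspace role (assumed shape)."""
    denied_permissions: set = field(default_factory=set)


@dataclass
class User:
    username: str
    global_role: str                  # superadmin | admin | member
    disabled: bool = False            # set by a platform administrator, tenant-wide
    # workspace_id -> owner | admin | member; membership is explicit, never inherited
    workspace_roles: dict = field(default_factory=dict)


def global_permissions(user: User) -> set:
    """Permissions granted by the Global Role. A disabled account has none."""
    if user.disabled:
        return set()
    return set(GLOBAL_ROLE_PERMISSIONS[user.global_role])


def effective_workspace_permissions(user: User, workspace_id: str,
                                    policy: Optional[TenantPolicy] = None) -> set:
    """Workspace Role permissions minus anything the tenant policy denies.

    A user who is not a member of the workspace gets nothing, regardless of
    their Global Role: the workspace scope is entered only by explicit membership.
    """
    policy = policy or TenantPolicy()
    if user.disabled:
        return set()
    role = user.workspace_roles.get(workspace_id)
    if role is None:
        return set()
    return set(WORKSPACE_ROLE_PERMISSIONS[role]) - policy.denied_permissions


def is_allowed(user: User, permission: str, workspace_id: Optional[str] = None,
               policy: Optional[TenantPolicy] = None) -> bool:
    """One check for both scopes: global when workspace_id is None, else workspace."""
    if workspace_id is None:
        return permission in global_permissions(user)
    return permission in effective_workspace_permissions(user, workspace_id, policy)


if __name__ == "__main__":
    # Constructed sample: a tenant-wide "member" who owns one workspace.
    alice = User("alice", "member",
                 workspace_roles={"ws-research": "owner", "ws-ops": "member"})
    for ws in ("ws-research", "ws-ops", "ws-finance"):
        print(ws, sorted(effective_workspace_permissions(alice, ws)))
    locked = TenantPolicy(denied_permissions={"create_api_key"})
    print("api key in ws-research under policy:",
          is_allowed(alice, "create_api_key", "ws-research", locked))
```

The resolver checks the workspace role first and then subtracts the tenant-wide deny set, so a platform constraint always wins over an owner grant; a disabled flag short-circuits both scopes, matching the page's statement that administrators can disable accounts across the whole organization.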