Roles & Permissions

Master reference of Infralo's Role-Based Access Control (RBAC) model, including global roles, workspace roles, and granular permission definitions.

Infralo uses Role-Based Access Control (RBAC) to enforce security policies. A user's capabilities are determined by a combination of their Global Role (which governs platform-wide operations) and their Workspace Role (which governs actions within a specific workspace).


Global Roles

Global Roles are assigned to users at the tenant (organization) level. They dictate a user's access to system administration, platform settings, and global registries.

| Role | Identifier | Scope | Description |
|---|---|---|---|
| Superadmin | superadmin | Tenant-wide | Full administrative access across all tenants, users, and resources in the system. |
| Admin | admin | Tenant-wide | Administrative access to manage users, global models, runtime modules, system settings, and global observability. |
| Member | member | Tenant-wide | Default role for standard users. Allows creating new workspaces and viewing basic tenant properties. |

Global Roles Permission Matrix

| Feature Area | Superadmin | Admin | Member |
|---|---|---|---|
| Tenants Administration | Full Access | Full Access | View Only |
| Users Administration | Full Access | Full Access | No Access |
| Global Models Catalog | Full Access | Full Access | No Access |
| Workspace Creation | Yes | Yes | Yes |
| Global Telemetry & Logs | Full Access | Full Access | No Access |
| Runtime Module Plugins | Full Access | Full Access | No Access |
| Audit Logs | Full Access | View Only | No Access |
| System Roles Mapping | View Only | View Only | View Only |

Workspace Roles

Workspace Roles determine what a user can do inside a specific workspace. A global user can hold different roles in different workspaces (for example, being the Owner of a development workspace but only a Member of a production workspace).

| Role | Identifier | Description |
|---|---|---|
| Owner | owner | Full control and ownership over the workspace. Only the Owner can delete the workspace or modify ownership. |
| Admin | admin | Administrative access to configure the workspace, manage members, whitelist models, create deployments, and generate API keys. |
| Member | member | Standard developer access. Allows viewing workspace settings, calling whitelisted models/deployments, and checking workspace logs. |

Workspace Roles Permission Matrix

| Feature Area | Owner | Admin | Member |
|---|---|---|---|
| Workspace Settings | Full Access | View & Update | View Only |
| Workspace Deletion | Yes | No | No |
| Workspace Members | Full Access | Manage Members | View Members |
| Workspace API Keys | Full Access | Full Access | View Only |
| Workspace Models Whitelist | Full Access | Full Access | View Only |
| Deployments (Load Balancers) | Full Access | Full Access | View Only |
| Workspace Logs & Metrics | Full Access | Full Access | Full Access |

Granular Permissions Reference

Below is the master list of all individual permissions enforced by Infralo's gateway and API services.

| Category | Permission | Code Key | Description |
|---|---|---|---|
| Tenants Administration | View Tenants | TENANT_VIEW | Allows viewing global tenants information. |
| Tenants Administration | Update Tenants | TENANT_UPDATE | Allows modifying global tenants configuration. |
| Tenants Administration | Delete Tenants | TENANT_DELETE | Allows deleting global tenants. |
| Users Administration | View Users | USER_VIEW | Allows viewing the global users registry. |
| Users Administration | Create Users | USER_CREATE | Allows inviting or creating new global users. |
| Users Administration | Update Users | USER_UPDATE | Allows editing global user details and roles. |
| Users Administration | Delete Users | USER_DELETE | Allows deleting global users. |
| Workspace Settings | Create Workspaces | WORKSPACE_CREATE | Allows creating new workspaces in the tenant. |
| Workspace Settings | View Workspaces | WORKSPACE_VIEW | Allows viewing workspace details and overview. |
| Workspace Settings | Update Workspaces | WORKSPACE_UPDATE | Allows updating workspace name, description, and gateway configurations. |
| Workspace Settings | Delete Workspaces | WORKSPACE_DELETE | Allows deleting workspaces and cleaning up their associated resources. |
| Workspace Members | View Workspace Members | WORKSPACE_USER_VIEW | Allows viewing workspace members and their roles. |
| Workspace Members | Invite Workspace Members | WORKSPACE_USER_CREATE | Allows inviting new members to the workspace. |
| Workspace Members | Update Workspace Members | WORKSPACE_USER_UPDATE | Allows updating workspace member roles. |
| Workspace Members | Remove Workspace Members | WORKSPACE_USER_DELETE | Allows removing members from the workspace. |
| Workspace API Keys | View API Keys | WORKSPACE_API_KEY_VIEW | Allows viewing workspace API keys. |
| Workspace API Keys | Create API Keys | WORKSPACE_API_KEY_CREATE | Allows creating new workspace API keys. |
| Workspace API Keys | Update API Keys | WORKSPACE_API_KEY_UPDATE | Allows editing workspace API key permissions and settings. |
| Workspace API Keys | Delete API Keys | WORKSPACE_API_KEY_DELETE | Allows deleting or revoking workspace API keys. |
| Global Models | View Global LLMs | GLOBAL_LLM_VIEW | Allows viewing the global catalog of LLMs. |
| Global Models | Create Global LLMs | GLOBAL_LLM_CREATE | Allows adding new LLMs to the global catalog. |
| Global Models | Update Global LLMs | GLOBAL_LLM_UPDATE | Allows editing global LLMs settings, providers, and limits. |
| Global Models | Delete Global LLMs | GLOBAL_LLM_DELETE | Allows deleting LLMs from the global catalog. |
| Workspace Models | View Workspace LLMs | WORKSPACE_LLM_VIEW | Allows viewing LLMs whitelisted for the workspace. |
| Workspace Models | Enable Workspace LLMs | WORKSPACE_LLM_CREATE | Allows linking global LLMs to the workspace. |
| Workspace Models | Update Workspace LLMs | WORKSPACE_LLM_UPDATE | Allows toggling workspace LLMs status. |
| Workspace Models | Disable Workspace LLMs | WORKSPACE_LLM_DELETE | Allows unlinking LLMs from the workspace. |
| Deployments | View Deployments | DEPLOYMENT_VIEW | Allows viewing workspace load-balanced deployments. |
| Deployments | Create Deployments | DEPLOYMENT_CREATE | Allows creating new deployments and load-balancer configurations. |
| Deployments | Update Deployments | DEPLOYMENT_UPDATE | Allows editing workspace load-balancer configurations and routing rules. |
| Deployments | Delete Deployments | DEPLOYMENT_DELETE | Allows deleting deployments. |
| Deployment Models | View Deployment LLMs | DEPLOYMENT_LLM_VIEW | Allows viewing LLM configurations attached to deployments. |
| Deployment Models | Add Deployment LLMs | DEPLOYMENT_LLM_CREATE | Allows attaching models to deployments. |
| Deployment Models | Update Deployment LLMs | DEPLOYMENT_LLM_UPDATE | Allows configuring weights and states for deployment models. |
| Deployment Models | Remove Deployment LLMs | DEPLOYMENT_LLM_DELETE | Allows removing models from deployments. |
| Global Observability | View Global Logs | GLOBAL_LOGS_VIEW | Allows viewing system-wide gateway request logs. |
| Global Observability | View Global Traces | GLOBAL_TRACING_VIEW | Allows viewing global traces. |
| Global Observability | View Global Metrics | GLOBAL_METRICS_VIEW | Allows viewing system-wide analytics, reliability, and cost dashboards. |
| Workspace Observability | View Workspace Logs | WORKSPACE_LOGS_VIEW | Allows viewing workspace-specific gateway request logs. |
| Workspace Observability | View Workspace Traces | WORKSPACE_TRACING_VIEW | Allows viewing workspace traces. |
| Workspace Observability | View Workspace Metrics | WORKSPACE_METRICS_VIEW | Allows viewing workspace-scoped metrics, cost, and usage data. |
| Security & Audit | View Audit Logs | AUDIT_LOGS_VIEW | Allows viewing security audit logs. |
| Runtime Modules | View Runtime Modules | GLOBAL_RUNTIME_MODULE_VIEW | Allows viewing the catalog of runtime plugins/modules. |
| Runtime Modules | Create Runtime Modules | GLOBAL_RUNTIME_MODULE_CREATE | Allows creating new runtime plugins. |
| Runtime Modules | Update Runtime Modules | GLOBAL_RUNTIME_MODULE_UPDATE | Allows editing global runtime plugins. |
| Runtime Modules | Delete Runtime Modules | GLOBAL_RUNTIME_MODULE_DELETE | Allows deleting runtime plugins. |
| Roles Management | View Roles | ROLE_VIEW | Allows viewing global and workspace roles and their permissions mapping. |
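
For access reviews, the Workspace Roles Permission Matrix can be expanded into the code keys listed above and checked with a default-deny rule. The sketch below is an added example, not Infralo code: the function names, the expansion of each access level into VIEW/CREATE/UPDATE/DELETE suffixes, and the treatment of "Manage Members" as all four verbs are assumptions. It covers Workspace Roles only and omits the Deployment Models keys, which the matrix does not list as a separate row.

```python
# Added example: not Infralo code. Rows come from the Workspace Roles
# Permission Matrix; the level -> verb expansion below is an assumption.
LEVEL_VERBS = {
    "Full Access": {"VIEW", "CREATE", "UPDATE", "DELETE"},
    "Manage Members": {"VIEW", "CREATE", "UPDATE", "DELETE"},  # assumed
    "View & Update": {"VIEW", "UPDATE"},
    "View Only": {"VIEW"},
    "View Members": {"VIEW"},
}

# Code-key prefix -> access level for (owner, admin, member).
MATRIX = {
    "WORKSPACE": ("Full Access", "View & Update", "View Only"),
    "WORKSPACE_USER": ("Full Access", "Manage Members", "View Members"),
    "WORKSPACE_API_KEY": ("Full Access", "Full Access", "View Only"),
    "WORKSPACE_LLM": ("Full Access", "Full Access", "View Only"),
    "DEPLOYMENT": ("Full Access", "Full Access", "View Only"),
}
# Logs & Metrics is Full Access for every role; only VIEW keys exist.
OBSERVABILITY = {"WORKSPACE_LOGS_VIEW", "WORKSPACE_TRACING_VIEW",
                 "WORKSPACE_METRICS_VIEW"}
ROLES = ("owner", "admin", "member")


def workspace_permissions(role):
    """Expand a workspace role identifier into permission code keys."""
    if role not in ROLES:
        return set()  # unknown or missing role: default deny
    col = ROLES.index(role)
    keys = set(OBSERVABILITY)
    for prefix, levels in MATRIX.items():
        keys |= {f"{prefix}_{verb}" for verb in LEVEL_VERBS[levels[col]]}
    # WORKSPACE_CREATE is granted by the Global Role (Workspace Creation row).
    keys.discard("WORKSPACE_CREATE")
    return keys


def is_allowed(memberships, workspace, key):
    """memberships: {workspace_name: role}. No membership means no access."""
    return key in workspace_permissions(memberships.get(workspace))


def escalation_delta(old_role, new_role):
    """Keys gained by a role change, for review before approving it."""
    return sorted(workspace_permissions(new_role) - workspace_permissions(old_role))
```

Under these assumptions, promoting a workspace Admin to Owner adds exactly one key, WORKSPACE_DELETE, which matches the statement that only the Owner can delete the workspace.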
