Categories

Versions

You are viewing the RapidMiner Hub documentation for version 2024.0 - Check here for latest version

Special roles and groups

RapidMiner Server provides a set of special roles which are automatically assigned to some of AI Hub's default groups. They serve a pre-defined purpose, for example users within such a group are granted additional permissions. The following page explains all available special roles and default assignment of those roles via default groups within RapidMiner Server.

Roles

Role name Description Default
aihub:projects:create allowed to create projects indirect via group
aihub:projects:deployment-creation allowed to create deployments indirect via group
aihub:deployment-creation-connections allowed to include connections while creating deployments indirect via group
aihub:queues:create allowed to create queues indirect via group
aihub:schedule allowed to schedule processes indirect via group
aihub:sync allows to list and download sync-able files of /sync of AI Hub backend (e.g., used in Job Agents service account) no (only for aihub-jobagent)
aihub:impersonate impersonate other users (e.g., used in Job Agents service account, allowed to call /auth/impersonate of AI Hub backend) no (only for aihub-jobagent)
aihub:license-reporter allowed to report to License Proxy yes (only for service accounts reporting to License Proxy)
aihub:admin administration tasks (queues, projects and schedules) no
aihub:endpoint:admin endpoint administration tasks no

Default Roles

See Default column in Roles section.

In addition, the aihub-backend client's service account requires

  • the realm-management -> impersonation (for working impersonation)
  • the realm-management -> view-users (for retrieving a list of groups and users)
  • the realm-management -> manage-users (for creating groups and users during migration)

roles to be assigned.

Groups

Role name Description Default
users standard for all (new) users yes
admin has role aihub:admin no

Default Groups

  • See Default in Groups section.

Special Scopes

For RapidMiner Server to work correctly, the groups Client Scope is required to be assigned to all related clients in Keycloak.

RapidMiner Server relies on the groups claim for managing permissions internally.