Special roles and groups
RapidMiner Server provides a set of special roles which are automatically assigned to some of AI Hub's default groups. They serve a pre-defined purpose, for example users within such a group are granted additional permissions. The following page explains all available special roles and default assignment of those roles via default groups within RapidMiner Server.
Roles
Role name | Description | Default |
---|---|---|
aihub:projects:create |
allowed to create projects | indirect via group |
aihub:projects:deployment-creation |
allowed to create deployments | indirect via group |
aihub:deployment-creation-connections |
allowed to include connections while creating deployments | indirect via group |
aihub:queues:create |
allowed to create queues | indirect via group |
aihub:schedule |
allowed to schedule processes | indirect via group |
aihub:sync |
allows to list and download sync-able files of /sync of AI Hub backend (e.g., used in Job Agents service account) |
no (only for aihub-jobagent ) |
aihub:impersonate |
impersonate other users (e.g., used in Job Agents service account, allowed to call /auth/impersonate of AI Hub backend) |
no (only for aihub-jobagent ) |
aihub:license-reporter |
allowed to report to License Proxy | yes (only for service accounts reporting to License Proxy) |
aihub:admin |
administration tasks (queues, projects and schedules) | no |
aihub:endpoint:admin |
endpoint administration tasks | no |
Default Roles
See Default
column in Roles section.
In addition, the aihub-backend
client's service account requires
- the
realm-management -> impersonation
(for working impersonation) - the
realm-management -> view-users
(for retrieving a list of groups and users) - the
realm-management -> manage-users
(for creating groups and users during migration)
roles to be assigned.
Groups
Role name | Description | Default |
---|---|---|
users |
standard for all (new) users | yes |
admin |
has role aihub:admin |
no |
Default Groups
- See
Default
in Groups section.
Special Scopes
For RapidMiner Server to work correctly, the groups
Client Scope is required to be assigned to all related clients in Keycloak.
RapidMiner Server relies on the groups
claim for managing permissions internally.