Special roles and groups

RapidMiner Server provides a set of special roles, which are automatically assigned to some of AI Hub's default groups. Each serves a pre-defined purpose; for example, users within such a group are granted additional permissions. This page explains all available special roles and the default assignment of those roles via default groups within RapidMiner Server.


| Role name | Description | Default |
|---|---|---|
| aihub:projects:create | allowed to create projects | indirect via group |
| aihub:projects:deployment-creation | allowed to create deployments | indirect via group |
| aihub:deployment-creation-connections | allowed to include connections while creating deployments | indirect via group |
| aihub:queues:create | allowed to create queues | indirect via group |
| aihub:schedule | allowed to schedule processes | indirect via group |
| aihub:sync | allows listing and downloading sync-able files (e.g. used in Job Agents service account) | no (only for aihub-jobagent) |
| aihub:impersonate | impersonate other users (e.g. used in Job Agents service account) | no (only for aihub-jobagent) |
| aihub:admin | miscellaneous tasks | no |

  • aihub:admin
    • allows management of most features including queues, projects and schedules
  • aihub:impersonate
    • allows impersonating a user by calling the /auth/impersonate endpoint
  • aihub:sync
    • allows listing and downloading sync-able files using the /sync endpoints

Default Roles

See the Default column in the Roles section.

In addition, the aihub-backend client's service account requires the following roles to be assigned:

  • realm-management -> impersonation (for working impersonation)
  • realm-management -> view-users (for retrieving a list of groups and users)
  • realm-management -> manage-users (for creating groups and users during migration)


| Group name | Description | Default |
|---|---|---|
| users | standard for all (new) users | yes |
| admin | has role aihub:admin | no |

Default Groups

  • See the Default column in the Groups section.

Special Scopes

For RapidMiner Server to work correctly, the groups client scope must be assigned to all related clients in Keycloak.

RapidMiner Server relies on the groups claim for managing permissions internally.
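
An added example, not part of the RapidMiner documentation: a Python check over a parsed Keycloak realm export that tests three conditions stated on this page (the groups client scope on related clients, aihub:impersonate and aihub:sync held only by the aihub-jobagent service account, and the realm-management roles on the aihub-backend service account). The export key names are Keycloak's; the function names, the sample data, the list of related clients and the reading of "only for aihub-jobagent" as that client's service account are assumptions. The aihub roles are looked up among both realm and client role mappings because the page does not say which they are, and composite roles and subgroups are not expanded.

```python
RESTRICTED = {"aihub:impersonate", "aihub:sync"}  # page: "only for aihub-jobagent"
BACKEND_NEEDS = {"impersonation", "view-users", "manage-users"}  # realm-management

def direct_roles(entry):
    """Realm and client roles mapped directly to a user or group entry."""
    roles = set(entry.get("realmRoles", []))
    for client_roles in entry.get("clientRoles", {}).values():
        roles.update(client_roles)
    return roles

def audit(realm, related_clients):
    """Return a list of findings for a parsed realm export (a dict)."""
    findings = []
    clients = {c["clientId"]: c for c in realm.get("clients", [])}
    for cid in related_clients:
        # Assumption: "assigned" means a default scope (optional ones are per-request).
        if "groups" not in clients.get(cid, {}).get("defaultClientScopes", []):
            findings.append(f"client {cid}: groups client scope not assigned")
    for group in realm.get("groups", []):  # top-level groups only
        held = direct_roles(group) & RESTRICTED
        if held:
            findings.append(f"group {group['name']}: grants {sorted(held)}")
    for user in realm.get("users", []):
        owner = user.get("serviceAccountClientId")
        held = direct_roles(user) & RESTRICTED
        if held and owner != "aihub-jobagent":
            findings.append(f"user {user['username']}: holds {sorted(held)}")
        if owner == "aihub-backend":
            have = set(user.get("clientRoles", {}).get("realm-management", []))
            for role in sorted(BACKEND_NEEDS - have):
                findings.append(f"aihub-backend service account: missing {role}")
    return findings

# Constructed sample export, trimmed to the keys the audit reads.
SAMPLE = {
    "clients": [{"clientId": "aihub-backend", "defaultClientScopes": ["profile", "groups"]},
                {"clientId": "aihub-jobagent", "defaultClientScopes": ["profile"]}],
    "groups": [{"name": "admin", "realmRoles": ["aihub:admin"]}],
    "users": [
        {"username": "service-account-aihub-jobagent", "serviceAccountClientId": "aihub-jobagent",
         "realmRoles": ["aihub:impersonate", "aihub:sync"]},
        {"username": "service-account-aihub-backend", "serviceAccountClientId": "aihub-backend",
         "clientRoles": {"realm-management": ["impersonation", "view-users"]}},
        {"username": "alice", "realmRoles": ["aihub:sync"]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["aihub-backend", "aihub-jobagent"])))
```

Users are present in a realm export only when the export was taken with users included; without them the role checks have nothing to inspect.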