Aizen Security
Aizen uses JupyterLab to provide a notebook-based console from which users can access the Aizen platform and execute Aizen commands, provided that those users have been granted the appropriate privileges. JupyterLab is configured to use LDAP/Active Directory or OAuth for authentication. Aizen uses role-based access controls (RBAC) to secure access to the Aizen platform.
Users
The admin user, which is determined during installation, can grant other users the appropriate Aizen roles so that those users can log in to and use the Aizen Jupyter console.
Roles
Aizen has a set of predefined roles. Users must be assigned one or more of these roles to be able to execute various commands in the Aizen Jupyter console.
| Role | How it is granted | Who holds it | Privileges | Scope |
|---|---|---|---|---|
| AIZEN_ADMIN | Aizen installation | Admin user | Grant or revoke the PROJECT_CREATOR and PROJECT_ADMIN roles | System |
| PROJECT_ADMIN | Project creation (project creator) or grant role command (other users) | Project creator or a user granted this role | All privileges, can execute all Aizen commands for the current project | Project |
| PROJECT_CREATOR | Grant role command | A user granted this role | Create projects, grant project-level roles to other users | System |
| PROJECT_EXECUTOR | Grant role command | A user granted this role | All project-level privileges except granting or revoking privileges to or from other users and deleting information (objects or jobs) | Project |
| PROJECT_READER | Grant role command | A user granted this role | Read-only privileges, cannot start, stop, delete, or alter data | Project |
AIZEN_ADMIN
This is an administrative role only to be used during the initial setup. The LDAP user ID that is designated as the admin account during Aizen core installation is automatically granted this role.
Users with the AIZEN_ADMIN role will be able to grant or revoke the PROJECT_CREATOR role to or from another user.
Additionally, the AIZEN_ADMIN role can grant the PROJECT_ADMIN role to a user.
PROJECT_ADMIN
This role has all privileges and can execute all Aizen commands for the current project.
Users with this role can grant or revoke privileges to or from other users of the project.
When a project is created, the user that creates the project is automatically granted the PROJECT_ADMIN role for that project.
Applies to a specific project. This role is granted at the project level.
PROJECT_CREATOR
Users with this role are allowed to create projects.
They can grant project-level roles to other users who need project access.
Applies system wide and NOT specific to a project.
PROJECT_EXECUTOR
Applies to a specific project. This role is granted at the project level.
This role has all project-level privileges with these exceptions:
Cannot grant or revoke privileges to or from other users.
Cannot delete any information (objects/jobs).
PROJECT_READER
Applies to a specific project. This role is granted at the project level.
It is a read-only role. This role has no ability to start, stop, delete, or manipulate data.
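The following is an added, illustrative model of the role scheme described above; it is not Aizen's own code. The class, action and command names (`AizenRbac`, `read`, `start`, `delete`, and so on), the sample user names, and the assumption that a PROJECT_CREATOR may grant project-level roles on any project are assumptions made for this example. It shows the two scopes side by side: system roles are stored per user, project roles per (user, project), every check is deny-by-default, and a project role never carries over to another project.

```python
# Added illustrative model of the Aizen role scheme described on this page.
# It is not Aizen's code: class, action and command names are assumptions.
from enum import Enum


class Role(str, Enum):
    AIZEN_ADMIN = "AIZEN_ADMIN"            # system scope, assigned at installation only
    PROJECT_CREATOR = "PROJECT_CREATOR"    # system scope
    PROJECT_ADMIN = "PROJECT_ADMIN"        # project scope
    PROJECT_EXECUTOR = "PROJECT_EXECUTOR"  # project scope
    PROJECT_READER = "PROJECT_READER"      # project scope


SYSTEM_ROLES = {Role.AIZEN_ADMIN, Role.PROJECT_CREATOR}
PROJECT_ROLES = {Role.PROJECT_ADMIN, Role.PROJECT_EXECUTOR, Role.PROJECT_READER}

# Project-level actions each project role may perform (action names are assumed).
# EXECUTOR lacks delete/grant/revoke; READER is read-only.
PROJECT_ACTIONS = {
    Role.PROJECT_READER: {"read"},
    Role.PROJECT_EXECUTOR: {"read", "start", "stop", "alter"},
    Role.PROJECT_ADMIN: {"read", "start", "stop", "alter", "delete", "grant", "revoke"},
}


class PermissionDenied(Exception):
    pass


class AizenRbac:
    """Deny-by-default role store: system roles per user, project roles per (user, project)."""

    def __init__(self, admin_user):
        # The LDAP user designated as admin at installation is automatically AIZEN_ADMIN.
        self._system = {admin_user: {Role.AIZEN_ADMIN}}
        self._project = {}

    def system_roles(self, user):
        return self._system.get(user, set())

    def project_roles(self, user, project):
        return self._project.get((user, project), set())

    def can(self, user, action, project):
        """True only if one of the user's roles *in that project* allows the action."""
        return any(action in PROJECT_ACTIONS[r] for r in self.project_roles(user, project))

    def create_project(self, actor, project):
        if Role.PROJECT_CREATOR not in self.system_roles(actor):
            raise PermissionDenied(f"{actor} lacks PROJECT_CREATOR")
        # The creator is automatically PROJECT_ADMIN of the new project.
        self._project.setdefault((actor, project), set()).add(Role.PROJECT_ADMIN)

    def grant(self, actor, target, role, project=None):
        self._check_role_change(actor, role, project, revoking=False)
        store, key = self._slot(target, role, project)
        store.setdefault(key, set()).add(role)

    def revoke(self, actor, target, role, project=None):
        self._check_role_change(actor, role, project, revoking=True)
        store, key = self._slot(target, role, project)
        store.get(key, set()).discard(role)

    def _slot(self, target, role, project):
        if role in PROJECT_ROLES:
            return self._project, (target, project)
        return self._system, target

    def _check_role_change(self, actor, role, project, revoking):
        sys_roles = self.system_roles(actor)
        if role is Role.AIZEN_ADMIN:
            raise PermissionDenied("AIZEN_ADMIN is assigned at installation, never by command")
        if role is Role.PROJECT_CREATOR:
            if Role.AIZEN_ADMIN not in sys_roles:
                raise PermissionDenied("only AIZEN_ADMIN grants or revokes PROJECT_CREATOR")
            return
        if project is None:
            raise PermissionDenied(f"{role.value} is project-scoped; a project is required")
        # AIZEN_ADMIN may grant PROJECT_ADMIN (the page does not describe it revoking).
        if role is Role.PROJECT_ADMIN and not revoking and Role.AIZEN_ADMIN in sys_roles:
            return
        # PROJECT_CREATOR may grant project-level roles (assumed here: on any project).
        if not revoking and Role.PROJECT_CREATOR in sys_roles:
            return
        # A PROJECT_ADMIN of this particular project may grant or revoke within it.
        if Role.PROJECT_ADMIN in self.project_roles(actor, project):
            return
        verb = "revoke" if revoking else "grant"
        raise PermissionDenied(f"{actor} may not {verb} {role.value} on {project}")


def demo():
    """Constructed sample: one install admin, one creator, two project members."""
    rbac = AizenRbac(admin_user="install-admin")
    rbac.grant("install-admin", "alice", Role.PROJECT_CREATOR)
    rbac.create_project("alice", "fraud-model")  # alice becomes PROJECT_ADMIN of it
    rbac.grant("alice", "bob", Role.PROJECT_EXECUTOR, project="fraud-model")
    rbac.grant("alice", "carol", Role.PROJECT_READER, project="fraud-model")
    return rbac


if __name__ == "__main__":
    r = demo()
    print("bob start:", r.can("bob", "start", "fraud-model"))    # True
    print("bob delete:", r.can("bob", "delete", "fraud-model"))  # False
```

Two points worth noticing in the model: the installation admin holds only a system-scoped role, so `can("install-admin", "read", "fraud-model")` is false, matching the page's statement that AIZEN_ADMIN is an administrative role for initial setup rather than a project-data role; and because roles are keyed by (user, project), a PROJECT_EXECUTOR on one project has no access at all on another.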