Aizen Security

Aizen uses JupyterLab to provide a notebook-based console from which users can access the Aizen platform and execute Aizen commands, provided that those users have been granted the appropriate privileges. JupyterLab is configured to use LDAP/Active Directory or OAuth for authentication. Aizen uses role-based access controls (RBAC) to secure access to the Aizen platform.

Users

The admin user, which is determined during installation, can grant other users with the appropriate Aizen roles so that those users can log in to and use the Aizen Jupyter console.

Roles

Aizen has a set of predefined roles. Users must be assigned one or more of these roles to be able to execute various commands in the Aizen Jupyter console.

Role Name

When Applied

To Whom

Privileges

Scope

AIZEN_ADMIN

Aizen installation

Admin user

Grant or revoke the PROJECT_CREATOR and PROJECT_ADMIN roles

System

PROJECT_ADMIN

Project creation (project creator) or grant role command (other users)

Project creator or a user granted this role

All privileges, can execute all Aizen commands for the current project

Project

PROJECT_CREATOR

Grant role command

A user granted this role

Create projects, grant project-level roles to other users

System

PROJECT_EXECUTOR

Grant role command

A user granted this role

All project-level privileges except granting or revoking privileges to or from other users and deleting information (objects or jobs)

Project

PROJECT_READER

Grant role command

A user granted this role

Read-only privileges, cannot start, stop, delete, or alter data

Project

AIZEN_ADMIN

This is an administrative role only to be used during the initial setup. The LDAP user ID that is designated as the admin account during Aizen core installation is automatically granted this role.
Users with the AIZEN_ADMIN role will be able to grant or revoke the PROJECT_CREATOR role to or from another user.
Additionally, the AIZEN_ADMIN role can grant the PROJECT_ADMIN role to a user.

PROJECT_ADMIN

This role has all privileges and can execute all Aizen commands for the current project.
They can grant or revoke privileges to additional users.
When a project is created, the user that creates the project is automatically granted the PROJECT_ADMIN role for that project.
Applies to a specific project. This role is granted at the project level.

PROJECT_CREATOR

Users with this role are allowed to create projects.
They can grant project-level roles to other users who need project access.
Applies system wide and NOT specific to a project.

PROJECT_EXECUTOR

Applies to a specific project. This role is granted at the project level.
This role has all project-level privileges with these exceptions:
- Cannot grant or revoke privileges from other users.
- Cannot delete any information (objects/jobs).

PROJECT_READER

Applies to a specific project. This role is granted at the project level.
It is a read-only role. This role has no ability to start, stop, delete, or manipulate data.

PreviousManaging Users and Roles NextAdding Users

Last updated 3 months ago

Roles

Aizen has a set of predefined roles. Users must be assigned one or more of these roles to be able to execute various commands in the Aizen Jupyter console.

Role Name

When Applied

To Whom

Privileges

Scope

AIZEN_ADMIN

Aizen installation

Admin user

Grant or revoke the PROJECT_CREATOR and PROJECT_ADMIN roles

System

PROJECT_ADMIN

Project creation (project creator) or grant role command (other users)

Project creator or a user granted this role

All privileges, can execute all Aizen commands for the current project

Project

PROJECT_CREATOR

Grant role command

A user granted this role

Create projects, grant project-level roles to other users

System

PROJECT_EXECUTOR

Grant role command

A user granted this role

All project-level privileges except granting or revoking privileges to or from other users and deleting information (objects or jobs)

Project

PROJECT_READER

Grant role command

A user granted this role

Read-only privileges, cannot start, stop, delete, or alter data

Project

AIZEN_ADMIN

This is an administrative role only to be used during the initial setup. The LDAP user ID that is designated as the admin account during Aizen core installation is automatically granted this role.

Users with the AIZEN_ADMIN role will be able to grant or revoke the PROJECT_CREATOR role to or from another user.

Additionally, the AIZEN_ADMIN role can grant the PROJECT_ADMIN role to a user.

PROJECT_ADMIN

This role has all privileges and can execute all Aizen commands for the current project.

They can grant or revoke privileges to additional users.

When a project is created, the user that creates the project is automatically granted the PROJECT_ADMIN role for that project.

Applies to a specific project. This role is granted at the project level.

PROJECT_CREATOR

Users with this role are allowed to create projects.

They can grant project-level roles to other users who need project access.

Applies system wide and NOT specific to a project.

PROJECT_EXECUTOR

Applies to a specific project. This role is granted at the project level.

This role has all project-level privileges with these exceptions:

Cannot grant or revoke privileges from other users.
Cannot delete any information (objects/jobs).

PROJECT_READER

Applies to a specific project. This role is granted at the project level.

It is a read-only role. This role has no ability to start, stop, delete, or manipulate data.