# Aizen Security

Aizen uses JupyterLab to provide a notebook-based console from which users can access the Aizen platform and execute Aizen commands, provided that those users have been granted the appropriate privileges. JupyterLab is configured to use LDAP/Active Directory or OAuth for authentication. Aizen uses role-based access controls (RBAC) to secure access to the Aizen platform.

## Users

The admin user, who is designated during installation, can grant other users the appropriate Aizen roles so that those users can log in to and use the Aizen Jupyter console.

## Roles

Aizen has a set of predefined roles. Users must be assigned one or more of these roles to be able to execute various commands in the Aizen Jupyter console.

<table><thead><tr><th width="216">Role Name</th><th width="121">When Applied</th><th width="121">To Whom</th><th width="191">Privileges</th><th>Scope</th></tr></thead><tbody><tr><td><strong>AIZEN_ADMIN</strong></td><td>Aizen installation</td><td>Admin user</td><td>Grant or revoke the PROJECT_CREATOR and PROJECT_ADMIN roles</td><td>System</td></tr><tr><td><strong>PROJECT_ADMIN</strong></td><td>Project creation (project creator) or grant role command (other users)</td><td>Project creator or a user granted this role</td><td>All privileges, can execute all Aizen commands for the current project</td><td>Project</td></tr><tr><td><strong>PROJECT_CREATOR</strong></td><td>Grant role command</td><td>A user granted this role</td><td>Create projects, grant project-level roles to other users</td><td>System</td></tr><tr><td><strong>PROJECT_EXECUTOR</strong></td><td>Grant role command</td><td>A user granted this role</td><td>All project-level privileges except granting or revoking privileges to or from other users and deleting information (objects or jobs)</td><td>Project</td></tr><tr><td><strong>PROJECT_READER</strong></td><td>Grant role command</td><td>A user granted this role</td><td>Read-only privileges, cannot start, stop, delete, or alter data</td><td>Project</td></tr></tbody></table>

**AIZEN\_ADMIN**

* This is an administrative role, to be used only during the initial setup. The LDAP user ID that is designated as the admin account during Aizen core installation is automatically granted this role.
* Users with the AIZEN\_ADMIN role will be able to grant or revoke the PROJECT\_CREATOR role to or from another user.
* Additionally, the AIZEN\_ADMIN role can grant the PROJECT\_ADMIN role to a user.

**PROJECT\_ADMIN**

* This role has all privileges and can execute all Aizen commands for the current project.
* Users with this role can grant privileges to, or revoke them from, other users.
* When a project is created, the user that creates the project is automatically granted the PROJECT\_ADMIN role for that project.
* Applies to a specific project. This role is granted at the project level.

**PROJECT\_CREATOR**

* Users with this role are allowed to create projects.
* They can grant project-level roles to other users who need project access.
* Applies system-wide and is NOT specific to a project.

**PROJECT\_EXECUTOR**

* Applies to a specific project. This role is granted at the project level.
* This role has all project-level privileges with these exceptions:
  * Cannot grant privileges to or revoke privileges from other users.
  * Cannot delete any information (objects/jobs).

**PROJECT\_READER**

* Applies to a specific project. This role is granted at the project level.
* It is a read-only role. This role has no ability to start, stop, delete, or manipulate data.
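
The role table above can be checked against an exported list of role assignments. The following Python is an added example, not Aizen code or an Aizen API: it models who may grant which role and reviews a constructed list of assignments. The `Assignment` record, the function names, the sample users and projects, and the two rules marked as assumptions in the comments are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

SYSTEM_ROLES = {"AIZEN_ADMIN", "PROJECT_CREATOR"}
PROJECT_ROLES = {"PROJECT_ADMIN", "PROJECT_EXECUTOR", "PROJECT_READER"}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    project: Optional[str] = None  # None means system scope

def may_grant(held, role, project=None):
    """True if a user holding the assignments in `held` may grant `role`."""
    for a in held:
        if a.role == "AIZEN_ADMIN" and role in {"PROJECT_CREATOR", "PROJECT_ADMIN"}:
            return True
        if a.role == "PROJECT_CREATOR" and role in PROJECT_ROLES:
            return True
        # Assumption: PROJECT_ADMIN grants project-level roles in its own project only.
        if a.role == "PROJECT_ADMIN" and role in PROJECT_ROLES and a.project == project:
            return True
    return False

def review(assignments, install_admin):
    """Return (user, finding) pairs for assignments that contradict the role table."""
    findings = []
    for a in assignments:
        if a.role not in SYSTEM_ROLES | PROJECT_ROLES:
            findings.append((a.user, "unknown role " + a.role))
        elif (a.role in SYSTEM_ROLES) != (a.project is None):
            findings.append((a.user, a.role + " has the wrong scope"))
        # Assumption: only the account designated at installation holds AIZEN_ADMIN.
        if a.role == "AIZEN_ADMIN" and a.user != install_admin:
            findings.append((a.user, "AIZEN_ADMIN held by a non-install account"))
    return findings

def grantors(assignments, project):
    """Users able to grant at least one project-level role on `project`."""
    by_user = {}
    for a in assignments:
        by_user.setdefault(a.user, []).append(a)
    return sorted(u for u, held in by_user.items()
                  if any(may_grant(held, r, project) for r in PROJECT_ROLES))

# Constructed sample assignments (not real Aizen data).
SAMPLE = [Assignment("root", "AIZEN_ADMIN"), Assignment("dana", "PROJECT_CREATOR"),
          Assignment("eli", "PROJECT_ADMIN", "fraud"), Assignment("fay", "PROJECT_EXECUTOR", "fraud"),
          Assignment("gus", "PROJECT_READER"), Assignment("hal", "AIZEN_ADMIN")]
```

Calling `review(SAMPLE, "root")` flags the unscoped PROJECT_READER and the second AIZEN_ADMIN holder, and `grantors(SAMPLE, "fraud")` lists every account that can hand out roles on that project, including the system-wide ones.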


