# Role-Based Access Control

### Overview of Role-Based Access Control

Fiddler supports Role-Based Access Control (RBAC) using resources and roles. This documentation outlines the resources, roles, and permissions available in Fiddler, enabling you to manage access control for your organization.

### Understanding Resources

Resources are entities within Fiddler that users can access and interact with. There are two main resource types:

#### Organization Resources

* Organization: Represents your entire Fiddler setup, including projects and users.
* Settings: General information, login details, notification settings, and integration configurations.
* Users: Individual users with accounts in your Fiddler organization.
* Teams: Groups of users within your organization.
  * Each user can be a member of zero or more teams.
  * Team roles are associated with project roles, i.e., teams can be granted **Project Viewer**, **Project Writer**, or **Project Admin** permissions for a project.
* Evaluators: Predefined and custom metrics used to assess model or application outputs.
* Global Agentic Custom Metrics: Organization-wide custom metrics for GenAI applications.

#### Project Resources

* Projects: Contain models, data, and configurations for a specific ML application.
* Models: Machine learning models onboarded to Fiddler for monitoring and explainability.
* Project Settings: Configurations related to project access and user permissions.
* Alerts: Notifications generated by Fiddler based on monitoring data.
* Charts & Dashboards: Visualizations of your model performance and data insights.
* Application: GenAI applications for agentic workflows.
* Evaluator Rules: Rules that define which evaluators run against application spans and how inputs are mapped.
* Project-Scoped Agentic Custom Metrics: Project-scoped custom metrics for GenAI applications.

### Understanding Roles

Roles define the level of access a user has to Fiddler resources:

#### Organization Roles

* Org Admin: Can manage users, teams, projects, and organization settings. However, this role cannot access project data unless a Project Admin explicitly grants access.
* Org Member: Limited access to organization settings and cannot create projects.

#### Project Roles

* Project Admin: Manages all aspects of a project, including models, settings, alerts, and user access (except deleting the project).
* Project Writer: Can view and edit most project details (models, settings, alerts), but cannot delete the project or invite other users.
* Project Viewer: Can view project details and model content, but cannot edit anything except charts and dashboards (read-only access).

### Understanding Permissions

#### Permission types

Permission types combine with resources and roles to define the access control rules in Fiddler. Fiddler's RBAC uses the following permission types to define the level of access a user has to a resource:

* List: This permission allows users to view a list of resources but does not grant access to view details or interact with them in any way. For example, a user with the "List" permission for projects can see a list of project names, but cannot view project details or settings.
* Read: This permission enables users to view details of a resource, but does not grant access to edit or modify the resource in any way.
* Create: This permission allows users to create new resources, such as projects, models, or alerts.
* Edit: This permission enables users to modify existing resources, such as updating project settings or editing model configurations.
* Delete: This permission allows users to delete resources, such as projects or models.

#### Organization Level permissions

* Org Admin: Full access to organization settings and resources.
* Org Member: Limited access to organization settings.

**Legend:** ✅ = Granted, ❌ = Not Granted, N/A = Not Implemented

<table data-full-width="true"><thead><tr><th>Resource</th><th>Role</th><th>List</th><th>Read</th><th>Create</th><th>Edit</th><th>Delete</th></tr></thead><tbody><tr><td>Org Settings: General, Credentials, Email, PagerDuty, Webhook</td><td>Admin</td><td>❌</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Member</td><td>❌</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Org Settings / Access / Teams &#x26; Invitations</td><td>Admin</td><td>❌</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Member</td><td>❌</td><td>❌</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Org Settings / Access / Users</td><td>Admin</td><td>❌</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Member</td><td>❌</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Project</td><td>Admin</td><td>✅</td><td>❌</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Member</td><td>❌</td><td>❌</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Project / Project Settings</td><td>Admin</td><td>❌</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Member</td><td>❌</td><td>❌</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Evaluators</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>N/A</td><td>N/A</td></tr><tr><td></td><td>Member</td><td>✅</td><td>✅</td><td>✅</td><td>N/A</td><td>N/A</td></tr><tr><td>Global Agentic Custom Metrics</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>N/A</td><td>✅</td></tr><tr><td></td><td>Member</td><td>✅</td><td>✅</td><td>✅</td><td>N/A</td><td>❌</td></tr></tbody></table>

#### Project Level permissions

An "Org Admin" or "Org Member" user can have the following access to projects:

* Project Admin: Full access to project resources.
* Project Writer: Limited access to project resources, excluding deletion and user invitation.
* Project Viewer: Read-only access to project resources.

<table data-full-width="true"><thead><tr><th>Resource</th><th>Role</th><th>Read</th><th>Create</th><th>Edit</th><th>Delete</th></tr></thead><tbody><tr><td>Project</td><td>Admin</td><td>✅</td><td>❌</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Project / Project Settings</td><td>Admin</td><td>✅</td><td>❌</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Project / Models: Schema, Artifact, Baseline, Dataset, Custom Metric, Segments</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Project / Model / Alerts</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Project / Bookmarks</td><td>Admin</td><td>✅</td><td>✅</td><td>❌</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>❌</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>✅</td><td>❌</td><td>✅</td></tr><tr><td>Project / Charts</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td>Project / Dashboards</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td>Model 
Deployment</td><td>Admin</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Application</td><td>Admin</td><td>✅</td><td>✅</td><td>N/A</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>N/A</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>N/A</td><td>❌</td></tr><tr><td>Evaluator Rules</td><td>Admin</td><td>✅</td><td>✅</td><td>N/A</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>N/A</td><td>✅</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>N/A</td><td>❌</td></tr><tr><td>Project-Scoped Agentic Custom Metrics</td><td>Admin</td><td>✅</td><td>✅</td><td>N/A</td><td>✅</td></tr><tr><td></td><td>Writer</td><td>✅</td><td>✅</td><td>N/A</td><td>❌</td></tr><tr><td></td><td>Viewer</td><td>✅</td><td>❌</td><td>N/A</td><td>❌</td></tr></tbody></table>

### Getting Started

* The default "Org Admin" role is created during Fiddler installation.
* Assign roles to users and teams to control access to resources.
* Use the permissions matrix to understand the access levels for each role.

Click [here](/reference/settings.md#access) for more information on teams.
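As an added example (not Fiddler's own code or API), the following Python sketch transcribes the project-level table above and uses it for an access review: it picks the least-privileged project role that covers a set of required actions and lists the write permissions a Project Viewer holds. The function names and the Viewer < Writer < Admin ordering are assumptions of this example; `is_monotonic()` checks that ordering against the table.

```python
# Added example: project-level matrix transcribed from the table on this page.
# Each string is Read, Create, Edit, Delete: Y = granted, N = not granted, - = N/A.
ROLES = ("Viewer", "Writer", "Admin")  # assumed order: least to most privileged
PERMS = ("read", "create", "edit", "delete")
MATRIX = {
    "Project":          {"Admin": "YNYY", "Writer": "YNNN", "Viewer": "YNNN"},
    "Project Settings": {"Admin": "YNYY", "Writer": "YNNN", "Viewer": "YNNN"},
    "Models":           {"Admin": "YYYY", "Writer": "YYYY", "Viewer": "YNNN"},
    "Alerts":           {"Admin": "YYYY", "Writer": "YYYY", "Viewer": "YNNN"},
    "Bookmarks":        {"Admin": "YYNY", "Writer": "YYNY", "Viewer": "YYNY"},
    "Charts":           {"Admin": "YYYY", "Writer": "YYYY", "Viewer": "YYYY"},
    "Dashboards":       {"Admin": "YYYY", "Writer": "YYYY", "Viewer": "YYYY"},
    "Model Deployment": {"Admin": "YYYY", "Writer": "YYYY", "Viewer": "YNNN"},
    "Application":      {"Admin": "YY-Y", "Writer": "YY-Y", "Viewer": "YN-N"},
    "Evaluator Rules":  {"Admin": "YY-Y", "Writer": "YY-Y", "Viewer": "YN-N"},
    "Project-Scoped Agentic Custom Metrics":
                        {"Admin": "YY-Y", "Writer": "YY-N", "Viewer": "YN-N"},
}

def allowed(role, resource, perm):
    """True only for an explicit grant; 'N' and N/A both deny."""
    return MATRIX[resource][role][PERMS.index(perm)] == "Y"

def is_monotonic():
    """True if each role holds every grant of the role below it."""
    return all(allowed(hi, res, p) or not allowed(lo, res, p)
               for res in MATRIX for p in PERMS
               for lo, hi in zip(ROLES, ROLES[1:]))

def viewer_write_grants():
    """Non-read permissions a Project Viewer holds, for access reviews."""
    return [(res, p) for res in MATRIX for p in PERMS[1:]
            if allowed("Viewer", res, p)]

def least_privileged_role(needs):
    """Return (lowest role covering the grantable needs, needs no project role grants)."""
    unmet = [n for n in needs if not any(allowed(r, *n) for r in ROLES)]
    coverable = [n for n in needs if n not in unmet]
    if not coverable:
        return None, unmet
    for role in ROLES:
        if all(allowed(role, *n) for n in coverable):
            return role, unmet
    return None, unmet  # unreachable while is_monotonic() holds

if __name__ == "__main__":
    print(least_privileged_role([("Models", "read"), ("Charts", "edit")]))
    print(least_privileged_role([("Alerts", "create"), ("Project", "create")]))
    print(viewer_write_grants())
```

A need returned as unmet, such as creating a project, is not granted by any project role in the table; per the organization-level table it is an Org Admin permission.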


