Special roles and groups
RapidMiner Server provides a set of special roles which are automatically assigned to some of AI Hub's default groups. They serve a pre-defined purpose; for example, users within such a group are granted additional permissions. This page explains all available special roles and the default assignment of those roles via default groups within RapidMiner Server.
Roles
| Role name | Description | Default | 
|---|---|---|
| aihub:projects:create | allowed to create projects | indirect via group | 
| aihub:projects:deployment-creation | allowed to create deployments | indirect via group | 
| aihub:deployment-creation-connections | allowed to include connections while creating deployments | indirect via group | 
| aihub:queues:create | allowed to create queues | indirect via group | 
| aihub:schedule | allowed to schedule processes | indirect via group | 
| aihub:sync | allowed to list and download sync-able files (e.g. used in the Job Agents service account) | no (only for aihub-jobagent) | 
| aihub:impersonate | allowed to impersonate other users (e.g. used in the Job Agents service account) | no (only for aihub-jobagent) | 
| aihub:admin | miscellaneous tasks | no | 
- aihub:admin: allows management of most features, including queues, projects and schedules
- aihub:impersonate: allows impersonating a user by calling the /auth/impersonate endpoint
- aihub:sync: allows listing and downloading sync-able files using the /sync endpoints
Default Roles
See Default column in Roles section.
In addition, the aihub-backend client's service account requires the following roles to be assigned:
- realm-management -> impersonation (for working impersonation)
- realm-management -> view-users (for retrieving a list of groups and users)
- realm-management -> manage-users (for creating groups and users during migration)
Groups
| Group name | Description | Default | 
|---|---|---|
| users | standard for all (new) users | yes | 
| admin | has role aihub:admin | no | 
Default Groups
- See Default in Groups section.
Special Scopes
For RapidMiner Server to work correctly, the groups Client Scope is required to be assigned to all related clients in Keycloak.
RapidMiner Server relies on the groups claim for managing permissions internally.
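
The following is an added example, not part of the original page or of RapidMiner's code: a small audit that reads the claims of a Keycloak access token and reports a missing groups claim or a special role held outside its intended holder. It assumes the special roles appear under realm_access.roles, that the Job Agent's service account is named service-account-aihub-jobagent (Keycloak's service-account-<client id> convention), and it uses constructed sample tokens.

```python
import base64
import json

# Roles the page lists with Default = "no"; everything else arrives via groups.
RESTRICTED = {"aihub:admin", "aihub:impersonate", "aihub:sync"}
# Assumption: Keycloak's "service-account-<client id>" naming for aihub-jobagent.
JOBAGENT = "service-account-aihub-jobagent"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the audit below."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Read the claims for review only; the signature is NOT verified here."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def audit(token: str) -> list[str]:
    claims = decode_payload(token)
    user = claims.get("preferred_username", "<unknown>")
    findings = []
    groups = claims.get("groups")
    if not isinstance(groups, list):
        findings.append("groups claim missing: assign the groups client scope")
        groups = []
    group_names = {g.lstrip("/") for g in groups}  # "/admin" or "admin"
    # Assumption: the special roles appear as realm roles in the token.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for role in sorted(roles & RESTRICTED):
        if role == "aihub:admin":
            if "admin" not in group_names:
                findings.append(f"{user}: aihub:admin held outside the admin group")
        elif user != JOBAGENT:
            findings.append(f"{user}: {role} is meant only for aihub-jobagent")
    return findings


# Constructed sample tokens (not real AI Hub output).
OK_USER = make_token({"preferred_username": "alice", "groups": ["/users"],
                      "realm_access": {"roles": ["aihub:schedule"]}})
OVERPRIVILEGED = make_token({"preferred_username": "bob", "groups": ["/users"],
                             "realm_access": {"roles": ["aihub:impersonate", "aihub:admin"]}})
NO_GROUPS = make_token({"preferred_username": JOBAGENT,
                        "realm_access": {"roles": ["aihub:sync", "aihub:impersonate"]}})
```

Run the audit only on tokens obtained through a trusted path, since decode_payload does not check the signature.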
