Permissions Management
Learn how to manage user access and permissions across different layers of the Prisme.ai platform
Prisme.ai implements a comprehensive, multi-layered authorization system that ensures secure access control across the platform. This guide explains how permissions work at each level and provides instructions for effective permission management.
Understanding the Authorization Model
Prisme.ai’s authorization system operates at four distinct layers:
Super Admins
Technical or management users with platform-wide access configured at the infrastructure level
Workspace Roles
Developer and manager permissions assigned on a workspace-by-workspace basis
SSO Access
End-user access controls configured for each workspace with SSO integration
Product Roles
Fine-grained permissions assigned to user groups within individual products
Key Concepts and Terminology
Before diving into permission details, it’s important to understand the distinction between two fundamental concepts:
Workspaces are dedicated environments where you can build, manage, and run agents, as well as implement all custom or project-specific logic.
- Accessible via the AI Builder section in the left-hand menu
- Similar to software management projects or team workspaces in traditional environments
- Designed for tech teams to create, configure, and maintain AI-powered applications
- Contain automations, blocks, pages, and other reusable development resources
- Centralize all activity: end-user interactions, audit logs, and execution traces
Workspaces are the foundation of Prisme.ai’s AI Builder. They empower teams to design, test, and deploy custom AI solutions tailored to their unique business needs.
Workspaces are dedicated environments where you can build, manage, and run agents, as well as implement all custom or project-specific logic.
- Accessible via the AI Builder section in the left-hand menu
- Similar to software management projects or team workspaces in traditional environments
- Designed for tech teams to create, configure, and maintain AI-powered applications
- Contain automations, blocks, pages, and other reusable development resources
- Centralize all activity: end-user interactions, audit logs, and execution traces
Workspaces are the foundation of Prisme.ai’s AI Builder. They empower teams to design, test, and deploy custom AI solutions tailored to their unique business needs.
Products are user-facing applications built on workspaces.
- Listed below AI Builder in the left menu
- Web pages, applications, or APIs designed for end users
- End users interact with products but typically don’t have access to underlying workspaces
- Represent the “production” deployments of applications
Products are what your end users will interact with, while the workspaces are where you build and configure these products.
Understanding this distinction is crucial because permissions are applied differently at the workspace level versus the product level.
Super Admins
Super Admins have the highest level of access across the entire Prisme.ai platform.
Capabilities and Scope
Capabilities and Scope
Super Admins can:
- Access, share, and update every existing workspace
- View all events, configurations, and automations
- Manage all aspects of the platform
- Install, update, and configure Prisme.ai products
This is the most powerful role and essentially makes the user an owner of every workspace.
Configuration
Configuration
Super Admin access is configured at the infrastructure level:
Option 1: Environment Variable
Set the SUPER_ADMIN_EMAILS environment variable in the api-gateway microservice:
Option 2: Helm Configuration
Configure via the api-gateway.config.admins helm value in the prismeai-core chart:
Best Practices
Best Practices
While Super Admins have extensive privileges, we recommend:
- Limiting the number of Super Admin accounts to minimize security risks
- Using Super Admin accounts primarily for installation, updates, and platform configuration
- For day-to-day operations, Super Admins should share important workspaces (AI Knowledge, AI Store…) with secondary accounts that have more limited permissions
- Regularly review and audit the list of Super Admin accounts
Important Note: Although Super Admins manage all workspaces, they might not automatically have admin access to all products since products can have their own permission layer. However, Super Admins can always grant themselves the necessary product permissions from the workspace level.
Workspace Roles
Workspace roles control who can access and modify specific workspaces in Prisme.ai.
Available Roles
Available Roles
Workspaces support various roles with different permission levels:
- Owner: Full control over the workspace, including sharing with others
- Editor: Can modify workspace content but has limited administrative capabilities
- Custom Roles: Additional roles can be defined with specialized permissions
Each role determines what actions a user can perform within the workspace.
What Workspace Roles Control
What Workspace Roles Control
Users with workspace access can:
- Update workspace configuration and secrets
- Search through activity events for debugging or auditing
- Modify automations and pages to develop new features
- Access the workspace’s development environment
- Deploy changes to associated products
These permissions are critical for developers and administrators who need to build and maintain applications.
Managing Workspace Roles
Managing Workspace Roles
To share a workspace with other users:
- Navigate to the workspace in the AI Builder section
- Click on the “Share” button in the workspace header
- Enter the email address of the user
- Select the appropriate role from the dropdown
- Click “Add” to grant access
You can also modify or revoke existing permissions from this same interface.
SSO Access
SSO (Single Sign-On) access controls which end users can access product pages when authenticating through your identity provider.
How SSO Access Works
How SSO Access Works
Prisme.ai products like AI Knowledge and AI Store use custom security rules to automatically grant access to authenticated SSO users.
These rules:
- Are configured at the workspace level
- Typically grant access only to the user-facing pages
- Can be customized to provide different levels of access based on user attributes
- Allow end users to access products without requiring individual account setup
Configuring SSO Access
Configuring SSO Access
To configure SSO access for a product:
- Access the product’s workspace through AI Builder
- Navigate to the workspace settings
- Look for the Security or SSO section
- Configure the authentication providers
- Define rules for automatic role assignment based on user attributes
For example, you might create rules that assign specific roles based on group membership in your identity provider :
With this security rules, every user authenticated with yourOwnSso will automatically have user role, defining the {{user.role}} == "user" variable and giving access to every pages with a users label.
See RBAC for more advanced rules
While SSO rules typically only grant access to user-facing pages, they can be configured to provide full workspace access, similar to owner roles, if needed.
Product Roles
Product roles provide fine-grained control over what users can do within specific Prisme.ai products.
Understanding Product Roles
Understanding Product Roles
Unlike workspace roles, which control access to development environments, product roles determine:
- What features users can access within a product
- What actions they can perform
- What data they can view or modify
These roles are managed through AI Governance and apply to the end-user experience of the products.
Example Product Roles
Example Product Roles
Different products come with predefined roles. For example, in AI Knowledge:
- Product Admin: Can access analytics, all existing projects, and create new ones
- Knowledge User: Can only access shared projects and cannot create new ones
Product role capabilities are specific to each product and provide targeted permission controls.
Important Note: Even users with the Product Admin role cannot change the product’s configuration (e.g., LLM providers, models, rate limits) unless they also have access to the corresponding workspace.
Managing Product Roles through AI Governance
Managing Product Roles through AI Governance
AI Governance allows admins to:
- Enable or disable users
- Update basic user information
- Manage user groups
- Assign product roles to users or groups
To access these features:
- Navigate to AI Governance in the left menu
- Select “Users & Permissions”
- Find the user or create a new user
- Assign the appropriate product roles
To grant management access to AI Governance itself, a Manager role must be assigned from the same “Users & Permissions” page.
Permission Management Best Practices
Least Privilege Principle
Assign only the minimum permissions needed
- Grant users only the access they need to perform their jobs
- Regularly review and revoke unnecessary permissions
- Use time-limited access when possible for temporary needs
Role-Based Access Control
Organize permissions by role, not individual users
- Create roles that align with job functions
- Assign users to appropriate roles
- Modify role definitions rather than creating one-off permissions
Regular Audits
Review permissions periodically
- Schedule regular permission reviews
- Check for outdated access after role changes
- Audit Super Admin accounts especially carefully
Document Access Policies
Create clear permission guidelines
- Document which roles have access to what resources
- Establish approval processes for elevated access
- Provide clear procedures for requesting access changes
Understanding Permission Interactions
When a user attempts to perform an action in Prisme.ai, their permissions are evaluated across multiple layers:
Authentication Validation
First, the system verifies the user is properly authenticated, either through:
- Local username/password
- SSO provider credentials
- API key or token validation
Super Admin Check
If the user is a Super Admin, they generally have full access to all workspaces but might still need specific product roles.
Workspace Permission Evaluation
For workspace access:
- The system checks if the user has been explicitly granted a role
- It evaluates any SSO-based role assignments
- It determines the specific capabilities based on the assigned role
Product Permission Evaluation
For product features:
- The system verifies product-specific roles assigned in AI Governance
- It checks any group memberships that might grant additional permissions
- It enforces feature and data access based on these roles
Remember that workspace access and product access are separate layers. A user might have admin rights to a product without having access to its underlying workspace, or vice versa.
Common Permission Scenarios
Platform Administrator
Platform Administrator
Description: Technical staff responsible for platform management
Recommended Permissions:
- Super Admin status
- Access to all critical workspaces (AI Knowledge, AI Store, etc.)
- Product Admin roles in key products
- Manager role in AI Governance
This configuration provides full system access for platform maintenance and administration.
Developer
Developer
Description: Technical staff building applications and integrations
Recommended Permissions:
- Editor role in specific workspaces
- Limited or no Super Admin access
- Basic product access for testing
- No AI Governance admin roles
This setup allows developers to build and modify applications without unnecessary administrative access.
Department Manager
Department Manager
Description: Business stakeholder overseeing the use of specific products
Recommended Permissions:
- Product Admin role in relevant products
- No workspace access (unless they need to make configuration changes)
- No Super Admin access
- Limited AI Governance access
This configuration allows managers to administer their department’s products without access to development environments.
End User
End User
Description: Regular staff using AI products
Recommended Permissions:
- SSO access to product pages
- Product-specific user roles
- No workspace access
- No AI Governance access
This setup provides the appropriate access for day-to-day product usage without any administrative capabilities.
Troubleshooting Permission Issues
User Cannot Access a Workspace
User Cannot Access a Workspace
Possible Causes:
- User has not been explicitly granted a workspace role
- SSO configuration is not correctly mapping to workspace roles
- User’s email address might be misspelled in the permissions
Resolution Steps:
- Check if the user appears in the workspace sharing settings
- Verify the user’s email address matches exactly
- Check SSO configuration and attribute mapping
- Try explicitly granting a workspace role
User Cannot Access Product Features
User Cannot Access Product Features
Possible Causes:
- User lacks the necessary product role
- Product configuration is restricting access
- User might not be in the required group
Resolution Steps:
- Check the user’s product roles in AI Governance
- Verify group memberships
- Check product-specific access settings
- Assign the appropriate product role
Super Admin Cannot Access a Product
Super Admin Cannot Access a Product
Possible Causes:
- Product has specific role requirements beyond Super Admin status
- Product configuration issue
Resolution Steps:
- Access the product’s workspace
- Check the product configuration
- Modify settings or grant necessary product roles
- If needed, update the user’s permissions in AI Governance