Understanding the Authorization Model
Prisme.ai’s authorization system operates at four distinct layers:
- Super Admins: technical or management users with platform-wide access, configured at the infrastructure level
- Workspace Roles: developer and manager permissions assigned on a workspace-by-workspace basis
- SSO Access: end-user access controls configured for each workspace with SSO integration
- Product Roles: fine-grained permissions assigned to user groups within individual products
Key Concepts and Terminology
Before diving into permission details, it is important to understand the distinction between two fundamental concepts, workspaces and products.
Workspaces are dedicated environments where you can build, manage, and run agents, as well as implement all custom or project-specific logic.
- Accessible via the AI Builder section in the left-hand menu
- Similar to software management projects or team workspaces in traditional environments
- Designed for tech teams to create, configure, and maintain AI-powered applications
- Contain automations, blocks, pages, and other reusable development resources
- Centralize all activity: end-user interactions, audit logs, and execution traces
Super Admins
Super Admins have the highest level of access across the entire Prisme.ai platform.
Capabilities and Scope
Super Admins can:
- Access, share, and update every existing workspace
- View all events, configurations, and automations
- Manage all aspects of the platform
- Install, update, and configure Prisme.ai products
Configuration
Super Admin access is configured at the infrastructure level, in one of two ways:
Option 1: Environment Variable
Set the SUPER_ADMIN_EMAILS environment variable in the api-gateway microservice.
Option 2: Helm Configuration
Set the api-gateway.config.admins helm value in the prismeai-core chart.
Best Practices
While Super Admins have extensive privileges, we recommend:
- Limiting the number of Super Admin accounts to minimize security risks
- Using Super Admin accounts primarily for installation, updates, and platform configuration
- Sharing important workspaces (AI Knowledge, AI Store, etc.) with secondary, less-privileged accounts and using those accounts for day-to-day operations
- Regularly reviewing and auditing the list of Super Admin accounts
Workspace Roles
Workspace roles control who can access and modify specific workspaces in Prisme.ai.
Available Roles
Workspaces support various roles with different permission levels:
- Owner: Full control over the workspace, including sharing with others
- Editor: Can modify workspace content but has limited administrative capabilities
- Custom Roles: Additional roles can be defined with specialized permissions
What Workspace Roles Control
Users with workspace access can:
- Update workspace configuration and secrets
- Search through activity events for debugging or auditing
- Modify automations and pages to develop new features
- Access the workspace’s development environment
- Deploy changes to associated products
Managing Workspace Roles
To share a workspace with other users:
- Navigate to the workspace in the AI Builder section
- Click on the “Share” button in the workspace header
- Enter the email address of the user
- Select the appropriate role from the dropdown
- Click “Add” to grant access
SSO Access
SSO (Single Sign-On) access controls which end users can access product pages when authenticating through your identity provider.
How SSO Access Works
Prisme.ai products like AI Knowledge and AI Store use custom security rules to automatically grant access to authenticated SSO users. These rules:
- Are configured at the workspace level
- Typically grant access only to the user-facing pages
- Can be customized to provide different levels of access based on user attributes
- Allow end users to access products without requiring individual account setup
Configuring SSO Access
To configure SSO access for a product:
- Access the product’s workspace through AI Builder
- Navigate to the workspace settings
- Look for the Security or SSO section
- Configure the authentication providers
- Define rules for automatic role assignment based on user attributes
In the typical rule, every user authenticated with yourOwnSso automatically receives the user role, which sets the {{user.role}} == "user" variable and grants access to every page carrying the users label. See RBAC for more advanced rules.
While SSO rules typically only grant access to user-facing pages, they can be configured to provide full workspace access, similar to owner roles, if needed.
Product Roles
Product roles provide fine-grained control over what users can do within specific Prisme.ai products.
Understanding Product Roles
Unlike workspace roles, which control access to development environments, product roles determine:
- What features users can access within a product
- What actions they can perform
- What data they can view or modify
Example Product Roles
Different products come with predefined roles. For example, in AI Knowledge:
- Product Admin: Can access analytics, all existing projects, and create new ones
- Knowledge User: Can only access shared projects and cannot create new ones
Managing Product Roles through AI Governance
AI Governance allows admins to:
- Enable or disable users
- Update basic user information
- Manage user groups
- Assign product roles to users or groups
To assign product roles to a user:
- Navigate to AI Governance in the left menu
- Select “Users & Permissions”
- Find the user or create a new user
- Assign the appropriate product roles
Permission Management Best Practices
Least Privilege Principle
Assign only the minimum permissions needed
- Grant users only the access they need to perform their jobs
- Regularly review and revoke unnecessary permissions
- Use time-limited access when possible for temporary needs
Role-Based Access Control
Organize permissions by role, not individual users
- Create roles that align with job functions
- Assign users to appropriate roles
- Modify role definitions rather than creating one-off permissions
Regular Audits
Review permissions periodically
- Schedule regular permission reviews
- Check for outdated access after role changes
- Audit Super Admin accounts especially carefully
Document Access Policies
Create clear permission guidelines
- Document which roles have access to what resources
- Establish approval processes for elevated access
- Provide clear procedures for requesting access changes
Understanding Permission Interactions
When a user attempts to perform an action in Prisme.ai, their permissions are evaluated across multiple layers:
1. Authentication Validation
First, the system verifies the user is properly authenticated, through one of:
- Local username/password
- SSO provider credentials
- API key or token validation
2. Super Admin Check
If the user is a Super Admin, they generally have full access to all workspaces but might still need specific product roles.
3. Workspace Permission Evaluation
For workspace access:
- The system checks if the user has been explicitly granted a role
- It evaluates any SSO-based role assignments
- It determines the specific capabilities based on the assigned role
4. Product Permission Evaluation
For product features:
- The system verifies product-specific roles assigned in AI Governance
- It checks any group memberships that might grant additional permissions
- It enforces feature and data access based on these roles
Remember that workspace access and product access are separate layers. A user might have admin rights to a product without having access to its underlying workspace, or vice versa.
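The evaluation order above, the SSO rule described under Configuring SSO Access (users of yourOwnSso get the user role and see pages labelled users) and the AI Knowledge roles under Example Product Roles, as an added illustration in Python. This is not Prisme.ai's code: only the decision order comes from this page, while the data shapes, the capability sets, the comma-separated format assumed for SUPER_ADMIN_EMAILS, and every name (User, Workspace, workspace_role, can_open_page, can_in_product, the example e-mail addresses, pages and workspace) are assumptions made for the example.

```python
"""Toy model of how Prisme.ai's four authorization layers combine.

Added illustration, not Prisme.ai code. Only the decision order described
on the page is taken from it (authentication -> Super Admin check ->
workspace role from explicit sharing or an SSO rule -> product role from
AI Governance); every data shape, field and function name is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the SUPER_ADMIN_EMAILS setting. The real value's
# format is not shown on the page; a comma-separated list is assumed here.
SUPER_ADMIN_EMAILS = {
    e.strip().lower()
    for e in "platform-admin@example.com, ops@example.com".split(",")
}

# Assumed capability sets. "owner" and "editor" are the page's workspace roles;
# "user" is the end-user role an SSO rule grants, which gives pages only.
WORKSPACE_CAPABILITIES = {
    "owner": {"share", "update_config", "update_secrets", "edit_automations", "read_events"},
    "editor": {"update_config", "edit_automations", "read_events"},
    "user": set(),
}

# Assumed capability sets for the two AI Knowledge product roles named on the page.
PRODUCT_CAPABILITIES = {
    "AI Knowledge": {
        "admin": {"view_analytics", "list_all_projects", "create_project", "read_shared_projects"},
        "user": {"read_shared_projects"},
    },
}


@dataclass
class User:
    email: str
    authenticated: bool = False
    sso_provider: Optional[str] = None                 # e.g. "yourOwnSso"
    product_roles: dict = field(default_factory=dict)  # product -> role (set in AI Governance)


@dataclass
class Workspace:
    name: str
    shares: dict = field(default_factory=dict)       # email -> "owner" | "editor" (Share button)
    sso_roles: dict = field(default_factory=dict)    # SSO provider -> automatically granted role
    page_labels: dict = field(default_factory=dict)  # page name -> set of labels


def is_super_admin(user: User) -> bool:
    return user.email.lower() in SUPER_ADMIN_EMAILS


def workspace_role(user: User, ws: Workspace) -> Optional[str]:
    """Layers 1-3: authentication, Super Admin check, then the workspace role."""
    if not user.authenticated:
        return None
    if is_super_admin(user):
        return "owner"  # Super Admins can access, share and update every workspace
    explicit = ws.shares.get(user.email.lower())
    if explicit:
        return explicit
    # No explicit share: fall back to the workspace's SSO rule for the user's provider.
    return ws.sso_roles.get(user.sso_provider) if user.sso_provider else None


def can_in_workspace(user: User, ws: Workspace, capability: str) -> bool:
    role = workspace_role(user, ws)
    return role is not None and capability in WORKSPACE_CAPABILITIES[role]


def can_open_page(user: User, ws: Workspace, page: str) -> bool:
    """Owners and editors see every page; the SSO "user" role only sees pages labelled "users"."""
    role = workspace_role(user, ws)
    if role in ("owner", "editor"):
        return True
    if role == "user":
        return "users" in ws.page_labels.get(page, set())
    return False


def can_in_product(user: User, product: str, capability: str) -> bool:
    """Layer 4: product roles are evaluated separately; Super Admin does not imply them."""
    if not user.authenticated:
        return False
    role = user.product_roles.get(product)
    return role is not None and capability in PRODUCT_CAPABILITIES.get(product, {}).get(role, set())


# Constructed sample data: one workspace shared with a developer, an SSO rule for
# yourOwnSso, one end-user page labelled "users" and one page without that label.
KNOWLEDGE_WS = Workspace(
    name="AI Knowledge",
    shares={"dev@example.com": "editor"},
    sso_roles={"yourOwnSso": "user"},
    page_labels={"chat": {"users"}, "admin-dashboard": set()},
)
END_USER = User("alice@example.com", True, "yourOwnSso", {"AI Knowledge": "user"})
DEVELOPER = User("dev@example.com", True)
MANAGER = User("manager@example.com", True, None, {"AI Knowledge": "admin"})
SUPER_ADMIN = User("platform-admin@example.com", True)
ANONYMOUS = User("nobody@example.com", False, "yourOwnSso")


def scenarios() -> dict:
    """Decisions for the page's personas, returned as a dict so they can be checked."""
    return {
        "end_user_sees_chat": can_open_page(END_USER, KNOWLEDGE_WS, "chat"),
        "end_user_sees_dashboard": can_open_page(END_USER, KNOWLEDGE_WS, "admin-dashboard"),
        "end_user_edits_automations": can_in_workspace(END_USER, KNOWLEDGE_WS, "edit_automations"),
        "end_user_reads_shared": can_in_product(END_USER, "AI Knowledge", "read_shared_projects"),
        "end_user_creates_project": can_in_product(END_USER, "AI Knowledge", "create_project"),
        "developer_role": workspace_role(DEVELOPER, KNOWLEDGE_WS),
        "manager_role": workspace_role(MANAGER, KNOWLEDGE_WS),
        "manager_creates_project": can_in_product(MANAGER, "AI Knowledge", "create_project"),
        "super_admin_role": workspace_role(SUPER_ADMIN, KNOWLEDGE_WS),
        "super_admin_creates_project": can_in_product(SUPER_ADMIN, "AI Knowledge", "create_project"),
        "anonymous_sees_chat": can_open_page(ANONYMOUS, KNOWLEDGE_WS, "chat"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

The two results worth noticing are the department manager, who can create projects in AI Knowledge while having no workspace role at all, and the Super Admin, who owns every workspace yet is refused the product action because no product role was assigned in AI Governance; both are the separation the paragraph above describes, and the second is the "Super Admin Cannot Access a Product" case from the troubleshooting section.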
Common Permission Scenarios
Platform Administrator
Description: Technical staff responsible for platform management
Recommended Permissions:
- Super Admin status
- Access to all critical workspaces (AI Knowledge, AI Store, etc.)
- Product Admin roles in key products
- Manager role in AI Governance
Developer
Description: Technical staff building applications and integrations
Recommended Permissions:
- Editor role in specific workspaces
- No Super Admin access (reserve it for platform administrators)
- Basic product access for testing
- No AI Governance admin roles
Department Manager
Description: Business stakeholder overseeing the use of specific products
Recommended Permissions:
- Product Admin role in relevant products
- No workspace access (unless they need to make configuration changes)
- No Super Admin access
- Limited AI Governance access
End User
Description: Regular staff using AI products
Recommended Permissions:
- SSO access to product pages
- Product-specific user roles
- No workspace access
- No AI Governance access
Troubleshooting Permission Issues
User Cannot Access a Workspace
Possible Causes:
- User has not been explicitly granted a workspace role
- SSO configuration is not correctly mapping to workspace roles
- User’s email address might be misspelled in the permissions
Solutions:
- Check if the user appears in the workspace sharing settings
- Verify the user’s email address matches exactly
- Check SSO configuration and attribute mapping
- Try explicitly granting a workspace role
User Cannot Access Product Features
Possible Causes:
- User lacks the necessary product role
- Product configuration is restricting access
- User might not be in the required group
Solutions:
- Check the user’s product roles in AI Governance
- Verify group memberships
- Check product-specific access settings
- Assign the appropriate product role
Super Admin Cannot Access a Product
Possible Causes:
- Product has specific role requirements beyond Super Admin status (Super Admin grants workspace access, not product roles)
- Product configuration issue
Solutions:
- Access the product’s workspace
- Check the product configuration
- Modify settings or grant the necessary product roles
- If needed, update the user’s permissions in AI Governance