Learn how to manage user access and permissions across different layers of the Prisme.ai platform
Prisme.ai implements a comprehensive, multi-layered authorization system that ensures secure access control across the platform. This guide explains how permissions work at each level and provides instructions for effective permission management.
Before diving into permission details, it’s important to understand the distinction between two fundamental concepts:
Workspaces are dedicated environments where you can build, manage, and run agents, as well as implement all custom or project-specific logic.
Accessible via the AI Builder section in the left-hand menu
Similar to software management projects or team workspaces in traditional environments
Designed for tech teams to create, configure, and maintain AI-powered applications
Contain automations, blocks, pages, and other reusable development resources
Centralize all activity: end-user interactions, audit logs, and execution traces
Workspaces are the foundation of Prisme.ai’s AI Builder. They empower teams to design, test, and deploy custom AI solutions tailored to their unique business needs.
Products are user-facing applications built on workspaces.
Listed below AI Builder in the left menu
Web pages, applications, or APIs designed for end users
End users interact with products but typically don’t have access to underlying workspaces
Represent the “production” deployments of applications
Products are what your end users will interact with, while the workspaces are where you build and configure these products.
Understanding this distinction is crucial because permissions are applied differently at the workspace level versus the product level.
While Super Admins have extensive privileges, we recommend:
Limiting the number of Super Admin accounts to minimize security risks
Using Super Admin accounts primarily for installation, updates, and platform configuration
For day-to-day operations, Super Admins should share important workspaces (AI Knowledge, AI Store…) with secondary accounts that have more limited permissions
Regularly reviewing and auditing the list of Super Admin accounts
Important Note: Although Super Admins manage all workspaces, they might not automatically have admin access to all products since products can have their own permission layer. However, Super Admins can always grant themselves the necessary product permissions from the workspace level.
With these security rules, every user authenticated with yourOwnSso automatically receives the user role, which defines the {{user.role}} == "user" variable and gives access to every page with a users label.
See RBAC for more advanced rules
While SSO rules typically only grant access to user-facing pages, they can be configured to provide full workspace access, similar to owner roles, if needed.
Product roles provide fine-grained control over what users can do within specific Prisme.ai products.
Unlike workspace roles, which control access to development environments, product roles determine:
What features users can access within a product
What actions they can perform
What data they can view or modify
These roles are managed through AI Governance and apply to the end-user experience of the products.
Different products come with predefined roles. For example, in AI Knowledge:
Product Admin: Can access analytics, all existing projects, and create new ones
Knowledge User: Can only access shared projects and cannot create new ones
Product role capabilities are specific to each product and provide targeted permission controls.
Important Note: Even users with the Product Admin role cannot change the product’s configuration (e.g., LLM providers, models, rate limits) unless they also have access to the corresponding workspace.
AI Governance allows admins to:
Enable or disable users
Update basic user information
Manage user groups
Assign product roles to users or groups
To access these features:
Navigate to AI Governance in the left menu
Select “Users & Permissions”
Find the user or create a new user
Assign the appropriate product roles
To grant management access to AI Governance itself, a Manager role must be assigned from the same “Users & Permissions” page.
When a user attempts to perform an action in Prisme.ai, their permissions are evaluated across multiple layers:
1. Authentication Validation
First, the system verifies the user is properly authenticated, either through:
Local username/password
SSO provider credentials
API key or token validation
2. Super Admin Check
If the user is a Super Admin, they generally have full access to all workspaces but might still need specific product roles.
3. Workspace Permission Evaluation
For workspace access:
The system checks if the user has been explicitly granted a role
It evaluates any SSO-based role assignments
It determines the specific capabilities based on the assigned role
4. Product Permission Evaluation
For product features:
The system verifies product-specific roles assigned in AI Governance
It checks any group memberships that might grant additional permissions
It enforces feature and data access based on these roles
Remember that workspace access and product access are separate layers. A user might have admin rights to a product without having access to its underlying workspace, or vice versa.
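The layered evaluation above, modeled as an added example for reasoning about access reviews; it is not Prisme.ai code or its API. The workspace and group names, the role mappings and the set of roles allowed to edit product configuration are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    authenticated: bool = True
    super_admin: bool = False
    sso_provider: Optional[str] = None
    workspace_roles: dict = field(default_factory=dict)  # workspace -> explicit role
    product_roles: dict = field(default_factory=dict)    # product -> role from AI Governance
    groups: set = field(default_factory=set)

# Constructed sample mappings (hypothetical names, not platform configuration).
SSO_ROLES = {("yourOwnSso", "portal-ws"): "user"}
GROUP_PRODUCT_ROLES = {("kb-team", "AI Knowledge"): "Knowledge User"}
# Assumption: only these workspace roles may edit a product's configuration.
CONFIG_ROLES = {"owner", "super_admin"}

def workspace_role(user, workspace):
    """Layers 1-3: authentication, Super Admin check, explicit then SSO-based role."""
    if not user.authenticated:
        return None
    if user.super_admin:
        return "super_admin"
    return (user.workspace_roles.get(workspace)
            or SSO_ROLES.get((user.sso_provider, workspace)))

def product_roles(user, product):
    """Layer 4: roles assigned directly plus roles granted through groups.
    Super Admin status deliberately contributes nothing at this layer."""
    if not user.authenticated:
        return set()
    roles = {user.product_roles[product]} if product in user.product_roles else set()
    roles |= {role for (group, prod), role in GROUP_PRODUCT_ROLES.items()
              if prod == product and group in user.groups}
    return roles

def can_configure_product(user, backing_workspace):
    """Product configuration is a workspace-layer decision; product roles are ignored."""
    return workspace_role(user, backing_workspace) in CONFIG_ROLES

# Constructed users covering the cases described on this page.
alice = User("alice", product_roles={"AI Knowledge": "Product Admin"})
root = User("root", super_admin=True)
bob = User("bob", sso_provider="yourOwnSso", groups={"kb-team"})
anon = User("anon", authenticated=False, super_admin=True)
```

Running an access review against a model like this makes the two independent layers explicit: alice holds Product Admin yet cannot touch product configuration, while root can configure everything but holds no product role until one is assigned.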