Skip to main content
Prisme.ai implements a comprehensive, multi-layered authorization system that ensures secure access control across the platform. This guide explains how permissions work at each level and provides instructions for effective permission management.

Understanding the Authorization Model

Prisme.ai’s authorization system operates at four distinct layers:

Super Admins

Technical or management users with platform-wide access configured at the infrastructure level

Workspace Roles

Developer and manager permissions assigned on a workspace-by-workspace basis

SSO Access

End-user access controls configured for each workspace with SSO integration

Product Roles

Fine-grained permissions assigned to user groups within individual products

Key Concepts and Terminology

Before diving into permission details, it’s important to understand the distinction between two fundamental concepts:
  • Workspaces
  • Products
Workspaces are dedicated environments where you can build, manage, and run agents, as well as implement all custom or project-specific logic.
  • Accessible via the AI Builder section in the left-hand menu
  • Similar to software management projects or team workspaces in traditional environments
  • Designed for tech teams to create, configure, and maintain AI-powered applications
  • Contain automations, blocks, pages, and other reusable development resources
  • Centralize all activity: end-user interactions, audit logs, and execution traces
Workspaces are the foundation of Prisme.ai’s AI Builder. They empower teams to design, test, and deploy custom AI solutions tailored to their unique business needs.
Understanding this distinction is crucial because permissions are applied differently at the workspace level versus the product level.

Super Admins

Super Admins have the highest level of access across the entire Prisme.ai platform.
Super Admins can:
  • Access, share, and update every existing workspace
  • View all events, configurations, and automations
  • Manage all aspects of the platform
  • Install, update, and configure Prisme.ai products
This is the most powerful role and essentially makes the user an owner of every workspace.
Super Admin access is configured at the infrastructure level:Option 1: Environment VariableSet the SUPER_ADMIN_EMAILS environment variable in the api-gateway microservice:
SUPER_ADMIN_EMAILS=admin1@example.com,admin2@example.com
Option 2: Helm ConfigurationConfigure via the api-gateway.config.admins helm value in the prismeai-core chart:
api-gateway:
  config:
    admins:
      - admin1@example.com
      - admin2@example.com
While Super Admins have extensive privileges, we recommend:
  • Limiting the number of Super Admin accounts to minimize security risks
  • Using Super Admin accounts primarily for installation, updates, and platform configuration
  • For day-to-day operations, Super Admins should share important workspaces (AI Knowledge, AI Store…) with secondary accounts that have more limited permissions
  • Regularly review and audit the list of Super Admin accounts
Important Note: Although Super Admins manage all workspaces, they might not automatically have admin access to all products since products can have their own permission layer. However, Super Admins can always grant themselves the necessary product permissions from the workspace level.

Workspace Roles

Workspace roles control who can access and modify specific workspaces in Prisme.ai.
Workspaces support various roles with different permission levels:
  • Owner: Full control over the workspace, including sharing with others
  • Editor: Can modify workspace content but has limited administrative capabilities
  • Custom Roles: Additional roles can be defined with specialized permissions
Each role determines what actions a user can perform within the workspace.
Users with workspace access can:
  • Update workspace configuration and secrets
  • Search through activity events for debugging or auditing
  • Modify automations and pages to develop new features
  • Access the workspace’s development environment
  • Deploy changes to associated products
These permissions are critical for developers and administrators who need to build and maintain applications.
To share a workspace with other users:
  1. Navigate to the workspace in the AI Builder section
  2. Click on the “Share” button in the workspace header
  3. Enter the email address of the user
  4. Select the appropriate role from the dropdown
  5. Click “Add” to grant access
You can also modify or revoke existing permissions from this same interface.

SSO Access

SSO (Single Sign-On) access controls which end users can access product pages when authenticating through your identity provider.
Prisme.ai products like AI Knowledge and AI Store use custom security rules to automatically grant access to authenticated SSO users.These rules:
  • Are configured at the workspace level
  • Typically grant access only to the user-facing pages
  • Can be customized to provide different levels of access based on user attributes
  • Allow end users to access products without requiring individual account setup
To configure SSO access for a product:
  1. Access the product’s workspace through AI Builder
  2. Navigate to the workspace settings
  3. Look for the Security or SSO section
  4. Configure the authentication providers
  5. Define rules for automatic role assignment based on user attributes
For example, you might create rules that assign specific roles based on group membership in your identity provider :
authorizations:
  roles:
    user:
      auth:
        yourOwnSso: {}
  rules:
    - role: user
      action:
        - read
      subject: pages
      conditions:
        labels: users
With this security rules, every user authenticated with yourOwnSso will automatically have user role, defining the {{user.role}} == "user" variable and giving access to every pages with a users label.
See RBAC for more advanced rules
While SSO rules typically only grant access to user-facing pages, they can be configured to provide full workspace access, similar to owner roles, if needed.

Product Roles

Product roles provide fine-grained control over what users can do within specific Prisme.ai products.
Unlike workspace roles, which control access to development environments, product roles determine:
  • What features users can access within a product
  • What actions they can perform
  • What data they can view or modify
These roles are managed through AI Governance and apply to the end-user experience of the products.
Different products come with predefined roles. For example, in AI Knowledge:
  • Product Admin: Can access analytics, all existing projects, and create new ones
  • Knowledge User: Can only access shared projects and cannot create new ones
Product role capabilities are specific to each product and provide targeted permission controls.Important Note: Even users with the Product Admin role cannot change the product’s configuration (e.g., LLM providers, models, rate limits) unless they also have access to the corresponding workspace.
AI Governance allows admins to:
  • Enable or disable users
  • Update basic user information
  • Manage user groups
  • Assign product roles to users or groups
To access these features:
  1. Navigate to AI Governance in the left menu
  2. Select “Users & Permissions”
  3. Find the user or create a new user
  4. Assign the appropriate product roles
To grant management access to AI Governance itself, a Manager role must be assigned from the same “Users & Permissions” page.

Permission Management Best Practices

Least Privilege Principle

Assign only the minimum permissions needed
  • Grant users only the access they need to perform their jobs
  • Regularly review and revoke unnecessary permissions
  • Use time-limited access when possible for temporary needs

Role-Based Access Control

Organize permissions by role, not individual users
  • Create roles that align with job functions
  • Assign users to appropriate roles
  • Modify role definitions rather than creating one-off permissions

Regular Audits

Review permissions periodically
  • Schedule regular permission reviews
  • Check for outdated access after role changes
  • Audit Super Admin accounts especially carefully

Document Access Policies

Create clear permission guidelines
  • Document which roles have access to what resources
  • Establish approval processes for elevated access
  • Provide clear procedures for requesting access changes

Understanding Permission Interactions

When a user attempts to perform an action in Prisme.ai, their permissions are evaluated across multiple layers:
1

Authentication Validation

First, the system verifies the user is properly authenticated, either through:
  • Local username/password
  • SSO provider credentials
  • API key or token validation
2

Super Admin Check

If the user is a Super Admin, they generally have full access to all workspaces but might still need specific product roles.
3

Workspace Permission Evaluation

For workspace access:
  • The system checks if the user has been explicitly granted a role
  • It evaluates any SSO-based role assignments
  • It determines the specific capabilities based on the assigned role
4

Product Permission Evaluation

For product features:
  • The system verifies product-specific roles assigned in AI Governance
  • It checks any group memberships that might grant additional permissions
  • It enforces feature and data access based on these roles
Remember that workspace access and product access are separate layers. A user might have admin rights to a product without having access to its underlying workspace, or vice versa.

Common Permission Scenarios

Description: Technical staff responsible for platform managementRecommended Permissions:
  • Super Admin status
  • Access to all critical workspaces (AI Knowledge, AI Store, etc.)
  • Product Admin roles in key products
  • Manager role in AI Governance
This configuration provides full system access for platform maintenance and administration.
Description: Technical staff building applications and integrationsRecommended Permissions:
  • Editor role in specific workspaces
  • Limited or no Super Admin access
  • Basic product access for testing
  • No AI Governance admin roles
This setup allows developers to build and modify applications without unnecessary administrative access.
Description: Business stakeholder overseeing the use of specific productsRecommended Permissions:
  • Product Admin role in relevant products
  • No workspace access (unless they need to make configuration changes)
  • No Super Admin access
  • Limited AI Governance access
This configuration allows managers to administer their department’s products without access to development environments.
Description: Regular staff using AI productsRecommended Permissions:
  • SSO access to product pages
  • Product-specific user roles
  • No workspace access
  • No AI Governance access
This setup provides the appropriate access for day-to-day product usage without any administrative capabilities.

Troubleshooting Permission Issues

Possible Causes:
  • User has not been explicitly granted a workspace role
  • SSO configuration is not correctly mapping to workspace roles
  • User’s email address might be misspelled in the permissions
Resolution Steps:
  1. Check if the user appears in the workspace sharing settings
  2. Verify the user’s email address matches exactly
  3. Check SSO configuration and attribute mapping
  4. Try explicitly granting a workspace role
Possible Causes:
  • User lacks the necessary product role
  • Product configuration is restricting access
  • User might not be in the required group
Resolution Steps:
  1. Check the user’s product roles in AI Governance
  2. Verify group memberships
  3. Check product-specific access settings
  4. Assign the appropriate product role
Possible Causes:
  • Product has specific role requirements beyond Super Admin status
  • Product configuration issue
Resolution Steps:
  1. Access the product’s workspace
  2. Check the product configuration
  3. Modify settings or grant necessary product roles
  4. If needed, update the user’s permissions in AI Governance