# Access rules

Access rules provide user authorization to system resources and entities. It is managed using Role-based access control (RBAC) which is a policy-neutral access control mechanism defined around roles and privileges. The components of RBAC make it simple to manage access to system resources and entities. For more information, see [Access control](https://docs.run.ai/v2.19/admin/runai-setup/access-control/rbac/#role-based-access-control).

## List the access rules.

> Retrieve a list of access rules.

```json
{"openapi":"3.0.3","info":{"title":"Runai API","version":"2.19"},"tags":[{"name":"Access rules","description":"Access rules provide user authorization to system resources and entities.\nIt is managed using Role-based access control (RBAC) which is a policy-neutral \naccess control mechanism defined around roles and privileges. \nThe components of RBAC make it simple to manage access to system resources and entities.\nFor more information, see [Access control](https://docs.run.ai/v2.19/admin/runai-setup/access-control/rbac/#role-based-access-control).\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"parameters":{"SubjectTypeOptional":{"name":"subjectType","in":"query","required":false,"description":"The type of resource we want to filter by.","schema":{"type":"string"}},"SubjectIdOptional":{"name":"subjectIdFilter","in":"query","required":false,"description":"Part of the subject id that we want to filter by.","deprecated":true,"schema":{"type":"string"}},"SubjectIds":{"name":"subjectIds","in":"query","required":false,"description":"The ids of the subjects to filter the response for.","explode":false,"schema":{"type":"array","items":{"type":"string"}}},"Limit":{"name":"limit","in":"query","required":false,"description":"The maximum number of entries to return.","schema":{"type":"integer","format":"int32","default":50,"minimum":1,"maximum":500}},"Offset":{"name":"offset","in":"query","required":false,"description":"The offset of the first item returned in the collection.","schema":{"type":"integer","format":"int32"}},"LastUpdated":{"name":"lastUpdated","in":"query","required":false,"description":"Filter by last update time.","schema":{"type":"string"}},"IncludeDeleted":{"name":"includeDeleted","in":"query","required":false,"description":"True to include deleted objects in the result.","schema":{"type":"boolean","default":false}},"FilterByCluster":{"name":"clusterId","in":"query","description":"Filter using the Universally Unique Identifier (UUID) of the cluster.","required":false,"schema":{"type":"string","format":"uuid"}},"ScopeTypeOptionalQueryDeprecated":{"name":"scopeType","in":"query","required":false,"description":"The type of resource we want to filter by.","deprecated":true,"schema":{"type":"string"}},"ScopeIdOptional":{"name":"scopeId","in":"query","required":false,"description":"The scope resource id that we want to filter by.","schema":{"type":"string"}},"RoleId":{"name":"roleId","in":"query","required":false,"description":"The role id we want to filter by.","deprecated":true,"schema":{"type":"integer","format":"int32","minimum":1}},"SortOrder":{"name":"sortOrder","in":"query","required":false,"description":"Sort results in descending or ascending order.","schema":{"type":"string","enum":["asc","desc"],"default":"asc"}},"AccessRulesSort":{"name":"sortBy","in":"query","required":false,"description":"Sort results by a parameter.","schema":{"$ref":"#/components/schemas/AccessRulesSortFilterFields"}},"AccessRulesFilter":{"name":"filterBy","in":"query","required":false,"description":"Filter results by a parameter. Use the format field-name operator value. Operators are == Equals, != Not equals, <= Less than or equal, >= Greater than or equal, =@ contains, !@ Does not contains, =^ Starts with and =$ Ends with. Dates are in ISO 8601 timestamp format and available for operators ==, !=, <= and >=.","schema":{"type":"array","items":{"type":"string","pattern":"^(subjectId|subjectType|roleId|scopeId|scopeType|roleName|scopeName|createdAt|deletedAt|createdBy)(==|!=|<=|>=|=@|!@|=\\^|=\\$).+$"}},"explode":false}},"schemas":{"AccessRulesSortFilterFields":{"type":"string","enum":["subjectId","subjectType","roleId","scopeId","scopeType","roleName","scopeName","createdAt","deletedAt","createdBy"]},"AccessRules":{"type":"array","items":{"$ref":"#/components/schemas/AccessRule"}},"AccessRule":{"allOf":[{"$ref":"#/components/schemas/AccessRuleCreationFields"},{"$ref":"#/components/schemas/EnrichmentDataFields"},{"$ref":"#/components/schemas/MetadataFields"},{"required":["tenantId"]}]},"AccessRuleCreationFields":{"type":"object","required":["subjectId","subjectType","roleId","scopeId","scopeType"],"properties":{"subjectId":{"type":"string"},"subjectType":{"$ref":"#/components/schemas/SubjectType"},"roleId":{"type":"integer","format":"int32"},"scopeId":{"type":"string"},"scopeType":{"$ref":"#/components/schemas/ScopeType"},"clusterId":{"$ref":"#/components/schemas/ClusterId"}}},"SubjectType":{"type":"string","enum":["user","app","group"]},"ScopeType":{"type":"string","enum":["system","tenant","cluster","department","project"]},"ClusterId":{"description":"The id of the cluster.","type":"string","format":"uuid"},"EnrichmentDataFields":{"type":"object","required":["roleName","scopeName"],"properties":{"roleName":{"type":"string"},"scopeName":{"type":"string"}}},"MetadataFields":{"type":"object","required":["id","createdAt","updatedAt","createdBy"],"properties":{"id":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"updatedAt":{"type":"string","format":"date-time"},"deletedAt":{"type":"string","nullable":true,"format":"date-time"},"tenantId":{"$ref":"#/components/schemas/TenantId"},"createdBy":{"type":"string"}}},"TenantId":{"description":"The id of the tenant.","type":"integer","format":"int32"},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/access-rules":{"get":{"summary":"List the access rules.","description":"Retrieve a list of access rules.","operationId":"get_access_rules","tags":["Access rules"],"parameters":[{"$ref":"#/components/parameters/SubjectTypeOptional"},{"$ref":"#/components/parameters/SubjectIdOptional"},{"$ref":"#/components/parameters/SubjectIds"},{"$ref":"#/components/parameters/Limit"},{"$ref":"#/components/parameters/Offset"},{"$ref":"#/components/parameters/LastUpdated"},{"$ref":"#/components/parameters/IncludeDeleted"},{"$ref":"#/components/parameters/FilterByCluster"},{"$ref":"#/components/parameters/ScopeTypeOptionalQueryDeprecated"},{"$ref":"#/components/parameters/ScopeIdOptional"},{"$ref":"#/components/parameters/RoleId"},{"$ref":"#/components/parameters/SortOrder"},{"$ref":"#/components/parameters/AccessRulesSort"},{"$ref":"#/components/parameters/AccessRulesFilter"}],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"type":"object","required":["totalRecords","displayRecords","accessRules"],"properties":{"totalRecords":{"type":"integer"},"displayRecords":{"type":"integer"},"accessRules":{"$ref":"#/components/schemas/AccessRules"}}}}}},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Create an access rule.

> Use to bind a predefined role to a subject (user, group or application) in a scope.

```json
{"openapi":"3.0.3","info":{"title":"Runai API","version":"2.19"},"tags":[{"name":"Access rules","description":"Access rules provide user authorization to system resources and entities.\nIt is managed using Role-based access control (RBAC) which is a policy-neutral \naccess control mechanism defined around roles and privileges. \nThe components of RBAC make it simple to manage access to system resources and entities.\nFor more information, see [Access control](https://docs.run.ai/v2.19/admin/runai-setup/access-control/rbac/#role-based-access-control).\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"AccessRuleCreationFields":{"type":"object","required":["subjectId","subjectType","roleId","scopeId","scopeType"],"properties":{"subjectId":{"type":"string"},"subjectType":{"$ref":"#/components/schemas/SubjectType"},"roleId":{"type":"integer","format":"int32"},"scopeId":{"type":"string"},"scopeType":{"$ref":"#/components/schemas/ScopeType"},"clusterId":{"$ref":"#/components/schemas/ClusterId"}}},"SubjectType":{"type":"string","enum":["user","app","group"]},"ScopeType":{"type":"string","enum":["system","tenant","cluster","department","project"]},"ClusterId":{"description":"The id of the cluster.","type":"string","format":"uuid"},"AccessRule":{"allOf":[{"$ref":"#/components/schemas/AccessRuleCreationFields"},{"$ref":"#/components/schemas/EnrichmentDataFields"},{"$ref":"#/components/schemas/MetadataFields"},{"required":["tenantId"]}]},"EnrichmentDataFields":{"type":"object","required":["roleName","scopeName"],"properties":{"roleName":{"type":"string"},"scopeName":{"type":"string"}}},"MetadataFields":{"type":"object","required":["id","createdAt","updatedAt","createdBy"],"properties":{"id":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"updatedAt":{"type":"string","format":"date-time"},"deletedAt":{"type":"string","nullable":true,"format":"date-time"},"tenantId":{"$ref":"#/components/schemas/TenantId"},"createdBy":{"type":"string"}}},"TenantId":{"description":"The id of the tenant.","type":"integer","format":"int32"},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"400BadRequest":{"description":"Bad request.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404NotFound":{"description":"The specified resource was not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/access-rules":{"post":{"summary":"Create an access rule.","description":"Use to bind a predefined role to a subject (user, group or application) in a scope.","operationId":"create_access_rule","tags":["Access rules"],"requestBody":{"description":"The access rule to create.","required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AccessRuleCreationFields"}}}},"responses":{"201":{"description":"Created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AccessRule"}}}},"400":{"$ref":"#/components/responses/400BadRequest"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"404":{"$ref":"#/components/responses/404NotFound"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Get an access rule.

> Use to retrieve the details of an access rule by id.

```json
{"openapi":"3.0.3","info":{"title":"Runai API","version":"2.19"},"tags":[{"name":"Access rules","description":"Access rules provide user authorization to system resources and entities.\nIt is managed using Role-based access control (RBAC) which is a policy-neutral \naccess control mechanism defined around roles and privileges. \nThe components of RBAC make it simple to manage access to system resources and entities.\nFor more information, see [Access control](https://docs.run.ai/v2.19/admin/runai-setup/access-control/rbac/#role-based-access-control).\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"parameters":{"AccessRuleId":{"name":"accessRuleId","in":"path","required":true,"description":"The id of the access rule to retrieve","schema":{"type":"integer","format":"int32","minimum":0}}},"schemas":{"AccessRuleById":{"allOf":[{"$ref":"#/components/schemas/AccessRule"},{"properties":{"scopePath":{"type":"string","nullable":true}}}]},"AccessRule":{"allOf":[{"$ref":"#/components/schemas/AccessRuleCreationFields"},{"$ref":"#/components/schemas/EnrichmentDataFields"},{"$ref":"#/components/schemas/MetadataFields"},{"required":["tenantId"]}]},"AccessRuleCreationFields":{"type":"object","required":["subjectId","subjectType","roleId","scopeId","scopeType"],"properties":{"subjectId":{"type":"string"},"subjectType":{"$ref":"#/components/schemas/SubjectType"},"roleId":{"type":"integer","format":"int32"},"scopeId":{"type":"string"},"scopeType":{"$ref":"#/components/schemas/ScopeType"},"clusterId":{"$ref":"#/components/schemas/ClusterId"}}},"SubjectType":{"type":"string","enum":["user","app","group"]},"ScopeType":{"type":"string","enum":["system","tenant","cluster","department","project"]},"ClusterId":{"description":"The id of the cluster.","type":"string","format":"uuid"},"EnrichmentDataFields":{"type":"object","required":["roleName","scopeName"],"properties":{"roleName":{"type":"string"},"scopeName":{"type":"string"}}},"MetadataFields":{"type":"object","required":["id","createdAt","updatedAt","createdBy"],"properties":{"id":{"type":"integer","format":"int32"},"createdAt":{"type":"string","format":"date-time"},"updatedAt":{"type":"string","format":"date-time"},"deletedAt":{"type":"string","nullable":true,"format":"date-time"},"tenantId":{"$ref":"#/components/schemas/TenantId"},"createdBy":{"type":"string"}}},"TenantId":{"description":"The id of the tenant.","type":"integer","format":"int32"},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404NotFound":{"description":"The specified resource was not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/access-rules/{accessRuleId}":{"get":{"summary":"Get an access rule.","description":"Use to retrieve the details of an access rule by id.","operationId":"get_access_rule","tags":["Access rules"],"parameters":[{"$ref":"#/components/parameters/AccessRuleId"}],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AccessRuleById"}}}},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"404":{"$ref":"#/components/responses/404NotFound"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Delete an access rule.

> Use to delete the subject permissions assigned by access rule id.

```json
{"openapi":"3.0.3","info":{"title":"Runai API","version":"2.19"},"tags":[{"name":"Access rules","description":"Access rules provide user authorization to system resources and entities.\nIt is managed using Role-based access control (RBAC) which is a policy-neutral \naccess control mechanism defined around roles and privileges. \nThe components of RBAC make it simple to manage access to system resources and entities.\nFor more information, see [Access control](https://docs.run.ai/v2.19/admin/runai-setup/access-control/rbac/#role-based-access-control).\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"parameters":{"AccessRuleId":{"name":"accessRuleId","in":"path","required":true,"description":"The id of the access rule to retrieve","schema":{"type":"integer","format":"int32","minimum":0}}},"responses":{"204NoContent":{"description":"No Content."},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404NotFound":{"description":"The specified resource was not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}}},"paths":{"/api/v1/authorization/access-rules/{accessRuleId}":{"delete":{"summary":"Delete an access rule.","description":"Use to delete the subject permissions assigned by access rule id.","operationId":"delete_access_rule","tags":["Access rules"],"parameters":[{"$ref":"#/components/parameters/AccessRuleId"}],"responses":{"204":{"$ref":"#/components/responses/204NoContent"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"404":{"$ref":"#/components/responses/404NotFound"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Count access rules.

> Use to retrieve the number of access rules.

```json
{"openapi":"3.0.3","info":{"title":"Runai API","version":"2.19"},"tags":[{"name":"Access rules","description":"Access rules provide user authorization to system resources and entities.\nIt is managed using Role-based access control (RBAC) which is a policy-neutral \naccess control mechanism defined around roles and privileges. \nThe components of RBAC make it simple to manage access to system resources and entities.\nFor more information, see [Access control](https://docs.run.ai/v2.19/admin/runai-setup/access-control/rbac/#role-based-access-control).\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"parameters":{"IncludeDeleted":{"name":"includeDeleted","in":"query","required":false,"description":"True to include deleted objects in the result.","schema":{"type":"boolean","default":false}},"AccessRulesFilter":{"name":"filterBy","in":"query","required":false,"description":"Filter results by a parameter. Use the format field-name operator value. Operators are == Equals, != Not equals, <= Less than or equal, >= Greater than or equal, =@ contains, !@ Does not contains, =^ Starts with and =$ Ends with. Dates are in ISO 8601 timestamp format and available for operators ==, !=, <= and >=.","schema":{"type":"array","items":{"type":"string","pattern":"^(subjectId|subjectType|roleId|scopeId|scopeType|roleName|scopeName|createdAt|deletedAt|createdBy)(==|!=|<=|>=|=@|!@|=\\^|=\\$).+$"}},"explode":false}},"responses":{"400BadRequest":{"description":"Bad request.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}}},"paths":{"/api/v1/authorization/access-rules/count":{"get":{"summary":"Count access rules.","description":"Use to retrieve the number of access rules.","operationId":"count_access_rules","tags":["Access rules"],"parameters":[{"$ref":"#/components/parameters/IncludeDeleted"},{"$ref":"#/components/parameters/AccessRulesFilter"}],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"type":"object","required":["count"],"properties":{"count":{"type":"integer","format":"int64"}}}}}},"400":{"$ref":"#/components/responses/400BadRequest"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://run-ai-docs.nvidia.com/api/2.19/authentication-and-authorization/access-rules.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.