> For the complete documentation index, see [llms.txt](https://run-ai-docs.nvidia.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://run-ai-docs.nvidia.com/self-hosted/2.24/infrastructure-setup/authentication/overview.md). # Authentication and Authorization NVIDIA Run:ai authentication and authorization enables a streamlined experience for the user with precise controls covering the data each user can see and the actions each user can perform in the NVIDIA Run:ai platform. Authentication verifies user identity during login, and authorization assigns the user with specific permissions according to the assigned [access rules](/self-hosted/2.24/infrastructure-setup/authentication/accessrules.md). Authenticated access is required to use all aspects of the NVIDIA Run:ai interfaces, including the NVIDIA Run:ai platform, the NVIDIA Run:ai Command Line Interface (CLI) and APIs. ## Authentication There are multiple methods to authenticate and access NVIDIA Run:ai. ### Single Sign-On (SSO) NVIDIA Run:ai supports three methods to set up SSO: * [SAML](/self-hosted/2.24/infrastructure-setup/authentication/sso/saml.md) * [OpenID Connect (OIDC)](/self-hosted/2.24/infrastructure-setup/authentication/sso/openidconnect.md) * [OpenShift](/self-hosted/2.24/infrastructure-setup/authentication/sso/openshift.md) When using SSO, it is highly recommended to manage at least one local user, as a breakglass account (an emergency account), in case access to SSO is not possible. ### Username and Password Username and password access can be used when SSO integration is not possible. ### Secret Key (for Application Programmatic Access) Secret is the authentication method for [Service accounts](/self-hosted/2.24/infrastructure-setup/authentication/service-accounts.md). Service accounts use the NVIDIA Run:ai APIs to perform automated tasks including scripts and pipelines based on their assigned [access rules](/self-hosted/2.24/infrastructure-setup/authentication/accessrules.md). ## Authorization The NVIDIA Run:ai platform uses Role Based Access Control (RBAC) to manage authorization. Once a user or service account is authenticated, they can perform actions according to their assigned access rules. ### Role Based Access Control (RBAC) in NVIDIA Run:ai While Kubernetes RBAC is limited to a single cluster, NVIDIA Run:ai expands the scope of Kubernetes RBAC, making it easy for administrators to manage access rules across multiple clusters. RBAC at NVIDIA Run:ai is configured using access rules. An access rule is the assignment of a [role](/self-hosted/2.24/infrastructure-setup/authentication/roles.md) to a [subject in a scope](/self-hosted/2.24/platform-management/aiinitiatives/adapting-ai-initiatives.md#scopes-in-an-organization): `` is a `` in a ``. * **Subject** * A user, group, or service account assigned with the role * **Role** * A set of permissions that can be assigned to subjects. Roles at NVIDIA Run:ai are system defined and cannot be created, edited or deleted. * A permission is a set of actions (view, edit, create and delete) over a NVIDIA Run:ai entity (e.g. projects, workloads, users). For example, a role might allow a user to create and read Projects, but not update or delete them * **Scope** * A scope is part of an organization in which a set of permissions (roles) is effective. Scopes include Projects, Departments, Clusters, Account (all clusters). Below is an example of an access rule: **** is a **Department admin** in **Department: A** ![](/files/nO9QOgWG7lLCQAOSrPQr) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://run-ai-docs.nvidia.com/self-hosted/2.24/infrastructure-setup/authentication/overview.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.