# Authentication and Authorization

NVIDIA Run:ai authentication and authorization give users a streamlined experience while precisely controlling the data each user can see and the actions each user can perform in the NVIDIA Run:ai platform.

Authentication verifies user identity during login, and authorization assigns the user with specific permissions according to the assigned [access rules](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/accessrules).

Authenticated access is required to use all aspects of the NVIDIA Run:ai interfaces, including the NVIDIA Run:ai platform, the NVIDIA Run:ai Command Line Interface (CLI) and APIs.

## Authentication

There are multiple methods to authenticate and access NVIDIA Run:ai.

### Single Sign-On (SSO)

NVIDIA Run:ai supports three methods to set up SSO:

* [SAML](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/sso/saml)
* [OpenID Connect (OIDC)](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/sso/openidconnect)
* [OpenShift](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/sso/openshift)

When using SSO, it is highly recommended to keep at least one local user as a break-glass (emergency) account, so that administrators can still sign in if SSO becomes unavailable.

### Username and Password

Username and password access can be used when SSO integration is not possible.

### Secret Key (for Application Programmatic Access)

A secret key is the authentication method for [Service accounts](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/service-accounts). Service accounts use the NVIDIA Run:ai APIs to perform automated tasks, such as scripts and pipelines, and are limited to the permissions granted by their assigned [access rules](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/accessrules).

## Authorization

The NVIDIA Run:ai platform uses Role-Based Access Control (RBAC) to manage authorization. Once a user or service account is authenticated, it can perform only the actions permitted by its assigned access rules.

### Role-Based Access Control (RBAC) in NVIDIA Run:ai

While Kubernetes RBAC is limited to a single cluster, NVIDIA Run:ai expands the scope of Kubernetes RBAC, making it easy for administrators to manage access rules across multiple clusters.

RBAC at NVIDIA Run:ai is configured using access rules. An access rule is the assignment of a [role](https://run-ai-docs.nvidia.com/self-hosted/infrastructure-setup/authentication/roles) to a [subject in a scope](https://run-ai-docs.nvidia.com/self-hosted/platform-management/aiinitiatives/adapting-ai-initiatives#scopes-in-an-organization): `<Subject>` is a `<Role>` in a `<Scope>`.

* **Subject**
  * A user, group, or service account assigned with the role
* **Role**
  * A set of permissions that can be assigned to subjects. Roles in NVIDIA Run:ai are system-defined and cannot be created, edited or deleted.
  * A permission is a set of actions (view, edit, create and delete) over an NVIDIA Run:ai entity (e.g. projects, workloads, users). For example, a role might allow a user to create and view Projects, but not edit or delete them.
* **Scope**
  * A scope is the part of the organization in which a role's permissions are effective. Scopes include Projects, Departments, Clusters and Account (all clusters).

Below is an example of an access rule: **<username@company.com>** is a **Department admin** in **Department: A**

![](https://3353130086-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FN20As4prCx0T4ulkEZIr%2Fuploads%2Fgit-blob-a3f57b31c214d58a31d229abf3cb9d69ddc5f81b%2Fauth-rbac.png?alt=media)
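The following added example (not part of the Run:ai documentation or product code) models how a `<Subject>` is a `<Role>` in a `<Scope>` rule resolves to an allow/deny decision. The scope tree (Account > Cluster > Department > Project, with rules inheriting downward) and the role permission sets are constructed for illustration; the real system-defined roles are documented on the roles page linked above.

```python
from dataclasses import dataclass

# Constructed scope tree: each scope maps to its parent; None marks the top-level Account.
SCOPE_PARENT = {
    "account": None,
    "cluster:eu-1": "account",
    "department:A": "cluster:eu-1",
    "project:team-x": "department:A",
    "department:B": "cluster:eu-1",
    "project:team-y": "department:B",
}

# Constructed roles: entity -> allowed actions (view, edit, create, delete).
# "Project creator" mirrors the text's example: create and view Projects, but not edit or delete.
ROLES = {
    "Department admin": {"projects": {"view", "edit", "create", "delete"},
                         "workloads": {"view", "edit", "create", "delete"}},
    "Project creator": {"projects": {"view", "create"}},
}

@dataclass(frozen=True)
class AccessRule:
    subject: str   # user, group or service account
    role: str      # system-defined role name
    scope: str     # scope in which the role is effective

def scope_chain(scope):
    """Return the scope followed by all of its ancestors up to the Account."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain

def is_allowed(rules, subject, action, entity, scope):
    """Fail closed: allow only if a rule for this subject grants the action on the
    entity in the target scope or in one of its ancestor scopes."""
    if scope not in SCOPE_PARENT:
        return False
    chain = scope_chain(scope)
    return any(
        rule.subject == subject
        and rule.scope in chain
        and action in ROLES.get(rule.role, {}).get(entity, set())
        for rule in rules
    )

# Constructed rules: the page's example "username@company.com is a Department admin in
# Department: A", plus a service account allowed to create projects anywhere in the account.
RULES = [
    AccessRule("username@company.com", "Department admin", "department:A"),
    AccessRule("svc-pipeline", "Project creator", "account"),
]
```

With these rules, the department admin can delete workloads in `project:team-x` (inside Department A) but sees nothing in `project:team-y`, and the service account can create but never edit projects.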
