Roles

A role defines a set of permissions that can be assigned to a subject in a scope, determining which actions the subject is allowed to perform on NVIDIA Run:ai entities such as projects, workloads, and users. Each permission represents an allowed action including view, create, edit, and delete on a specific entity.

Related permissions are grouped into permission sets, which bundle actions for a particular functional area (for example, managing workloads). These permission sets act as reusable building blocks that simplify role definition and ensure consistent access control across the platform.

NVIDIA Run:ai provides predefined roles for common use cases and allows administrators to create custom roles to meet specific organizational requirements.

Roles Table

The Roles table can be found under Access in the NVIDIA Run:ai platform.

The Roles table displays a list of roles available to users in the NVIDIA Run:ai platform. Both predefined and custom roles will be displayed in the table.

The Roles table consists of the following columns:

Column

Description

Role

The name of the role

Created by

The name of the role creator

Creation time

The timestamp when the role was created

Customizing the Table View

Filter - Click ADD FILTER, select the column to filter by, and enter the filter values
Search - Click SEARCH and type the value to search by
Sort - Click each column header to sort by
Column selection - Click COLUMNS and select the columns to display in the table
Download table - Click MORE and then Click Download as CSV. Export to CSV is limited to 20,000 rows.

Reviewing a Role

To review a role click the role name on the table
In the role form review the following:
- Role name The name of the role
- Entity A system-managed object that can be viewed, edited, created or deleted by a user based on their assigned role and scope
- Actions The actions that the role assignee is authorized to perform for each entity
  - View - If checked, an assigned user with this role can view instances of this type of entity within their defined scope
  - Edit - If checked, an assigned user with this role can change the settings of an instance of this type of entity within their defined scope
  - Create - If checked, an assigned user with this role can create new instances of this type of entity within their defined scope
  - Delete - If checked, an assigned user with this role can delete instances of this type of entity within their defined scope

Roles in NVIDIA Run:ai

NVIDIA Run:ai supports the following roles and their permissions. Under each role is a detailed list of the actions that the role assignee is authorized to perform for each entity.

Note

Legacy roles are deprecated and will be removed in a future release. Review the new predefined roles to determine whether they meet your requirements, or create a custom role using the API.

L1 researcher, L2 researcher, ML engineer → consider using AI practitioner
Data source administrator, Data volume administrator → consider using Data & storage administrator
Research manager → consider using Project administrator

AI practitioner

Compute resource administrator Legacy

Credentials administrator Legacy

Data and storage administrator

Data source administrator Legacy

Data volume administrator Legacy

Department administrator

Department viewer

Editor

Environment administrator Legacy

L1 researcher Legacy

L2 researcher Legacy

ML engineer Legacy

Project administrator

Research manager Legacy

System administrator

Template administrator Legacy

Viewer

Custom Roles (API Only)

Administrators can create and manage custom roles to meet specific organizational access requirements using the Roles API.

A custom role defines access by combining one or more permission sets, which together determine the actions that can be performed across NVIDIA Run:ai resources. By selecting the appropriate permission sets, administrators can tailor roles to match their organization’s access model while maintaining consistent and controlled authorization across the platform.

Note

Custom roles can be created and managed via API only. Once created, they are available for viewing in the Roles grid and can be selected when assigning access rules in the UI and API.

Permission Sets

Permission sets are the building blocks of both predefined and custom roles. They represent the complete set of privileges required for a role to perform specific operations across NVIDIA Run:ai resources.

A permission set is constructed from a collection of permissions. Each permission within a permission set defines:

a resource type, and
the allowed actions on that resource: create, read, update, or delete

The Permission sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. Permission sets may overlap in the resource types or actions they include. For more details, see the Permissions API.

Permission Set Naming and Scope

Permission sets are designed to group actions logically, following a clear pattern to define scope. To view the complete list of permission sets and understand how each is defined, see the Permissions API:

Edit Access (EditAccess) - These sets grant full CRUD (Create, Read, Update, Delete) permissions over the specified resource type, along with Read access to any associated data or dependencies required for management. For example, workspaceEditAccess grants full permissions to create, read, update, and delete workspaces, and read access all related data and resources required for their management, such as:
- workloads
- workload-properties
- nodepools-minimal
- clusters-minimal
- projects
- templates
- environments
- compute-resources
- pvc-assets
Read Access (ReadAccess) - These sets grant only view permissions for the specific resource and its related components. For example, workloadReadAccess grants permissions to read workloads, and read access all related data and resources associated with them, such as:
- workspaces
- trainings
- inferences
- workload-properties
- nodepools-minimal
- clusters-minimal
- projects

Creating a Custom Role

Requirements for Custom Roles

Custom roles must meet the following requirements:

UI access permissions - To allow a custom role to access the NVIDIA Run:ai user interface, include the following permission sets:
- settingsReadAccess
- accountReadAccess
- brandingSettingsReadAccess
- securitySettingsReadAccess
Kubernetes (cluster) permissions - Kubernetes permissions are required only if the role needs direct access to the Kubernetes cluster. If cluster access is required, the custom role must include a kubernetesPermissions object. This ensures the role inherits Kubernetes cluster-level permissions from an existing predefined NVIDIA Run:ai role.

Steps for Creating a Custom Role

Identify the required permission sets:
- Determine the capabilities the new role needs (e.g., managing training jobs, viewing clusters, etc.).
- Retrieve the full catalog of available permission set identifiers (name and id) using the GET /v1/api/permission-sets endpoint. This provides the list of all valid IDs (e.g., inferenceEditAccess, workloadReadAccess) to populate the permissionSets array in your request body.
- Include settingsReadAccess, accountReadAccess, brandingSettingsReadAccess and securitySettingsReadAccess to allow the custom role access the NVIDIA Run:ai user interface.
(Optional) Identify the Kubernetes predefined role ID. The custom role must inherit its underlying Kubernetes cluster permissions from an existing NVIDIA Run:ai predefined role if the role needs to access the Kubernetes cluster directly:
- Retrieve the list of all available predefined roles using the GET /v2/authorization/roles endpoint.
- Select the unique ID (a string identifier, e.g., "12") of the predefined role that grants the appropriate level of cluster access for your custom role.
- This ID will populate the predefinedRole field under the kubernetesPermissions object.
Construct and send the API request. Use the POST /v2/authorization/roles endpoint to create the role.

Example: MLOps Role

This example demonstrates a role that can fully manage inference workloads and access related monitoring information.

{
  "name": "MLOps",
  "description": "Fully manage inference workloads, and access other relevant information for monitoring",
  "permissionSets": [
    { "name": "inferenceEditAccess", "id": "<permissionSetId>" },
    { "name": "templatesEditAccess", "id": "<permissionSetId>" },
    { "name": "dataAndStorageReadAccess", "id": "<permissionSetId>" },
    { "name": "nodesReadAccess", "id": "<permissionSetId>" },
    { "name": "clustersReadAccess", "id": "<permissionSetId>" },
    { "name": "settingsReadAccess", "id": "<permissionSetId>" },
    { "name": "accountReadAccess", "id": "<permissionSetId>" }
  ],
  "kubernetesPermissions": {
    "predefinedRole": "12" 
  }
}

Enabling / Disabling Custom Roles

Administrators can control whether it is available for use by enabling or disabling it:

Enabled - Can be assigned to users and used in access rules.
Disabled - Remain defined in the system but cannot be assigned to users or used in access rules.

Troubleshooting Common Issues

Can't delete role

Description: The role cannot be deleted.

Mitigation:

Verify that the role is not assigned to any users.
If the role is currently in use, disable the role first, and then delete it.

Permissions not taking effect

Description: The selected permission sets are not taking effect.

Mitigation:

Ensure that the role is enabled.
Verify that the user has been assigned the role.
Check for conflicting permissions granted by other roles assigned to the user.

Cluster permissions not working

Description: Cluster-level permissions are not taking effect.

Mitigation:

Verify that the required ClusterRole exists in all relevant clusters.
Confirm that the cluster version is 2.21 or later.
Ensure that the cluster is properly connected to the tenant.

PreviousSet Up SSO with OpenShift NextService Accounts (formerly applications)

Last updated 10 days ago

Good afternoon

hashtagRoles Table

hashtagCustomizing the Table View

hashtagReviewing a Role

hashtagRoles in NVIDIA Run:ai

hashtagCustom Roles (API Only)

hashtagPermission Sets

hashtagPermission Set Naming and Scope

hashtagCreating a Custom Role

hashtagRequirements for Custom Roles

hashtagSteps for Creating a Custom Role

hashtagEnabling / Disabling Custom Roles

hashtagTroubleshooting Common Issues

Roles Table

Customizing the Table View

Reviewing a Role

Roles in NVIDIA Run:ai

Custom Roles (API Only)

Permission Sets

Permission Set Naming and Scope

Creating a Custom Role

Requirements for Custom Roles

Steps for Creating a Custom Role

Enabling / Disabling Custom Roles

Troubleshooting Common Issues