Arthur Standard Access Control Overview

In both SaaS and on-prem installations, Arthur ships with a built-in access control system that can be used to manage users, permissions, and access to organizations. This system has different capabilities than the SSO-based paradigm. If your installation is using SSO, please see the Arthur SSO Access Control Overview.

Authentication

Users authenticate to Arthur using a username and password, which is set when their account is created and can be changed later in the UI. Users can also use the login API endpoint to retrieve a token for use with Arthur APIs.

Applications and automated systems can authenticate with Arthur using API keys. To create one in the Arthur UI, open the organization menu in the upper right corner and click Manage API Keys.

Note

Using API keys for non-automated use cases is not recommended: they are not tied to user identities and can obscure who is performing actions. As a best practice, use API keys minimally, only in the systems that need automated access, and be sure to create a rotation practice to ensure safekeeping.

Authorization (RBAC)

The Arthur standard access control system uses role-based access control (RBAC) with a set of pre-defined roles. The available roles for users are User, Model Owner, Administrator, and SuperAdmin. If enrolled in multiple organizations, the user can have a different role in each organization.

  • User: Has read-only access to the models and data within the organization.

  • Model Owner: Can onboard new models in the enrolled organization as well as send data, including reference data, inferences, and ground truth.

  • Administrator: Organization-level administrator who can manage users and models within the organization.

  • Super Admin: Has full access to all data, models, and actions on the platform. Can create new organizations and manage users. Only available on-prem.

Note

If your installation uses SSO, you can take advantage of creating custom roles to fine-tune user access to Arthur resources. See Custom RBAC for more information.

Adding Users to an Organization in the UI

To complete this section, you must have the “Administrator” role in your organization.

In the upper right corner, click on the organization menu, then click “Manage Members”. From this screen, you can enter the emails of additional users to add to the organization, manage the roles of existing users, and remove users from the organization.

Note

In order for email-based user invites to work, your installation must have an email integration set up. If not, you can use the Arthur API to create user accounts directly in your organization.

Adding Users to an Organization in the API

Arthur also supports managing users via automated workflows using the REST API. In order to create a user in your organization, you will need to have Administrator privileges in that organization, or have access to the superadmin user for your Arthur on-prem installation. The following APIs are helpful for managing users:

Switching Between Organizations

If a user is invited to multiple organizations, they will have the ability to switch between them in the UI. The user can click on the organization menu in the upper right corner and choose one of the other available organizations from that menu to switch to it. If no other organizations appear, that user does not have access to any other organizations.