---
title: "Enterprise RBAC"
description: "Role-based access control for Aurora Enterprise with fine-grained permissions, custom roles, predefined roles, and row-level scoping."
icon: "user-shield"
---
Overview
Enterprise RBAC extends the OSS identity system with fine-grained permission enforcement across every Aurora resource. While OSS supports role definitions, Enterprise enforces those permissions at the API and dashboard level — users see and can act on only what their roles allow.
Requirements
RBAC requires the Enterprise `identity` capability for user and role management, and the Enterprise `rbac` capability for permission enforcement. Both are included automatically when `edition.name: enterprise` is set.
Predefined Roles
System roles (Admin, Operator, Viewer) cannot be deleted or modified.
Custom Roles
Define custom roles with granular permissions:

```bash
curl -X POST http://your-aurora-host/admin/api/v1/identity/roles \
  -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "support-operator",
    "description": "Can inspect usage and audit data"
  }'
```

Permission Levels
- Resource-level — Control access to models, providers, keys, users, guardrails, workflows, budgets, audit logs, settings
- Action-level — Specify create, read, update, delete permissions per resource
- Scope-level — Restrict access to own resources, team resources, or all resources
Attaching Permissions
```bash
curl -X POST http://your-aurora-host/admin/api/v1/identity/roles/{roleId}/permissions \
  -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{"permission_id": "{permissionId}"}'
```

Removing Permissions

```bash
curl -X DELETE "http://your-aurora-host/admin/api/v1/identity/roles/{roleId}/permissions/{permissionId}" \
  -H "Authorization: Bearer $AURORA_MASTER_KEY"
```

User Management
Create users and assign roles:
```bash
# Create user
curl -X POST http://your-aurora-host/admin/api/v1/identity/users \
  -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "operator@company.test",
    "display_name": "Operator",
    "password": "initial-password"
  }'

# Assign role
curl -X POST http://your-aurora-host/admin/api/v1/identity/users/{userId}/roles \
  -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  -H "Content-Type: application/json" \
  -d '{"role_id": "{roleId}"}'
```

Check a user's effective permissions:

```bash
curl -H "Authorization: Bearer $AURORA_MASTER_KEY" \
  http://your-aurora-host/admin/api/v1/identity/users/{userId}/permissions
```

Admin API Reference
For endpoint reference see the Admin API section.
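The role, permission and user calls above form one provisioning procedure: create the role, attach its permissions, create the user with a one-time initial password, assign the role, and then read back the effective permissions to confirm the user holds exactly what was intended. The script below is an added example (my code, not an Aurora client or SDK). It uses only the endpoints shown on this page and assumes two response shapes the page does not document: that create calls return the new object's `id`, and that the permissions endpoint returns `{"permissions": [...]}`. Permission ids such as `audit_logs:read`, the `FakeAurora` stand-in and the sample inputs are constructed for the example.

```python
"""Provision a custom role and user through the Aurora Admin API, then verify
the user's effective permissions match what was intended.

Added example, not Aurora's own client. ASSUMPTIONS (not documented on the page):
create calls return {"id": ...}; GET .../users/{userId}/permissions returns
{"permissions": [<permission ids>]}. Permission ids below are placeholders."""
import json
import os
import secrets
import urllib.request


class AuroraAdmin:
    """Minimal Admin API client. `transport(method, path, body) -> dict` is
    injectable so the flow can run offline; the default uses urllib."""

    API = "/admin/api/v1/identity"

    def __init__(self, base_url, master_key, transport=None):
        self.base_url = base_url.rstrip("/")
        self.master_key = master_key
        self.transport = transport or self._http

    def _http(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.master_key}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on non-2xx
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def create_role(self, name, description):
        body = {"name": name, "description": description}
        return self.transport("POST", f"{self.API}/roles", body)["id"]

    def attach_permission(self, role_id, permission_id):
        self.transport("POST", f"{self.API}/roles/{role_id}/permissions",
                       {"permission_id": permission_id})

    def create_user(self, email, display_name, password):
        body = {"email": email, "display_name": display_name, "password": password}
        return self.transport("POST", f"{self.API}/users", body)["id"]

    def assign_role(self, user_id, role_id):
        self.transport("POST", f"{self.API}/users/{user_id}/roles", {"role_id": role_id})

    def effective_permissions(self, user_id):
        resp = self.transport("GET", f"{self.API}/users/{user_id}/permissions", None)
        return set(resp["permissions"])


def permission_drift(granted, intended):
    """Return (extra, missing): what the user can do beyond the intended set and
    what the intended set lacks. Both empty means least privilege holds."""
    intended = set(intended)
    return sorted(granted - intended), sorted(intended - granted)


def provision(client, role_name, description, permission_ids, email, display_name):
    """Create role -> attach permissions -> create user -> assign role -> verify.
    The initial password is random and returned once for out-of-band delivery,
    so no fixed secret ends up in a script or shell history."""
    role_id = client.create_role(role_name, description)
    for pid in permission_ids:
        client.attach_permission(role_id, pid)
    initial_password = secrets.token_urlsafe(24)
    user_id = client.create_user(email, display_name, initial_password)
    client.assign_role(user_id, role_id)
    extra, missing = permission_drift(client.effective_permissions(user_id), permission_ids)
    if extra or missing:
        raise RuntimeError(f"effective permissions differ from intent: extra={extra} missing={missing}")
    return user_id, initial_password


class FakeAurora:
    """In-memory stand-in for the endpoints above so the example runs offline.
    Constructed for this example; it is not a fixture shipped with Aurora."""

    def __init__(self):
        self.roles, self.users = {}, {}

    def __call__(self, method, path, body):
        p = path.removeprefix(AuroraAdmin.API + "/").split("/")
        if (method, p) == ("POST", ["roles"]):
            rid = f"role-{len(self.roles) + 1}"
            self.roles[rid] = set()
            return {"id": rid}
        if method == "POST" and p[0] == "roles" and p[2:] == ["permissions"]:
            self.roles[p[1]].add(body["permission_id"])
            return {}
        if (method, p) == ("POST", ["users"]):
            uid = f"user-{len(self.users) + 1}"
            self.users[uid] = set()
            return {"id": uid}
        if method == "POST" and p[0] == "users" and p[2:] == ["roles"]:
            self.users[p[1]].add(body["role_id"])
            return {}
        if method == "GET" and p[0] == "users" and p[2:] == ["permissions"]:
            perms = set().union(*(self.roles[r] for r in self.users[p[1]]))
            return {"permissions": sorted(perms)}
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    # Set AURORA_URL and AURORA_MASTER_KEY to run against a live host; otherwise offline.
    url, key = os.environ.get("AURORA_URL"), os.environ.get("AURORA_MASTER_KEY")
    client = AuroraAdmin(url or "http://your-aurora-host", key or "unused",
                         transport=None if url and key else FakeAurora())
    uid, pw = provision(client, "support-operator", "Can inspect usage and audit data",
                        ["usage:read", "audit_logs:read"], "operator@company.test", "Operator")
    print(f"created {uid}; deliver initial password out of band: {pw}")
```

The read-back step matters because a user can hold several roles: the effective set is the union across all of them, so a role that looked narrow in isolation can still leave the user over-privileged. Checking `permission_drift` after every role change, not just at creation, catches that.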
Scope Levels
Row-level scoping ensures operators see only the rows their role entitles them to. A permission's scope is one of own (rows the user owns), team (rows belonging to the user's team), or all.
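The Permission Levels list above and this section describe a resource/action/scope model without showing how the three levels combine. The following is an added example (my illustrative model, not Aurora's enforcement code) of a deny-by-default check over that model and of the row filter that scope-level permissions imply for listings. The `Permission`, `Row` and `Actor` classes, the permission ids and the sample rows are assumptions made here for illustration.

```python
"""Illustrative model of how resource-, action- and scope-level permissions
combine into a deny-by-default check and a row-level filter.

Added example for this page; NOT Aurora's enforcement code. The dataclasses,
the semantics of "own"/"team"/"all" and the sample data are assumptions."""
from dataclasses import dataclass

# Resource and action names are the ones listed on the page.
RESOURCES = {"models", "providers", "keys", "users", "guardrails",
             "workflows", "budgets", "audit_logs", "settings"}
ACTIONS = {"create", "read", "update", "delete"}
SCOPES = {"own", "team", "all"}


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str
    scope: str

    def __post_init__(self):
        # Reject unknown names early: a typo such as "audit-log" must not
        # silently become a permission that matches nothing (or everything).
        if (self.resource not in RESOURCES or self.action not in ACTIONS
                or self.scope not in SCOPES):
            raise ValueError(f"invalid permission {self.resource}:{self.action}:{self.scope}")


@dataclass(frozen=True)
class Row:
    """One stored object, tagged with the owner and team used for scoping."""
    resource: str
    row_id: str
    owner_id: str
    team_id: str


@dataclass(frozen=True)
class Actor:
    user_id: str
    team_id: str


def scope_covers(scope, actor, row):
    """Does a permission with this scope reach this particular row?"""
    if scope == "all":
        return True
    if scope == "team":
        return row.team_id == actor.team_id
    return row.owner_id == actor.user_id  # "own"


def allowed(perms, actor, action, row):
    """Deny by default: some permission must match the row's resource and the
    requested action AND reach the row through its scope."""
    return any(p.resource == row.resource and p.action == action
               and scope_covers(p.scope, actor, row) for p in perms)


def visible(perms, actor, rows):
    """Row-level scoping of a listing: keep only rows the actor may read."""
    return [r.row_id for r in rows if allowed(perms, actor, "read", r)]


# Constructed sample data: a support operator who may read the keys of their
# own team and all audit logs, and nothing else.
SUPPORT_OPERATOR = frozenset({
    Permission("keys", "read", "team"),
    Permission("audit_logs", "read", "all"),
})
KEYS = [
    Row("keys", "k-1", owner_id="alice", team_id="payments"),
    Row("keys", "k-2", owner_id="bob", team_id="payments"),
    Row("keys", "k-3", owner_id="carol", team_id="ml-platform"),
]

if __name__ == "__main__":
    alice = Actor("alice", "payments")
    print("alice sees keys:", visible(SUPPORT_OPERATOR, alice, KEYS))
    print("alice may delete k-1:", allowed(SUPPORT_OPERATOR, alice, "delete", KEYS[0]))
```

Two properties are worth carrying into any real enforcement layer: the check is deny-by-default (an empty permission set allows nothing), and the listing filter reuses the same `allowed` predicate as single-object access, so a row hidden from a list cannot be fetched by guessing its id.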
Dashboard
Role and user management are available in the admin dashboard at Identity -> Roles and Identity -> Users.
Related
- Identity and Tenants — Tenant management and OIDC SSO
- Users — User lifecycle automation
- OSS Roles — Base roles documentation