For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Get Started
Docs & GuidesAPI Reference
Docs & GuidesAPI Reference
  • Introduction
    • Overview
    • Why Coactive
    • Release Notes
  • Getting started
    • Accepted Media Formats
    • Cloud Storage Access (Beta)
  • Administration
    • User Roles (RBAC)
    • Ingestion Observability (Beta)
  • Core Features
    • Agentic Search
    • Intelligent Search
    • Concepts
    • Query Engine
  • Experimental
  • Deep Dives
    • Analyzing Concepts with SQL
    • Analyzing Dynamic Tags with SQL
    • The Power of Visual Data
    • Metadata Generation for Videos
    • Programmatically Retrieve SQL results
Get Started
LogoLogo
On this page
  • Overview
  • Organization Level Roles:
  • Organization Level Permissions
  • Dataset Level Roles:
  • Dataset-Level Permissions
  • How Members Are Added and Assigned Roles
  • Removing Members & Revoking Access
  • Authentication & API Access
  • System Credentials
  • Personal Credentials
  • Best Practices for Access Management
Administration

RBAC Guide

Was this page helpful?
Edit this page
Previous

Ingestion Observability (Beta)

Next
Built with

Overview

Coactive’s Role-Based Access Control (RBAC) system ensures secure and structured access to datasets and administrative functions. Access is managed at the organization level and the dataset level:

Organization Level Roles:

  • System Admin: Handles access management and credentialing for the entire organization. They can manage member accounts, assign roles, create and manage datasets, and control API access. System Admins are responsible for the overall security and governance of the platform, ensuring that members have appropriate access levels.
  • Member: A standard member of the organization who cannot manage other members or alter any organization-wide settings.

Organization Level Permissions

The following table outlines permissions specific to System Admins and Members at the organizational level:

PermissionsSystem AdminMember
Manage member accounts (invite/remove)✅
Manage System API credentials✅
Add new datasets✅
Assign dataset roles✅
View all dataset names in the organization✅
View datasets they are assigned to and the associated member list✅✅

Dataset Level Roles:

A dataset is a structured collection of images and videos that can be searched, analyzed, and enriched with metadata. There is no limit to the number of datasets an organization can create. Each member can be assigned one of three roles within a dataset, and their role may vary across different datasets.

  • Dataset Admin: Full control over a dataset, including the ability to modify assets and assign dataset-level roles to other members within a dataset.
  • Dataset Editor: Can create concepts and dynamic tags, but cannot modify dataset contents or manage dataset access.
  • Dataset Viewer: Can view dataset contents and run queries, but cannot modify assets.

Dataset-Level Permissions

Permissions at the dataset level are managed separately and apply based on dataset-specific roles:

PermissionsDataset AdminDataset EditorDataset Viewer
Assign dataset roles to members✅
Delete assets or dataset(s)✅
Add assets to a dataset✅
Delete dynamic tags/concepts✅✅
Create dynamic tags/concepts✅✅
Search✅✅✅
Run SQL queries✅✅✅

How Members Are Added and Assigned Roles

  • System Admins invite members to the organization and assign them dataset-level roles.
  • The Dataset Admin can then assign dataset-level roles or grant members access to the created datasets.

Removing Members & Revoking Access

When a member is removed from the organization:

  • They lose access to all datasets they were part of.
  • If they are the only Dataset Admin for a dataset, they will need to be replaced by the System Admin.
  • The removal is immediate and affects both API and UI access.

Authentication & API Access

Coactive supports two types of credentials:

System Credentials

  • Use Case: Used for programmatic access to the Coactive APIs.
  • Managed by System Admins: These credentials enable automation and broader system interactions and are not visible to users with the “Member” role.
  • Expiration: These credentials never expire but will be invalidated if they are deleted
  • Limit: Orgs can only have a maximum of 10 system credentials at a time.

Personal Credentials

  • Use Case: API access for individual members.
  • Generation: Members must generate their personal credential token through the UI. This token can be exchanged for an access token for authenticating API calls.
  • Refresh Token: At most one token issued per member.
    • Security Note: Coactive does not store personal refresh tokens. Members must securely store them upon generation.
  • Expiration:
    • Idle expiration: If unused for 30 days, the token expires.
    • Absolute expiration: Valid for 3 months from the generation date.
  • Regeneration: Members can regenerate their personal credentials if needed. The user’s existing token will be invalidated.

Best Practices for Access Management

  • Follow Least Privilege Principle: Assign the lowest level of access required for a member to perform their role.
  • Store Personal Credentials Securely: Members should manage their refresh tokens properly as they cannot be retrieved after creation.
  • Review Member Access Periodically: Regularly audit member roles and dataset permissions to ensure alignment with business needs.

For additional guidance, contact Coactive support here: https://www.coactive.ai/contact.