RBAC Guide

Overview

Coactive’s Role-Based Access Control (RBAC) system ensures secure and structured access to datasets and administrative functions. Access is managed at the organization level and the dataset level:

Organization Level Roles:

  • System Admin: Handles access management and credentialing for the entire organization. They can manage member accounts, assign roles, create and manage datasets, and control API access. System Admins are responsible for the overall security and governance of the platform, ensuring that members have appropriate access levels.
  • Member: A standard member of the organization who cannot manage other members or alter any organization-wide settings.

Organization Level Permissions

The following table outlines permissions specific to System Admins and Members at the organizational level:

Permission | System Admin | Member
Manage member accounts (invite/remove)
Manage System API credentials
Add new datasets
Assign dataset roles
View all dataset names in the organization
View datasets they are assigned to and the associated member list

Dataset Level Roles:

A dataset is a structured collection of images and videos that can be searched, analyzed, and enriched with metadata. There is no limit to the number of datasets an organization can create. Each member can be assigned one of three roles within a dataset, and their role may vary across different datasets.

  • Dataset Admin: Full control over a dataset, including the ability to modify assets and assign dataset-level roles to other members within a dataset.
  • Dataset Editor: Can create concepts and dynamic tags, but cannot modify dataset contents or manage dataset access.
  • Dataset Viewer: Can view dataset contents and run queries, but cannot modify assets.

Dataset-Level Permissions

Permissions at the dataset level are managed separately and apply based on dataset-specific roles:

Permission | Dataset Admin | Dataset Editor | Dataset Viewer
Assign dataset roles to members
Delete assets or dataset(s)
Add assets to a dataset
Delete dynamic tags/concepts
Create dynamic tags/concepts
Search
Run SQL queries

How Members Are Added and Assigned Roles

  • System Admins invite members to the organization and can assign them dataset-level roles.
  • A Dataset Admin can then assign dataset-level roles to members, granting them access to the datasets that admin controls.

Removing Members & Revoking Access

When a member is removed from the organization:

  • They lose access to all datasets they were assigned to.
  • If they were the only Dataset Admin for a dataset, a System Admin must assign a new Dataset Admin for it.
  • Removal takes effect immediately and revokes both API and UI access.

Authentication & API Access

Coactive supports two types of credentials:

System Credentials

  • Use Case: Programmatic access to the Coactive APIs.
  • Managed by System Admins: These credentials enable automation and broader system interactions and are not visible to users with the "Member" role.
  • Expiration: System credentials never expire; they are only invalidated when a System Admin deletes them. Because there is no automatic expiry, delete credentials that are no longer needed rather than leaving them active.
  • Limit: An organization can have at most 10 system credentials at a time.

Personal Credentials

  • Use Case: API access for individual members.
  • Generation: Members generate their personal credential (a refresh token) through the UI. The refresh token is exchanged for an access token, which is what authenticates API calls.
  • Refresh Token: At most one active refresh token per member.
    • Security Note: Coactive does not store personal refresh tokens, so they cannot be retrieved after generation. Members must store them securely when they are issued.
  • Expiration:
    • Idle expiration: If the token is not used for 30 days, it expires.
    • Absolute expiration: The token is valid for at most 3 months from the generation date, regardless of use.
  • Regeneration: Members can regenerate their personal credential if needed. Regeneration invalidates the member's existing token.
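The rules above (one refresh token per member, idle and absolute expiry, regeneration invalidating the previous token, raw tokens never kept server-side) are easy to get subtly wrong, in particular the interaction between the idle clock and the absolute limit. The following is an added illustrative model of that policy, not Coactive's implementation or API: the store keeps only a SHA-256 hash of each refresh token, the 3-month absolute limit is approximated as 90 days, and the one-hour access-token lifetime is an assumption the page does not state.

```python
"""Model of the personal-credential lifecycle: illustrative only, not Coactive's code."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Lifetimes from the page: 30 days idle, 3 months absolute.
# "3 months" is rounded to 90 days here; that rounding is an assumption.
IDLE_LIMIT = timedelta(days=30)
ABSOLUTE_LIMIT = timedelta(days=90)
# Access-token lifetime is not stated on the page; one hour is an assumption.
ACCESS_TOKEN_TTL = timedelta(hours=1)


def _hash(raw: str) -> str:
    # Only the SHA-256 of the refresh token is stored, so a leaked store cannot
    # be replayed; the raw token is shown to the member exactly once.
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class RefreshRecord:
    member: str
    issued_at: datetime
    last_used_at: datetime


class PersonalCredentialStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, RefreshRecord] = {}  # token hash -> record
        self._by_member: dict[str, str] = {}          # member -> token hash

    def issue(self, member: str, now: datetime) -> str:
        """Create (or regenerate) the member's single refresh token; returns it raw."""
        old = self._by_member.pop(member, None)
        if old is not None:
            del self._by_hash[old]  # regeneration invalidates the previous token
        raw = secrets.token_urlsafe(32)
        h = _hash(raw)
        self._by_hash[h] = RefreshRecord(member, now, now)
        self._by_member[member] = h
        return raw

    def revoke_member(self, member: str) -> None:
        """Removing a member from the organization drops their refresh token at once."""
        h = self._by_member.pop(member, None)
        if h is not None:
            del self._by_hash[h]

    def exchange(self, raw: str, now: datetime) -> dict:
        """Exchange a refresh token for a short-lived access token, enforcing both expiries."""
        rec = self._by_hash.get(_hash(raw))
        if rec is None:
            raise PermissionError("unknown or invalidated refresh token")
        if now - rec.issued_at > ABSOLUTE_LIMIT:
            self.revoke_member(rec.member)
            raise PermissionError("refresh token past absolute expiry")
        if now - rec.last_used_at > IDLE_LIMIT:
            self.revoke_member(rec.member)
            raise PermissionError("refresh token idle-expired")
        rec.last_used_at = now  # every successful use resets the idle clock
        return {"member": rec.member, "expires_at": now + ACCESS_TOKEN_TTL}


def can_exchange(store: PersonalCredentialStore, raw: str, now: datetime) -> bool:
    try:
        store.exchange(raw, now)
        return True
    except PermissionError:
        return False


def demo() -> list[bool]:
    """Walk the lifecycle with constructed timestamps; returns the outcomes in order."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = PersonalCredentialStore()
    tok = store.issue("alice", t0)
    results = [
        can_exchange(store, tok, t0 + timedelta(days=29)),  # used within 30 days: OK
        can_exchange(store, tok, t0 + timedelta(days=58)),  # idle clock was reset at day 29: OK
        can_exchange(store, tok, t0 + timedelta(days=91)),  # past the 90-day absolute limit: denied
    ]
    tok2 = store.issue("bob", t0)
    results.append(can_exchange(store, tok2, t0 + timedelta(days=31)))  # never used: idle-expired
    tok3 = store.issue("carol", t0)
    tok4 = store.issue("carol", t0 + timedelta(days=1))  # regeneration
    results.append(can_exchange(store, tok3, t0 + timedelta(days=2)))  # old token invalidated
    results.append(can_exchange(store, tok4, t0 + timedelta(days=2)))  # new token works
    return results


if __name__ == "__main__":
    print(demo())
```

The point the walk-through makes is that regular use keeps a token alive only until the absolute limit: Alice's token survives day 58 because it was used on day 29, but fails on day 91 no matter how recently it was used, while Bob's unused token is already gone on day 31.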

Best Practices for Access Management

  • Follow the Least Privilege Principle: Assign the lowest level of access a member needs to perform their role, at both the organization and the dataset level.
  • Store Personal Credentials Securely: Members should protect their refresh tokens, which cannot be retrieved after creation, and regenerate them if exposure is suspected.
  • Review Member Access Periodically: Regularly audit member roles, dataset permissions, and active system credentials (which never expire on their own) to ensure they still match business needs.

For additional guidance, contact Coactive support here: https://www.coactive.ai/contact.