Understand Roles and Permissions
Explains the different roles a user can be assigned to and their permissions on the platform
Platform Features
The following roles are managed on Unique’s IDP and include access and permissions for platform features. However, permissions and access to content/spaces are not part of this overview but specified in the Spaces concept (Spaces documentation will follow soon).
| Zitadel Key | Zitadel Display name | Zitadel Group | Unique Capabilities | Capabilities and functionalities |
|---|---|---|---|---|
| chat.chat.basic (Live) | chat with limit to input | chat | Chatting interface with a potential limit on the chat input | Default setting for end users to chat with the application |
| chat.knowledge.read (Live) | view knowledge base | knowledge-base | View central knowledge base | |
| chat.knowledge.write (Live) | upload knowledge base | knowledge-base | Upload to the central knowledge centre | |
| chat.data.admin (Live) | chat.data.admin | admin | Can see all user feedback and user prompt analytics | |
| chat.feedback.read (Live) | read chat-feedback | admin | Can see aggregated analytics (e.g. monthly active users, prompts per space) and upload and download benchmarking | |
| chat.admin.all (Live) | configure assistant | admin | Has access to many configuration APIs, but no access to APIs that return actual data such as messages or documents | This is an admin role that should only be granted to a few selected users |
| chat.debug.read (Live) | debugging | admin | Can see debugging info | |
| admin.user-management.write (Live) | Manage groups for users | admin | Can see the user management section | |
| admin.space.write (Live) | Configure spaces | admin | Can see the space management section and the AI module templates section | |
| admin.app-repository.write (Live) | Manage app repository | admin | Can see the apps management section | |
| connector.admin.read (BETA) | View MCP configs | admin | View MCP connector configurations | |
| connector.admin.write (BETA) | Manage MCP configs | admin | Create and modify MCP connector configurations | |
Additional roles that are not listed on this page but are shown in the Unique IDP can be ignored.
Content and Spaces
Access to content and spaces is fully managed on the Unique platform and outside of the IDP. As a Space Manager with the role admin.space.write you can decide which user groups have access to which space. Only the user groups assigned to a space can view the space (Spaces documentation will follow soon).
Add new roles to existing tenants
When a new chat role is created, it is not automatically distributed to existing tenants. An IDP owner of the existing tenant therefore has to add the new role to that tenant, following these steps:
1. On Cluster IAM level, go to Projects / Owned projects / Unique Apps.
2. Navigate to "Roles". There you see an overview of all the roles that can currently be distributed on that tenant. Compare this list to the one above in the Platform Features section.
3. If a role is missing, navigate to "+New".
4. Add the new role. The needed information is displayed in the table above.
5. The new role will appear in the Project Roles.
6. The new role then needs to be granted to the organizations that require it. Navigate to the Project Grants section, select a grant (by clicking on it) and adjust the grant to include the newly created role.
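As an added example (not part of this page or of Unique's own tooling), the following Python script performs the comparisons behind steps 2 and 6 against a constructed tenant snapshot: which catalog roles are missing from the project, which project roles have not been granted to any organization yet, and which organizations hold admin-group roles such as chat.admin.all, which the table says should go to only a few selected users. The snapshot shape is an assumption for this example, not the Zitadel API format.

```python
# Roles from the Platform Features table above, keyed by Zitadel group.
EXPECTED_GROUPS = {
    "chat.chat.basic": "chat",
    "chat.knowledge.read": "knowledge-base",
    "chat.knowledge.write": "knowledge-base",
    "chat.data.admin": "admin",
    "chat.feedback.read": "admin",
    "chat.admin.all": "admin",
    "chat.debug.read": "admin",
    "admin.user-management.write": "admin",
    "admin.space.write": "admin",
    "admin.app-repository.write": "admin",
    "connector.admin.read": "admin",
    "connector.admin.write": "admin",
}

# Constructed snapshot of one existing tenant. The shape is an assumption for
# this example, not Zitadel's API format: roles defined on the project, plus
# the roles each project grant (one per organisation) currently includes.
TENANT = {
    "project_roles": [
        "chat.chat.basic", "chat.knowledge.read", "chat.knowledge.write",
        "chat.data.admin", "chat.feedback.read", "chat.admin.all",
        "chat.debug.read", "admin.user-management.write", "admin.space.write",
        "admin.app-repository.write", "connector.admin.read",
    ],
    "grants": {
        "org-all-staff": ["chat.chat.basic", "chat.knowledge.read", "chat.admin.all"],
        "org-platform-team": ["chat.chat.basic", "admin.space.write"],
    },
}

def missing_project_roles(tenant, expected=EXPECTED_GROUPS):
    """Catalog roles not yet added to the tenant's project (steps 2 and 3)."""
    return sorted(set(expected) - set(tenant["project_roles"]))

def ungranted_roles(tenant):
    """Project roles that no organisation's grant includes yet (step 6)."""
    granted = set().union(*tenant["grants"].values())
    return sorted(set(tenant["project_roles"]) - granted)

def admin_role_holders(tenant, expected=EXPECTED_GROUPS):
    """Organisations whose grant includes admin-group roles, for review."""
    return {
        org: sorted(r for r in roles if expected.get(r) == "admin")
        for org, roles in tenant["grants"].items()
        if any(expected.get(r) == "admin" for r in roles)
    }
```

Running the three functions on the snapshot shows that connector.admin.write still has to be added to the project, and that org-all-staff has been granted chat.admin.all, which is exactly the kind of grant worth reviewing.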
| Author | @Abimbola Idowu |
|---|---|