:orphan:

.. _aizenroles:

Aizen roles
===========

Aizen has a set of predefined roles. The users must have one or more of these roles to execute various commands in Jupyter notebook

* **AIZEN_ADMIN**

  * This is an adminitrative role only to be used duing the initial setup. The LDAP user id desginated as the admin account during Aizen core component install is automatically granted this role
  * Users with this role will be able to grant and revoke PROJECT_CREATOR role to and from another user
  * Additionally, AIZEN_ADMIN can grant PROJECT_ADMIN role to a user

- **PROJECT_ADMIN**

  * Has all the privileges and can execute all aizen commands for the current project
  * Can grant/revoke privileges to additional users
  * When project is created, the user that creates the project is automatically granted PROJECT_ADMIN role

* **PROJECT_CREATOR**

  * Users with this role are allowed to create projects
  * Can grant project level roles to other users who need project access

- **PROJECT_EXECUTOR**

  * Applies to a specific project and this role is granted at project level
  * Has all project level privileges except the following exceptions:
    
    * Cannot grant/revoke privileges from other users
    * Cannot delete any information (objects/jobs)

* **PROJECT_READER**

  * Applies to a specific project and this role is granted at project level
  * Is a **READ** only role. This role has no ability to start/stop/delete/manipulate data