Access Control
Organization and project hierarchy, role-based permissions, and user management.
This guide covers Tensorlake’s access control system, including user roles and permissions for both dashboard users and programmatic API access. The system manages access through a hierarchical structure of organizations and projects, with role-based permissions that apply to both human users and API keys.
Dashboard users interact with organizations and projects through the Tensorlake Cloud dashboard, while developers can also use API keys for programmatic access. API keys operate at the project level with project-member permissions, making them ideal for integrating Tensorlake into applications and automated workflows.
Entities and Relationships
Organizations
Organizations are the top-level entity in our system. Each organization can contain multiple projects and has its own set of members. Organizations implement a role-based access control system with two distinct roles: admin and member. These roles determine what actions users can perform within the organization and its projects.
Projects
Projects exist within organizations and serve as containers for related resources that require similar access control. Unlike team-based structures, projects are designed to group resources that should be protected and accessed in a consistent manner. This resource-centric approach allows for fine-grained access control based on the nature of the resources rather than organizational hierarchy.
API Keys
API Keys function exclusively at the project level and have the same permissions as project members. They can:
- Access project resources and data
- Make API calls within the project scope
They cannot perform any administrative actions.
API Keys are ideal for service accounts, automated processes, and integrations that need programmatic access to project resources.
Membership Rules
Project membership is tied to organization membership. A user must first be a member of an organization before they can be added to any projects within that organization. This hierarchical structure ensures proper access control across your resources.
API keys have the same permissions as project members. This means they can access project resources but cannot perform administrative actions that are reserved for project admins.
Roles and Permissions
The following tables categorize permissions by functional area to clearly show what each role can do:
Organization Management Permissions
Permission | Org Admin | Org Member | Project Admin | Project Member | API Key |
---|---|---|---|---|---|
Create new projects | ✅ | ❌ | ❌ | ❌ | ❌ |
Invite users to organization | ✅ | ❌ | ❌ | ❌ | ❌ |
View organization members | ✅ | ✅ | ❌ | ❌ | ❌ |
Manage organization member roles | ✅ | ❌ | ❌ | ❌ | ❌ |
Remove members from organization | ✅ | ❌ | ❌ | ❌ | ❌ |
Project Access Control Permissions
Permission | Org Admin | Org Member | Project Admin | Project Member | API Key |
---|---|---|---|---|---|
Access all projects automatically | ✅ | ❌ | ❌ | ❌ | ❌ |
Add organization members to a project | ✅ | ❌ | ✅ | ❌ | ❌ |
Remove members from a project | ✅ | ❌ | ✅ | ❌ | ❌ |
Change project member roles | ✅ | ❌ | ✅ | ❌ | ❌ |
View projects they are members of | ✅ | ✅ | ✅ | ✅ | N/A |
Resource Access Permissions
Permission | Org Admin | Org Member | Project Admin | Project Member | API Key |
---|---|---|---|---|---|
View project resources* | ✅ | ❌ | ✅ | ✅ | ✅ |
Manage project resources* | ✅ | ❌ | ✅ | ❌ | ❌ |
Create API keys for a project | ✅ | ❌ | ✅ | ❌ | ❌ |
Create Webhooks for a project | ✅ | ❌ | ✅ | ❌ | ❌ |
*Project resources include Files, Datasets, and Webhooks. API Keys are specific to a project and user.
Organization Roles in Detail
Organization Admin
Organization admins have complete control over the organization. They have full access to all projects within the organization, regardless of whether they are explicitly added as project members. Organization admins are the only users who can create new projects, invite users to join the organization, manage the roles of organization members, and remove members from the organization.
Organization Member
Organization members have limited access within the organization. They can view the member list of the organization but can only access projects to which they have been explicitly added. Their permissions within accessible projects are determined by their project role.
Project Roles in Detail
Project Admin
Project admins have management capabilities within their specific project. They can add existing organization members to their project, remove members from the project, and change the roles of project members. However, project admins cannot invite new users to the organization—this capability is reserved for organization admins.
Project Member
Project members have basic access to the project resources according to the system’s permission model. They can view and interact with the project but cannot modify membership or roles.
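The permission tables and role descriptions above can be read as one decision procedure. The following Python model is an added example, not Tensorlake code: the action names, the `Org` structure and the sample users are hypothetical, and the rules follow the permission tables.

```python
# Added toy model of this page's role matrix; not Tensorlake code, names hypothetical.
from dataclasses import dataclass, field

# Org-scoped actions -> org roles allowed (Organization Management table).
ORG_ACTIONS = {
    "create_project": {"admin"},
    "invite_user": {"admin"},
    "manage_org_roles": {"admin"},
    "remove_org_member": {"admin"},
    "view_org_members": {"admin", "member"},
}
# Project-scoped actions -> project roles allowed (the other two tables).
PROJECT_ACTIONS = {
    "view_resources": {"admin", "member"},
    "manage_resources": {"admin"},
    "manage_project_members": {"admin"},
    "create_api_key": {"admin"},
    "create_webhook": {"admin"},
}

@dataclass
class Org:
    roles: dict = field(default_factory=dict)     # user -> org role
    projects: dict = field(default_factory=dict)  # project -> {user: project role}
    api_keys: dict = field(default_factory=dict)  # key id -> project it belongs to

def is_allowed(org, principal, action, project=None):
    """Decide one request using the rules stated on this page."""
    if principal in org.api_keys:
        # API keys are project-scoped and act as a project member there.
        return (org.api_keys[principal] == project
                and "member" in PROJECT_ACTIONS.get(action, set()))
    org_role = org.roles.get(principal)
    if org_role is None:
        return False  # project access requires organization membership
    if action in ORG_ACTIONS:
        return org_role in ORG_ACTIONS[action]
    if action not in PROJECT_ACTIONS or project not in org.projects:
        return False
    if org_role == "admin":
        return True   # org admins reach every project without being added
    return org.projects[project].get(principal) in PROJECT_ACTIONS[action]

def sample_org():
    """Constructed sample data: one org admin, one org member, one API key."""
    return Org(roles={"alice": "admin", "bob": "member"},
               projects={"billing-docs": {"bob": "admin"}, "hr-files": {}},
               api_keys={"key:ci": "billing-docs"})
```

In the sample data, `bob` is an organization member and a project admin at the same time, and `alice` reaches `hr-files` without appearing in its member list.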
Invitation Process
User invitations can only be created by organization admins. When creating an invitation, the admin specifies the invitee’s email address, organization role, and a default project and project role.
Upon invitation creation, an email is sent to the invitee with a unique link. After the invitee authenticates and accepts the invitation, the system verifies that the account email matches the invitation email. Once verified, the user is added to the organization with the specified role and to the default project contained in the invitation.
Invitations expire 7 days after creation. The invitation can only be accepted if the account accepting it has the same email as the invitation.
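The acceptance checks described above, sketched in Python as an added example (not Tensorlake code). The `Invitation` fields, the function names, the exact-match email comparison and the choice to treat exactly 7 days as expired are assumptions.

```python
# Added sketch of the invitation acceptance check; not Tensorlake code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)  # "Invitations expire 7 days after creation"

@dataclass(frozen=True)
class Invitation:
    email: str             # address the org admin entered
    org_role: str          # "admin" or "member"
    default_project: str
    project_role: str      # "admin" or "member"
    created_at: datetime

def accept_invitation(inv, account_email, now, org_roles, project_members):
    """Apply the invitation if valid and return (accepted, reason).

    org_roles maps user -> org role; project_members maps
    project -> {user: project role}. Neither is touched on failure.
    """
    # Assumption: an invitation aged exactly 7 days is already expired.
    if now >= inv.created_at + INVITE_TTL:
        return False, "expired"         # an org admin must create a new one
    # Assumption: exact string match between account and invitation email.
    if account_email != inv.email:
        return False, "email_mismatch"  # holding the link is not enough
    # Organization membership comes first, then the default project.
    org_roles[inv.email] = inv.org_role
    members = project_members.setdefault(inv.default_project, {})
    members[inv.email] = inv.project_role
    return True, "accepted"

def sample_invitation():
    """Constructed sample invitation with a fixed creation time."""
    return Invitation(
        email="dana@example.com",
        org_role="member",
        default_project="billing-docs",
        project_role="member",
        created_at=datetime(2025, 1, 1, tzinfo=timezone.utc),
    )
```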
Usage Guidelines
Projects should be used strategically to group resources that require similar access control patterns. Rather than organizing by teams or departments, consider organizing projects based on resource types, security requirements, or functional boundaries.
Consider the following best practices:
- Create projects based on resource sensitivity and access requirements
- Group resources that are commonly accessed together in the same project
- Use projects to implement the principle of least privilege by limiting access to only necessary resources
- Regularly audit project membership and permissions
- Rotate API keys periodically for enhanced security
Frequently Asked Questions
What's the difference between organization and project roles?
Organization roles (admin/member) control access to organization-wide functions like creating projects and inviting users. Project roles (admin/member) control access to specific project resources and project-level management.
Can I be an organization member but a project admin?
Yes, your organization role and project roles are independent. An organization member can be a project admin for specific projects they’re added to.
How do I add someone to my organization?
Only organization admins can invite new users. Go to your organization settings and create an invitation with the user’s email, organization role, and default project assignment.
Can API keys perform administrative actions?
No, API keys have the same permissions as project members. They can access project resources but cannot manage users, create projects, or perform administrative functions.
What happens if an invitation expires?
Invitations expire after 7 days. If expired, an organization admin will need to create a new invitation for the user.
Can I be removed from an organization I created?
Yes. As long as there is one organization admin, other admins can be removed or changed to members, regardless of whether they created the organization.
How do I know which projects I have access to?
Organization admins automatically have access to all projects. Organization members can only see and access projects they’ve been explicitly added to. To find out which projects you have access to, go to the organization and click on the dropdown menu to select a project. You can also get a full list by going to https://cloud.tensorlake.ai/organizations/[YOUR_ORG_ID]/projects.
Can project members create API keys?
Yes, both project admins and project members can create API keys for their projects. Only organization admins and project admins can manage other aspects of projects.
What's the best way to organize projects?
Organize projects based on resource sensitivity and access requirements rather than team structure. Group resources that need similar access controls and are commonly used together. Datasets, files, API keys, and Webhooks are organized by project.
How often should I audit project permissions?
Regularly review project membership, especially when team members change roles or leave. Also rotate API keys periodically for enhanced security.