Access Control

SeeMe.ai provides comprehensive role-based access control (RBAC) for managing who can access your AI resources.

Overview

graph TD
    subgraph "Organization"
        O[Organization]
        OM[Org Members]
        T[Teams]
        TM[Team Members]
        P[Projects]
        PM[Project Members]
    end

    subgraph "Resources"
        M[Models]
        D[Datasets]
        W[Workflows]
        G[Graphs]
    end

    O --> OM
    O --> T
    T --> TM
    T --> P
    P --> PM
    P --> M
    P --> D
    P --> W
    P --> G

Key Concepts

Concept	Description
Organization	Top-level container for all resources
Team	Group of users within an organization
Project	Container for related models, datasets, workflows
Role	Set of permissions (org_admin, team_lead, etc.)
Permission	Specific action (models:read, datasets:write)
Visibility	Who can see a resource (private, team, org, public)
Access Grant	Explicit permission given to user/role

Permission Hierarchy

Organization
├── org_owner (full control)
├── org_admin (manage members, teams)
└── org_member (basic access)
    │
    Team
    ├── team_lead (manage team, projects)
    └── team_member (access team resources)
        │
        Project
        ├── project_admin (full project control)
        ├── project_editor (read + write)
        └── project_viewer (read only)

Resource Visibility

Control who can see and access resources:

Visibility	Who Can Access
`private`	Only explicit grants
`project`	All project members
`team`	All team members
`org`	All organization members
`public`	Anyone (including anonymous)

Setting Visibility

## Set model visibility
client.update_model(
    model_id=model.id,
    visibility="team"  # private, project, team, org, public
)

# Set dataset visibility
client.update_dataset(
    dataset_id=dataset.id,
    visibility="org"
)

Access Control Sections

Roles & Permissions Access Grants API Keys Time-Based Access

Quick Start: Share a Model

With Specific Users

# Grant read access to a user
client.create_access_grant(
    resource_type="model",
    resource_id=model.id,
    user_id="user-uuid",
    permissions=["read", "predict"]
)

With a Team

# Make model visible to entire team
client.update_model(
    model_id=model.id,
    visibility="team"
)

With External Users (API Key)

# Create scoped API key for partners
api_key = client.create_api_key(
    name="Partner Integration",
    scopes=["models:predict"],
    model_ids=[model.id],  # Limit to specific model
    expires_in_days=30
)

print(f"Share this key: {api_key.key}")

Default Roles

Organization Roles

Role	Permissions
org_owner	Full control, billing, delete org
org_admin	Manage members, teams, projects
org_member	Create projects, basic read access

Team Roles

Role	Permissions
team_lead	Manage team members, create projects
team_member	Access team resources

Project Roles

Role	Permissions
project_admin	Full project control
project_editor	Read + write access
project_viewer	Read-only access

Share Roles

Role	Permissions
share_viewer	Read-only access to shared resource
share_editor	Read + write access to shared resource

Permission Reference

Model Permissions

models:read - View model details
models:write - Update model settings
models:delete - Delete models
models:predict - Run inference
models:download - Download model files

Dataset Permissions

datasets:read - View dataset
datasets:write - Modify dataset
datasets:delete - Delete dataset
datasets:annotate - Add annotations
datasets:download - Export data

Workflow Permissions

workflows:read - View workflow
workflows:write - Modify workflow
workflows:delete - Delete workflow
workflows:execute - Run workflow

Graph Permissions

graphs:read - View graph
graphs:write - Modify graph
graphs:delete - Delete graph
graphs:query - Execute queries

Best Practices

Use roles, not individual permissions - Easier to manage
Principle of least privilege - Grant minimum needed access
Use project/team visibility - More maintainable than individual grants
Audit access regularly - Review who has access to what
Set expiration on API keys - Rotate credentials periodically

Common Scenarios

Consulting Engagement

# Create time-limited access for external consultant
client.create_access_grant(
    resource_type="project",
    resource_id=project.id,
    user_email="consultant@external.com",
    role="project_editor",
    expires_at="2024-03-31T23:59:59Z"
)

Production API Integration

# Create minimal API key for production
api_key = client.create_api_key(
    name="Production Inference",
    scopes=["models:predict"],
    model_ids=[prod_model.id],
    organization_id=org.id
)

Team Onboarding

# Invite team member with appropriate role
client.invite_team_member(
    team_id=team.id,
    email="newmember@company.com",
    role="team_member"
)