Administrators assign roles to users based on assignments and responsibilities. Set these roles in the application or map them from your identity provider if you have SSO integration enabled. If you start with a completely new Domino installation, the first user to log in is assigned the SysAdmin and Practitioner roles.
The available roles are:
-
SysAdmin - Administers instance with full administrative access.
-
CloudAdmin - Administers Domino Cloud instance with limited administrative access (Domino Cloud only).
-
ProjectManager - Manages organizations and project tags.
-
SupportStaff - Manages compute-related functionality.
-
Practitioner - Uses compute and file storage.
-
ReadOnlySupportStaff - View compute-related configuration.
-
Librarian - Manages project library.
-
LimitedAdmin - SysAdmin without access to projects and data.
-
LicenseReviewer - Views license-related content.
-
Lite User - A user with no role. See Lite User.
-
GovernanceAdmin - Manages policies with Domino Governance. See GovernanceAdmin role.
|
Tip
| LimitedAdmin and LicenseReviewer roles do not grant any permissions to Projects or Data. |
By default, all new users are assigned the Practitioner role.
When multiple roles are assigned to a user, permissions are additive. To grant users roles, you must be a SysAdmin or a CloudAdmin. SysAdmins can grant any role to any user. CloudAdmins can grant the CloudAdmin and Practitioner roles to CloudAdmins and Practitioners.
-
In the Admin application, click Users.
-
Search for the username to grant permissions.
-
Click Edit and select the roles.
-
Click Save.
Experiment management actions
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian | Limited Admin | License Reviewer |
|---|---|---|---|---|---|---|---|
Register a new experiment or a new run of an experiment | ✓ | ✓ | |||||
View/list/search experiments and runs (including metadata and artifacts) | ✓ | ✓ | ✓ | ||||
Delete (archive) an experiment or experiment run | ✓ | ✓ | |||||
Update an experiment or experiment run (includes logging artifacts, adding tags, etc.) | ✓ | ✓ |
Model registry actions
| Permission | Launcher user | Results consumer | Contributor | Project owner | SysAdmin | CloudAdmin |
|---|---|---|---|---|---|---|
Register a new model or a new version of a model | ✓ | ✓ | ✓ | ✓ | ||
Archive a registered model version | Owning user only | ✓ | ✓ | ✓ | ||
Update a registered model version | ✓ | ✓ | ✓ | ✓ | ||
View / list / search registered models and their versions | ✓ | ✓ | ✓ | ✓ | ✓ | |
Deploy a model as a Domino endpoint | ✓ | ✓ | ✓ | ✓ | ||
Export a model as a Domino endpoint Image | ✓ | ✓ | ✓ | ✓ | ||
Download model artifacts | ✓ | ✓ | ✓ | ✓ |
Domino endpoint actions
| Permission | Practitioner | SysAdmin | CloudAdmin | SupportStaff | ReadOnlySupportStaff | Librarian | Limited Admin | License Reviewer |
|---|---|---|---|---|---|---|---|---|
Create Domino endpoint | ✓ | |||||||
Be a Domino endpoint "Owner" | ✓ | |||||||
Be a Domino endpoint "Editor" | ✓ | ✓ | ✓ | ✓ | ||||
Be a Domino endpoint "Viewer" | ✓ | |||||||
Stop a model version | ✓ | ✓ | ✓ | ✓ | ||||
View model settings | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Edit model settings | ✓ | ✓ | ✓ | ✓ | ||||
Promote a model version to Prod | ✓ |
Dataset actions
See Dataset permissions and Dataset Roles for more information.
| Permission | Practitioner | SysAdmin | CloudAdmin | SupportStaff | ReadOnlySupportStaff | Librarian | Limited Admin | License Reviewer |
|---|---|---|---|---|---|---|---|---|
Create Dataset | ✓ | |||||||
Mount/Unmount Dataset | ✓ | |||||||
Delete Dataset Snapshot | ✓ | ✓ | ✓ | |||||
List All Datasets on Global Data Page | ✓ | ✓ | ✓ | |||||
List All Datasets and Snapshots in Admin Application | ✓ | ✓ | ✓ | |||||
Permanently Delete Datasets and Snapshots from the Admin Application | ✓ | ✓ | ✓ | |||||
Cancel Delete Requests within the time set by | ✓ | ✓ | ✓ | |||||
Edit Any Dataset Permissions | ✓ | ✓ | ✓ |
Environment actions
|
Note
| As a reminder, your organization incurs costs when anyone creates or stores environments. |
| Permission | Practitioner | SysAdmin | CloudAdmin | SupportStaff | ReadOnlySupportStaff | Librarian | Limited Admin | License Reviewer |
|---|---|---|---|---|---|---|---|---|
List and View Environment | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Create Environment | ✓ | ✓ | ✓ | |||||
Edit Environment | ✓ | ✓ | ✓ | ✓ |
Administrator actions
| Permission | Lite User | Practitioner | SysAdmin | CloudAdmin | SupportStaff | ReadOnlySupportStaff | Librarian | Limited Admin | License Reviewer |
|---|---|---|---|---|---|---|---|---|---|
View Admin UI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Edit Settings in Admin UI | ✓ | ✓ | ✓ | ||||||
Edit Configuration records | ✓ | ||||||||
Edit Users | ✓ | ✓ | |||||||
Edit Feature Flags | ✓ | ✓ | |||||||
Create Global Environments | ✓ | ✓ | |||||||
Edit Global Environments | ✓ | ✓ | |||||||
View Usage Reports | ✓ | ✓ | ✓ | ✓ | |||||
Create Notifications | ✓ | ✓ | ✓ | ||||||
Edit Hardware Tiers | ✓ | # | ✓ | ||||||
Run MongoDB Queries | ## | ||||||||
Manage Executions | ✓ | ✓ | |||||||
View Datasets in Admin UI | ✓ | ✓ | ✓ | ||||||
Manage Datasets in Admin UI | ✓ | ✓ | ✓ | ||||||
Use Cost Monitoring | ✓ | ✓ | |||||||
Configure Cost Budgets and Alerts | ✓ | ✓ |
|
Note
|
|
Organization actions
| Permission | Lite User | Practitioner | SysAdmin | CloudAdmin | SupportStaff | ReadOnlySupportStaff | Librarian | Limited Admin | License Reviewer |
|---|---|---|---|---|---|---|---|---|---|
Create Organizations | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Organization Owner Can Add/Remove Members To/From the Organization | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Organization Owner Can Make Another User an Owner of the Organization | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Add/Remove Members To/From Any Organization | ✓ | ✓ | |||||||
Can Make Another User an Owner of Any Organization | ✓ | ✓ | |||||||
Select Hardware Tiers Available to Members of the Organization | ✓ | ✓ | ✓ |
|
Note
| You cannot delete organizations after you create them. |
Project Manager Role
When Project Managers are members of organizations, their role grants them owner-level access to all projects that are owned by other members of the organizations. This allows the Project Manager to see these projects and their assets in the Projects Portfolio and Assets Portfolio.
The Project Manager might also have the ability to add users to these organizations, thereby gaining contributor access to those users' projects. For this reason, the Project Manager must be treated as a highly privileged role, similar to System Administrator.
CloudAdmin role
CloudAdmins are given most of the access SysAdmins have, but not all. CloudAdmins are only available on Domino Cloud.
-
Manage configuration records
-
Manage feature flags
-
Manage email configuration
-
Manage search index
-
Manage API keys
-
Run MongoDB commands
-
View Kubernetes dashboard
-
Restart Nucleus
CloudAdmins can only manage users with the Practitioner or CloudAdmin roles. Users with any other roles cannot be managed by CloudAdmins. CloudAdmins can only assign the Practitioner or CloudAdmin roles.
Lite User role
A user with no roles is called a Lite User or, in some contexts, a Results Consumer. They have restricted feature access and may have a different licensing status.
Lite Users have permission to do the following:
-
View the project list.
-
View files in a project.
-
View Workspace history.
-
View Job history.
-
Be added as collaborators of Domino endpoints.
-
View Apps.
-
View and run Launchers (if permitted in project settings).
-
List and view Environments.
-
View experiments.
Data Analyst role
The Data Analyst role is for users who have some technical background and coding experience in Python and R, but who do not need access to all the MLOps features of Domino. For more information, see Data Analyst role.
GovernanceAdmin role
The GovernanceAdmin role has permission to do the following:
-
View bundles.
-
View approvals.
-
Query audit events.
-
View policy overviews.
-
Manage policies evidence templates.
For more information, see Domino Governance policies.