Administrators assign roles to users based on assignments and responsibilities. Set these roles in the application or map them from your identity provider if you have SSO integration enabled. If you start with a completely new Domino installation, the first user to log in is assigned the SysAdmin and Practitioner roles.
The available roles are:
-
SysAdmin - Administers instance with full administrative access.
-
ProjectManager - Manages organizations and project tags.
-
SupportStaff - Manages compute-related functionality.
-
Practitioner - Uses compute and file storage.
-
ReadOnlySupportStaff - View compute-related configuration.
-
Librarian - Manages project library.
-
Lite User - A user with no role. See Lite User.
By default, all new users are assigned the Practitioner role. You can change this with central configuration options.
When multiple roles are assigned to a user, permissions are additive. To grant users roles, you must be a SysAdmin.
-
In the Admin application, click Users.
-
Search for the username to grant permissions.
-
Click Edit and select the roles.
-
Click Save.
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
Create Project | ✓ | ||||
View Project List | ✓ | ✓ | ✓ | ✓ | ✓ |
Fork Project | ✓ | ||||
Archive Project | ✓ | ✓ | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
List and View Files | ✓ | ✓ | ✓ | ✓ | |
Edit Files | ✓ | ||||
Upload Files | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
Start Workspace | ✓ | ||||
Stop Workspace | ✓ | ✓ | ✓ | ||
Open Workspace | ✓ | ||||
View Workspace History | ✓ | ✓ | ✓ | ✓ | ✓ |
Archive Workspace | ✓ | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
Start Job | ✓ | ✓ | |||
Stop Job | ✓ | ✓ | ✓ | ||
View Job History | ✓ | ✓ | ✓ | ||
Create Scheduled Job | ✓ | ||||
Edit Scheduled Job | ✓ | ✓ | |||
Delete Scheduled Job | ✓ | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
View Project Settings | ✓ | ✓ | ✓ | ✓ | ✓ |
Edit Project Settings | ✓ | ✓ | ✓ | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
Create model API | ✓ | ||||
Be a model API "Owner" | ✓ | ||||
Be a model API "Editor" | ✓ | ✓ | ✓ | ||
Be a model API "Viewer" | ✓ | ||||
Stop a model version | ✓ | ✓ | ✓ | ||
View model settings | ✓ | ✓ | ✓ | ✓ | |
Edit model settings | ✓ | ✓ | ✓ | ||
Promote a model version to Prod | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
Publish or Start App | ✓ | ||||
Stop App | ✓ | ✓ | ✓ | ||
View App | ✓ | ✓ | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
View Launchers | ✓ | ✓ | ✓ | ||
Create or Edit Launcher | ✓ | ||||
Delete Launcher | ✓ | ||||
Run Launcher | ✓ |
See Dataset permissions for more information.
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
Create Dataset | ✓ | ||||
Mount/Unmount Dataset | ✓ | ||||
Delete Dataset Snapshot | ✓ | ✓ |
|
Note
| SysAdmins must also have the Practitioner role to create environments. Your organization incurs costs when anyone creates or stores environments. |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
List and View Environment | ✓ | ✓ | ✓ | ✓ | |
Create Environment | ✓ | ✓ | ✓ | ||
Edit Environment | ✓ | ✓ | ✓ |
| Permission | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|
View Admin UI | ✓ | ✓ | ✓ | ||
Edit Settings in Admin UI | ✓ |
| Permission | Lite User | Practitioner | SysAdmin | SupportStaff | ReadOnlySupportStaff | Librarian |
|---|---|---|---|---|---|---|
Create Organizations | ✓ | ✓ | ✓ | ✓ | ✓ | |
Organization Owner Can Add/Remove Members To/From the Organization | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Organization Owner Can Make Another User an Owner of the Organization | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Add/Remove Members To/From Any Organization | ✓ | |||||
Can Make Another User an Owner of Any Organization | ✓ | |||||
Select Hardware Tiers Available to Members of the Organization | ✓ |
|
Note
| You cannot delete organizations after you create them. |
When Project Managers are members of organizations, their role grants them owner-level access to all projects that are owned by other members of the organizations. This allows the Project Manager to see these projects and their assets in the Projects Portfolio and Assets Portfolio.
The Project Manager might also have the ability to add users to these organizations, thereby gaining contributor access to those users' projects. For this reason, the Project Manager must be treated as a highly privileged role, similar to System Administrator.
A user with no roles is called a Lite User or, in some contexts, a Results Consumer. They have restricted feature access and may have a different licensing status.
Lite Users have permission to do the following:
-
View the project list.
-
View files in a project.
-
View Workspace history.
-
View Job history.
-
Be added as collaborators of model APIs.
-
View Apps.
-
View and run Launchers (if permitted in project settings).
-
List and view Environments.
-
View experiments.