RBAC Management#
RBAC (Role-Based Access Control) Management allows superadmins to define roles with fine-grained permissions and assign them to users. With RBAC, you can control which actions specific users are allowed to perform on various resources throughout the Backend.AI system.
RBAC Management is only available to superadmins and requires Backend.AI Manager version 26.4.0 or later.
To access the RBAC Management page, click RBAC Management in the Admin Settings section of the sidebar menu.

Role List#
The Role List page displays all roles in a table format. You can filter, search, and sort roles using the controls at the top of the page.
- Status filter: A segmented control to toggle between Active and Inactive roles. Active is selected by default.
- Name search: A property filter to search roles by name or filter by source (System or Custom). The filter input adapts to the selected property — for example, the Source filter exposes the available values (System / Custom) as a typed selector rather than a free-form text box, while the Name filter accepts free text.
- Create Role: A button to create a new custom role.
The table displays the following columns:
- Role Name: The name of the role. Click the name to open the role detail drawer.
- Description: A brief description of the role's purpose.
- Scope Type: The scope type of the role's first assigned scope, with a
+Nindicator when the role has multiple scopes. - Scope ID: The raw scope ID of the role's first assigned scope, with a
+Nindicator when the role has multiple scopes. - Source: Indicates whether the role is System (pre-defined) or Custom (user-created).
- Created At: The date and time when the role was created.
- Updated At: The date and time when the role was last modified.
You can sort the table by clicking the Role Name, Created At, or Updated At column headers.
System vs Custom Roles#
Roles are categorized into two source types:
- System: Automatically generated roles. You cannot edit their name or description, but you can manage their user assignments and permissions.
- Custom: Roles created by superadmins. These are fully editable, including name, description, assignments, scopes, and permissions.
Create a Role#
Creating a role requires you to define its scopes upfront. A scope binds the role to a specific resource entity (such as a domain, project, or user) so that every permission you later add to the role is confined to the scopes defined here.
To create a new custom role:
- Click the Create Role button at the top right of the Role List page
- In the creation modal, fill in the following fields:
- Role Name (required): Enter a unique name for the role
- Description (optional): Enter a description of the role's purpose
- Scope Type / Target (required, at least one): For each scope row, select a Scope Type and then choose the specific Target within that scope type. Click Add to add more scope rows, or the delete icon to remove a row. You must add at least one scope.
- Click OK to create the role

Scopes are defined at role creation time and cannot be edited afterwards through the role detail drawer. Plan the scopes carefully before creating the role.
Scope Types#
The following scope types are available when creating a role:
- Domain: Select from a list of active domains
- Project: Select a project (with domain filtering)
- User: Search for a user by email or name
View Role Details#
To view detailed information about a role, click the role name in the table. A detail drawer opens on the right side of the page.
The drawer header displays the role name and provides an Edit button for custom roles. The detail section shows the following metadata:
- Source: System or Custom
- Status: Active or Inactive
- Created At: The creation timestamp
- Updated At: The last modification timestamp
- Description: The role's description
Below the metadata, three tabs are available: Scopes, Permissions, and Role Assignments.

Edit a Role#
To edit a custom role's name or description:
- Open the role detail drawer by clicking a role name in the table
- Click the Edit button (pencil icon) in the drawer header
- Modify the Role Name and/or Description in the edit modal
- Click OK to save the changes

The Edit button is only available for Custom roles. System roles cannot have their name or description modified. Scopes cannot be modified after role creation in either case.
View Role Scopes#
The Scopes tab in the role detail drawer lists the scope entries that were assigned to the role at creation time. Each entry constrains the set of targets that permissions on this role can reference.

The table displays the following columns:
- Scope Type: The type of the scope entry (e.g., Domain, Project, User).
- Target: The human-readable name of the scope target (e.g., the domain name, project name, or user email).
- Scope ID: The UUID of the scope target.
Use the filter control at the top to narrow down scope entries by Scope Type.
Scopes are read-only in this tab. To change a role's scopes, you must create a new role with the desired scopes.
Manage Permissions#
The Permissions tab in the role detail drawer shows the fine-grained permissions configured for the role.

Understanding Permissions#
Each permission consists of four components:
- Scope Type: The type of resource that the permission targets (e.g., Domain, Project, User)
- Target: The specific entity within the scope type (e.g., a specific domain name, a specific project)
- Permission Type: The category of resource the permission controls, filtered based on the selected scope type
- Permission: The operation allowed on the resource. Only valid operations for the selected permission type are shown. Operations are grouped into two categories:
- Direct: Create, Read, Update, Soft Delete, Hard Delete
- Delegate to Others: Delegate All, Delegate Read, Delegate Update, Delegate Soft Delete, Delegate Hard Delete
The combined Scope Type / Target of each permission is inherited from the role's scope entries. When you add a permission, you can only pick from the scopes that were defined when the role was created. To broaden a role's reach, create a new role with additional scopes.
Permission Examples#
Here are some common permission configurations to help you understand how the four components work together. The Scope Type / Target column shows the role-level scope that the permission reuses.
| Scenario | Scope Type / Target | Permission Type | Permission |
|---|---|---|---|
| Allow a user to create storage folders in a specific project | Project / my-project | VFolder | Create |
| Allow a user to view all sessions in a domain | Domain / default | Session | Read |
| Allow a user to manage model serving endpoints | Domain / default | Endpoint | Create, Read, Update |
| Allow a user to delete container images | Domain / default | Image | Soft Delete |
Add a Permission#
- Open the role detail drawer and select the Permissions tab
- Click the Add Permission button
- In the modal, fill in the following fields:
- Scope Type / Target: Select one of the scope entries that were assigned to the role. The dropdown lists only scopes that have at least one actionable entity. The target is shown by its resolved, localized name (for example, the domain or project's display name) rather than its raw UUID, so you can recognize the scope at a glance.
- Permission Type: Select the entity type. Only valid types for the selected scope type are shown. Permission type labels (such as Role Assignment) are localized to match your UI language.
- Permission: Select the operation (e.g., Create, Read, Update, Soft Delete, Hard Delete, or delegation operations)
- Click Add to create the permission

The filter controls in the permissions list now use input types tailored to each filter property — selectors for enumerated values (such as Permission Type, Permission), and free text for name-style fields — making it faster to narrow the list to the entries you care about.
If a role was created without any scopes (for example, a legacy role imported from an earlier version), the Add Permission modal falls back to showing separate Scope Type and Target fields so that administrators can still configure the permission target.
Remove a Permission#
- In the Permissions tab, click the Remove Permission button next to the permission you want to remove
- A small confirmation popup appears anchored to the button. Click OK to confirm, or Cancel to dismiss.
Removing a permission from a role only detaches it from the role's permission set — the role itself, its scopes, and its user assignments are kept. You can add the same permission back later from the same tab, so this action is treated as reversible and uses a lightweight popup confirmation rather than a typed-name confirmation modal.
Manage User Assignments#
The Role Assignments tab in the role detail drawer shows which users are assigned to the role.

Add Users to a Role#
- Open the role detail drawer and select the Role Assignments tab
- Click the Add User button
- In the modal, search for users by email or name
- Select one or more users using the checkboxes
- Click Add to assign the selected users to the role

Revoke Users from a Role#
- In the Role Assignments tab, click the revoke (trash) icon button next to the user you want to remove
- A Revoke User confirmation modal opens. Type
Permanently Deleteinto the input field exactly as shown — the Revoke User button stays disabled until the entered text matches. Click Revoke User to confirm, or Cancel to dismiss.

Revoking a user removes only that user's assignment to this role; the role itself and its other assignments remain unchanged.
Revoking a user from a role cannot be undone. The confirmation modal requires you to type Permanently Delete before the Revoke User button is enabled.
Grant Project Admin Authority#
Creating a project also creates a dedicated role named project-<project_id>-admin, where <project_id> is the UUID of that project. Assigning a user to this role grants them Project Admin authority over that specific project — they can manage the project's users, sessions, deployments, and storage folders without holding system-wide superadmin privileges.

To grant Project Admin authority to a user:
- Open the Role List and locate the
project-<project_id>-adminrole for the target project. Use the property filter to search by role name (e.g. enterproject-to narrow the list). - Click the role name to open the role detail view.
- Follow Add Users to a Role on this role to assign the user.

The user gains Project Admin authority immediately. The next time they open the header's project dropdown they will see the project-admin badge next to the corresponding project, and the project-admin sidebar entries described in the Project Admin Features chapter.
To revoke Project Admin authority, follow Revoke Users from a Role on the same project-<project_id>-admin role.