RBAC Controls
PaletteAI enforces role-based access control (RBAC) across the UI. Actions such as creating, editing, or deleting resources are available only to users whose role includes the required permissions. If a button or action described below is not visible, your role likely does not grant the necessary access. Contact your administrator to request access. editing, or deleting resources — are only available to users whose role grants the corresponding permission. If a button or action described below is not displayed, your role likely does not include the required permission. Contact your administrator to request access.
App Deployments
App deployment actions use the aiworkloads resource. Creating, editing, and deleting app and model deployments require permissions in this group. Cloning requires the create permission.
| Action | Required Permission |
|---|---|
| Create an app deployment | spectrocloud.com/aiworkloads:create |
| Clone an app deployment | spectrocloud.com/aiworkloads:create |
| Edit an app deployment | spectrocloud.com/aiworkloads:update |
| Delete an app deployment | spectrocloud.com/aiworkloads:delete |
Model Deployments
Model deployment actions require the same permissions as app deployments.
| Action | Required Permission |
|---|---|
| Create a model deployment | spectrocloud.com/aiworkloads:create |
| Clone a model deployment | spectrocloud.com/aiworkloads:create |
| Edit a model deployment | spectrocloud.com/aiworkloads:update |
| Delete a model deployment | spectrocloud.com/aiworkloads:delete |
Profile Bundles
Creating, cloning, or adding a new revision to a profile bundle requires the create permission.
| Action | Required Permission |
|---|---|
| Create a profile bundle | spectrocloud.com/profilebundles:create |
| Clone a profile bundle | spectrocloud.com/profilebundles:create |
| Create a new version | spectrocloud.com/profilebundles:create |
| Delete a profile bundle | spectrocloud.com/profilebundles:delete |
Workload Profiles
Workload profiles do not support editing. To make changes, clone the profile or delete and recreate it. Creating, cloning, or adding a new revision to a workload profile requires the create permission.
| Action | Required Permission |
|---|---|
| Create a workload profile | spectrocloud.com/workloadprofiles:create |
| Clone a workload profile | spectrocloud.com/workloadprofiles:create |
| Create a new version | spectrocloud.com/workloadprofiles:create |
| Delete a workload profile | spectrocloud.com/workloadprofiles:delete |
Definitions
Creating, cloning, or adding versions to a definition requires the create permission for that
definition type. Deleting a definition requires the delete permission. Only project-namespace
definitions can be deleted; system-namespace definitions cannot.
| Action | Required Permission |
|---|---|
| Create, clone, or add a version to a Component Definition | spectrocloud.com/componentdefinitions:create |
| Create, clone, or add a version to a Trait Definition | spectrocloud.com/traitdefinitions:create |
| Delete a Component Definition | spectrocloud.com/componentdefinitions:delete |
| Delete a Trait Definition | spectrocloud.com/traitdefinitions:delete |
Projects
Project management encompasses the entire lifecycle of a project and its settings, including compute configurations and integrations.
| Action | Required Permission |
|---|---|
| Create a project | spectrocloud.com/projects:create |
| Create a compute config | spectrocloud.com/computeconfigs:create |
| Create project-level settings | spectrocloud.com/settings:create |
| Edit a compute config | spectrocloud.com/computeconfigs:update |
| Edit any project setting | spectrocloud.com/projects:update |
| Add, edit, or delete an integration within a settings resource | spectrocloud.com/settings:update |
| Switch the active settings ref for a project | spectrocloud.com/projects:update |
| Delete a settings resource | spectrocloud.com/settings:delete |
| Delete a project | spectrocloud.com/projects:delete |
| Delete a compute config | spectrocloud.com/computeconfigs:delete |
Compute Pools
Compute pools support editing basic metadata (name, description, annotations, and labels) and the autoscaling policy through the Compute Pool Settings drawer on the detail page. The associated profile bundle can be updated from the Profile Bundle tab.
| Action | Required Permission |
|---|---|
| Create a compute pool | spectrocloud.com/computepools:create |
| Clone a compute pool | spectrocloud.com/computepools:create |
| Edit compute pool settings | spectrocloud.com/computepools:update |
| Update the profile bundle | spectrocloud.com/computepools:update |
| Delete a compute pool | spectrocloud.com/computepools:delete |
Variables
All project-level variable management actions require the same permission.
| Action | Required Permission |
|---|---|
| Add a variable | spectrocloud.com/variablesets:update |
| Edit a variable | spectrocloud.com/variablesets:update |
| Delete a variable | spectrocloud.com/variablesets:update |
| Bulk edit variables | spectrocloud.com/variablesets:update |
Repositories
Repository permissions are scoped to the repository type. Helm and OCI repositories use separate permission resources, so a user may have access to one type but not the other.
Helm Repositories
| Action | Required Permission |
|---|---|
| Add a Helm repository | source.toolkit.fluxcd.io/helmrepositories:create |
| Edit a Helm repository | source.toolkit.fluxcd.io/helmrepositories:update |
| Delete a Helm repository | source.toolkit.fluxcd.io/helmrepositories:delete |
OCI Repositories
| Action | Required Permission |
|---|---|
| Add an OCI repository | source.toolkit.fluxcd.io/ocirepositories:create |
| Edit an OCI repository | source.toolkit.fluxcd.io/ocirepositories:update |
| Delete an OCI repository | source.toolkit.fluxcd.io/ocirepositories:delete |