UI Action Permissions Reference
PaletteAI enforces Role-Based Access Control (RBAC) across the UI. Each create, edit, or delete action is available only to users whose role includes the required permission. If an action listed below is not visible in the UI, your role does not include the permission. Contact your administrator to request access. For the full list of permissions granted to each PaletteAI role, refer to the Role Permissions reference.
App Deployments
App deployment actions use the aiworkloads resource. Creating, editing, and deleting app and model deployments require permissions in this group. Cloning requires the create permission.
| Action | Required Permission |
|---|---|
| Create an app deployment | spectrocloud.com/aiworkloads:create |
| Clone an app deployment | spectrocloud.com/aiworkloads:create |
| Edit an app deployment | spectrocloud.com/aiworkloads:update |
| Delete an app deployment | spectrocloud.com/aiworkloads:delete |
Model Deployments
Model deployment actions require the same permissions as app deployments.
| Action | Required Permission |
|---|---|
| Create a model deployment | spectrocloud.com/aiworkloads:create |
| Clone a model deployment | spectrocloud.com/aiworkloads:create |
| Edit a model deployment | spectrocloud.com/aiworkloads:update |
| Delete a model deployment | spectrocloud.com/aiworkloads:delete |
Profile Bundles
Creating, cloning, or adding a new revision to a profile bundle requires the create permission.
| Action | Required Permission |
|---|---|
| Create a profile bundle | spectrocloud.com/profilebundles:create |
| Clone a profile bundle | spectrocloud.com/profilebundles:create |
| Create a new version | spectrocloud.com/profilebundles:create |
| Delete a profile bundle | spectrocloud.com/profilebundles:delete |
Workload Profiles
Workload profiles do not support editing. To make changes, clone the profile or delete and recreate it. Creating, cloning, or adding a new revision to a workload profile requires the create permission.
| Action | Required Permission |
|---|---|
| Create a workload profile | spectrocloud.com/workloadprofiles:create |
| Clone a workload profile | spectrocloud.com/workloadprofiles:create |
| Create a new version | spectrocloud.com/workloadprofiles:create |
| Delete a workload profile | spectrocloud.com/workloadprofiles:delete |
Definitions
Creating, cloning, or adding versions to a definition requires the create permission for that
definition type. Deleting a definition requires the delete permission. Only project-namespace
definitions can be deleted; system-namespace definitions cannot.
| Action | Required Permission |
|---|---|
| Create, clone, or add a version to a Component Definition | spectrocloud.com/componentdefinitions:create |
| Create, clone, or add a version to a Trait Definition | spectrocloud.com/traitdefinitions:create |
| Delete a Component Definition | spectrocloud.com/componentdefinitions:delete |
| Delete a Trait Definition | spectrocloud.com/traitdefinitions:delete |
Projects
Project management encompasses the entire lifecycle of a project and its settings, including compute configurations and integrations.
| Action | Required Permission |
|---|---|
| Create a project | spectrocloud.com/projects:create |
| Create a compute config | spectrocloud.com/computeconfigs:create |
| Create project-level settings | spectrocloud.com/settings:create |
| Edit a compute config | spectrocloud.com/computeconfigs:update |
| Edit any project setting | spectrocloud.com/projects:update |
| Add, edit, or delete an integration within a settings resource | spectrocloud.com/settings:update |
| Switch the active settings ref for a project | spectrocloud.com/projects:update |
| Delete a settings resource | spectrocloud.com/settings:delete |
| Delete a project | spectrocloud.com/projects:delete |
| Delete a compute config | spectrocloud.com/computeconfigs:delete |
Compute Pools
Compute pools support editing basic metadata (name, description, annotations, and labels) and the autoscaling policy through the Compute Pool Settings drawer on the detail page. The associated profile bundle can be updated from the Profile Bundle tab.
| Action | Required Permission |
|---|---|
| Create a compute pool | spectrocloud.com/computepools:create |
| Clone a compute pool | spectrocloud.com/computepools:create |
| Edit compute pool settings | spectrocloud.com/computepools:update |
| Update the profile bundle | spectrocloud.com/computepools:update |
| Delete a compute pool | spectrocloud.com/computepools:delete |
Variables
All project-level variable management actions require the same permission.
| Action | Required Permission |
|---|---|
| Add a variable | spectrocloud.com/variablesets:update |
| Edit a variable | spectrocloud.com/variablesets:update |
| Delete a variable | spectrocloud.com/variablesets:update |
| Bulk edit variables | spectrocloud.com/variablesets:update |
Repositories
Repository permissions are scoped to the repository type. Helm and OCI repositories use separate permission resources, so a user may have access to one type but not the other.
Helm Repositories
| Action | Required Permission |
|---|---|
| Add a Helm repository | source.toolkit.fluxcd.io/helmrepositories:create |
| Edit a Helm repository | source.toolkit.fluxcd.io/helmrepositories:update |
| Delete a Helm repository | source.toolkit.fluxcd.io/helmrepositories:delete |
OCI Repositories
| Action | Required Permission |
|---|---|
| Add an OCI repository | source.toolkit.fluxcd.io/ocirepositories:create |
| Edit an OCI repository | source.toolkit.fluxcd.io/ocirepositories:update |
| Delete an OCI repository | source.toolkit.fluxcd.io/ocirepositories:delete |