User Management & RBAC

Tyk AI Studio includes a comprehensive system for managing users, their authentication methods, and controlling their access to platform resources using Groups and Role-Based Access Control (RBAC).

Purpose

The User Management & RBAC system provides administrators with the tools to:

  • Manage the lifecycle of user accounts.
  • Define how users authenticate (UI sessions, API keys).
  • Organize users into logical groups.
  • Grant fine-grained access to Tyk AI Studio resources (LLMs, Tools, Data Sources, Chat Experiences) based on group membership.
  • Assign platform-level permissions using roles.

Core Concepts

  • User: Represents an individual interacting with Tyk AI Studio. Users are typically identified by an email address or username and can be created manually by administrators, via invitation, self-registration (if enabled), or provisioned through SSO Integration.
  • Authentication: The process of verifying a user’s identity.
    • Session-based: For users logging into the Tyk AI Studio UI (using username/password or SSO).
    • API Key: For applications or scripts interacting with Tyk AI Studio APIs (like the Proxy).
  • API Key: A unique, long-lived token generated by a user. Applications use this key (typically in an Authorization: Bearer <key> header) to authenticate requests on behalf of the user who generated it.
  • Group: A collection of users. Groups are the primary mechanism for assigning access rights to resources. A user can belong to multiple groups.
  • Resource: Any entity within Tyk AI Studio whose access needs to be controlled. This includes LLM Configurations, Tool Catalogues, Data Source Catalogues, and Chat Experiences.
  • Role: Defines a set of broad, platform-level permissions. Common roles include:
    • Admin: Full access to configure and manage the Tyk AI Studio platform.
    • Standard User: Access to use assigned resources (e.g., chat, query LLMs) but limited or no administrative capabilities.
  • RBAC (Role-Based Access Control): Tyk AI Studio’s access control model. Access is granted primarily by assigning resource access to Groups, and then adding Users to those Groups. Roles provide overarching platform permissions.
  • User Entitlements: The complete set of permissions a specific user has at any given time. This is calculated based on their assigned Role and the combined permissions granted through all the Groups they belong to. Systems like the Proxy check these entitlements before allowing an action.

User Lifecycle Management (Admin)

Administrators manage users via the UI or API:

  • Creation: Create user accounts manually, send invitations, or manage users provisioned via SSO.

  • Group Assignment: Add or remove users from various Groups.

  • Role Assignment: Assign a primary Role (e.g., Admin, Standard) to each user.

  • Status Management: Activate or deactivate user accounts.

  • API Key Management: Admins may have visibility into user API keys (though users typically generate their own).

    Placeholder: User Management UI

Group Management (Admin)

Groups are central to managing permissions:

  • Creation/Deletion: Create and manage groups (e.g., “Developers”, “Sales Team”, “Product Docs Users”).

  • User Assignment: Add/remove users from groups.

  • Resource Assignment: Grant access to specific LLM Configurations, Tool Catalogues, or Data Source Catalogues to the group. Any user in that group inherits this access.

    Placeholder: Group Management UI

Authentication Methods

  • UI Login: Users access the web interface by logging in with their credentials (username/password) or via a configured SSO Provider. This establishes a browser session.
  • API Key Authentication:
    1. A user generates an API Key via their profile settings in the UI.
    2. The user stores the key where the application can read it (an environment variable or secrets store, not source control). The key is long-lived and carries the user's full entitlements, so it must be handled as a credential.
    3. The application includes the key in the Authorization header for requests to Tyk AI Studio APIs:
      Authorization: Bearer <your-ai-studio-api-key>
      
    4. Tyk AI Studio validates the key and associates the request with the user who generated it, so every subsequent check runs against that user's Role and Groups.

Access Control Flow Example (API Request)

When an application makes a request to the Proxy using an API Key:

  1. Key Validation: Tyk AI Studio validates the API Key.
  2. User Identification: The system identifies the User associated with the key.
  3. Group Membership: The system determines all Groups the User belongs to.
  4. Resource Check: The request targets a specific resource (e.g., an LLM Configuration via its routeId).
  5. Permission Verification: Tyk AI Studio checks if any of the user’s Groups have been granted access to the requested resource.
  6. Entitlement Check: Additional checks based on the user’s Role and specific entitlements might occur (e.g., budget checks, model restrictions).
  7. Access Granted/Denied: If all checks pass, the request proceeds; otherwise it is denied. A missing or invalid key yields 401 Unauthorized (the request could not be tied to a user); a valid key whose user has no Group grant for the resource yields 403 Forbidden (the user is known but not entitled).
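The following Go program is an added example that is not part of this page or of Tyk AI Studio's code base. It models the API Key authentication steps and the access control flow above (key validation, user identification, group membership, resource check, and the 401/403 split) with a constructed in-memory directory: the User and Directory types, the sample keys and e-mail addresses, the resource ids such as gpt-4o-dev, and the decision to store keys hashed and to treat the Admin role as entitled to every resource are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample model of this page's concepts; types, keys and resource ids
// below are illustrative, not Tyk AI Studio's own.
type User struct {
	Email  string
	Role   string // "Admin" or "Standard"
	Active bool
	Groups []string
}

type Directory struct {
	keyHashToEmail map[string]string   // sha256(api key) -> user email
	users          map[string]User     // email -> user
	groupGrants    map[string][]string // group -> resource ids (e.g. LLM routeIds)
}

const ( // constructed keys; real ones are generated by the user in the UI
	KeyAlice = "aistudio-alice-example-key"
	KeyBob   = "aistudio-bob-example-key"
	KeyCarol = "aistudio-carol-example-key"
)

// Keys are stored hashed (assumed good practice, not a claim about the product).
func hashKey(k string) string {
	sum := sha256.Sum256([]byte(k))
	return hex.EncodeToString(sum[:])
}

func SampleDirectory() *Directory {
	d := &Directory{
		keyHashToEmail: map[string]string{},
		users: map[string]User{
			"alice@example.com": {Email: "alice@example.com", Role: "Standard", Active: true, Groups: []string{"Developers", "Sales Team"}},
			"bob@example.com":   {Email: "bob@example.com", Role: "Standard", Active: true, Groups: []string{"Sales Team"}},
			"carol@example.com": {Email: "carol@example.com", Role: "Standard", Active: false, Groups: []string{"Developers"}}, // deactivated
		},
		groupGrants: map[string][]string{
			"Developers": {"gpt-4o-dev", "internal-docs-rag"},
			"Sales Team": {"sales-assistant"},
		},
	}
	for k, e := range map[string]string{KeyAlice: "alice@example.com", KeyBob: "bob@example.com", KeyCarol: "carol@example.com"} {
		d.keyHashToEmail[hashKey(k)] = e
	}
	return d
}

// LookupKey covers steps 1-2: validate the key and identify its user. A
// deactivated account fails here exactly like an unknown key.
func (d *Directory) LookupKey(presented string) (User, bool) {
	if email, ok := d.keyHashToEmail[hashKey(presented)]; ok {
		u := d.users[email] // the zero User for a missing entry is inactive
		return u, u.Active
	}
	return User{}, false
}

// Entitlements covers steps 3 and 5: the union of every resource granted to any
// group the user belongs to.
func (d *Directory) Entitlements(u User) map[string]bool {
	ents := map[string]bool{}
	for _, g := range u.Groups {
		for _, r := range d.groupGrants[g] {
			ents[r] = true
		}
	}
	return ents
}

// Authorize maps the flow to a status: 401 when the request cannot be tied to an
// active user, 403 when it can but no group grants the routeId, else 200. Admins
// are treated as entitled to everything, following the role description above.
func (d *Directory) Authorize(authHeader, routeID string) (int, User) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return http.StatusUnauthorized, User{}
	}
	u, ok := d.LookupKey(strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer ")))
	if !ok {
		return http.StatusUnauthorized, User{}
	}
	if u.Role != "Admin" && !d.Entitlements(u)[routeID] {
		return http.StatusForbidden, u
	}
	return http.StatusOK, u
}

func main() {
	d := SampleDirectory()
	for _, key := range []string{KeyAlice, KeyBob, KeyCarol, "bogus"} {
		status, u := d.Authorize("Bearer "+key, "gpt-4o-dev")
		fmt.Println(status, u.Email) // 200 alice@example.com, 403 bob@example.com, 401, 401
	}
}
```

Two details are worth noticing when reading the output: Bob holds a perfectly valid key and still gets 403 because none of his Groups has been granted gpt-4o-dev, while Carol's key is rejected with 401 because her account is deactivated, which makes her indistinguishable from an attacker presenting a made-up key. Alice, who belongs to two Groups, inherits the union of both Groups' grants, which is the entitlement calculation the page describes under User Entitlements.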