NVIDIA Run:ai

Access rules

Access rules provide user authorization to system resources and entities. It is managed using Role-based access control (RBAC) which is a policy-neutral access control mechanism defined around roles and privileges. The components of RBAC make it simple to manage access to system resources and entities. For more information, see Access control.

Create an access rule.

Use to bind a predefined role to a subject (user, group or application) in a scope.

SecuritybearerAuth
Request
Request Body schema: application/json
required

The access rule to create.

subjectId
required
string

The unique identifier of the subject (e.g., user, group, or app).

subjectType
required
string

The subject assigned to the access rule. Valid values: user, group, app.

Enum: "user" "app" "group"
roleId
required
integer <int32>

The numeric ID of the assigned role.

scopeId
required
string

The unique identifier of the scope.

scopeType
required
string

The type of scope the access rule applies to. Valid values: system, tenant, cluster, department, project.

Enum: "system" "tenant" "cluster" "department" "project"
clusterId
string <uuid> (ClusterId)

The id of the cluster.

Responses
201

Created

400

Bad request.

401

Unauthorized

403

Forbidden

404

The specified resource was not found

500

unexpected error

503

unexpected error

post/api/v1/authorization/access-rules
Request samples
application/json
{
  • "subjectId": "user@run.ai",
  • "subjectType": "user",
  • "roleId": 53142648,
  • "scopeId": "a418ed33-9399-48c0-a890-122cadd13bfd",
  • "scopeType": "system",
  • "clusterId": "71f69d83-ba66-4822-adf5-55ce55efd210"
}
Response samples
application/json
{
  • "subjectId": "user@run.ai",
  • "subjectType": "user",
  • "roleId": 53142648,
  • "scopeId": "a418ed33-9399-48c0-a890-122cadd13bfd",
  • "scopeType": "system",
  • "clusterId": "71f69d83-ba66-4822-adf5-55ce55efd210",
  • "roleName": "admin",
  • "scopeName": "tenant-x",
  • "id": 32,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z",
  • "deletedAt": "2019-08-24T14:15:22Z",
  • "tenantId": 1001,
  • "createdBy": "user@run.ai",
  • "status": {
    }
}

List the access rules.

Retrieve a list of access rules.

SecuritybearerAuth
Request
query Parameters
subjectType
string

The type of resource we want to filter by.

Example: subjectType=user
subjectIdFilter
string
Deprecated

Part of the subject id that we want to filter by.

Example: subjectIdFilter=some.user
subjectIds
Array of strings

The ids of the subjects to filter the response for.

Example: subjectIds=some.user@run.ai
limit
integer <int32> [ 1 .. 500 ]
Default: 50

The maximum number of entries to return.

offset
integer <int32>

The offset of the first item returned in the collection.

Example: offset=100
lastUpdated
string

Filter by last update time.

Example: lastUpdated=2021-12-14T16:04:15.099Z
includeDeleted
boolean
Default: false

True to include deleted objects in the result.

Example: includeDeleted=false
clusterId
string <uuid>

Filter using the Universally Unique Identifier (UUID) of the cluster.

Example: clusterId=d73a738f-fab3-430a-8fa3-5241493d7128
scopeType
string
Deprecated

The type of resource we want to filter by.

Example: scopeType=project
scopeId
string

The scope resource id that we want to filter by.

Example: scopeId=2
roleId
integer <int32> >= 1
Deprecated

The role id we want to filter by.

sortOrder
string
Default: "asc"

Sort results in descending or ascending order.

Enum: "asc" "desc"
sortBy
string (AccessRulesSortFilterFields)

Sort results by a parameter.

Enum: "subjectId" "subjectType" "roleId" "scopeId" "scopeType" "roleName" "scopeName" "createdAt" "deletedAt" "createdBy" "phase"
filterBy
Array of strings

Filter results by a parameter. Use the format field-name operator value. Operators are == Equals, != Not equals, <= Less than or equal, >= Greater than or equal, =@ contains, !@ Does not contains, =^ Starts with and =$ Ends with. Dates are in ISO 8601 timestamp format and available for operators ==, !=, <= and >=.

Example: filterBy=name!=some-access-rule-name,createdAt>=2023-01-01T00:00:00Z
search
string

Filter results by a free text search.

Example: search=test project
Responses
200

Executed successfully.

401

Unauthorized

403

Forbidden

500

unexpected error

503

unexpected error

get/api/v1/authorization/access-rules
Response samples
application/json
{
  • "totalRecords": 1,
  • "displayRecords": 1,
  • "accessRules": [
    ]
}

Get an access rule.

Use to retrieve the details of an access rule by id.

SecuritybearerAuth
Request
path Parameters
accessRuleId
required
integer <int32> >= 0

The id of the access rule to retrieve

Example: 32
Responses
200

Executed successfully.

401

Unauthorized

403

Forbidden

404

The specified resource was not found

500

unexpected error

503

unexpected error

get/api/v1/authorization/access-rules/{accessRuleId}
Response samples
application/json
{
  • "subjectId": "user@run.ai",
  • "subjectType": "user",
  • "roleId": 53142648,
  • "scopeId": "a418ed33-9399-48c0-a890-122cadd13bfd",
  • "scopeType": "system",
  • "clusterId": "71f69d83-ba66-4822-adf5-55ce55efd210",
  • "roleName": "admin",
  • "scopeName": "tenant-x",
  • "id": 32,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z",
  • "deletedAt": "2019-08-24T14:15:22Z",
  • "tenantId": 1001,
  • "createdBy": "user@run.ai",
  • "status": {
    },
  • "scopePath": "runai/production-cluster/dep-42/prj-73"
}

Delete an access rule.

Use to delete the subject permissions assigned by access rule id.

SecuritybearerAuth
Request
path Parameters
accessRuleId
required
integer <int32> >= 0

The id of the access rule to retrieve

Example: 32
Responses
204

No Content.

401

Unauthorized

403

Forbidden

404

The specified resource was not found

500

unexpected error

503

unexpected error

delete/api/v1/authorization/access-rules/{accessRuleId}
Response samples
application/json
{
  • "code": 401,
  • "message": "Issuer is not familiar."
}

Count access rules.

Use to retrieve the number of access rules.

SecuritybearerAuth
Request
query Parameters
includeDeleted
boolean
Default: false

True to include deleted objects in the result.

Example: includeDeleted=false
filterBy
Array of strings

Filter results by a parameter. Use the format field-name operator value. Operators are == Equals, != Not equals, <= Less than or equal, >= Greater than or equal, =@ contains, !@ Does not contains, =^ Starts with and =$ Ends with. Dates are in ISO 8601 timestamp format and available for operators ==, !=, <= and >=.

Example: filterBy=name!=some-access-rule-name,createdAt>=2023-01-01T00:00:00Z
search
string

Filter results by a free text search.

Example: search=test project
Responses
200

Executed successfully.

400

Bad request.

401

Unauthorized

403

Forbidden

500

unexpected error

503

unexpected error

get/api/v1/authorization/access-rules/count
Response samples
application/json
{
  • "count": 1
}

Delete Multiple Access Rules

SecuritybearerAuth
Request
Request Body schema: application/json
ids
required
Array of strings <uuid> (IdsList) non-empty

List of ids to perform the action on.

action
required
string (AccessRulesBatchAction)

Specifies the operation to perform. Must be set to "delete".

Enum: "delete" "validate_delete"
Responses
200

Request completed successfully.

400

Bad request.

401

Unauthorized

403

Forbidden

500

unexpected error

503

unexpected error

post/api/v1/authorization/access-rules/batch
Request samples
application/json
{
  • "ids": [
    ],
  • "action": "delete"
}
Response samples
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "succeeded": [
    ],
  • "failed": [
    ]
}

Create Multiple Access Rules

Creates a batch of access rules in a single operation. Requires a list of access rule objects, each specifying the subject, role, and scope. Returns the result of the operation, including which rules were successfully created and any that failed, along with error messages if applicable.

SecuritybearerAuth
Request
Request Body schema: application/json
required
object

An array of access rule objects, each containing the role, subject, cluster, and scope to apply.

Responses
200

Request completed successfully.

400

Bad request.

401

Unauthorized

403

Forbidden

500

unexpected error

503

unexpected error

post/api/v1/authorization/access-rules/batch-create
Request samples
application/json
{
  • "payload": {
    }
}
Response samples
application/json
{
  • "succeeded": [
    ],
  • "failed": [
    ]
}
➔ Next to Permissions