Identity and Access Management
Identity and Access Management (IAM) is a comprehensive framework within the TIR AI Platform that controls who can access your resources and what actions they can perform. IAM enables organizations to manage projects with fine-grained access control, ensuring that users only have the permissions necessary for their role.
Overview
TIR organizes access around the following structure:
- Projects — Workspaces where AI/ML resources (notebooks, endpoints, datasets, etc.) are created and managed.
- Services — Resources and tools that exist within a project.
Each user is assigned a role at either the account level or project level, which determines their permissions within that scope.
User Types
| Type | Description |
|---|---|
| Owner | The Owner is the primary account authority with unrestricted access to all organizational resources, projects, and user management functions. This role has ultimate control over the account and cannot be modified, reassigned, or removed by any other role. |
| User | A User is any identity provisioned with access to the account. Users operate under assigned roles, which define their permissions, access scope, and allowed actions across the platform. |
IAM Hierarchy
TIR follows a hierarchical Role-Based Access Control (RBAC) model. Access is structured across two primary levels: account-level and project-level, with permissions cascading downward.
Hierarchy Structure

Role Classification
Account-Level Role
Admin
The Admin role operates at the account level and has organization-wide visibility and control across all projects, users, and resources. This role is responsible for account administration and governance.
Project-Level Roles
All project-level roles fall under the User category and are scoped to individual projects.
- Project Manager — Has full control over assigned projects, including project creation, configuration, and user management within the project scope.
- Project Lead — Assists in managing project operations. Can manage project members but is restricted to assigning the Member role only.
- Member — Operates within a project with permissions defined by assigned policies. Access is limited and granular.
Roles
Admin
The Admin role is an account-level role that provides broad visibility and management capabilities across the organization. Admins are responsible for user management, project administration, and overall operational oversight.
Permissions:
- Full access to all projects within the account
- Ability to create and manage projects
- Invite users and assign roles (excluding Admin role assignment)
- Add, update, or remove members across any project
- Manage resource access and configurations across projects
Restrictions:
- Cannot create, modify, or remove other Admin users
- Cannot modify or remove the Owner role
Project Manager
The Project Manager role is a project-scoped role with elevated operational authority. Project Managers hold full administrative control over their assigned projects and are also authorized to initiate new projects within the account.
Permissions:
- Full access to all resources within their assigned projects
- Ability to create new projects within the account
- Add and manage project members at the Project Lead or Member level
- Assign and update access policies for project members
- Manage project settings, including name and description
Restrictions:
- Cannot access or manage projects they are not assigned to
- Cannot add users at the Project Manager level or above
Project Lead
The Project Lead role is a project-scoped role designed for users who require operational control without full administrative authority. Project Leads can manage day-to-day project operations — including resources, settings, and policies — but are restricted to onboarding users at the Member level only.
Permissions:
- Full access to resources within their assigned project
- Invite and add users to the project at the Member role level
- Assign and update access policies for Members within the project
- Manage project settings, including name and description
- Use all services available within the project
Restrictions:
- Cannot create new projects
- Cannot add users at the Project Lead level or above
- Cannot access or manage projects they are not assigned to
Member
The Member role is a policy-driven, project-scoped role intended for contributors who require access to specific services within a project. All resource access is strictly governed by the policy assigned at the time of onboarding.
Permissions:
- Access to TIR services and operations as defined by their assigned policy
- Ability to use and interact with resources within the scope of their policy
Restrictions:
- Cannot add or manage other users
- Cannot access services outside the scope of their assigned policy
- Cannot modify project settings or membership
Every Member must be assigned a policy. Policies define which TIR services and operations the member can access within the project. See Policies to learn how to create and manage them.
Role Permissions at a Glance
| Capability | Admin | Project Manager | Project Lead | Member |
|---|---|---|---|---|
| Access all projects | ✓ | — | — | — |
| Create projects | ✓ | ✓ | — | — |
| Invite users to the account | ✓ (below Admin) | ✓ (Lead or Member) | ✓ (Member only) | — |
| Edit or remove existing users | ✓ (not Admins or Owner) | — | — | — |
| Manage project settings | ✓ | ✓ | ✓ | — |
| Create and manage policies | ✓ | ✓ | ✓ | — |
| Use project services | ✓ | ✓ | ✓ | ✓ (per policy) |
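The role-granting rules above can be checked mechanically when reviewing who granted what. The following is an added example, not TIR code or a TIR API: the event fields (`actor_role`, `actor_projects`, `project`, `granted_role`, `policy`) and the sample events are constructed for illustration. It assumes the Owner may grant any role below Owner, and reduces the table to one rule: a role can be granted only by a role strictly above it.

```python
# Added example: models the role-granting rules described on this page.
# Event fields are hypothetical, not a TIR audit-log or API format.
RANK = {"Owner": 4, "Admin": 3, "Project Manager": 2, "Project Lead": 1, "Member": 0}
ACCOUNT_LEVEL = {"Owner", "Admin"}  # these roles act across every project


def grant_violations(event):
    """Return the reasons a role grant breaks the documented hierarchy."""
    actor, target = event["actor_role"], event["granted_role"]
    if actor not in RANK or target not in RANK:
        return [f"unknown role: {actor!r} -> {target!r}"]
    reasons = []
    # Every row of the table reduces to: grant only roles strictly below your own.
    if RANK[target] >= RANK[actor]:
        reasons.append(f"{actor} may not grant {target}")
    # Project Manager and Project Lead act only inside their assigned projects.
    if actor not in ACCOUNT_LEVEL and event["project"] not in event["actor_projects"]:
        reasons.append(f"{actor} is not assigned to {event['project']}")
    # Every Member must be onboarded with a policy.
    if target == "Member" and not event.get("policy"):
        reasons.append("Member granted without a policy")
    return reasons


def audit(events):
    """Map event id -> list of violations, for events that have any."""
    return {e["id"]: v for e in events if (v := grant_violations(e))}


# Constructed sample events (not real TIR output).
SAMPLE_EVENTS = [
    {"id": 1, "actor_role": "Admin", "actor_projects": [], "project": "p1",
     "granted_role": "Project Manager", "policy": None},
    {"id": 2, "actor_role": "Admin", "actor_projects": [], "project": "p1",
     "granted_role": "Admin", "policy": None},
    {"id": 3, "actor_role": "Project Lead", "actor_projects": ["p1"], "project": "p1",
     "granted_role": "Project Lead", "policy": None},
    {"id": 4, "actor_role": "Project Manager", "actor_projects": ["p1"], "project": "p2",
     "granted_role": "Member", "policy": "read-only"},
    {"id": 5, "actor_role": "Project Lead", "actor_projects": ["p1"], "project": "p1",
     "granted_role": "Member", "policy": None},
    {"id": 6, "actor_role": "Project Lead", "actor_projects": ["p1"], "project": "p1",
     "granted_role": "Member", "policy": "notebooks-only"},
]

if __name__ == "__main__":
    for event_id, reasons in audit(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Events 2 through 5 are flagged: an Admin granting Admin, a Project Lead granting its own level, a Project Manager acting outside an assigned project, and a Member onboarded without a policy.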
Next Steps
- IAM Panel — Manage users, send invitations, and assign roles
- Project Settings — Manage projects, members, policies, and resource usage
- Audit Logs — View event history across all TIR services