# Project-based Authentication

In large enterprises with multiple teams and departments, it's often necessary to restrict resources to specific users or groups, ensuring that the right people have access to the appropriate resources. In Seldon Enterprise Platform, this can be achieved by defining namespace or project-based access controls within an `OPA` policy `ConfigMap` called `seldon-deploy-policies`. This setup allows granting users or groups access to specific deployments or models within a namespace or project. For example, a data science team may have access to all models within a specific project, while a DevOps team may have access across all namespaces.

## Prerequisites

* Install [PostgreSQL](/seldon-enterprise-platform/production-environment/postgresql/managed-postgresql.md).
* Configure [Authentication](/seldon-enterprise-platform/architecture/authentication.md).
* Enable [Open Policy Agent authorization](/seldon-enterprise-platform/production-environment/authorization.md), along with project-based auth.

## Policies Setup

In this demo, you can use an OIDC provider for authentication, with two pre-configured users, `alice` and `bob`, who both belong to the `data-scientist` group. You need to set up the following permissions:

* Members of the `data-scientist` group should have read-write access to all namespaces.
* All users should have read-write access to the default project.
* User `alice` should have read-write access to the iris and income projects.
* User `bob` should have read-only access to the income project.

These permissions are reflected in the following `seldon-deploy-policies` ConfigMap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: seldon-deploy-policies
  namespace: seldon-system
data:
  data: |-
    {
      "role_grants": {
        "data-scientist": [
          {
            "action": "read",
            "resource": "namespace/*"
          },
          {
            "action": "write",
            "resource": "namespace/*"
          }
        ],
        "system-admin": [
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      },
      "user_grants": {
        "*": [
          {
            "action": "read",
            "resource": "project/default"
          },
          {
            "action": "write",
            "resource": "project/default"
          }
        ],
        "service-account-sd-api": [
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          }
        ],
        "alice": [
          {
            "action": "read",
            "resource": "project/iris"
          },
          {
            "action": "write",
            "resource": "project/iris"
          },
          {
            "action": "read",
            "resource": "project/income"
          },
          {
            "action": "write",
            "resource": "project/income"
          }
        ],
        "bob": [
          {
            "action": "read",
            "resource": "project/income"
          }
        ],
        "admin": [
          {
            "action": "read",
            "resource": "project/*"
          },
          {
            "action": "write",
            "resource": "project/*"
          },
          {
            "resource": "namespace/*",
            "action": "write"
          },
          {
            "resource": "namespace/*",
            "action": "read"
          },
          {
            "resource": "system/iam",
            "action": "write"
          },
          {
            "resource": "system/iam",
            "action": "read"
          }
        ]
      }
    }
```
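Before applying a policy ConfigMap, it is worth checking offline that it actually grants the four permissions listed above and nothing more. The script below is an added example, not Seldon's own OPA/Rego policy or any code from the project: it parses the JSON body of the `data` key exactly as the ConfigMap above carries it and evaluates requests under the grant semantics this page implies (`role_grants` keyed by group, `user_grants` keyed by user, a `*` user key applying to everyone, a `*` resource name matching every resource of that type, deny unless some applicable grant matches). The `DEMO_DEPLOYMENTS` inventory, the `seldon-demo` namespace and the placeholder users `anyone` and `newcomer` are constructed for the example; the visibility rule (a deployment is listed only if its namespace and its project are both readable) is likewise an assumption that reproduces the outcome described in the confirmation steps, not a statement of how the product implements it.

```python
"""Offline sanity check for a seldon-deploy-policies ConfigMap (added example).

ASSUMED semantics, not Seldon's Rego: role_grants are keyed by group, user_grants
by user, "*" as a user key applies to everyone, "*" as a resource name matches any
resource of that type, and a request is allowed only if some grant matches.
"""
import json

# JSON body of the ConfigMap's `data` key from this page, kept as the raw string
# so it is parsed the same way the ConfigMap carries it.
POLICY_JSON = r"""{
  "role_grants": {
    "data-scientist": [{"action": "read", "resource": "namespace/*"},
                       {"action": "write", "resource": "namespace/*"}],
    "system-admin": [{"action": "write", "resource": "system/iam"},
                     {"action": "read", "resource": "system/iam"}]},
  "user_grants": {
    "*": [{"action": "read", "resource": "project/default"},
          {"action": "write", "resource": "project/default"}],
    "service-account-sd-api": [{"action": "write", "resource": "namespace/*"},
                               {"action": "read", "resource": "namespace/*"},
                               {"action": "read", "resource": "project/*"},
                               {"action": "write", "resource": "project/*"}],
    "alice": [{"action": "read", "resource": "project/iris"},
              {"action": "write", "resource": "project/iris"},
              {"action": "read", "resource": "project/income"},
              {"action": "write", "resource": "project/income"}],
    "bob": [{"action": "read", "resource": "project/income"}],
    "admin": [{"action": "read", "resource": "project/*"},
              {"action": "write", "resource": "project/*"},
              {"action": "write", "resource": "namespace/*"},
              {"action": "read", "resource": "namespace/*"},
              {"action": "write", "resource": "system/iam"},
              {"action": "read", "resource": "system/iam"}]}}"""
POLICY = json.loads(POLICY_JSON)

# Constructed inventory: the three pipelines from the walk-through, all assumed to
# live in a namespace called "seldon-demo" (name -> (namespace, project)).
DEMO_DEPLOYMENTS = {
    "iris-default": ("seldon-demo", "default"),
    "iris-iris": ("seldon-demo", "iris"),
    "income": ("seldon-demo", "income"),
}


def resource_matches(pattern, resource):
    """'project/*' matches any 'project/<name>'; otherwise type and name must match."""
    ptype, _, pname = pattern.partition("/")
    rtype, _, rname = resource.partition("/")
    return ptype == rtype and (pname == "*" or pname == rname)


def applicable_grants(policy, user, groups):
    """Grants that apply to a principal: everyone's, the user's, and each group's."""
    user_grants = policy.get("user_grants", {})
    grants = list(user_grants.get("*", [])) + list(user_grants.get(user, []))
    for group in groups:
        grants += policy.get("role_grants", {}).get(group, [])
    return grants


def is_allowed(policy, user, groups, action, resource):
    """Deny by default; allow only when some applicable grant matches."""
    return any(
        g["action"] == action and resource_matches(g["resource"], resource)
        for g in applicable_grants(policy, user, groups)
    )


def visible_deployments(policy, user, groups, deployments):
    """Assumed listing rule: both the namespace and the project must be readable."""
    return sorted(
        name for name, (ns, project) in deployments.items()
        if is_allowed(policy, user, groups, "read", f"namespace/{ns}")
        and is_allowed(policy, user, groups, "read", f"project/{project}")
    )


def failed_requirements(policy):
    """Names of the page's four stated requirements that the policy does not meet."""
    ds = ["data-scientist"]
    checks = {
        "data-scientist read-write on all namespaces": all(
            is_allowed(policy, "anyone", ds, a, "namespace/any-ns") for a in ("read", "write")),
        "all users read-write on project/default": all(
            is_allowed(policy, "newcomer", [], a, "project/default") for a in ("read", "write")),
        "alice read-write on iris and income": all(
            is_allowed(policy, "alice", ds, a, f"project/{p}")
            for a in ("read", "write") for p in ("iris", "income")),
        "bob read-only on income": (
            is_allowed(policy, "bob", ds, "read", "project/income")
            and not is_allowed(policy, "bob", ds, "write", "project/income")
            and not is_allowed(policy, "bob", ds, "read", "project/iris")),
    }
    return sorted(name for name, ok in checks.items() if not ok)


if __name__ == "__main__":
    print("violations:", failed_requirements(POLICY) or "none")
    for who in ("alice", "bob"):
        print(who, "sees", visible_deployments(POLICY, who, ["data-scientist"], DEMO_DEPLOYMENTS))
```

Run it against an edited policy before a rollout: a grant added to `bob` by mistake shows up in `failed_requirements`, and `visible_deployments` gives the listing each user should expect in the **Overview** page, so a mismatch with the UI points at a policy that was not reloaded or an OIDC group claim that does not map to `data-scientist`.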

## Confirm Policies Are Working

1. Log in as `alice`.
2. Go to the **Model Catalog** page and create the following models. For more details, see [Model Catalog](/seldon-enterprise-platform/demos/general/model-catalog.md):

   |   | Name   | URI                                                                        | Project | Artifact type |
   | - | ------ | -------------------------------------------------------------------------- | ------- | ------------- |
   | 1 | Iris   | `gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn`              | default | SciKit Learn  |
   | 2 | Iris   | `gs://seldon-models/scv2/samples/mlserver_1.6.0/iris-sklearn`              | iris    | SciKit Learn  |
   | 3 | Income | `gs://seldon-models/scv2/samples/mlserver_1.6.0/income-sklearn/classifier` | income  | SciKit Learn  |

   Your Model Catalog page should look similar to the following:

   ![Model Catalog page showing all three newly created models](/files/vPftWtrK7QbMhHiqQMvN)
3. Create a `Seldon ML Pipeline` from each of these models using the **Deploy** option in the **Model Catalog** page. Make sure to set the deployment type as `Seldon ML Pipeline` in the **Deployment Creation Wizard**.

   The pipeline names could be:

   * `iris-default`
   * `iris-iris`
   * `income`

   Your **Overview** page should look similar to the following now:

   ![Overview page showing all three newly created Seldon Deployments](/files/eKYHunkoJ2jtV2ls0UWg)
4. Log out from the `alice` profile and log in as `bob`.
5. Confirm that you only see the deployments `income` and `iris-default`, because `bob` does not have any access to the `iris` project.

   ![Overview page showing only the deployments using models in the default and income projects](/files/GCqFTMNkzMsRa1MtkfOT)
6. Navigate to the **Model Catalog** page and verify that you only see the models in the `default` and `income` projects, but not the `iris` project.

   ![Model Catalog page showing only the models in the default and income projects](/files/efNfYVhzNZCnwJn6slyx)
7. Verify that you cannot delete or modify the `income` model in the **Model Catalog**, because `bob` has only `read` permissions on the `income` project.

   ![Bob cannot delete the model that is part of the income project due to lack of permissions](/files/3Ax177L9BZwaEaB7qyUR)

   ![Bob cannot modify the model that is part of the income project due to lack of permissions](/files/ucEoFTTWHok4NVIEUeyQ)
8. In the **Overview** page, click the `income` deployment, and in the **Dashboard** page, confirm that you cannot delete or modify the deployment.

   ![Bob cannot delete the deployment that is part of the income project due to lack of permissions](/files/c5fmAxCwoNrVpBZ5G73c)