User Roles and Permissions

Overview

This document presents a comprehensive breakdown of roles and permissions within the AGENT platform. Roles ensure smooth collaboration, resource allocation, and data management.

Let's delve into the specifics of each role and their associated permissions.

Roles

The AGENT Platform has five user roles, each with specific permissions and goals. They are as follows:

| Role | Description |
| --- | --- |
| Platform Admin | As the platform's overseer, the Platform Admin holds the highest level of authority and governs all aspects of user roles and permissions. |
| Dataset Admin | The dataset admin is pivotal in data management and resource allocation. They are responsible for managing datasets and allocating Privacy Budgets for both datasets and teams. |
| Team Admin | Responsible for managing teams and Privacy Budgets for users, the Team Admin ensures smooth collaboration and resource utilisation within their designated teams. |
| User/Member | Users can create datasets and teams, utilise datasets, consume allocated Privacy Budgets, and contribute to projects and data analysis. |

Role Assigning

When member users create a dataset or team, the corresponding role is assigned to them automatically. For example, if they create a dataset, they become the Dataset Admin for that particular dataset, holding its corresponding permissions.

Roles are not mutually exclusive, meaning users can hold multiple roles simultaneously, with varying degrees of permission. See the following example diagram:

[Figure: Roles Diagram]

The diagram illustrates how Users can hold multiple roles and manage teams and datasets simultaneously. They can also analyze other datasets and be members of different teams.

Permissions

The tables in the sections below describe the permissions available for each user role, which serve as a cornerstone for understanding the various user roles and their corresponding access levels. They are presented separately for each feature of the platform. The symbols in the tables denote:

| Symbol | Meaning |
| --- | --- |
| Allowed | Allowed |
| Not allowed | Not allowed |
| Allowed for self | Allowed for a user within their own profile |
| Allowed for team | Allowed within a team |

Datasets

When it comes to Datasets, the Dataset Admin is the central figure. The Dataset Admin holds permission to edit and manage datasets, answers Privacy Budget requests, and delegates Privacy Budgets to teams. Member users can create a dataset and receive the Dataset Admin Role.

The following table showcases the permissions for Datasets:

| Permission | Platform Admin | Dataset Admin | Team Admin | User member |
| --- | --- | --- | --- | --- |
| Add a new dataset | Not allowed | Not allowed | Not allowed | Allowed |
| Delete a dataset | Allowed | Allowed | Not allowed | Not allowed |
| Read a dataset | Allowed | Allowed | Not allowed | Not allowed |
| Read a public dataset | Not allowed | Not allowed | Not allowed | Allowed |
| Update variable dataset information | Allowed | Allowed | Not allowed | Not allowed |
| View all of the sessions which accessed the data | Allowed | Allowed | Not allowed | Not allowed |
| Read the source of the dataset details | Allowed | Allowed | Not allowed | Not allowed |
| Update source of the dataset details | Allowed | Allowed | Not allowed | Not allowed |
| Read changes that were made to the dataset | Allowed | Allowed | Not allowed | Not allowed |
| Delegate Privacy Budget to teams and users | Allowed | Allowed | Not allowed | Not allowed |
| Read the Privacy Budget to teams and users | Allowed | Allowed | Not allowed | Not allowed |
| Update people's Privacy Budget | Allowed | Allowed | Not allowed | Not allowed |
| Remove the Privacy Budget delegated to people | Allowed | Allowed | Not allowed | Not allowed |
| Read the Privacy Budget requests coming in | Allowed | Allowed | Not allowed | Not allowed |
| Update (accept/reject) requests | Allowed | Allowed | Not allowed | Not allowed |
| Read dataset admins | Allowed | Allowed | Not allowed | Not allowed |
| Update dataset admins | Allowed | Allowed | Not allowed | Not allowed |

Teams

The Team Admins hold most permissions to manage teams. They can delete and edit teams, delegate the Privacy Budget to their team members, and more.

The following table showcases the permissions for Teams:

| Permission | Platform Admin | Dataset Admin | Team Admin | User member |
| --- | --- | --- | --- | --- |
| Create a new team | Not allowed | Not allowed | Not allowed | Allowed |
| Delete a team | Allowed | Not allowed | Allowed | Not allowed |
| Search for a team using name/slug | Not allowed | Not allowed | Not allowed | Allowed |
| Read team details | Allowed | Not allowed | Allowed | Not allowed |
| Update team details | Allowed | Not allowed | Allowed | Not allowed |
| Read session Privacy Budget spends | Allowed | Not allowed | Allowed | Not allowed |
| Add a user to a team | Allowed | Not allowed | Allowed | Not allowed |
| See the users in a team | Allowed | Not allowed | Allowed | Not allowed |
| Remove a user from a team | Allowed | Not allowed | Allowed | Not allowed |
| Read datasets accessible to the team | Allowed | Not allowed | Allowed | Allowed for team |
| Read the code executed by a user | Allowed | Not allowed | Allowed | Not allowed |
| Give a team new permissions | Allowed | Not allowed | Allowed | Not allowed |
| Read the permissions of a team | Allowed | Not allowed | Allowed | Not allowed |
| Remove a permission from a team | Allowed | Not allowed | Allowed | Not allowed |
| Assign Privacy Budgets to users in the team | Allowed | Not allowed | Allowed | Not allowed |
| Read the Privacy Budgets of users in the team | Allowed | Not allowed | Allowed | Not allowed |
| Update the Privacy Budgets for users in the team | Allowed | Not allowed | Allowed | Not allowed |
| Remove Privacy Budgets from users in the team | Allowed | Not allowed | Allowed | Not allowed |
| Create Privacy Budget request for the team | Not allowed | Not allowed | Allowed | Not allowed |
| Read Privacy Budget requests made for the team | Allowed | Not allowed | Allowed | Not allowed |
| Cancel Privacy Budget requests for the team | Not allowed | Not allowed | Allowed | Not allowed |
| Read budget requests made by users of the team for Privacy Budget via team | Allowed | Not allowed | Allowed | Not allowed |
| Approve/reject Privacy Budget requests from the users | Allowed | Not allowed | Allowed | Not allowed |
| Read the changes made on the team | Allowed | Not allowed | Allowed | Not allowed |
| Read the sessions made for the team | Allowed | Not allowed | Allowed | Not allowed |

Users

The Platform Admins can add and remove users from the platform. Members can also manage their accounts, edit their variable information, and read their account details.

The following table showcases the permissions for Users:

| Permission | Platform Admin | Dataset Admin | Team Admin | User member |
| --- | --- | --- | --- | --- |
| Add a new user | Allowed | Not allowed | Not allowed | Not allowed |
| Delete a user | Allowed | Not allowed | Not allowed | Not allowed |
| Search for a user (only name and email) | Not allowed | Not allowed | Not allowed | Allowed |
| Read user details | Allowed | Not allowed | Not allowed | Allowed for self |
| Update variable user information | Not allowed | Not allowed | Not allowed | Allowed for self |
| Create a password | Allowed | Not allowed | Not allowed | Allowed for self |
| Change password | Not allowed | Not allowed | Not allowed | Allowed for self |
| Delete password (i.e. switch to SSO) (only if SSO exists) | Allowed | Not allowed | Not allowed | Allowed for self |
| Create SSO | Allowed | Not allowed | Not allowed | Not allowed |
| Remove SSO | Allowed | Not allowed | Not allowed | Not allowed |
| Read a user's notification | Not allowed | Not allowed | Not allowed | Allowed for self |
| Update a notification (mark as read/seen) | Not allowed | Not allowed | Not allowed | Allowed for self |
| Read the teams a user is a member of | Allowed | Not allowed | Not allowed | Allowed for self |
| Read the sessions the user made | Allowed | Not allowed | Not allowed | Allowed for self |
| Read the changes the user did | Allowed | Not allowed | Not allowed | Allowed for self |
| Read the Privacy Budgets that the user has | Allowed | Not allowed | Not allowed | Allowed for self |
| Create a Privacy Budget request for a user | Not allowed | Not allowed | Not allowed | Allowed for self |
| Read the Privacy Budget requests | Allowed | Not allowed | Not allowed | Allowed for self |
| Terminate a Privacy Budget request | Not allowed | Not allowed | Not allowed | Allowed for self |
| See a 2FA request | Not allowed | Not allowed | Not allowed | Allowed for self |
| Update it as accept/reject | Not allowed | Not allowed | Not allowed | Allowed for self |
| Read user permissions | Allowed | Not allowed | Not allowed | Allowed for self |
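
The role assignment rules and the three "allowed" symbols described on this page can be expressed as a deny-by-default check. The following is an added sketch, not AGENT's own code: `POLICY`, `User`, `is_allowed`, `create_dataset` and the action strings are hypothetical names, and only four rows of the tables are encoded. It assumes Dataset Admin and Team Admin are held per dataset and per team (as the Role Assigning section describes), while Platform Admin and member are account-wide.

```python
from dataclasses import dataclass, field

# Added example, hypothetical names. A few rows copied from the page's tables as
# action -> {role: scope}; a role missing from a row is "Not allowed".
POLICY = {
    "dataset.create":       {"member": "any"},
    "dataset.delete":       {"platform_admin": "any", "dataset_admin": "any"},
    "team.read_datasets":   {"platform_admin": "any", "team_admin": "any", "member": "team"},
    "user.change_password": {"member": "self"},
}

@dataclass
class User:
    uid: str
    global_roles: set = field(default_factory=lambda: {"member"})
    admin_of_datasets: set = field(default_factory=set)  # Dataset Admin, per dataset
    admin_of_teams: set = field(default_factory=set)     # Team Admin, per team
    member_of_teams: set = field(default_factory=set)

def is_allowed(user, action, *, dataset=None, team=None, subject=None):
    """Union over every role held for this target; unknown actions are denied."""
    held = set(user.global_roles)
    if dataset in user.admin_of_datasets:
        held.add("dataset_admin")
    if team in user.admin_of_teams:
        held.add("team_admin")
    scope_ok = {
        "any": True,                              # "Allowed"
        "self": subject == user.uid,              # "Allowed for self"
        "team": team in user.member_of_teams,     # "Allowed for team"
    }
    return any(r in held and scope_ok[s] for r, s in POLICY.get(action, {}).items())

def create_dataset(user, dataset_id):
    if not is_allowed(user, "dataset.create"):
        raise PermissionError(f"{user.uid} may not create datasets")
    user.admin_of_datasets.add(dataset_id)  # creator becomes admin of this dataset only

def demo():
    alice, bob = User("alice"), User("bob", member_of_teams={"t1"})
    root = User("root", global_roles={"platform_admin"})
    create_dataset(alice, "ds-a")
    create_dataset(bob, "ds-b")
    return {
        "alice deletes ds-a": is_allowed(alice, "dataset.delete", dataset="ds-a"),
        "alice deletes ds-b": is_allowed(alice, "dataset.delete", dataset="ds-b"),
        "root deletes ds-b": is_allowed(root, "dataset.delete", dataset="ds-b"),
        "root changes bob's password": is_allowed(root, "user.change_password", subject="bob"),
        "bob reads team t1 datasets": is_allowed(bob, "team.read_datasets", team="t1"),
    }
```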