Access Controls
Access Controls govern who can do what within SensibleAI portfolio solutions. They ensure users can only access the resources they need, perform the actions they're authorized for, and stay within allocated limits—maintaining security and operational governance across your organization.
What Are Access Controls?
Access controls in Xperiflow manage authorization through a flexible, layered system. Rather than simple binary yes/no permissions, Xperiflow uses a sophisticated model that can express nuanced rules like "User A can run up to 5 jobs in Project X but only read data in Project Y" using permissions.
This enables organizations to:
-
Protect sensitive resources — Control who can view, modify, or delete data
-
Manage resource consumption — Set limits on jobs, memory, and CPU usage
-
Delegate responsibilities — Grant appropriate access levels to different teams
-
Maintain compliance — Enforce governance policies across all operations
Core Concepts
The access control system is built on four interconnected concepts:
Identities — Who
An Identity represents someone or something that can be granted access. Xperiflow supports two types:
Type | Description |
|---|---|
User | An individual person in the system |
Group | A collection of users with shared access needs |
Groups can contain users and other groups, allowing hierarchical access structures like departments, teams, or project groups.
Roles — Bundles of Permissions
A Role is a named collection of permissions. Rather than assigning individual permissions to each user, you assign roles—making access management scalable and consistent.
Xperiflow provides built-in system roles:
Role | Capabilities |
|---|---|
Viewer | Read-only access |
Editor | Read and write access |
Manager | Read, write, and delete access |
Admin | Full system access |
Organizations can also create custom roles tailored to specific job functions.
Permissions — What
A Permission defines a specific capability or limit. Xperiflow supports two categories:
Existential Permissions — Control whether an action is allowed:
-
Read — View resources and data
-
Write — Create and modify resources
-
Delete — Remove resources
Limit Permissions — Control how much of something can be used:
-
Job Limit — Maximum concurrent jobs
-
Memory Limit — Maximum memory per operation
-
CPU Limit — Maximum CPU allocation
-
Project Limit — Maximum projects accessible
-
Scheduled Job Limit — Maximum scheduled jobs
Scopes — Where
A Scope defines the boundary within which a role assignment applies. Access granted at one scope doesn't automatically extend to others.
Scope Type | Description |
|---|---|
Global | Applies across the entire system |
App | Applies to a specific application environment (e.g., DEV, PROD) |
Solution | Applies to a specific solution (e.g., Studio) |
AppSolution | Applies to a specific solution within a specific app (e.g., DEV - Studio) |
Project | Applies to a specific project |
How Access Is Determined
When a user attempts an action, Xperiflow evaluates their access using RSI Relations—Role-Scope-Identity associations that bind the three concepts together.
Users must have an RSI assignment for their user to interact with SensibleAI Forecast, SensibleAI Studio, or SensibleAI Studio Powered solutions.
Inheritance and Resolution
Access is evaluated hierarchically:
-
Identity hierarchy — Users inherit permissions from their groups
-
Scope hierarchy — Child scopes can inherit from parent scopes
-
Permission resolution — When multiple permissions apply, all constraints must be satisfied
For example, if a group has a 15-job limit and an individual user within that group has a 1-job limit, the user can only run 1 job—the more restrictive limit applies.
Key Takeaways
Concept | Purpose |
|---|---|
Identities | Represent users and groups |
Roles | Bundle permissions for easy assignment |
Permissions | Define specific capabilities and limits |
Scopes | Constrain where access applies |
RSI Relations | Link identities to roles within scopes |
Access controls ensure your Xperiflow environment remains secure, governed, and appropriately partitioned across your organization's needs.