Role-based Access Controls (RBAC)
Role-based access control (RBAC) is based on Organizations, Teams and Internal User Roles
Organizations
are the top-level entities that contain Teams.Team
- A Team is a collection of multipleInternal Users
Internal Users
- users that can create keys, make LLM API calls, view usage on LiteLLMRoles
define the permissions of anInternal User
Virtual Keys
- Keys are used for authentication to the LiteLLM API. Keys are tied to aInternal User
andTeam
Roles​
Admin Roles
proxy_admin
: admin over the platformproxy_admin_viewer
: can login, view all keys, view all spend. Cannot create keys/delete keys/add new users
Organization Roles
org_admin
: admin over the organization. Can create teams and users within their organization
Internal User Roles
internal_user
: can login, view/create/delete their own keys, view their spend. Cannot add new users.internal_user_viewer
: can login, view their own keys, view their own spend. Cannot create/delete keys, add new users.
Onboarding Organizations​
1. Creating a new Organization​
Any user with role=proxy_admin
can create a new organization
Usage
API Reference for /organization/new
curl --location 'http://0.0.0.0:4000/organization/new' \
--header 'Authorization: Bearer sk-1234' \
--header 'Content-Type: application/json' \
--data '{
"organization_alias": "marketing_department",
"models": ["gpt-4"],
"max_budget": 20
}'
Expected Response
{
"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
"organization_alias": "marketing_department",
"budget_id": "98754244-3a9c-4b31-b2e9-c63edc8fd7eb",
"metadata": {},
"models": [
"gpt-4"
],
"created_by": "109010464461339474872",
"updated_by": "109010464461339474872",
"created_at": "2024-10-08T18:30:24.637000Z",
"updated_at": "2024-10-08T18:30:24.637000Z"
}
2. Adding an org_admin
to an Organization​
Create a user (ishaan@berri.ai) as an org_admin
for the marketing_department
Organization (from step 1)
Users with the following roles can call /organization/member_add
proxy_admin
org_admin
only within their own organization
curl -X POST 'http://0.0.0.0:4000/organization/member_add' \
-H 'Authorization: Bearer sk-1234' \
-H 'Content-Type: application/json' \
-d '{"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23", "member": {"role": "org_admin", "user_id": "ishaan@berri.ai"}}'
Now a user with user_id = ishaan@berri.ai
and role = org_admin
has been created in the marketing_department
Organization
Create a Virtual Key for user_id = ishaan@berri.ai
. The User can then use the Virtual key for their Organization Admin Operations
curl --location 'http://0.0.0.0:4000/key/generate' \
--header 'Authorization: Bearer sk-1234' \
--header 'Content-Type: application/json' \
--data '{
"user_id": "ishaan@berri.ai"
}'
Expected Response
{
"models": [],
"user_id": "ishaan@berri.ai",
"key": "sk-7shH8TGMAofR4zQpAAo6kQ",
"key_name": "sk-...o6kQ",
}
3. Organization Admin
- Create a Team​
The organization admin will use the virtual key created in step 2 to create a Team
within the marketing_department
Organization
curl --location 'http://0.0.0.0:4000/team/new' \
--header 'Authorization: Bearer sk-7shH8TGMAofR4zQpAAo6kQ' \
--header 'Content-Type: application/json' \
--data '{
"team_alias": "engineering_team",
"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23"
}'
This will create the team engineering_team
within the marketing_department
Organization
Expected Response
{
"team_alias": "engineering_team",
"team_id": "01044ee8-441b-45f4-be7d-c70e002722d8",
"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
}
Organization Admin
- Add an Internal User
​
The organization admin will use the virtual key created in step 2 to add an Internal User to the engineering_team
Team.
- We will assign role=
internal_user
so the user can create Virtual Keys for themselves team_id
is from step 3
curl -X POST 'http://0.0.0.0:4000/team/member_add' \
-H 'Authorization: Bearer sk-1234' \
-H 'Content-Type: application/json' \
-d '{"team_id": "01044ee8-441b-45f4-be7d-c70e002722d8", "member": {"role": "internal_user", "user_id": "krrish@berri.ai"}}'