# Arthur Standard Access Control Overview
In both SaaS and on-prem installations, Arthur ships with a built-in access control system that can be used to manage
users, permissions, and access to organizations. This system has different capabilities than the SSO-based paradigm. If
your installation is using SSO, please see the {doc}`sso-access-control/index`.
## Authentication
Users authenticate to Arthur using a username and password, which is set when their account is created and can be
changed later in the UI. Users can also use
the [login API endpoint](https://docs.arthur.ai/api-documentation/v3-api-docs.html#tag/auth/paths/~1login/post) to
retrieve a token for use with Arthur APIs.
Applications and automated systems can authenticate with Arthur using API keys, which can be created in the Arthur UI
by opening the organization menu in the upper right corner and clicking Manage API Keys.
```{note}
Using API keys for non-automated use cases is not recommended, as they are not tied to user
identities and can obscure who is performing actions. As a best practice, use API keys only in the systems
that need automated access, and establish a rotation practice to keep them safe.
```
![manage-api-keys](/_static/images/manage-api-keys.png "Organization Menu")
## Authorization (RBAC)
The Arthur standard access control system uses role-based access control (RBAC) with a set of pre-defined roles.
The available roles for users are `User`, `Model Owner`, `Administrator`, and `SuperAdmin`. If enrolled in multiple
organizations, the user can have a different role in each organization. For a full list of permissions for these 4
standard roles, please see {doc}`here </platform-management/reference/permissions_by_standard_roles>`.
* `User`: Has read-only access to the models and data within the organization.
* `Model Owner`: Can onboard new models in the enrolled organization as well as send data including reference data,
inferences, and ground truth.
* `Administrator`: Organization-level administrator who can manage users and models within the organization.
* `Super Admin`: Has full access to all data, models, and actions on the platform. Can create new organizations and
manage users. Only available on-prem.
```{note}
If your installation uses SSO, you can take advantage of creating custom roles to fine-tune user
access to Arthur resources. See {doc}`sso-access-control/custom_rbac` for more information.
```
## Adding Users to an Organization in the UI
To complete this section, you must have the "Administrator" role in your organization.
In the upper right corner, click on the organization menu, then click "Manage Members". From this screen, you can enter
the emails of additional users to add to the organization, manage the roles of existing users, and remove users from the
organization.
```{note}
In order for email-based user invites to work, your installation must have an email integration set up. If
not, you can use the
[Arthur API](https://docs.arthur.ai/api-documentation/v3-api-docs.html#tag/users/paths/~1users/post)
to create user accounts directly in your organization.
```
## Adding Users to an Organization in the API
Arthur also supports managing users via automated workflows using the REST API. In order to create a user in
your organization, you will need to have Administrator privileges in that organization, or have access to the superadmin
user for your Arthur on-prem installation. The following APIs are helpful for managing users:
- [Create a New User](https://docs.arthur.ai/api-documentation/v3-api-docs.html#tag/users/paths/~1users/post)
- [Update User/Change User Password](https://docs.arthur.ai/api-documentation/v3-api-docs.html#tag/users/paths/~1users~1%7Buser_id%7D/patch)
- [Send an Email Invite to a New User](https://docs.arthur.ai/api-documentation/v3-api-docs.html#tag/users/paths/~1users~1invite_users/post)
## Switching Between Organizations
If a user is invited to multiple organizations, they will have the ability to switch between them in the UI.
The user can click on the organization menu in the upper right corner and choose one of the other available
organizations from that menu to switch to it. If no other organizations appear, that user does not have access to any
other organizations.