Product DocumentationAPI and Python SDK ReferenceRelease Notes
Schedule a Demo
Schedule a Demo

Default Access Control

In both SaaS and On-prem installations, Arthur ships with a built-in access control system that can be used to manage users, permissions, and access to organizations. This system has different capabilities than the SSO-based paradigm. If your installation is using SSO, please see the Platform Access Control.


Users authenticate to Arthur using a username and password set when their account is created and can be changed later in the UI. Users can also use the Login API endpoint to retrieve a token with Arthur APIs.

Applications and automated systems can authenticate with Arthur using API keys, which can be created in the Arthur UI from the organization menu in the upper right corner, then clicking on Manage API Keys.


Note on using Session Keys

It is not recommended to use API-keys for non-automated use cases as they are not tied to user
identities and can obscure who is performing actions. As a best practice, use API keys minimally only in the systems that need automated access, and be sure to create a rotation practice to ensure safe keeping.

Authorization (RBAC)

The Arthur standard access control system uses role-based access control (RBAC) with a set of pre-defined roles. The available roles for users are User, Model Owner, Administrator, and SuperAdmin. If enrolled in multiple organizations, the user can have a different role in each organization. For a full list of permissions for these 4 standard roles, please reference Arthur Permissions by Standard Roles.

  • User: Has read-only access to the models and data within the organization.
  • Model Owner: Can onboard new models in the enrolled organization as well as send data, including reference data,
    inferences, and ground truth.
  • Administrator: Organization-level administrator that has access to manage users and models within the organization.
  • Super Admin: Has full access to all data, models, and actions on the platform. Can create new organizations and manage users. Only available on-prem.


Custom Roles

If your installation uses SSO, you can take advantage of creating custom roles to fine-tune user
access to Arthur resources. See the documentation on Custom RBAC for more information.

Adding Users to an Organization in the UI

To complete this section, you must have the "Administrator" role in your organization.

Click on the organization menu in the upper right corner and then "Manage Members." From this screen, you can enter the emails of additional users to add to the organization, manage the roles of existing users, and remove users from the organization.


In order for email-based user invites to work, your installation must have an email integration set up. If not, you can use the Arthur APIto create user accounts directly in your organization.

Adding Users to an Organization in the API

Arthur also supports managing users via automated workflows using the REST API. To create a user in your organization, you must have Administrator privileges or access to the super admin user for your Arthur on-prem installation. The following APIs are helpful for managing users:

Switching Between Organizations

If a user is invited to multiple organizations, they can switch between them in the UI. Users can click on the organization menu in the upper right corner and choose one of the other available organizations from that menu to switch to it. If no other organizations appear, that user cannot access any other organizations.