Role-based Access Controls (RBAC)
Role-based access control (RBAC) is based on Organizations, Teams and Internal User Roles
Organizationsare the top-level entities that contain Teams.Team- A Team is a collection of multipleInternal UsersInternal Users- users that can create keys, make LLM API calls, view usage on LiteLLMRolesdefine the permissions of anInternal UserVirtual Keys- Keys are used for authentication to the LiteLLM API. Keys are tied to aInternal UserandTeam
Roles
Admin Roles
proxy_admin: admin over the platformproxy_admin_viewer: can login, view all keys, view all spend. Cannot create keys/delete keys/add new users
Organization Roles
org_admin: admin over the organization. Can create teams and users within their organization
Internal User Roles
internal_user: can login, view/create/delete their own keys, view their spend. Cannot add new users.internal_user_viewer: can login, view their own keys, view their own spend. Cannot create/delete keys, add new users.
Onboarding Organizations
1. Creating a new Organization
Any user with role=proxy_admin can create a new organization
Usage
API Reference for /organization/new
curl --location 'http://0.0.0.0:4000/organization/new' \
--header 'Authorization: Bearer sk-1234' \
--header 'Content-Type: application/json' \
--data '{
"organization_alias": "marketing_department",
"models": ["gpt-4"],
"max_budget": 20
}'
Expected Response
{
"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
"organization_alias": "marketing_department",
"budget_id": "98754244-3a9c-4b31-b2e9-c63edc8fd7eb",
"metadata": {},
"models": [
"gpt-4"
],
"created_by": "109010464461339474872",
"updated_by": "109010464461339474872",
"created_at": "2024-10-08T18:30:24.637000Z",
"updated_at": "2024-10-08T18:30:24.637000Z"
}
2. Adding an org_admin to an Organization
Create a user (ishaan@berri.ai) as an org_admin for the marketing_department Organization (from step 1)
Users with the following roles can call /organization/member_add
proxy_adminorg_adminonly within their own organization
curl -X POST 'http://0.0.0.0:4000/organization/member_add' \
-H 'Authorization: Bearer sk-1234' \
-H 'Content-Type: application/json' \
-d '{"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23", "member": {"role": "org_admin", "user_id": "ishaan@berri.ai"}}'
Now a user with user_id = ishaan@berri.ai and role = org_admin has been created in the marketing_department Organization
Create a Virtual Key for user_id = ishaan@berri.ai. The User can then use the Virtual key for their Organization Admin Operations
curl --location 'http://0.0.0.0:4000/key/generate' \
--header 'Authorization: Bearer sk-1234' \
--header 'Content-Type: application/json' \
--data '{
"user_id": "ishaan@berri.ai"
}'
Expected Response
{
"models": [],
"user_id": "ishaan@berri.ai",
"key": "sk-7shH8TGMAofR4zQpAAo6kQ",
"key_name": "sk-...o6kQ",
}
3. Organization Admin - Create a Team
The organization admin will use the virtual key created in step 2 to create a Team within the marketing_department Organization
curl --location 'http://0.0.0.0:4000/team/new' \
--header 'Authorization: Bearer sk-7shH8TGMAofR4zQpAAo6kQ' \
--header 'Content-Type: application/json' \
--data '{
"team_alias": "engineering_team",
"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23"
}'
This will create the team engineering_team within the marketing_department Organization
Expected Response
{
"team_alias": "engineering_team",
"team_id": "01044ee8-441b-45f4-be7d-c70e002722d8",
"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
}
Organization Admin - Add an Internal User
The organization admin will use the virtual key created in step 2 to add an Internal User to the engineering_team Team.
- We will assign role=
internal_userso the user can create Virtual Keys for themselves team_idis from step 3
curl -X POST 'http://0.0.0.0:4000/team/member_add' \
-H 'Authorization: Bearer sk-1234' \
-H 'Content-Type: application/json' \
-d '{"team_id": "01044ee8-441b-45f4-be7d-c70e002722d8", "member": {"role": "internal_user", "user_id": "krrish@berri.ai"}}'