Access Control

Montag has an access control system that allows you to control access to various components of the system with rule sets

Access control in Montag works on a “deny” basis, meaning that if a user has a role that allows them to access a component, they will be able to access it. If they do not have a role that allows them to access a component, they will not be able to access it.

The access rules have four settings:

  • Read: Allows the user to read the component
  • Write: Allows the user to write to the component
  • Delete: Allows the user to delete the component
  • List: Allows the user to list the component
  • Show: Allows the user to show the component
  • Admin (*): Allows the user to administer the component

(*) Admin access is a special case, it allows the user to perform all actions on the component, including deleting it.

Access rules are applied to all UI components. For certain actions, it is important to allow users to list components but not read them so they can use them in objects that have dependencies (for example a chat-bot may need access to slack credentials, but you do not want the user to be able to read the credentials in question).


Montag provides two “roles” out of the box, these are provided in the ACL editor as:

  • Administator: This role has access to all components
  • AI Developer: This role has access only to the components required for using the AI Developer Portal

Sample Access Control Rule Set

An example access control rule set is shown below:

    "access_control":     "",
    "secrets":            "",
    "api_tokens":         "",
    "completions":        "",
    "model_roles":        "",
    "api_clients":        "l",
    "vector_dbs":         "l",
    "slack_clients":      "",
    "embeddings":         "",
    "learning_plans":     "l,s",
    "content_snippets":   "",
    "resource_expanders": "",
    "prompts":            "",
    "bots":               "",
    "ai_functions":       "",
    "scripts":            "",
    "workspaces":         "l",
    "namespaces":         "r,l,s",
    "privacytiers":       "r,l,s",
    "datasource":         "r,l,s",
    "application":        "r,l,w,s",
    "llm_config":         "",
    "embed_config":       "",
    "developer_dashboard": "r",
    "global": "r"