Skip to main content

Roles and Access Control for JWT

Introduction

You can configure DIAL to work with various identity service providers, where you can manage your users and user groups. In the DIAL Core Dynamic Settings, you can enable roles and configure their access to system resources.

Refer to About Roles to learn more.

Step 1: Configure IDP

For DIAL Chat users, you can define user groups/roles/pools (it depends on a specific IDP) in your identity service provider (IDP) which are then passed to DIAL Core in JWT.

Refer to Configure IDPs to view supported IDPs and learn how to configure them.

Step 2: Configure DIAL Core

Add Roles

You can then utilize user roles from the JWT claims to define roles in the DIAL Core dynamic settings as a userRoles parameter value. In the following example, we grant access to chat-gpt-35-turbo model for users with the operator user role. Using the same pattern, you can define user access to applications.

"models": {
    "chat-gpt-35-turbo": {
        "userRoles": [
            "operator"
            ]
        }
}

Refer to DIAL Core Dynamic Settings to view the description of all the supported configuration parameters.

IMPORTANT:

  • Always use roles from the JWT claims that you receive from your IDP.
  • If a user's IDP roles aren't explicitly mentioned in the DIAL configuration, a "default" role is applied.
  • If the "default" role is not defined or has no limits set, access to the resource is unrestricted.

Add Limits

In the roles section of the DIAL Core dynamic settings, you can configure token usage and sharing limits for roles that apply to specific system resources.

Effective role rule:

  • If a user has a role A and B from the IDP which are not mentioned in the roles section, limits from the default role apply.
  • If the default role is not defined in the roles section or does not have limits configured for it - the access is unlimited.

In this example, we define the operator role with limits for the chat-gpt-35-turbo model and sharing limits for applications and files.

"roles": {
    "operator": {
        "limits": {
            "chat-gpt-35-turbo": {
                "minute": "200000",
                "day": "10000000",
                "week": "10000000",
                "month": "10000000",
            }
        },
        "share": {
            "APPLICATION": {
                "invitation_ttl": "24",
                "max_accepted_users": "10"
                },
            "FILE": {
                "invitation_ttl": "24",
                "max_accepted_users": "10"
                }
        }
    }
}

Refer to DIAL Core Dynamic Settings to view the description of all the supported configuration parameters.