Skip to content
Managing Users and OAuth Clients

Managing Users and OAuth Clients in the RAI Console

This guide explains how to manage users and OAuth clients in the RAI Console.

Note that you can also manage users and OAuth clients through the CLI — see Managing Users and Managing OAuth Clients — and the RelationalAI SDKs.

Managing Users

When you log into the RAI Console as a user with admin permissions, a Settings icon appears on the left-hand side of the Console. Clicking the Settings icon opens the Settings page, where you can access the Users page to manage users and the OAuth Clients page to manage OAuth clients.

Using the Users Page

users-page

Here’s how to navigate the Users page:

  1. To access the Users page, click the Settings icon.

  2. You land on the Users page by default. A list of all previously added users appears.

  3. To rearrange users in ascending or descending alphabetical order, click the arrow next to the Email field.

  4. To see information about users and change their role or status, click the user’s email in the list.

  5. To search or filter users, type text or values into the Quick Filter field. Quick Filter conducts a search on all currently listed users and filters through the Email, Status, and Roles columns.

  6. To view whether a user is active or inactive, see the respective information under Status. To group users by their status, click Status.

  7. To view a user’s role, see the respective information under Role. To group users by their role, click Role.

  8. To view a user’s ID provider, see the respective information under ID Provider. By default, all RAI Console users have google-apps as their ID provider.

  9. To add a new user:

    1. Click + User in the top right-hand corner.

    2. In the window that opens, enter the user’s email under Email.

    3. Under Role, click the up-down arrow to select a role for the new user. See User Roles for more details.

    4. Click Create.

    The new user’s email now appears in the list. For more details on how new users can log in and get started with the RAI Console, see Quick Start.

  10. To delete a user:

    1. Click X next to the user you want to delete.

    2. In the Confirmation window that opens, click Delete. The user’s email then disappears from the list.

User Roles

The RAI Console supports three user roles: Admin, User, and Read only user.

User RoleDescription
UserRAI Console users with the User role can manage engines, databases, models, worksheets, and transactions.
AdminRAI Console users with the Admin role can do all of the above, as well as manage users and OAuth clients. OAuth client authorizations are needed when using SDKs.
Read only userRAI Console users with the Read only user role can only use existing engines and databases (not create or delete them), run read-only worksheets, and view transaction details. They can also view base relations and models, but not create them.

Changing User Roles

With admin permissions, you can change other users’ roles.

To do so:

  1. On the Users page, click the user whose role you want to change.
  2. In the window that opens, click the up-down arrow under the Role field and select a new role.
  3. Click Update.
change-user-role

Making a User Inactive

You can make users inactive, which prevents them from accessing the RAI Console.

To make a user inactive:

  1. On the Users page, click the user whose status you want to change.
  2. In the window that opens, click the up-down arrow under the Status field and choose Inactive.
  3. Click Update.
change-status

Managing OAuth Clients

Adding an OAuth Client

To manage OAuth clients, you need to access the OAuth Clients page.

Using the OAuth Clients Page

oauth-clients-page

Here’s how to access and navigate the OAuth Clients page:

  1. To access the OAuth Clients page, click the Settings icon.

  2. You land on the Users page by default. To access the OAuth Clients page, click OAuth Clients under Settings. A list of all previously added OAuth clients appears.

  3. To rearrange OAuth clients in ascending or descending alphabetical order, click the arrow next to the Name field.

  4. To view an OAuth client’s information, click the OAuth client’s name in the list. This redirects you to the Client page where you can view the client’s details, rotate secrets, and manage permissions.

    🔎

    To return to the list of OAuth clients, click the back arrow at the top of the page or click OAuth Clients under Settings.

  5. To search or filter OAuth clients, type text or values into the Quick Filter field. Quick Filter conducts a search on all currently listed OAuth clients and filters through the Name, ID, and Created On columns.

  6. To view an OAuth client’s ID, see the respective information under ID. To rearrange OAuth clients in ascending or descending order of their ID number, click ID.

  7. To view the date and time an OAuth Client was created, see the respective information under Created On. Note that you can see the full details of when an OAuth client was created by holding your pointer over the date. To rearrange OAuth clients by the date they were created, click Created On.

  8. To create a new OAuth client:

    1. Click + Client in the top right-hand corner. This redirects you to a new page.
    2. Under Name, enter a name for the OAuth client. The OAuth client name is a public identifier for your application. You should use a meaningful name that you can remember.
    3. Under Permissions, select the permissions you want to grant to the OAuth client by checking the respective boxes. You can also restrict permissions for OAuth clients. For example, you can allow OAuth clients to list engines or list databases, but not delete them.
    4. Click Save to create the OAuth client.

    The new OAuth client now appears in the list.

  9. To delete an OAuth client:

    1. Click X next to the OAuth client you want to delete.
    2. In the Confirmation window that opens, click Delete. The OAuth client then disappears from the list.

    You can also delete an OAuth Client from the Client page. See Deleting an OAuth Client.

Sharing OAuth Credentials

To share OAuth credentials:

  1. In the OAuth Clients page, click the name of the OAuth client for which you want to share credentials. This redirects you to the Client page.
  2. Click the Copy icon for both Client ID and Secret.
share-credentials
  1. Copy the client ID and secret to a text file and share the credentials in a secure manner.

The client secret is confidential and should only be used to authenticate your application and make requests through the SDK. You should not share the secret anywhere that is potentially unsecured, such as email, public code repositories, or web server files that can be viewed externally.

It’s also advisable to rotate the client secret regularly. See Rotationg OAuth Secrets.

Rotating OAuth Secrets

To rotate the secret for an OAuth client:

  1. In the OAuth Clients page, click the OAuth client for which you want to rotate the secret. This redirects you to the Client page.
  2. Click Rotate Secret.
  3. Use the Copy icon to the right of the Secret field to copy the secret to your SDK’s client configuration.
rotate-secret

Permissions for OAuth Clients

You can set the following permissions for OAuth clients:

AreaPermission NameExplanation
Transactioncancel:transactionCancel transactions.
Transactionlist:transactionList transactions.
Transactionread:transactionView details about transactions.
Transactionrun-read:transactionRun only read-only transactions.
Transactionrun:transactionRun write and read-only transactions.
Databasecreate:databaseCreate databases.
Databasedelete:databaseDelete databases.
Databaselist:databaseList databases.
Databaseupdate:databaseUpdate databases.
Enginecreate:engineCreate engines.
Enginedelete:engineDelete engine.
Enginelist:engineList engines.
Engineread:engineView details about engines.
OAuth clientcreate:oauth_clientCreate OAuth clients.
OAuth clientdelete:oauth_clientDelete OAuth clients.
OAuth clientlist:oauth_clientList OAuth clients.
OAuth clientread:oauth_clientView details about OAuth clients.
OAuth clientupdate:oauth_clientUpdate OAuth clients.
Usercreate:userCreate users.
Userdelete:userDelete users.
Userlist:userList users.
Userread:userView details about users.
Userupdate:userUpdate users.
Permissionlist:permissionList API permissions.
Rolelist:roleList roles.
Roleread:roleView details about roles.
Credits Usageread:credits_usageView details about credits usage.
OAuth client - Secretrotate:oauth_client_secretRotate OAuth client secrets.

Changing Permissions for an OAuth Client

You can change an OAuth client’s permissions at any time.

To do so:

  1. In the OAuth Clients page, click the OAuth client for which you want to change permissions. This redirects you to the Client page.
  2. Change permissions as needed by checking or unchecking the respective boxes.
  3. Click Save.
change-permissions

Configuring OAuth Clients for SDKs

In order to use OAuth, you need to create a configuration file on the machine on which you’re running your SDK.

To do so:

  1. Create a file called ~/.rai/config.
  2. Enter the following information in the file:
[default]
region = us-east
host = azure.relationalai.com
port = 443
client_id = qvG73z47SKxQV5sxMUMLSOCIGSDVe70u
client_secret = <your secret goes here>
ParameterBrief Explanation
regionEngine region — currently always us-east.
hostHost for RelationalAI — currently always azure.relationalai.com.
portPort for RelationalAI — currently always 443.
client_idYour OAuth client ID.
client_secretYour OAuth secret.

Deleting an OAuth Client

In addition to deleting an OAuth client from the OAuth Clients page, you can delete an OAuth client from the Client page:

  1. In the OAuth Clients page, click the OAuth client you want to delete. This redirects you to the Client page.
  2. Click X Delete in the top right-hand corner.
  3. In the Confirmation window that opens, click Delete.
delete-oauth-client

The OAuth client then disappears from the list in the OAuth Clients page.

Was this doc helpful?