Skip to content
RKGMS
RAI CONSOLE
Managing Users and OAuth Clients

Managing Users and OAuth Clients in the RAI Console

A short guide to managing users and OAuth clients in the RAI Console.

User Roles

The RAI Console has two types of user roles: Admin and User.

User RoleDescription
UserRAI Console users with the User role can manage databases, engines, models, queries, notebooks, and view transactions.
AdminRAI Console users with the Admin role can do all of the above, as well as manage users and OAuth clients. OAuth client authorizations are needed when using SDKs.

Managing Users

When you log into the RAI Console as a user with admin permissions, you will see a Settings icon on the left-hand side of the Console.

To manage users, click the Settings icon.

A list of all previously added users appears.

list of users

To see information about users and change their status or role, click the user’s name in the list.

The following page appears:

user detail

Adding Users

To add a user:

  1. Click Create.
create user button
  1. In the page that opens, enter the user’s email and select a role — User or Admin — for the user.
  2. Click Create to add the user.
create users detail

Users can now access the Console. After entering their email on the Console login page, users will be prompted to enter the password for their email account. On first use, users will be prompted to set up two-step verification using a one-time password application. For more details, see Logging into the RAI Console in Quick Start.

Deleting Users

To delete a user:

  1. Click the Settings icon.
  2. Click the user’s name.
  3. In the page that opens, click Delete.

Making a User Inactive

You can make users inactive, which prevents them from accessing the RAI Console.

To make a user inactive:

  1. Click the Settings icon.
  2. Click the user’s name.
  3. In the page that opens, change the user’s status from Active to Inactive.
  4. Click Save.

Granting a User Admin Permissions

You can give other users admin permissions.

To do so:

  1. Click the Settings icon.
  2. Click the user’s name.
  3. In the page that opens, change the user’s role from User to Admin.
  4. Click Save.

Managing OAuth Clients

To use RelationalAI SDKs, you will need to create and configure an OAuth client (opens in a new tab).

RelationalAI currently supports the following SDKs:

To manage OAuth clients:

  1. Click the Settings icon.
  2. In the left-hand pane, click OAuth Clients.

A list of all previously added OAuth clients appears.

To see information on OAuth clients, click the OAuth client’s name in the list.

list of oauth users

You can restrict permissions for OAuth clients. OAuth clients might only be able to list engines or list databases, but not delete them, for example.

Adding an OAuth Client

To add an OAuth client:

  1. Click the Settings icon.
  2. In the left-hand pane, click OAuth Clients.
  3. Click Create.
  4. In the page that opens, enter a name for the OAuth client and select permissions for the OAuth client. See Best Practices for Client Names and Secrets below.
  5. Click Save to add the OAuth client.
create user button

Deleting an OAuth Client

To delete an OAuth client:

  1. Click the Settings icon.
  2. In the left-hand pane, click OAuth Clients.
  3. Click the OAuth client that you want to delete.
  4. In the page that opens, click Delete.

Sharing OAuth Credentials

To share OAuth credentials:

  1. Click the Settings icon.
  2. In the left-hand pane, click OAuth Clients.
  3. Click the OAuth client for which you want to share credentials.
  4. In the page that opens, click the Copy icon for both Client ID and Secret.
list of oauth users
  1. Copy the client ID and secret to a text file and share the credentials in a secure manner.

Permissions for OAuth Clients

You can set the following permissions for OAuth clients:

AreaPermission NameExplanation
Credits Usageread:credits_usageView details about credits usage.
Databasecreate:databaseCreate databases.
Databasedelete:databaseDelete databases.
Databaselist:databaseList databases.
Databaseupdate:databaseUpdate databases.
Enginecreate:engineCreate engines.
Enginedelete:engineDelete engine.
Enginelist:engineList engines.
Engineread:engineView details about engines.
OAuth clientcreate:oauth_clientCreate OAuth clients.
OAuth clientdelete:oauth_clientDelete OAuth clients.
OAuth clientlist:oauth_clientList OAuth clients.
OAuth clientread:oauth_clientView details about OAuth clients.
OAuth clientupdate:oauth_clientUpdate OAuth clients.
OAuth client - Secretrotate:oauth_client_secretRotate OAuth clients secrets.
Permissionlist:permissionList API permissions.
Rolelist:roleList roles.
Roleread:roleView details about roles.
Transactioncancel:transactionCancel transactions.
Transactionlist:transactionList transactions.
Transactionread:transactionView details about transactions.
Transactionrun:transactionRun write and read-only transactions.
Transactionrun-read:transactionRun only read-only transactions.
Usercreate:userCreate users.
Userdelete:userDelete users.
Userlist:userList users.
Userread:userView details about users.
Userupdate:userUpdate users.

Changing Permissions for an OAuth Client

You can change an OAuth client’s permissions at any time.

To do so:

  1. Click the Settings icon.
  2. In the left-hand pane, click OAuth Clients.
  3. Click the OAuth client for which you want to change settings.
  4. In the page that opens, change permissions as needed.
  5. Click Save.
list of oauth users

Rotating OAuth Secrets

To rotate the secret for an OAuth client:

  1. Click the Settings icon.
  2. In the righ-hand pane, click OAuth Clients.
  3. Click the OAuth client.
  4. In the page that opens, click Rotate.
  5. Use the Copy icon to the right of the Secret field to copy the secret to your SDK’s client configuration.

Best Practices for Client Names and Secrets

The OAuth client name is a public identifier for your application. You should use a meaningful name that you can remember.

The client secret is confidential and should only be used to authenticate your application and make requests through the SDK. You should not share the secret anywhere that is potentially unsecured, such as email, public code repositories, or web server files that can be viewed externally.

🔎

You are advised to rotate the client secret regularly using the steps above.

Configuring OAuth Clients for SDKs

In order to use OAuth, you will need to create a configuration file on the machine on which you’re running your SDK.

To do so:

  1. Create a file called ~/.rai/config.
  2. Enter the following information in the file:
[default]
region = us-east
host = azure.relationalai.com
port = 443
client_id = qvG73z47SKxQV5sxMUMLSOCIGSDVe70u
client_secret = <your secret goes here>
ParameterBrief Explanation
regionEngine region — currently always us-east.
hostHost for RelationalAI — currently always azure.relationalai.com.
portPort for RelationalAI — currently always 443.
client_idYour OAuth client ID.
client_secretYour OAuth secret.
Was this doc helpful?