Role-based Access Controls (RBAC)
Role-based access control (RBAC) is based on Organizations, Teams and Internal User Roles
- Organizationsare the top-level entities that contain Teams.
- Team- A Team is a collection of multiple- Internal Users
- Internal Users- users that can create keys, make LLM API calls, view usage on LiteLLM
- Rolesdefine the permissions of an- Internal User
- Virtual Keys- Keys are used for authentication to the LiteLLM API. Keys are tied to a- Internal Userand- Team
Roles
Admin Roles
- proxy_admin: admin over the platform
- proxy_admin_viewer: can login, view all keys, view all spend. Cannot create keys/delete keys/add new users
Organization Roles
- org_admin: admin over the organization. Can create teams and users within their organization
Internal User Roles
- internal_user: can login, view/create/delete their own keys, view their spend. Cannot add new users.
- internal_user_viewer: can login, view their own keys, view their own spend. Cannot create/delete keys, add new users.
Onboarding Organizations
1. Creating a new Organization
Any user with role=proxy_admin can create a new organization
Usage
API Reference for /organization/new
curl --location 'http://0.0.0.0:4000/organization/new' \
    --header 'Authorization: Bearer sk-1234' \
    --header 'Content-Type: application/json' \
    --data '{
        "organization_alias": "marketing_department",
        "models": ["gpt-4"],
        "max_budget": 20
    }'
Expected Response
{
  "organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
  "organization_alias": "marketing_department",
  "budget_id": "98754244-3a9c-4b31-b2e9-c63edc8fd7eb",
  "metadata": {},
  "models": [
    "gpt-4"
  ],
  "created_by": "109010464461339474872",
  "updated_by": "109010464461339474872",
  "created_at": "2024-10-08T18:30:24.637000Z",
  "updated_at": "2024-10-08T18:30:24.637000Z"
}
2. Adding an org_admin to an Organization
Create a user (ishaan@berri.ai) as an org_admin for the marketing_department Organization (from step 1)
Users with the following roles can call /organization/member_add
- proxy_admin
- org_adminonly within their own organization
curl -X POST 'http://0.0.0.0:4000/organization/member_add' \
    -H 'Authorization: Bearer sk-1234' \
    -H 'Content-Type: application/json' \
    -d '{"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23", "member": {"role": "org_admin", "user_id": "ishaan@berri.ai"}}'
Now a user with user_id = ishaan@berri.ai and role = org_admin has been created in the marketing_department Organization
Create a Virtual Key for user_id = ishaan@berri.ai. The User can then use the Virtual key for their Organization Admin Operations
curl --location 'http://0.0.0.0:4000/key/generate' \
        --header 'Authorization: Bearer sk-1234' \
        --header 'Content-Type: application/json' \
        --data '{
            "user_id": "ishaan@berri.ai"
    }'
Expected Response
{
  "models": [],
  "user_id": "ishaan@berri.ai",
  "key": "sk-7shH8TGMAofR4zQpAAo6kQ",
  "key_name": "sk-...o6kQ",
}
3. Organization Admin - Create a Team
The organization admin will use the virtual key created in step 2 to create a Team within the marketing_department Organization
curl --location 'http://0.0.0.0:4000/team/new' \
    --header 'Authorization: Bearer sk-7shH8TGMAofR4zQpAAo6kQ' \
    --header 'Content-Type: application/json' \
    --data '{
        "team_alias": "engineering_team",
        "organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23"
    }'
This will create the team engineering_team within the marketing_department Organization
Expected Response
{
  "team_alias": "engineering_team",
  "team_id": "01044ee8-441b-45f4-be7d-c70e002722d8",
  "organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
}
Organization Admin - Add an Internal User
The organization admin will use the virtual key created in step 2 to add an Internal User to the engineering_team Team. 
- We will assign role=internal_userso the user can create Virtual Keys for themselves
- team_idis from step 3
curl -X POST 'http://0.0.0.0:4000/team/member_add' \
    -H 'Authorization: Bearer sk-1234' \
    -H 'Content-Type: application/json' \
    -d '{"team_id": "01044ee8-441b-45f4-be7d-c70e002722d8", "member": {"role": "internal_user", "user_id": "krrish@berri.ai"}}'