Create acl

curl --request POST \
  --url https://api.braintrust.dev/v1/acl \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "object_type": "organization",
  "object_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "group_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "permission": "create",
  "restrict_object_type": "organization",
  "role_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
}
'

{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "object_type": "organization",
  "object_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "_object_org_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "group_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "permission": "create",
  "restrict_object_type": "organization",
  "role_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "created": "2023-11-07T05:31:56Z"
}

POST

acl

Create acl

curl --request POST \
  --url https://api.braintrust.dev/v1/acl \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "object_type": "organization",
  "object_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "group_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "permission": "create",
  "restrict_object_type": "organization",
  "role_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
}
'

{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "object_type": "organization",
  "object_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "_object_org_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "group_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "permission": "create",
  "restrict_object_type": "organization",
  "role_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "created": "2023-11-07T05:31:56Z"
}

Authorizations

Authorization

string

header

required

Most Braintrust endpoints are authenticated by providing your API key as a header Authorization: Bearer [api_key] to your HTTP request. You can create an API key in the Braintrust organization settings page.

Body

application/json

Any desired information about the new acl object

An ACL grants a certain permission or role to a certain user or group on an object.

ACLs are inherited across the object hierarchy. So for example, if a user has read permissions on a project, they will also have read permissions on any experiment, dataset, etc. created within that project.

To restrict a grant to a particular sub-object, you may specify restrict_object_type in the ACL, as part of a direct permission grant or as part of a role.

object_type

enum<string>

required

The object type that the ACL applies to

Available options:

organization,

project,

experiment,

dataset,

prompt,

prompt_session,

group,

role,

org_member,

project_log,

org_project

object_id

string<uuid>

required

The id of the object the ACL applies to

user_id

string<uuid> | null

Id of the user the ACL applies to. Exactly one of user_id and group_id will be provided

group_id

string<uuid> | null

Id of the group the ACL applies to. Exactly one of user_id and group_id will be provided

permission

enum<string> | null

Permission the ACL grants. Exactly one of permission and role_id will be provided

Available options:

create,

read,

update,

delete,

create_acls,

read_acls,

update_acls,

delete_acls

restrict_object_type

enum<string> | null

When setting a permission directly, optionally restricts the permission grant to just the specified object type. Cannot be set alongside a role_id.

Available options:

organization,

project,

experiment,

dataset,

prompt,

prompt_session,

group,

role,

org_member,

project_log,

org_project

role_id

string<uuid> | null

Id of the role the ACL grants. Exactly one of permission and role_id will be provided

Response

Returns the new acl object

An ACL grants a certain permission or role to a certain user or group on an object.

To restrict a grant to a particular sub-object, you may specify restrict_object_type in the ACL, as part of a direct permission grant or as part of a role.

string<uuid>

required

Unique identifier for the acl

object_type

enum<string>

required

The object type that the ACL applies to

Available options:

organization,

project,

experiment,

dataset,

prompt,

prompt_session,

group,

role,

org_member,

project_log,

org_project

object_id

string<uuid>

required

The id of the object the ACL applies to

_object_org_id

string<uuid>

required

The organization the ACL's referred object belongs to

user_id

string<uuid> | null

Id of the user the ACL applies to. Exactly one of user_id and group_id will be provided

group_id

string<uuid> | null

Id of the group the ACL applies to. Exactly one of user_id and group_id will be provided

permission

enum<string> | null

Permission the ACL grants. Exactly one of permission and role_id will be provided

Available options:

create,

read,

update,

delete,

create_acls,

read_acls,

update_acls,

delete_acls

restrict_object_type

enum<string> | null

When setting a permission directly, optionally restricts the permission grant to just the specified object type. Cannot be set alongside a role_id.

Available options:

organization,

project,

experiment,

dataset,

prompt,

prompt_session,

group,

role,

org_member,

project_log,

org_project

role_id

string<uuid> | null

Id of the role the ACL grants. Exactly one of permission and role_id will be provided

created

string<date-time> | null

Date of acl creation

List acls

Delete single acl

API reference

Authorizations

Body

Response