Applies to:
Update permission from their project access. This ensures all LLM traffic routes through organization-configured providers (like Bedrock) while blocking users from adding their own provider keys that could bypass security controls.
Configuration Steps
Step 1: Configure organization-level AI providers
Set up your approved AI provider credentials (e.g., Bedrock) at the organization level in Settings → AI providers. These credentials will be available to all projects and users.Step 2: Remove Update permission from non-admin users
Navigate to project settings and ensure non-admin users or permission groups do not have theUpdate permission. Users without Update permission cannot add or modify AI provider credentials at the project level.
Step 3: Create restricted permission groups
Create custom permission groups withRead, Create, and Delete permissions while excluding Update. Assign non-admin users to these groups to allow normal project work without AI provider modification capabilities.
Key Behaviors
- The
Updatepermission controls the ability to modify project resources, including adding AI providers - Organization-level AI provider credentials remain accessible to all users regardless of project permissions
- Project-level AI provider additions are disabled for users without
Updatepermission - Organization admins can always manage org-level credentials through Settings → AI providers