Roles and Access Control for Chat Users

You can configure AI DIAL to work with various identity service providers, where you can manage your users and user groups.

In the system configuration, you can then add rules and restrictions to manage access to your users to various system resources.

For chat users, you can define user groups/roles/pools (it depends on a specific IDP) in your identity service provider (IDP) which are then passed to AI DIAL in JWT. Refer to Auth to view supported IDPs and learn how to configure them.
You can then utilize user roles from the JWT claims to define roles in the AI DIAL configuration as a userRoles parameter value. In the following example, we grant access to chat-gpt-35-turbo model for users with the operator user role. Using the same pattern, you can define user access to applications, addons, assistants.

Important: you must always use roles from the JWT claims that you receive from your IDP.

Refer to settings to view parameters description and to configuration example to view the full example.
```
"models": {
    "chat-gpt-35-turbo": {
        "userRoles": [
            "operator"
            ]
        }
}
```
In the roles section of the configuration file, you can configure limits for roles that apply to specific system resources.

Effective role rule: If a user has a role A and B from the IDP which are not mentioned in the roles section, limits from the default role apply. If the default role is not defined in the roles section or does not have limits configured for it - the access is unlimited.
```
"roles": {
    "azure-group-name": {
        "limits": {
            "chat-gpt-35-turbo": {
                "minute": "200000",
                "day": "10000000"
            }
        }
    }
}
```
Refer to settings to view parameters description and to configuration example to view the full example.