Authorization
NeMo Platform authorization controls what authenticated users can do. Every API request is evaluated against the user’s token scopes and role bindings before it is allowed.
The authorization model has four building blocks:
- Workspaces — the authorization boundary. All resources belong to a workspace.
- Roles — permission bundles (Viewer, Editor, Admin) granted per workspace.
- Role bindings — the link between a user, a role, and a workspace.
- Scopes — token-level restrictions that limit what the token can do, independent of the user’s role.
For a request to succeed, both the scope check (does the token allow it?) and the role check (does the user have permission?) must pass.
For the full conceptual background, see Authorization Concepts. For the security architecture, see Security Model.
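The two-layer check described above can be sketched as follows. This is an added example, not NeMo Platform code: the permission strings, scope strings, user names and workspace names are hypothetical, the role-to-permission table is an assumption (the real matrix is on the Roles & Permissions page), and scopes are simplified to the same strings as permissions.

```python
# Added illustration of a two-layer (scope AND role) authorization check.
# Every permission, scope, user and workspace name here is hypothetical.
from dataclasses import dataclass

# Assumed role -> permission bundles, for illustration only.
ROLE_PERMISSIONS = {
    "Viewer": {"resource.read"},
    "Editor": {"resource.read", "resource.write"},
    "Admin": {"resource.read", "resource.write", "members.manage"},
}

@dataclass(frozen=True)
class RoleBinding:
    user: str
    role: str
    workspace: str

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # "ok", or the layer that denied: "scope" / "role"

def authorize(user, token_scopes, bindings, workspace, permission):
    # Layer 1: the token must carry the scope, whatever the user's role is.
    if permission not in token_scopes:
        return Decision(False, "scope")
    # Layer 2: a binding in *this* workspace must grant the permission.
    for b in bindings:
        if b.user == user and b.workspace == workspace:
            # Unknown role names grant nothing (fail closed).
            if permission in ROLE_PERMISSIONS.get(b.role, set()):
                return Decision(True, "ok")
    return Decision(False, "role")

# Constructed sample data.
FULL_SCOPES = {"resource.read", "resource.write", "members.manage"}
BINDINGS = [
    RoleBinding("alice", "Admin", "ws-a"),
    RoleBinding("alice", "Viewer", "ws-b"),
    RoleBinding("bob", "Owner", "ws-a"),  # role name not in the table
]

if __name__ == "__main__":
    cases = [
        ("alice", {"resource.read"}, "ws-a", "resource.write"),  # narrow token
        ("alice", FULL_SCOPES, "ws-a", "members.manage"),        # both pass
        ("alice", FULL_SCOPES, "ws-b", "resource.write"),        # Viewer here
        ("bob", FULL_SCOPES, "ws-a", "resource.read"),           # unknown role
    ]
    for user, scopes, ws, perm in cases:
        print(user, ws, perm, authorize(user, scopes, BINDINGS, ws, perm))
```

Returning the denying layer in the decision makes audit logs show whether a rejection came from an under-scoped token or from a missing role binding.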
Key Pages
Roles & Permissions
Complete permission matrix — what each role can do.
Managing Access
Add users to workspaces, assign roles, manage members.
API Scopes
Token-level scope model and two-layer authorization.
Permissions Reference
Complete list of all permissions with role assignments.
Policy Engine
OPA / WASM policy engine internals and configuration.