# Authorization

NeMo Platform authorization controls what authenticated users can do. Every API request is evaluated against the user's token scopes and role bindings before it is allowed.

The authorization model has four building blocks:

1. **Workspaces** — the authorization boundary. All resources belong to a workspace.
2. **Roles** — permission bundles (Viewer, Editor, Admin) granted per workspace.
3. **Role bindings** — the link between a user, a role, and a workspace.
4. **Scopes** — token-level restrictions that limit what the token can do, independent of the user's role.

```text
Request → PDP → Scope check → Role binding check → Allow / Deny
```

For a request to succeed, both the scope check (does the token allow it?) and the role check (does the user have permission?) must pass.
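
The two-layer decision described above, as an added sketch that is not NeMo Platform's policy code. Only the role names come from this page; the permission strings, the assumption that scopes share the permission vocabulary, and the user and workspace names are constructed for illustration.

```python
from dataclasses import dataclass

# Role names are from the page; the permission strings are constructed.
ROLE_PERMISSIONS = {
    "Viewer": {"models.read"},
    "Editor": {"models.read", "models.write"},
    "Admin": {"models.read", "models.write", "members.manage"},
}

@dataclass(frozen=True)
class RoleBinding:
    user: str
    role: str
    workspace: str

@dataclass(frozen=True)
class Request:
    user: str
    token_scopes: frozenset  # assumption: scopes use the permission vocabulary
    workspace: str
    permission: str

# Constructed sample bindings: both users are bound only in workspace "ws-a".
BINDINGS = [
    RoleBinding("alice", "Admin", "ws-a"),
    RoleBinding("bob", "Viewer", "ws-a"),
]

def decide(req, bindings=BINDINGS):
    """Return (allowed, reason). Deny by default; both layers must pass."""
    # Layer 1, scope check: the token itself must permit the action,
    # regardless of how powerful the user's role is.
    if req.permission not in req.token_scopes:
        return False, "scope"
    # Layer 2, role binding check: the user must hold a role in this
    # workspace that grants the permission. Bindings elsewhere do not count.
    for b in bindings:
        if (b.user == req.user and b.workspace == req.workspace
                and req.permission in ROLE_PERMISSIONS.get(b.role, set())):
            return True, "allow"
    return False, "role"

if __name__ == "__main__":
    # An Admin holding a read-only token is still denied a write.
    print(decide(Request("alice", frozenset({"models.read"}), "ws-a", "models.write")))
```

The `reason` value shows which layer rejected the request, which is the detail worth logging when auditing denied calls.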

For the full conceptual background, see [Authorization Concepts](/documentation/access-control/concepts). For the security architecture, see [Security Model](/documentation/access-control/security-model).

## Key Pages

- Complete permission matrix — what each role can do.
- Add users to workspaces, assign roles, manage members.
- Token-level scope model and two-layer authorization.
- Complete list of all permissions with role assignments.
- OPA / WASM policy engine internals and configuration.