{
  "id": "auth",
  "title": "Authentication and RBAC",
  "url": "https://redis.io/docs/latest/operate/featureform/auth/",
  "summary": "Manage Feature Form auth and RBAC",
  "tags": [
    "docs",
    "operate",
    "featureform"
  ],
  "last_updated": "2026-04-20T15:33:16+02:00",
  "page_type": "content",
  "content_hash": "1daf7cde044cd258ea4677aa667f7afbe9afdfd0da094dbdb4572ffad81c6604",
  "sections": [
    {
      "id": "overview",
      "title": "Overview",
      "role": "overview",
      "text": "Feature Form separates deployment-wide administration from workspace-scoped actions. A workspace is the isolation boundary, but membership and permissions are managed separately through RBAC bindings."
    },
    {
      "id": "built-in-roles",
      "title": "Built-in roles",
      "role": "content",
      "text": "- `global_admin` for deployment-wide administration and workspace creation\n- `workspace_admin` for workspace setup, membership, apply, and audit\n- `operator` for operational workflows\n- `viewer` for read-only workspace visibility\n- `model` for constrained reads of feature views and training sets"
    },
    {
      "id": "typical-handoff",
      "title": "Typical handoff",
      "role": "content",
      "text": "1. A global admin creates the workspace.\n2. The global admin grants `workspace_admin` to the intended principal.\n3. That principal verifies access before registering providers or applying resources."
    },
    {
      "id": "scope-model",
      "title": "Scope model",
      "role": "content",
      "text": "- Global scope controls deployment-wide actions.\n- Workspace scope controls providers, secret providers, apply, graph, and audit inside one workspace.\n- Resource-constrained scope is used for limited serving or training-set access."
    },
    {
      "id": "create-a-workspace-and-grant-access",
      "title": "Create a workspace and grant access",
      "role": "content",
      "text": "Use this flow when a global admin is creating a new workspace and handing it off to the team that will manage it."
    },
    {
      "id": "1-create-the-workspace",
      "title": "1. Create the workspace",
      "role": "content",
      "text": "[code example]"
    },
    {
      "id": "2-verify-it-exists",
      "title": "2. Verify it exists",
      "role": "content",
      "text": "[code example]\n\nCapture the workspace ID from the result for later RBAC commands."
    },
    {
      "id": "3-grant-workspace-admin-access",
      "title": "3. Grant workspace-admin access",
      "role": "content",
      "text": "[code example]\n\nYou can also bind a group or service account instead of a user."
    },
    {
      "id": "4-verify-the-binding",
      "title": "4. Verify the binding",
      "role": "content",
      "text": "[code example]"
    },
    {
      "id": "notes",
      "title": "Notes",
      "role": "content",
      "text": "- Creating the workspace does not automatically grant workspace membership to other principals.\n- New workspaces create a built-in `env` secret provider, but it is still workspace-scoped.\n- In-memory state can make gRPC and REST behave like separate state domains. Use durable PostgreSQL-backed state for shared environments."
    },
    {
      "id": "join-an-existing-workspace",
      "title": "Join an existing workspace",
      "role": "content",
      "text": "Use this page when a workspace already exists and you need to confirm that the intended principal can proceed with setup, apply, or serving."
    },
    {
      "id": "1-verify-identity",
      "title": "1. Verify identity",
      "role": "content",
      "text": "[code example]"
    },
    {
      "id": "2-confirm-the-workspace-is-visible",
      "title": "2. Confirm the workspace is visible",
      "role": "content",
      "text": "[code example]"
    },
    {
      "id": "3-confirm-the-effective-binding",
      "title": "3. Confirm the effective binding",
      "role": "content",
      "text": "[code example]\n\nYou should see the expected user, group, or service-account binding for that workspace."
    },
    {
      "id": "common-failures",
      "title": "Common failures",
      "role": "content",
      "text": "- `permission denied` on provider or apply commands usually means missing workspace write access.\n- `workspace not found` usually means the wrong deployment, wrong transport, or wrong workspace name.\n- Missing resources after apply can indicate transport or state-backend mismatch in non-durable environments."
    }
  ],
  "examples": [
    {
      "id": "1-create-the-workspace-ex0",
      "language": "bash",
      "code": "ff workspace create demo-workspace \\\n  --description \"Workspace for the feature workflow docs path\"",
      "section_id": "1-create-the-workspace"
    },
    {
      "id": "2-verify-it-exists-ex0",
      "language": "bash",
      "code": "ff workspace get --name demo-workspace\nff workspace list",
      "section_id": "2-verify-it-exists"
    },
    {
      "id": "3-grant-workspace-admin-access-ex0",
      "language": "bash",
      "code": "ff rbac grant workspace_admin \\\n  --workspace <workspace-id> \\\n  --user alice@example.com",
      "section_id": "3-grant-workspace-admin-access"
    },
    {
      "id": "4-verify-the-binding-ex0",
      "language": "bash",
      "code": "ff rbac list --workspace <workspace-id>\nff rbac subjects --workspace <workspace-id>",
      "section_id": "4-verify-the-binding"
    },
    {
      "id": "1-verify-identity-ex0",
      "language": "bash",
      "code": "ff auth whoami\nff rbac whoami",
      "section_id": "1-verify-identity"
    },
    {
      "id": "2-confirm-the-workspace-is-visible-ex0",
      "language": "bash",
      "code": "ff workspace list\nff workspace get --name demo-workspace",
      "section_id": "2-confirm-the-workspace-is-visible"
    },
    {
      "id": "3-confirm-the-effective-binding-ex0",
      "language": "bash",
      "code": "ff rbac list --workspace <workspace-id>",
      "section_id": "3-confirm-the-effective-binding"
    }
  ]
}