Authorization rules differ depending on the role of a user, distinguishing between users with "full access", visitors (users without "full access"), and admins.
App authorization for users with full access
Access to apps is governed by the following rules:
- `ALL_USERS` apps are visible to all signed-in users with "full access"; they are also visible on the "App Store" page; these are typically created via `h2o bundle import`
- `ALL_USERS` apps with the `ON_DEMAND` instance lifecycle are runnable by all signed-in users with "full access"
- In all other cases the app owner is the only authorized user to perform a particular action, including:
  - `PRIVATE` apps are only visible to/runnable by the owner; these are only visible on the "My Apps" page and are typically experimental versions created via `h2o bundle deploy`
  - `ALL_USERS` apps with the `MANAGED` instance lifecycle are only runnable by the app owner.
- The app owner can manage (view, run, update, delete, download) their apps via `h2o app ...` or via the "My Apps" page
- Any user with "full access" can import new apps into the platform via
See CLI for details on managing apps.
Instance authorization for users with full access
Access to app instances is governed by the following rules:
- `PRIVATE` instances are only visible to the owner (and to an extent to the owner of the corresponding app, see below for details)
- `ALL_USERS` instances are visible to all signed-in users with "full access"
- `PUBLIC` instances are visible to anyone on the Internet
- The instance owner can manage (view, update, terminate, see status/logs of) her instances via `h2o instance` or via the "My Instances" page
- App owner can see metadata, status, and logs of her app's instances via `h2o instance` or via the app detail page regardless of instance visibility; this is to facilitate troubleshooting; note that this does not include access to the app UI itself or any write access

Note that app/instance visibility can be modified by the owner, e.g., using `h2o (app|instance) update <id> -v <visibility>` or via the "My Apps"/"My Instances" page.
See CLI for details on managing app instances.
Tag authorization for users with full access
Access to tags is governed by the following rules:
- All users with "full access" can see all tags and tag assignments
- A tag can only be assigned/removed/updated by users having a role (as determined by the auth provider) that is present in the tag's `Admin Roles` list; empty means any user with "full access" is allowed
- Currently, tags can only be created by admins
See CLI for details on managing tags.
Secret authorization for users with full access
Access to secrets is governed by the following rules:
- All users with "full access" can see all `ALL_USERS` secrets and their own `PRIVATE` secrets, but not secrets with visibility `APP` (see App-scoped Secrets)
- `PRIVATE` secret can be created, updated, deleted by the user who created the secret
- `APP` secrets can only be created, updated or deleted by admins
See CLI for details on managing secrets.
Authorization for visitors
Visitors, a.k.a., users without "full access", have limited permissions within the platform:
- Visitors can only ever see their own instances, regardless of instance visibility (technically, they can also access UI of the `PUBLIC` instances, if given the URL)
- Visitors cannot see app logs, not even for their own instances
- Visitors cannot import apps into the platform
- Visitors can only see/run `ALL_USERS` apps that have a tag which includes one of the visitor's roles (as determined by the auth provider) in the tag's `Visitor Roles`; empty means no visitors are allowed
- Example: Visitor
RA, RC, tag
A1has no tags, app
TA, TBbut is
PRIVATE. In this case, user
UAcan see and run app
UBcannot see or run any apps.
- Visitors cannot see tags or tag assignments
- Visitors cannot see secrets
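
The app visibility and run rules for full-access users and for visitors, written as a small policy check. This is an added example, not the platform's own code; the class and function names, users, tags and apps are constructed for illustration, and it assumes the visitor tag rule narrows the `ON_DEMAND`/`MANAGED` lifecycle rule rather than replacing it.

```python
from dataclasses import dataclass

@dataclass
class Tag:
    name: str
    visitor_roles: frozenset = frozenset()  # empty means no visitors are allowed

@dataclass
class App:
    name: str
    owner: str
    visibility: str  # "PRIVATE" or "ALL_USERS"
    lifecycle: str   # "ON_DEMAND" or "MANAGED"
    tags: tuple = ()

@dataclass
class User:
    name: str
    full_access: bool
    roles: frozenset = frozenset()  # roles as reported by the auth provider

def can_see_app(user: User, app: App) -> bool:
    if not user.full_access:
        # Visitor: ALL_USERS app with a tag whose Visitor Roles share a role with the user.
        return app.visibility == "ALL_USERS" and any(
            user.roles & tag.visitor_roles for tag in app.tags)
    return app.visibility == "ALL_USERS" or app.owner == user.name

def can_run_app(user: User, app: App) -> bool:
    if user.full_access and app.owner == user.name:
        return True  # the owner may run PRIVATE and MANAGED apps
    # Assumption: the visitor rule narrows the lifecycle rule rather than replacing it.
    return can_see_app(user, app) and app.lifecycle == "ON_DEMAND"

# Constructed sample data (hypothetical names, not taken from the page).
REPORTS = Tag("reports", frozenset({"analyst"}))
APPS = [
    App("store-app", "alice", "ALL_USERS", "ON_DEMAND", (REPORTS,)),
    App("managed-app", "alice", "ALL_USERS", "MANAGED", (REPORTS,)),
    App("draft-app", "alice", "PRIVATE", "ON_DEMAND", (REPORTS,)),
    App("internal-app", "alice", "ALL_USERS", "ON_DEMAND", (Tag("internal"),)),
]

def access_matrix(user: User) -> dict:
    """Map app name -> (visible, runnable) for one user."""
    return {a.name: (can_see_app(user, a), can_run_app(user, a)) for a in APPS}

if __name__ == "__main__":
    for u in (User("alice", True), User("bob", True), User("vera", False, frozenset({"analyst"}))):
        print(u.name, access_matrix(u))
```
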
Authorization for admins
The admin API gives admins read/write access to all apps/instances/tags.
Note that the admin API does not allow access to the app UI itself, meaning admins cannot access UI of
Similarly, admins cannot impersonate another user, e.g., for the purposes of importing/running an app.