The role-based access control (RBAC) in Phoenix is based on the following user roles:
admin - full control to the system, can administer users, system keys, etc.
member - a developer that can add traces, experiments, datasets, etc.
viewer - read-only access; cannot create, update, or delete most entities.
A user’s role controls their access via the UI as well as through the APIs.
For SSO (SAML), multi-level RBAC (account → organizations → spaces), and JIT user provisioning, see Arize AX.
User Management
API Key Management
Secrets Management
Evaluator Management
AI Provider Management
Custom AI providers store credentials, so they are managed by admins only.
Sandbox Management
Sandbox configurations can store provider API keys and environment variables, so they are managed by admins only.
Environment variables added to a sandbox configuration are mounted into the sandbox at runtime and are readable by any code that runs there. Because Members can test evaluators, and testing a code evaluator executes arbitrary code inside the sandbox, any user who can test evaluators can read these environment variables — even though only admins can create or edit the sandbox configuration itself.Treat environment variables mounted in sandboxes as visible to all admins and members. Do not store secrets in them that should be restricted from members.