🔐 Security Profiles

Configure user access to platform modules, Knowledge Nodes, DataApps, dashboards, and API collections.

🔐 Security Profile Overview

Security profiles in ARPIA are critical for maintaining a secure and compliant environment for data management and collaboration. These profiles provide a structured framework for controlling access and permissions, ensuring that organizational data is protected and only accessible to authorized individuals. Implementing robust security practices and leveraging configurable access controls promotes responsible and secure use of the ARPIA platform.

Security Profile Overview

🔑 How Security Profiles Work

A Security Profile is a named, reusable permission set that is assigned to users at the Workarea level. Rather than configuring permissions per individual user, administrators define profiles once and apply them across multiple users — keeping access management consistent and auditable.

Key characteristics:

  • Workarea-scoped — profiles apply within a specific Workarea; a user invited to multiple Workareas can hold a different profile in each.
  • Named and versioned — every profile has a human-readable name, a unique ID, and a full audit trail of permission changes.
  • Profile-grouped user list — the Users view groups users by their assigned profile, making it easy to see who has what access at a glance.

📋 The Security Profiles List

Navigate to Admin → Users & Security → Security Profiles to view all profiles in your Workarea.

Security Profiles list

Each row in the list shows:

ColumnDescription
ProfileProfile name and unique ID
CreatedTimestamp and creator
UsersNumber of users currently assigned to this profile
StatusActive or inactive
ActionsEdit Name, View Audit, Edit Permissions

From this view administrators can create new profiles using the + button, rename existing ones, review the change history, or update the permission set.

Default profile

When a Workarea is created for the first time, a Super User profile is automatically generated. This is the only system-created profile — all additional profiles are created and named by administrators according to their organization's needs.

Common profile archetypes

The following represent best practice access tiers commonly used in ARPIA deployments. Profile names are entirely up to each organization — what matters is the permission set behind the name, not the label itself.

ProfileTypical use case
End-UserConsumers of AI Apps and Dashboards only — no platform configuration access
Data AnalystAccess to Reasoning Knowledge, Query Tool, Data Objects, DataApps and Dashboards — no build or admin access
App DeveloperAccess to AI Apps Studio, Reasoning Flows, Data Workshop, Resources, AutoAPI, App Droplets — no security or billing access
Platform AdminFull platform module access including Security Settings and User Management — no billing or WorkArea creation
AI Governance OfficerAccess to AI Governance module, Reasoning Knowledge (read), Aerie, Policy Center, Risk & Compliance, Logs — observer/compliance role

🕵️ Profile Audit Trail

Every Security Profile maintains a complete version history accessible via View Audit. Each saved state of a profile is recorded with a timestamp and the email of the user who made the change.

Version selector

Selecting View Audit opens a modal listing all saved versions of the profile in reverse chronological order — each entry shows the exact date, time, and the administrator who saved that version.

Profile Audit version selector

Diff view

Selecting a version loads a side-by-side diff comparing the selected historical version (left) against the current configuration (right). Added permissions are highlighted in green. The diff also surfaces profile renames, marked with a RENAMED badge.

Profile Audit diff view showing permission changes

This makes it possible to answer precisely: what changed, when, and who made the change — down to the individual permission flag.

Compliance framework alignment

FrameworkRelevant Control AreaHow the Audit Trail Supports It
SOC 2 Type 2CC6.1, CC6.2, CC6.3 — Logical access controlsDemonstrates that access is granted, modified, and revoked with a traceable, attributed history
ISO/IEC 27001A.9 — Access controlProvides evidence of access management policy enforcement and change logging
ISO/IEC 420016.1, 8.4 — AI risk controls and operational processesSupports auditability of who has access to AI reasoning assets and governance modules
GDPRArticle 5(2), Article 25 — Accountability and data protection by designDocuments the access control decisions applied to personal data processing functions
HIPAA§164.312(a)(1) — Access control; §164.312(b) — Audit controlsProvides the timestamped, user-attributed access change log required for covered entity compliance
NIST AI RMFGOVERN 1.2, MANAGE 2.2 — Accountability and risk trackingSupports traceability of access decisions to AI platform components
DORAArticle 9 — ICT security; Article 13 — ICT change managementProvides a versioned, attributed record of permission changes as part of ICT change control evidence

⚙️ Permission Dimensions

Each profile is configured across five tabs. Permissions are additive — only what is explicitly enabled is accessible to the user.

1. Access to Dashboards

Controls access to Dashboard-type screens within AI Apps. When an AI App contains one or more Dashboard screens, those screens are surfaced here for granular access control.

Each app is listed with a (granted/total) counter showing how many of its Dashboard screens are currently enabled for this profile. Expanding an app reveals individual screen checkboxes, plus an "Access to all screens of this DataApp" master toggle for a quick full-access grant, and select-all / deselect-all bulk controls.

Because AI Apps can contain screens nested inside other screens or hidden from the main navigation, the list reflects the full screen inventory — not just top-level visible screens. An app with 0 granted screens remains in the list but its Dashboard screens are inaccessible to users under this profile.


2. Access to DataApps

Controls access to all non-Dashboard screen types within AI Apps — including Page Layout, AI Assistant, Calendar, Map, Data Forms Insights, Custom screens, and others.

Like the Dashboards tab, access is managed at the individual screen level. Each app shows a (granted/total) counter; expanding it reveals all screens with individual checkboxes, an "Access to all screens of this DataApp" master toggle, and bulk select/deselect controls.

The list grows in proportion to the number of apps and screens in the Workarea — a single app can contain dozens of screens including hidden and nested sub-screens. The counter makes it easy to audit which apps have partial vs. full access for a given profile.


3. Access to Reasoning Knowledge

Controls access to Knowledge Nodes at the node and group level. Nodes are displayed in collapsible groups (e.g. a group of 11 nodes shows as 0/11), and administrators can enable access to individual nodes within each group.

This is the most granular access layer in ARPIA — enabling precise control over which knowledge assets each profile can read and reason over.


4. MCP / API Collection

Controls which MCP and API Collections are exposed to users under this profile. Collections appear under Available Collections and can be enabled individually.


5. Administrative Settings

Controls access to platform modules and administrative capabilities. Permissions are organized into three categories:

Arpia AI Platform (21 flags)

PermissionDescription
Access to OrchestratorAccess to the AI Orchestrator module and its configuration
Access to ResourcesAccess to the Resources section (databases, storage, connections)
Access to DataApp StudioAccess to build and edit AI Apps in the AI Apps Studio
Access to Data SourcesAccess to configure and manage Data Sources
Access to Data ObjectsAccess to create and manage Data Objects (tables, views, triggers, functions)
Access to Data PipesAccess to create and manage Data Pipes
Access to Kubes ModelsAccess to Data Models (Kubes/Nodes) configuration
Access to AutoAPIAccess to create and manage AutoAPI endpoints
Access to App DropletsAccess to create and manage App Droplets
Access to Data FormsAccess to create and manage Data Forms
Access to Alert RulesAccess to create and manage Alert Rules
Access to IntegrationsAccess to configure third-party integrations
Access to Data WorkshopAccess to Reasoning Flows and Workshop Projects
Admin access to any workshop projectsGrants administrative access to all Workshop Projects in the Workarea, regardless of ownership
Access to WorkArea Migration ToolAccess to the tool for migrating Workarea content
Access to DataPoints ToolAccess to the DataPoints configuration tool
AI GovernanceAccess to the AI Governance module (Aerie, Policy Center, Risk & Compliance, Logs)
Access to ActionsAccess to create and manage Actions
Access to Node RequestsAccess to review and manage Knowledge Node access requests
Access to SPA StudioAccess to the Single Page Application (SPA) Studio
Build Personal ApplicationsAbility to build and deploy personal applications within the Workarea

Security Options (3 flags)

PermissionDescription
Access to Security SettingsAccess to the Security Profiles configuration section
Access to UsersAccess to the Users management section
Access to Users SessionsAccess to view and manage active user sessions

Other Options (6 flags)

PermissionDescription
Access to AI GovernanceAccess to AI Governance features from this context (cross-listed with platform flags)
Access to Support ChatAccess to the in-platform support chat
Access to Billing and AccountsAccess to billing information and account management
Create new WorkAreaAbility to create new Workareas
Access to edit workareaAbility to edit Workarea settings and configuration
Access to Screen SnapshotsAccess to the Screen Snapshots feature

🔗 Related