MLflow RBAC is surprisingly more about managing who can see what data than it is about outright permissions to run jobs.
Let’s see it in action. Imagine a small team working on a fraud detection model. They have a shared MLflow project, and within it, different experiments for different approaches.
# experiments.yaml
- name: /fraud-detection/baseline
tags:
team: fraud
model_type: logistic_regression
- name: /fraud-detection/deep_learning
tags:
team: fraud
model_type: cnn
- name: /fraud-detection/ensemble
tags:
team: fraud
model_type: ensemble
Now, let’s say the marketing team wants to see the results of the baseline model, but not the code or the training artifacts of the deep learning experiments.
Here’s how you’d configure that using MLflow’s RBAC, typically via a DatabricksFeatureStoreACL or similar configuration if you’re using Databricks, or by setting up an external authorization service for other deployments. For simplicity, let’s assume a Databricks-like environment where you can directly manage ACLs.
First, we grant the fraud_team all permissions on experiments tagged with team: fraud.
{
"workspace_id": "your_workspace_id",
"access_control_list": [
{
"principal": "users/fraud_team@example.com",
"permission_level": "CAN_MANAGE",
"resource_type": "EXPERIMENT",
"resource_id": "tag:team=fraud"
}
]
}
This means anyone in the fraud_team can create, delete, edit, and view experiments tagged with team: fraud. They can also read all runs and artifacts within those experiments.
Next, we want to grant the marketing_team read-only access to the results of the baseline experiment, but nothing else from the fraud-detection lineage.
{
"workspace_id": "your_workspace_id",
"access_control_list": [
{
"principal": "users/marketing_team@example.com",
"permission_level": "CAN_READ",
"resource_type": "EXPERIMENT",
"resource_id": "/fraud-detection/baseline"
}
]
}
This grants marketing_team the ability to view the /fraud-detection/baseline experiment, its runs, and their associated metrics and parameters. However, they cannot see the /fraud-detection/deep_learning or /fraud-detection/ensemble experiments, nor can they view or download the artifacts (like model files or plots) from the baseline experiment if they don’t have a CAN_MANAGE or CAN_EDIT role on it. The CAN_READ permission on an experiment primarily covers the metadata, metrics, and parameters of its runs. To access artifacts, a CAN_READ on the run itself is usually implied or explicitly needed depending on the exact MLflow deployment.
The core problem MLflow RBAC solves is segregating sensitive model IP and experimental progress. In an enterprise, you might have data scientists from different departments (e.g., finance, marketing, core product) all using a single MLflow instance. Without RBAC, they’d all see each other’s experiments, potentially revealing proprietary algorithms or unreleased product features. RBAC allows you to create logical boundaries, ensuring that only authorized personnel can access specific experiment trees or even individual runs.
Internally, MLflow (especially when integrated with platforms like Databricks) maps these principal (user or group) and resource (experiment, model registry, etc.) combinations to underlying access control mechanisms. The permission_level dictates the set of actions allowed. For experiments, this typically ranges from CAN_READ (view metrics, parameters, run metadata) to CAN_MANAGE (create, delete, edit experiments and their runs, including artifact access). The resource can be a specific experiment path, a wildcarded path (like tag:team=fraud), or even an entire registered model.
The exact granularity of artifact access versus run metadata access can be a point of confusion. While CAN_READ on an experiment grants visibility into its runs’ metrics and parameters, downloading the actual model files or large data dumps associated with a run often requires a CAN_READ on the run itself, or an explicit CAN_READ on the MODEL_VERSION if it’s registered. Many systems implicitly grant run-level read if experiment-level read is present, but it’s worth verifying in your specific setup.
The most surprising thing is how the tag-based resource selection works in conjunction with specific path-based selections. You can grant broad access to everything tagged team: fraud and then override that by denying specific sub-paths or granting more restrictive access to them for other teams. The system evaluates these rules in a specific order, and more specific rules often take precedence.
The next concept you’ll likely grapple with is managing access to the Model Registry, which has its own, albeit related, set of permissions for registering, transitioning, and staging models.