An overview on the permission structure for Cognito and RONIN.


There are two types of permissions that work together to ensure the right level of access for all of your RONIN users:

  1. Cognito Groups
  2. RONIN Project Groups

RONIN obtains user access tokens and top level groups from Cognito.

Cognito can be connected to third party identity providers such as Google, Facebook, OpenID and SAML.


The following three Cognito groups are managed via the AWS console.


As a member of the RONIN Admin group, I can…

  • Create projects and assign users to them
  • Manage project budgets and pause projects if necessary
  • Configure base operating systems and pre-configured software via the Service Catalogue
  • Do everything a RONIN Lower Admin can do

RONIN Lower Admin (previously RONIN Trial Admin)

As a member of the RONIN Lower Admin group, I can…

  • Access the Budget Management and Machine List screen to view information for projects I am a member of
  • Manage project budgets and pause projects if necessary for the projects I am an Admin of
  • Do everything a RONIN User can do

RONIN User (deprecated - no Cognito group is required for standard users)

As a member of the RONIN User group, I can...

  • Login to RONIN using my account sync'd from a connected Active directory or sent to me by RONIN
  • Be found in a RONIN user search
  • Access and/or administer projects that have been assigned to me
  • Log out


The following three RONIN Project groups are managed within RONIN via the project settings or permissions screens.

Project Admin

As a Project Admin within a RONIN project, I can...

  • Modify permissions for other users within my project, including adding additional Project Admins, Users, Viewer
  • Do everything a Project User can do

Note: Project Admins can be given the ability to manage project settings (budget, timeline, auto pause etc) if they are also added to the Cognito RONIN Lower Admin group.

Project User

As a Project User within a RONIN project, I can…

  • Launch, start, stop and terminate instances within my project
  • Choose the size of the machine I want to launch
  • Attach additional storage to my project’s instances
  • Backup my project’s storage
  • Package my research infrastructure to reproduce or share my work within my project
  • Create, manage and delete object storage (s3)
  • Do everything a Project View can do

Project View

As a Project Viewer within a RONIN project, I can...

  • Search for projects I have access to
  • View the project dashboard

Below we provide a comprehensive list of actions that are available in RONIN and their respective required permissions.


The following matrix can be used as a guide to help you determine what combination of Cognito and RONIN Project permissions would be suitable for differing roles within the institution. The lowest required permissions to achieve the listed actions are indicated in red, dark shading indicates permission levels that are too low to achieve the listed action.