How restricted environments work
By default, environments are unrestricted, meaning any organization member can modify deployments, autoscaling settings, and other configurations. When you mark an environment as restricted, only users you explicitly grant access can make changes. Restricted environments apply across all models and Chains in your organization. For example, if you restrict an environment namedproduction, that restriction applies to
every model and chain’s production environment, not just one specific model or chain.
If your organization uses teams, restricted environments are scoped to individual teams.
Team Admins can create and manage restricted environments for their team.
If your organization uses SCIM, an Organization Admin can also grant directory groups access to a restricted environment, in addition to individual users.
Permissions by access level
| Action | With access | Without access |
|---|---|---|
| View environment and configuration | ✅ | ✅ (read-only) |
| View metrics | ✅ | ✅ (read-only) |
| Call inference on models and chains | ✅ | ✅ |
| View logs | ✅ | ✅ |
| Modify deployment settings | ✅ | ❌ |
| Change autoscaling configurations | ✅ | ❌ |
| Promote deployments to the environment | ✅ | ❌ |
| Manage environment-specific settings | ✅ | ❌ |
Manage restricted environments
Only organization Admins can create or modify restricted environments. Members (non-admin users) can only create unrestricted environments and can’t change environment restrictions.From the environments page
- Sign in to your workspace at app.baseten.co, then open Settings and choose Environments.
- Select an existing environment to modify, or choose Create environment to create a new one.
- Set the access level to Restricted.
- Add users by searching by name or by email.
- Choose Save changes or Create environment.
From a model or chain
- Sign in to your workspace at app.baseten.co and choose Dedicated Inference in the sidebar, then select your model or chain.
- Select an existing environment to modify, or choose Add environment then Create environment to create a new one.
- Set the access level to Restricted.
- Add users by searching by name or by email.
- Choose Save changes or Create environment.
Only admins can create restricted environments, and all admins have implicit
access to every restricted environment. If an admin is later demoted to a member
role, they lose this implicit access and can be removed from the environment
like any other member.
With the management API
You can read and update restriction settings programmatically through the environment groups endpoints. Each environment group carries amanage_access object with its restriction state and the users granted access.
Regional environments
When you create a restricted environment, you can further work with Baseten to add regional restrictions that guarantee inference traffic stays within a designated geographic region. Contact support to configure regional restrictions for your environments. See Regional environments for more details.API behavior
Restricted environments apply the same permission checks to API and truss CLI operations as the UI. API keys inherit the permissions of their associated user. Attempting to modify a restricted environment with an API key associated with a user without access returns a403 Forbidden error.
This includes operations like:
- Promoting deployments through the promote endpoint.
- Updating autoscaling settings through the autoscaling endpoint.
- Modifying environment configurations through the update environment endpoint.