> ## Documentation Index > Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt > Use this file to discover all available pages before exploring further. # Restrict AI provider access using project permissions export const plans_0 = "Any" export const deployments_0 = "Any" export const data_plane_version_0 = undefined export const use_case_0 = undefined **Applies to:** * Plan - {plans_0} * Deployment - {deployments_0} * {data_plane_version_0} * {use_case_0} Summary Prevent non-admin users from adding AI provider credentials at the project level by removing the `Update` permission from their project access. This ensures all LLM traffic routes through organization-configured providers (like Bedrock) while blocking users from adding their own provider keys that could bypass security controls. ## Configuration Steps ### Step 1: Configure organization-level AI providers Set up your approved AI provider credentials (for example, Bedrock) at the organization level on the [AI providers](/admin/ai-providers#add-an-organization-level-provider) settings page. These credentials are available to all projects and users. ### Step 2: Remove Update permission from non-admin users In project settings, ensure non-admin users or permission groups do not have the `Update` permission. Users without `Update` cannot add or modify AI provider credentials at the project level. The **Project AI providers** section on the AI providers page is hidden for these users. ### Step 3: Create restricted permission groups Create custom permission groups with `Read`, `Create`, and `Delete` permissions while excluding `Update`. Assign non-admin users to these groups to allow normal project work without AI provider modification capabilities. ## Key Behaviors * The `Update` permission controls the ability to modify project resources, including adding AI providers. * Organization-level AI provider credentials remain accessible to all users regardless of project permissions. * Project-level AI provider additions are disabled for users without `Update` permission. * Organization admins can always manage org-level credentials on the [AI providers](/admin/ai-providers) settings page.