diff --git a/models/artifacts/download-and-use-an-artifact.mdx b/models/artifacts/download-and-use-an-artifact.mdx index 959986502a..3fd894f079 100644 --- a/models/artifacts/download-and-use-an-artifact.mdx +++ b/models/artifacts/download-and-use-an-artifact.mdx @@ -6,7 +6,7 @@ title: Download and use artifacts Download and use an artifact that is already stored on the W&B server or construct an artifact object and pass it in to for de-duplication as necessary. -Team members with view-only seats cannot download artifacts. +Team members with a Models **Viewer** seat cannot download artifacts. diff --git a/models/registry/aliases.mdx b/models/registry/aliases.mdx index a9e9b7a1c2..c8569f400e 100644 --- a/models/registry/aliases.mdx +++ b/models/registry/aliases.mdx @@ -33,7 +33,7 @@ Create one or more custom aliases for a specific artifact versions based on your - You might use aliases such as `dataset_version_v0`, `dataset_version_v1`, and `dataset_version_v2` to identify which dataset a model was trained on. - You might use a `best_model` alias to keep track of the best performing artifact model version. -Any user with a [**Member** or **Admin** registry role](/models/registry/configure_registry/#registry-roles) on a registry can add or remove a custom alias from a linked artifact in that registry. Users with the [**Restricted Viewer** or **Viewer** roles](/models/registry/configure_registry/#registry-roles) cannot add or remove aliases. +Any user with a [**Member** or **Admin** registry role](/models/registry/configure_registry/#registry-roles) on a registry can add or remove a custom alias from a linked artifact in that registry. Users with the [**Restricted viewer** or **Viewer** roles](/models/registry/configure_registry/#registry-roles) cannot add or remove aliases. [Protected aliases](/models/registry/aliases/#protected-aliases) provide a way to label and identify which artifact versions to protect from modification or deletion. 
@@ -88,7 +88,7 @@ with wandb.init(entity = "", project = "") as run: ### Protected aliases Use a [protected alias](/models/registry/aliases/#protected-aliases) to both label and identify artifact versions that should not be modified or deleted. For example, consider using a `production` protected alias to label and identify artifact versions that are in used in your organization's machine learning production pipeline. -[Registry admin](/models/registry/configure_registry/#registry-roles) users and [service accounts](/support/models/articles/what-is-a-service-account-and-why-is-it-) with the **Admin** role can create protected aliases and add or remove protected aliases from an artifact version. Users and service accounts with **Member**, **Viewer**, and **Restricted Viewer** roles cannot unlink a protected version or delete a collection that contains a protected alias. See [Configure registry access](/models/registry/configure_registry/) for details. +[Registry admin](/models/registry/configure_registry/#registry-roles) users and [service accounts](/support/models/articles/what-is-a-service-account-and-why-is-it-) with the **Admin** role can create protected aliases and add or remove protected aliases from an artifact version. Users and service accounts with **Member**, **Viewer**, and **Restricted viewer** roles cannot unlink a protected version or delete a collection that contains a protected alias. See [Configure registry access](/models/registry/configure_registry/) for details. Common protected aliases include: diff --git a/models/registry/configure_registry.mdx b/models/registry/configure_registry.mdx index c50686ff3c..fc3c2ac61e 100644 --- a/models/registry/configure_registry.mdx +++ b/models/registry/configure_registry.mdx 
@@ -39,7 +39,7 @@ Removing a user from a team also removes that user's access to the registry. ### Change the owner of a registry -A registry admin can designate any member as a registry's owner, including a **Restricted Viewer** or a **Viewer**. Registry ownership is primarily for accountability purposes and does not confer any additional permissions beyond those granted by the user's assigned role. +A registry admin can designate any member as a registry's owner, including a **Restricted viewer** or a **Viewer**. Registry ownership is primarily for accountability purposes and does not confer any additional permissions beyond those granted by the user's assigned role. To change the owner: 1. Navigate to the W&B Registry at https://wandb.ai/registry/. @@ -75,12 +75,12 @@ W&B automatically assigns a default **registry role** to a user or team when the | Entity | Default registry role
(Dedicated Cloud / Self-Managed) | Default registry role
(Multi-tenant Cloud) | |----------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------------| -| Team | Restricted Viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted Viewer | -| User or service account (non admin) | Restricted Viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted Viewer | +| Team | Restricted viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted viewer | +| User or service account (non admin) | Restricted viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted viewer | | Service account (non admin) | Member1 | Member1 | | Org admin | Admin | Admin | -1: Service accounts cannot have **Viewer** or **Restricted Viewer** roles. +1: Service accounts cannot have **Viewer** or **Restricted viewer** roles. A registry admin can assign or modify roles for users and teams in the registry. See [Configure user roles in a registry](/models/registry/configure_registry/#configure-registry-roles) for more information. @@ -88,7 +88,7 @@ See [Configure user roles in a registry](/models/registry/configure_registry/#co ### Role permissions The following table lists each Registry role, along with the permissions provided by each role: -| Permission | Permission Group | Restricted Viewer
(Multi-tenant Cloud, by invitation) | Viewer | Member | Admin | +| Permission | Permission Group | Restricted viewer
(Multi-tenant Cloud, by invitation) | Viewer | Member | Admin | |-----------------------------------------------------------------------------------------------------------------------|------------------|------------------------------------------------------------|:------:|:------:|:-----:| | View a collection's details | Read | ✓ | ✓ | ✓ | ✓ | | View a linked artifact's details | Read | ✓ | ✓ | ✓ | ✓ | @@ -131,12 +131,12 @@ A user's effective role in a particular registry matches their _highest_ role am - A registry **Viewer** with the **Member** role in the team is effectively a **Member** of the registry. - A team **Viewer** with the **Member** role in a particular registry is effectively a **Member** of the registry. -### Restricted Viewer role details -The **Restricted Viewer** role is Generally Available (GA). For Dedicated Cloud and Self-Managed, Server v0.75.0 or newer is required. +### Restricted viewer role details +The **Restricted viewer** role is Generally Available (GA). For Dedicated Cloud and Self-Managed, Server v0.75.0 or newer is required. This role provides read-only access to registry artifacts without the ability to create, update, or delete collections, automations, or other registry resources. -Unlike a **Viewer**, a **Restricted Viewer**: +Unlike a **Viewer**, a **Restricted viewer**: - Cannot download artifact files or access file contents. - Cannot use artifacts with `wandb.Run.use_artifact()` in the W&B SDK. @@ -146,11 +146,11 @@ Unlike a **Viewer**, a **Restricted Viewer**: **SDK version requirement** -To use the W&B SDK to access artifacts as a **Restricted Viewer**, you must use W&B SDK version 0.19.9 or higher. Otherwise, some SDK commands will result in permission errors. +To use the W&B SDK to access artifacts as a **Restricted viewer**, you must use W&B SDK version 0.19.9 or higher. Otherwise, some SDK commands will result in permission errors.
-When a **Restricted Viewer** uses the SDK, certain functions are not available or work differently. +When a **Restricted viewer** uses the SDK, certain functions are not available or work differently. The following methods are not available and result in permission errors: - [`Run.use_artifact()`](/models/ref/python/experiments/run/#method-runuse_artifact) @@ -166,9 +166,9 @@ The following methods are limited to artifact metadata: ### Cross-registry permissions -A user can have different roles in different registries. For example, a user can be a **Restricted Viewer** in Registry A but a **Viewer** in Registry B. In this case: +A user can have different roles in different registries. For example, a user can be a **Restricted viewer** in Registry A but a **Viewer** in Registry B. In this case: - The same artifact linked to both registries will have different access levels -- In Registry A, the user is a **Restricted Viewer** and cannot download files or use the artifact +- In Registry A, the user is a **Restricted viewer** and cannot download files or use the artifact - In Registry B, the user is a **Viewer** and can download files and use the artifact - In other words, access is determined by the registry in which the artifact is accessed diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index 63781ab67a..0f2481e3ae 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx 
@@ -51,8 +51,8 @@ The following table summarizes how seats work for Models and Weave: | Product | Seats | Cost based on | | ----- | ----- | ----- | -| Models | Pay per set | How many Models paid seats you have and how much usage you've accrued determines your overall subscription cost. You can assign each user one of three available seat types: Full, Viewer, or No-Access. | -| Weave | Free | Usage based | +| Models | Pay per set | How many Models paid seats you have, and how much usage you’ve accrued determines your overall subscription cost. Each user can be assigned one of the three available seat types: Full, Viewer, and No access | +| Weave | Free | Usage based | ### Invite a user @@ -64,8 +64,8 @@ Admins can invite users to their organization, as well as to specific teams with 2. In the upper right corner of the page, select the **User menu** dropdown. Within the **Account** section of the dropdown, select **Users**. 3. Select **Invite new user**. 4. In the modal that appears, provide the email or username of the user in the **Email or username** field. -5. Optional: Add the user to a team from the **Choose teams** dropdown menu. -6. From the **Select role** dropdown, select the role to assign to the user. You can change the user's role later. See the table listed in [Assign a role](#assign-or-update-a-team-members-role) for more information about possible roles. +5. (Recommended) Add the user to a team from the **Choose teams** dropdown menu. +6. From the **Select role** dropdown, select the organization role to assign to the user. You can change the user's role at a later time. See the table in [Assign or update a user's role](#assign-or-update-a-users-role) for possible roles. 7. Click the **Send invite** button. After you select the **Send invite** button, W&B sends an invite link to the user's email using a third-party email server. A user can access your organization once they accept the invite. 
@@ -74,8 +74,8 @@ After you select the **Send invite** button, W&B sends an invite link to the use 1. Navigate to `https://.io/console/settings/`. Replace `` with your organization name. 2. Select the **Add user** button. 3. Within the modal that appears, provide the email of the new user in the **Email** field. -4. Select a role to assign to the user from the **Role** dropdown. You can change the user's role later. See the table listed in [Assign a role](#assign-or-update-a-team-members-role) for more information about possible roles. -5. To have W&B send an invite link to the user's email using a third-party email server, check the **Send invite email to user** box. +4. Select a role to assign to the user from the **Role** dropdown. You can change the user's role at a later time. See the table in [Assign or update a user's role](#assign-or-update-a-users-role) for possible roles. +5. Check the **Send invite email to user** box if you want W&B to send an invite link using a third-party email server to the user's email. 6. Select the **Add new user** button. 
@@ -182,35 +182,33 @@ A user within an organization can have one of the following roles: | Role | Descriptions | | ----- | ----- | -| Admin | An instance admin who can add or remove other users to the organization, change user roles, manage custom roles, add teams, and more. W&B recommends having more than one admin in case your admin is unavailable. | -| Member | A regular user of the organization, invited by an instance admin. An organization member can't invite other users or manage existing users in the organization. | +| Admin | An organization admin who can add users to the organization or remove them, change user roles, manage custom roles, add teams and more. W&B recommends ensuring there is more than one admin in the event that your admin is unavailable. | +| Member | A regular user of the organization, invited by an instance admin. An organization member cannot invite other users or manage existing users in the organization. | | Viewer (Enterprise-only feature) | A view-only user of your organization, invited by an instance admin. A viewer only has read access to the organization and the underlying teams that they are a member of. | -| Custom Roles (Enterprise-only feature) | Custom roles let organization admins compose new roles by inheriting from the preceding View-Only or Member roles and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. For more information, see [Add and manage custom roles](#add-and-manage-custom-roles). | +| Custom Roles (Enterprise-only feature) | Custom roles allow organization admins to compose new roles by inheriting from the preceding **Viewer** or **Member** organization roles, and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. See also [Add and manage custom roles](#add-and-manage-custom-roles). 
| To change a user's role: 1. Navigate to https://wandb.ai/home. 2. In the upper right corner of the page, select the **User menu** dropdown. From the dropdown, choose **Users**. -3. Provide the name or email of the user in the search bar. -4. Select a role from the **TEAM ROLE** dropdown next to the name of the user. +3. Find the user in the list. You can filter by name or email in the search bar. +4. Select a role from the **ORG ROLE** dropdown next to the name of the user. ### Assign or update a user's access -While the organization role controls administrative actions, the seat type controls what a user can do within Models and Weave. Use this procedure when you need to change a user's product-level permissions independent of their organization role. - -A user within an organization has one of the following Model seat or Weave access types: full, viewer, or no access. +A user within an organization has a **Models seat** and **Weave access** level. Each is one of **Full**, **Viewer**, or **No access**. These are separate from the organization **Viewer** role, which controls organization-wide permissions. -| Seat type | Description | +| Seat or access level | Description | | ----- | ----- | -| Full | Users with this role type have full permissions to write, read, and export data for Models or Weave. | -| Viewer | A view-only user of your organization. A viewer only has read access to the organization and the underlying teams that they are a part of, and view-only access to Models or Weave. | -| No access | Users with this role have no access to the Models or Weave products. | +| Full | Full access to read, write, and export in Models or Weave for that user. | +| Viewer | Read-only access to Models or Weave for that user. | +| No access | No access to Models or Weave for that user. | -Model seat type and Weave access type are defined at the organization level and inherited by the team. 
To change a user's seat type, navigate to the organization settings and follow these steps: +Models seat and Weave access are defined at the organization level and inherited by the team. To change them, navigate to the organization user list and use the following steps: 1. For Multi-tenant Cloud users, navigate to your organization's settings at `https://wandb.ai/account-settings//settings`. Replace the values enclosed in angle brackets (`<>`) with your organization name. For Dedicated Cloud and Self-Managed deployments, navigate to `https://.wandb.io/org/dashboard`. 2. Select the **Users** tab. -3. From the **Role** dropdown, select the seat type you want to assign to the user. +3. From the **MODELS SEAT** and **WEAVE ACCESS** dropdowns for that user, select the levels you want to assign. The organization role and subscription type determine which seat types are available within your organization. @@ -271,7 +269,7 @@ Invite users to a team in your organization. Use the team's dashboard to invite 3. Select the **Users** tab. 4. Click **Invite a new user**. -5. Within the modal that appears, provide the email of the user in the **Email or username** field and select the role to assign to that user from the **Select a team** role dropdown. For more information about roles a user can have in a team, see [Assign or update a team member's role](#assign-or-update-a-team-members-role). +5. Within the modal that appears, provide the email of the user in the **Email or username** field and select the role to assign to that user from the **Select team role** dropdown. For more information about roles a user can have in a team, see [Team roles](#assign-or-update-a-team-members-role). 6. Click the **Send invite** button. By default, only a team or instance admin can invite members to a team. To change this behavior, see [Team settings](/platform/app/settings-page/teams#privacy). 
@@ -327,7 +325,7 @@ Custom roles let you tailor permissions beyond the built-in roles when the stand An Enterprise license is required to create or assign custom roles on Dedicated Cloud or Self-Managed deployments. -Organization admins can compose a new role based on either the View-Only or Member role and add additional permissions to achieve fine-grained access control. Team admins can assign a custom role to a team member. You create custom roles at the organization level but assign them at the team level. +Organization admins can compose a new role based on either the **Viewer** or **Member** predefined role and add additional permissions to achieve fine-grained access control. Team admins can assign a custom role to a team member. Custom roles are created at the organization level but are assigned at the team level. To create a custom role:
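Review bot: in models/artifacts/download-and-use-an-artifact.mdx (hunk `@@ -6,7 +6,7`), the new sentence "Team members with a Models **Viewer** seat cannot download artifacts." does not say how the seat restriction relates to registry roles. The Cross-registry permissions text in configure_registry.mdx says a registry **Viewer** "can download files and use the artifact", so a reader can take the two pages as contradictory. Suggest stating in this sentence that the limit comes from the Models seat, not the registry role, and linking to the seat table in manage-organization.mdx.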
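Review bot: in models/registry/configure_registry.mdx (hunk `@@ -75,12 +75,12`), the row label "User or service account (non admin)" now carries a default of "Restricted viewer", while the next row gives "Service account (non admin)" a default of Member and the footnote edited in this same hunk says "Service accounts cannot have **Viewer** or **Restricted viewer** roles." Since the row is being touched anyway, suggest changing its label to "User (non admin)" so the default-role table does not imply that a service account can start with a role the footnote rules out.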
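Review bot: in platform/hosting/iam/access-management/manage-organization.mdx (hunk `@@ -51,8 +51,8`), the replacement Models row reads worse than the line it removes: a comma now splits the compound subject ("you have, and how much usage"), the apostrophe in "you’ve" is a curly quote where the rest of the file uses straight ones, the cell ends without a period, and the active "You can assign each user" became the passive "Each user can be assigned". Suggest keeping the original sentence and changing only "No-Access" to "No access". The unchanged "Pay per set" in the same row looks like a typo for "Pay per seat" and could be fixed here too.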
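Review bot: in manage-organization.mdx (hunk `@@ -64,8 +64,8`), step 5 changes "Optional:" to "(Recommended)" with no reason given; if an invited user with no team ends up with different access than intended, say so in the step, otherwise keep "Optional:". Step 6 here and step 4 in the `@@ -74,8 +74,8` hunk now link to `#assign-or-update-a-users-role`, but no heading with that slug is visible in this diff (the headings shown are "Assign or update a user's access" and the team-member anchor), so please confirm the target exists before merging. "at a later time" can stay as "later".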
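Review bot: in manage-organization.mdx (hunk `@@ -182,35 +182,33`), the Admin row now says "An organization admin" but the Member and Viewer rows in the same table still say "invited by an instance admin", so the table names two different admin types for what reads as one role. Suggest using one term throughout, or defining both if they differ. The hunk also drops the sentence "While the organization role controls administrative actions, the seat type controls what a user can do within Models and Weave."; the replacement only contrasts seats with the organization **Viewer** role, so consider keeping a general statement that organization role and seat level are independent controls.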
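Review bot: in manage-organization.mdx (hunk `@@ -327,7 +325,7`), the base roles are called "the **Viewer** or **Member** predefined role" here but "the preceding **Viewer** or **Member** organization roles" in the Custom Roles table row of the `@@ -182,35 +182,33` hunk; pick one name so readers do not assume two different role sets. The last sentence also moves from active to passive ("Custom roles are created ... but are assigned"), which drops who performs each step; the removed wording "You create custom roles at the organization level but assign them at the team level." was clearer.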