From 8a5e7595642013beb992d59ec11741e15745d9c1 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Fri, 1 May 2026 14:19:25 -0700 Subject: [PATCH 1/2] Consistency pass for W&B seats and roles Fixes DOCS-2515 --- .../download-and-use-an-artifact.mdx | 2 +- models/registry/aliases.mdx | 4 +-- models/registry/configure_registry.mdx | 24 +++++++------- .../access-management/manage-organization.mdx | 32 +++++++++---------- release-notes/server-releases.mdx | 6 ++-- 5 files changed, 34 insertions(+), 34 deletions(-) diff --git a/models/artifacts/download-and-use-an-artifact.mdx b/models/artifacts/download-and-use-an-artifact.mdx index 959986502a..3fd894f079 100644 --- a/models/artifacts/download-and-use-an-artifact.mdx +++ b/models/artifacts/download-and-use-an-artifact.mdx @@ -6,7 +6,7 @@ title: Download and use artifacts Download and use an artifact that is already stored on the W&B server or construct an artifact object and pass it in to for de-duplication as necessary. -Team members with view-only seats cannot download artifacts. +Team members with a Models **Viewer** seat cannot download artifacts. diff --git a/models/registry/aliases.mdx b/models/registry/aliases.mdx index a9e9b7a1c2..c8569f400e 100644 --- a/models/registry/aliases.mdx +++ b/models/registry/aliases.mdx @@ -33,7 +33,7 @@ Create one or more custom aliases for a specific artifact versions based on your - You might use aliases such as `dataset_version_v0`, `dataset_version_v1`, and `dataset_version_v2` to identify which dataset a model was trained on. - You might use a `best_model` alias to keep track of the best performing artifact model version. -Any user with a [**Member** or **Admin** registry role](/models/registry/configure_registry/#registry-roles) on a registry can add or remove a custom alias from a linked artifact in that registry. Users with the [**Restricted Viewer** or **Viewer** roles](/models/registry/configure_registry/#registry-roles) cannot add or remove aliases. +Any user with a [**Member** or **Admin** registry role](/models/registry/configure_registry/#registry-roles) on a registry can add or remove a custom alias from a linked artifact in that registry. Users with the [**Restricted viewer** or **Viewer** roles](/models/registry/configure_registry/#registry-roles) cannot add or remove aliases. [Protected aliases](/models/registry/aliases/#protected-aliases) provide a way to label and identify which artifact versions to protect from modification or deletion. @@ -88,7 +88,7 @@ with wandb.init(entity = "", project = "") as run: ### Protected aliases Use a [protected alias](/models/registry/aliases/#protected-aliases) to both label and identify artifact versions that should not be modified or deleted. For example, consider using a `production` protected alias to label and identify artifact versions that are in used in your organization's machine learning production pipeline. -[Registry admin](/models/registry/configure_registry/#registry-roles) users and [service accounts](/support/models/articles/what-is-a-service-account-and-why-is-it-) with the **Admin** role can create protected aliases and add or remove protected aliases from an artifact version. Users and service accounts with **Member**, **Viewer**, and **Restricted Viewer** roles cannot unlink a protected version or delete a collection that contains a protected alias. See [Configure registry access](/models/registry/configure_registry/) for details. +[Registry admin](/models/registry/configure_registry/#registry-roles) users and [service accounts](/support/models/articles/what-is-a-service-account-and-why-is-it-) with the **Admin** role can create protected aliases and add or remove protected aliases from an artifact version. Users and service accounts with **Member**, **Viewer**, and **Restricted viewer** roles cannot unlink a protected version or delete a collection that contains a protected alias. See [Configure registry access](/models/registry/configure_registry/) for details. Common protected aliases include: diff --git a/models/registry/configure_registry.mdx b/models/registry/configure_registry.mdx index c50686ff3c..fc3c2ac61e 100644 --- a/models/registry/configure_registry.mdx +++ b/models/registry/configure_registry.mdx @@ -39,7 +39,7 @@ Removing a user from a team also removes that user's access to the registry. ### Change the owner of a registry -A registry admin can designate any member as a registry's owner, including a **Restricted Viewer** or a **Viewer**. Registry ownership is primarily for accountability purposes and does not confer any additional permissions beyond those granted by the user's assigned role. +A registry admin can designate any member as a registry's owner, including a **Restricted viewer** or a **Viewer**. Registry ownership is primarily for accountability purposes and does not confer any additional permissions beyond those granted by the user's assigned role. To change the owner: 1. Navigate to the W&B Registry at https://wandb.ai/registry/. @@ -75,12 +75,12 @@ W&B automatically assigns a default **registry role** to a user or team when the | Entity | Default registry role
(Dedicated Cloud / Self-Managed) | Default registry role
(Multi-tenant Cloud) | |----------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------------| -| Team | Restricted Viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted Viewer | -| User or service account (non admin) | Restricted Viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted Viewer | +| Team | Restricted viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted viewer | +| User or service account (non admin) | Restricted viewer (Server v0.75.0+)
Viewer (Server v0.74.x and below) | Restricted viewer | | Service account (non admin) | Member1 | Member1 | | Org admin | Admin | Admin | -1: Service accounts cannot have **Viewer** or **Restricted Viewer** roles. +1: Service accounts cannot have **Viewer** or **Restricted viewer** roles. A registry admin can assign or modify roles for users and teams in the registry. See [Configure user roles in a registry](/models/registry/configure_registry/#configure-registry-roles) for more information. @@ -88,7 +88,7 @@ See [Configure user roles in a registry](/models/registry/configure_registry/#co ### Role permissions The following table lists each Registry role, along with the permissions provided by each role: -| Permission | Permission Group | Restricted Viewer
(Multi-tenant Cloud, by invitation) | Viewer | Member | Admin | +| Permission | Permission Group | Restricted viewer
(Multi-tenant Cloud, by invitation) | Viewer | Member | Admin | |-----------------------------------------------------------------------------------------------------------------------|------------------|------------------------------------------------------------|:------:|:------:|:-----:| | View a collection's details | Read | ✓ | ✓ | ✓ | ✓ | | View a linked artifact's details | Read | ✓ | ✓ | ✓ | ✓ | @@ -131,12 +131,12 @@ A user's effective role in a particular registry matches their _highest_ role am - A registry **Viewer** with the **Member** role in the team is effectively a **Member** of the registry. - A team **Viewer** with the **Member** role in a particular registry is effectively a **Member** of the registry. -### Restricted Viewer role details -The **Restricted Viewer** role is Generally Available (GA). For Dedicated Cloud and Self-Managed, Server v0.75.0 or newer is required. +### Restricted viewer role details +The **Restricted viewer** role is Generally Available (GA). For Dedicated Cloud and Self-Managed, Server v0.75.0 or newer is required. This role provides read-only access to registry artifacts without the ability to create, update, or delete collections, automations, or other registry resources. -Unlike a **Viewer**, a **Restricted Viewer**: +Unlike a **Viewer**, a **Restricted viewer**: - Cannot download artifact files or access file contents. - Cannot use artifacts with `wandb.Run.use_artifact()` in the W&B SDK. @@ -146,11 +146,11 @@ Unlike a **Viewer**, a **Restricted Viewer**: **SDK version requirement** -To use the W&B SDK to access artifacts as a **Restricted Viewer**, you must use W&B SDK version 0.19.9 or higher. Otherwise, some SDK commands will result in permission errors. +To use the W&B SDK to access artifacts as a **Restricted viewer**, you must use W&B SDK version 0.19.9 or higher. Otherwise, some SDK commands will result in permission errors. -When a **Restricted Viewer** uses the SDK, certain functions are not available or work differently. +When a **Restricted viewer** uses the SDK, certain functions are not available or work differently. The following methods are not available and result in permission errors: - [`Run.use_artifact()`](/models/ref/python/experiments/run/#method-runuse_artifact) @@ -166,9 +166,9 @@ The following methods are limited to artifact metadata: ### Cross-registry permissions -A user can have different roles in different registries. For example, a user can be a **Restricted Viewer** in Registry A but a **Viewer** in Registry B. In this case: +A user can have different roles in different registries. For example, a user can be a **Restricted viewer** in Registry A but a **Viewer** in Registry B. In this case: - The same artifact linked to both registries will have different access levels -- In Registry A, the user is a **Restricted Viewer** and cannot download files or use the artifact +- In Registry A, the user is a **Restricted viewer** and cannot download files or use the artifact - In Registry B, the user is a **Viewer** and can download files and use the artifact - In other words, access is determined by the registry in which the artifact is accessed diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index ccd577a695..d306ba8640 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -44,7 +44,7 @@ The following table summarizes how seats work for Models and Weave: | Product |Seats | Cost based on | | ----- | ----- | ----- | -| Models | Pay per set | How many Models paid seats you have, and how much usage you’ve accrued determines your overall subscription cost. Each user can be assigned one of the three available seat types: Full, Viewer, and No-Access | +| Models | Pay per set | How many Models paid seats you have, and how much usage you’ve accrued determines your overall subscription cost. Each user can be assigned one of the three available seat types: Full, Viewer, and No access | | Weave | Free | Usage based | ### Invite a user @@ -58,7 +58,7 @@ admins can invite users to their organization, as well as specific teams within 3. Select **Invite new user**. 4. In the modal that appears, provide the email or username of the user in the **Email or username** field. 5. (Recommended) Add the user to a team from the **Choose teams** dropdown menu. -6. From the **Select role** dropdown, select the role to assign to the user. You can change the user's role at a later time. See the table listed in [Assign a role](#assign-or-update-a-team-members-role) for more information about possible roles. +6. From the **Select role** dropdown, select the organization role to assign to the user. You can change the user's role at a later time. See the table in [Assign or update a user's role](#assign-or-update-a-users-role) for possible roles. 7. Click the **Send invite** button. W&B sends an invite link using a third-party email server to the user's email after you select the **Send invite** button. A user can access your organization once they accept the invite. @@ -67,7 +67,7 @@ W&B sends an invite link using a third-party email server to the user's email af 1. Navigate to `https://.io/console/settings/`. Replace `` with your organization name. 2. Select the **Add user** button 3. Within the modal that appears, provide the email of the new user in the **Email** field. -4. Select a role to assign to the user from the **Role** dropdown. You can change the user's role at a later time. See the table listed in [Assign a role](#assign-or-update-a-team-members-role) for more information about possible roles. +4. Select a role to assign to the user from the **Role** dropdown. You can change the user's role at a later time. See the table in [Assign or update a user's role](#assign-or-update-a-users-role) for possible roles. 5. Check the **Send invite email to user** box if you want W&B to send an invite link using a third-party email server to the user's email. 6. Select the **Add new user** button. @@ -170,33 +170,33 @@ A user within an organization can have one of the following roles: | Role | Descriptions | | ----- | ----- | -| admin| A instance admin who can add or remove other users to the organization, change user roles, manage custom roles, add teams and more. W&B recommends ensuring there is more than one admin in the event that your admin is unavailable. | -| Member | A regular user of the organization, invited by an instance admin. A organization member cannot invite other users or manage existing users in the organization. | +| Admin | An organization admin who can add users to the organization or remove them, change user roles, manage custom roles, add teams and more. W&B recommends ensuring there is more than one admin in the event that your admin is unavailable. | +| Member | A regular user of the organization, invited by an instance admin. An organization member cannot invite other users or manage existing users in the organization. | | Viewer (Enterprise-only feature) | A view-only user of your organization, invited by an instance admin. A viewer only has read access to the organization and the underlying teams that they are a member of. | -|Custom Roles (Enterprise-only feature) | Custom roles allow organization admins to compose new roles by inheriting from the preceding View-Only or Member roles, and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. See also [Add and manage custom roles](#add-and-manage-custom-roles)| +| Custom Roles (Enterprise-only feature) | Custom roles allow organization admins to compose new roles by inheriting from the preceding **Viewer** or **Member** organization roles, and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. See also [Add and manage custom roles](#add-and-manage-custom-roles). | To change a user's role: 1. Navigate to https://wandb.ai/home. 2. In the upper right corner of the page, select the **User menu** dropdown. From the dropdown, choose **Users**. 4. Provide the name or email of the user in the search bar. -4. Select a role from the **TEAM ROLE** dropdown next to the name of the user. +4. Select a role from the **ORG ROLE** dropdown next to the name of the user. ### Assign or update a user's access -A user within an organization has one of the following model seat or weave access types: full, viewer, or no access. +A user within an organization has a **Models seat** and **Weave access** level. Each is one of **Full**, **Viewer**, or **No access**. These are separate from the organization **Viewer** role, which controls organization-wide permissions. -| Seat type | Description | +| Seat or access level | Description | | ----- | ----- | -| Full | Users with this role type have full permissions to write, read, and export data for Models or Weave. | -| Viewer | A view-only user of your organization. A viewer only has read access to the organization and the underlying teams that they are a part of, and view only access to Models or Weave. | -| No access | Users with this role have no access to the Models or Weave products. | +| Full | Full access to read, write, and export in Models or Weave for that user. | +| Viewer | Read-only access to Models or Weave for that user. | +| No access | No access to Models or Weave for that user. | -Model seat type and weave access type are defined at the organization level, and inherited by the team. If you want to change a user's seat type, navigate to the organization settings and follow the following steps: +Models seat and Weave access are defined at the organization level and inherited by the team. To change them, navigate to the organization user list and use the following steps: 1. For Multi-tenant Cloud users, navigate to your organization's settings at `https://wandb.ai/account-settings//settings`. Ensure to replace the values enclosed in angle brackets (`<>`) with your organization name. For Dedicated Cloud and Self-Managed deployments, navigate to `https://.wandb.io/org/dashboard`. 2. Select the **Users** tab. -3. From the **Role** dropdown, select the seat type you want to assign to the user. +3. From the **MODELS SEAT** and **WEAVE ACCESS** dropdowns for that user, select the levels you want to assign. The organization role and subscription type determines which seat types are available within your organization. @@ -252,7 +252,7 @@ Invite users to a team in your organization. Use the team's dashboard to invite 3. Select the **Users** tab. 4. Click **Invite a new user**. -5. Within the modal that appears, provide the email of the user in the **Email or username** field and select the role to assign to that user from the **Select a team** role dropdown. For more information about roles a user can have in a team, see [Team roles](#assign-or-update-a-team-members-role). +5. Within the modal that appears, provide the email of the user in the **Email or username** field and select the role to assign to that user from the **Select team role** dropdown. For more information about roles a user can have in a team, see [Team roles](#assign-or-update-a-team-members-role). 6. Click the **Send invite** button. By default, only a team or instance admin can invite members to a team. To change this behavior, refer to [Team settings](/platform/app/settings-page/teams#privacy). @@ -303,7 +303,7 @@ Remove a user from a team using the team's dashboard. W&B preserves runs created An Enterprise license is required to create or assign custom roles on Dedicated Cloud or Self-Managed deployments. -Organization admins can compose a new role based on either the View-Only or Member role and add additional permissions to achieve fine-grained access control. Team admins can assign a custom role to a team member. Custom roles are created at the organization level but are assigned at the team level. +Organization admins can compose a new role based on either the **Viewer** or **Member** predefined role and add additional permissions to achieve fine-grained access control. Team admins can assign a custom role to a team member. Custom roles are created at the organization level but are assigned at the team level. To create a custom role: diff --git a/release-notes/server-releases.mdx b/release-notes/server-releases.mdx index 54ab5a2aa1..0d2608bfa6 100644 --- a/release-notes/server-releases.mdx +++ b/release-notes/server-releases.mdx @@ -465,7 +465,7 @@ W&B v0.76 delivers a major boost to experiment insight and productivity, introdu - Fixed a bug where Parquet files for deleted runs were not completely garbage collected and the error `delete parquet history does not currently support partial deletes` was logged repeatedly. -W&B v0.75 enhances Registry with a new Restricted Viewer role, the ability to star registries, and programmatic Registry access control over SCIM. The new automation execution history view helps you to understand and debug your automations. Visualize config-driven effects with semantic coloring by config properties such as hyperparameters, view full-fidelity plots for system metrics, and more. +W&B v0.75 enhances Registry with a new Restricted viewer role, the ability to star registries, and programmatic Registry access control over SCIM. The new automation execution history view helps you to understand and debug your automations. Visualize config-driven effects with semantic coloring by config properties such as hyperparameters, view full-fidelity plots for system metrics, and more. ## Support and end of life - W&B Server v0.61 has reached end of life. @@ -485,8 +485,8 @@ Part of this change is included in Server v0.75: the left sidebar now indicates ## Features - **Registry access control updates:** - **Programmatic registry access control:** [Registry roles](/models/registry/configure_registry#details-about-registry-roles) are now included in the SCIM schema. While [creating](/platform/hosting/iam/scim#create-user) or updating a user, you can configure their Registry roles, and Registry roles are returned when you [retrieve a user](/platform/hosting/iam/scim#get-user). - - **Restrict Registry access:** Where you don't want to grant full Registry access, you can now grant a new Registry role, [Restricted Viewer](/models/registry/configure_registry). This role provides read-only access to registry artifacts without the ability to create, update, or delete collections, automations, or other registry resources. This is useful for sensitive or regulated registry content. - - [**Expanded Registry access:**](https://wandb.ai/wandb_fc/product-announcements-fc/reports/Registry-for-W-B-Models-viewers-Faster-discovery-cleaner-handoffs--VmlldzoxNDc4MzM5Mg) Now, any user with the Models **Viewer** role is also a full Registry **Member**, so they can browse, compare, and use models and artifacts by default. A Models **Viewer** can be assigned a different Registry role, like **Restricted Viewer**, **Viewer**, or **Admin**. This unlocks full Registry value for everyone in your organization. + - **Restrict Registry access:** Where you don't want to grant full Registry access, you can now grant a new Registry role, [Restricted viewer](/models/registry/configure_registry). This role provides read-only access to registry artifacts without the ability to create, update, or delete collections, automations, or other registry resources. This is useful for sensitive or regulated registry content. + - [**Expanded Registry access:**](https://wandb.ai/wandb_fc/product-announcements-fc/reports/Registry-for-W-B-Models-viewers-Faster-discovery-cleaner-handoffs--VmlldzoxNDc4MzM5Mg) Now, any user with the Models **Viewer** role is also a full Registry **Member**, so they can browse, compare, and use models and artifacts by default. A Models **Viewer** can be assigned a different Registry role, like **Restricted viewer**, **Viewer**, or **Admin**. This unlocks full Registry value for everyone in your organization. - **Starred registries:** To help you navigate Registry as you scale, you can now star registries. From the Registry landing page, hover over a registry's card, then click the star outline. From an individual registry page, click the star outline at the top of the page. Starred registries appear at the top of the Registry landing page in alphabetical order. ![Starred registries](/images/release-notes/v0-75-0/starred-registries.png) From 7dfa88793d1dbf302e22f5bcaea1d746a5c1e0bd Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Fri, 1 May 2026 15:10:13 -0700 Subject: [PATCH 2/2] Revert release note changes to avoid pinging the RSS feed --- release-notes/server-releases.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/release-notes/server-releases.mdx b/release-notes/server-releases.mdx index 0d2608bfa6..54ab5a2aa1 100644 --- a/release-notes/server-releases.mdx +++ b/release-notes/server-releases.mdx @@ -465,7 +465,7 @@ W&B v0.76 delivers a major boost to experiment insight and productivity, introdu - Fixed a bug where Parquet files for deleted runs were not completely garbage collected and the error `delete parquet history does not currently support partial deletes` was logged repeatedly. -W&B v0.75 enhances Registry with a new Restricted viewer role, the ability to star registries, and programmatic Registry access control over SCIM. The new automation execution history view helps you to understand and debug your automations. Visualize config-driven effects with semantic coloring by config properties such as hyperparameters, view full-fidelity plots for system metrics, and more. +W&B v0.75 enhances Registry with a new Restricted Viewer role, the ability to star registries, and programmatic Registry access control over SCIM. The new automation execution history view helps you to understand and debug your automations. Visualize config-driven effects with semantic coloring by config properties such as hyperparameters, view full-fidelity plots for system metrics, and more. ## Support and end of life - W&B Server v0.61 has reached end of life. @@ -485,8 +485,8 @@ Part of this change is included in Server v0.75: the left sidebar now indicates ## Features - **Registry access control updates:** - **Programmatic registry access control:** [Registry roles](/models/registry/configure_registry#details-about-registry-roles) are now included in the SCIM schema. While [creating](/platform/hosting/iam/scim#create-user) or updating a user, you can configure their Registry roles, and Registry roles are returned when you [retrieve a user](/platform/hosting/iam/scim#get-user). - - **Restrict Registry access:** Where you don't want to grant full Registry access, you can now grant a new Registry role, [Restricted viewer](/models/registry/configure_registry). This role provides read-only access to registry artifacts without the ability to create, update, or delete collections, automations, or other registry resources. This is useful for sensitive or regulated registry content. - - [**Expanded Registry access:**](https://wandb.ai/wandb_fc/product-announcements-fc/reports/Registry-for-W-B-Models-viewers-Faster-discovery-cleaner-handoffs--VmlldzoxNDc4MzM5Mg) Now, any user with the Models **Viewer** role is also a full Registry **Member**, so they can browse, compare, and use models and artifacts by default. A Models **Viewer** can be assigned a different Registry role, like **Restricted viewer**, **Viewer**, or **Admin**. This unlocks full Registry value for everyone in your organization. + - **Restrict Registry access:** Where you don't want to grant full Registry access, you can now grant a new Registry role, [Restricted Viewer](/models/registry/configure_registry). This role provides read-only access to registry artifacts without the ability to create, update, or delete collections, automations, or other registry resources. This is useful for sensitive or regulated registry content. + - [**Expanded Registry access:**](https://wandb.ai/wandb_fc/product-announcements-fc/reports/Registry-for-W-B-Models-viewers-Faster-discovery-cleaner-handoffs--VmlldzoxNDc4MzM5Mg) Now, any user with the Models **Viewer** role is also a full Registry **Member**, so they can browse, compare, and use models and artifacts by default. A Models **Viewer** can be assigned a different Registry role, like **Restricted Viewer**, **Viewer**, or **Admin**. This unlocks full Registry value for everyone in your organization. - **Starred registries:** To help you navigate Registry as you scale, you can now star registries. From the Registry landing page, hover over a registry's card, then click the star outline. From an individual registry page, click the star outline at the top of the page. Starred registries appear at the top of the Registry landing page in alphabetical order. ![Starred registries](/images/release-notes/v0-75-0/starred-registries.png)