diff --git a/assets/images/registry/add_team_registry.gif b/assets/images/registry/add_team_registry.gif new file mode 100644 index 000000000..80891d5fc Binary files /dev/null and b/assets/images/registry/add_team_registry.gif differ diff --git a/assets/images/registry/role_conflict.png b/assets/images/registry/role_conflict.png new file mode 100644 index 000000000..b01b11d4b Binary files /dev/null and b/assets/images/registry/role_conflict.png differ diff --git a/content/guides/models/registry/configure_registry.md b/content/guides/models/registry/configure_registry.md index c6585c491..6733bf168 100644 --- a/content/guides/models/registry/configure_registry.md +++ b/content/guides/models/registry/configure_registry.md @@ -7,107 +7,121 @@ title: Configure registry access weight: 3 --- - +A registry admin can [configure registry roles]({{< relref "configure_registry.md#configure-registry-roles" >}}), [add users]({{< relref "configure_registry.md#add-a-user-or-a-team-to-a-registry" >}}), or [remove users]({{< relref "configure_registry.md#remove-a-user-or-team-from-a-registry" >}}) from a registry by configuring the registry's settings. -Registry admins can limit who can access a registry by navigating to a registry's settings and assigning a user's role to [Admin, Member, or Viewer]({{< relref "#registry-roles-permissions" >}}). Users can have different roles in different registries. For example, a user can have a view role in "Registry A" and a member role in the "Registry B". +## Manage users + +### Add a user or a team + +Registry admins can add individual users or entire teams to a registry. To add a user or team to a registry: + +1. Navigate to the Registry at https://wandb.ai/registry/. +2. Select the registry you want to add a user or team to. +3. Click on the gear icon on the upper right hand corner to access the registry settings. +4. In the **Registry access** section, click **Add access**. +5. Specify one or more user names, emails, or the team names to the **Include users and teams** field. +6. Click **Add access**. + +{{< img src="/images/registry/add_team_registry.gif" alt="Animation of using the UI to add teams and individual users to a registry" >}} + +Learn more about [configuring user roles in a registry]({{< relref "configure_registry.md#configure-registry-roles" >}}), or [Registry role permissions]({{< relref "configure_registry.md#registry-role-permissions" >}}) . + +### Remove a user or team +A registry admin can remove individual users or entire teams from a registry. To remove a user or team from a registry: + +1. Navigate to the Registry at https://wandb.ai/registry/. +2. Select the registry you want to remove a user from. +3. Click on the gear icon on the upper right hand corner to access the registry settings. +4. Navigate to the **Registry access** section and type in the username, email, or team you want to remove. +5. Click the **Delete** button. {{% alert %}} -Only registry admins can [restrict visibility]({{< relref "#restrict-visibility-to-a-registry" >}}), [configure user roles]({{< relref "#configure-user-roles-in-a-registry" >}}), or [remove users]({{< relref "#remove-a-user-from-a-registry" >}}) from registries in an organization. +Removing a user from a team also removes that user's access to the registry. {{% /alert %}} -## Registry roles permissions +## Registry roles -A user within an organization can have different roles, and therefore permissions, for each registry in their organization. +Each user in a registry has a *registry role*, which determines what they can do in that registry. -{{% alert title="W&B role types" %}} -W&B has three different types of roles: Organization roles, [team roles]({{< relref "/guides/models/app/settings-page/teams.md#team-roles-and-permissions" >}}), and [registry roles]({{< relref "#registry-roles-permissions" >}}). +W&B automatically assigns a default registry role to a user or team when they are added to a registry. -Your role in a team has no impact or relationship on your role in any registry. -{{% /alert %}} +| Entity | Default registry role | +| ----- | ----- | +| Team | Viewer | +| User (non admin) | Viewer | +| Org admin | Admin | -The proceeding table lists the different roles a user can have and their permissions: +A registry admin can assign or modify roles for users and teams in a registry. +See [Configure user roles in a registry]({{< relref "configure_registry.md#configure-registry-roles" >}}) for more information. -| Permission | Permission Group | Viewer | Member | Admin | Owner | -|--------------------------------------------------------------- |------------------|--------|--------|-------|-------| -| View a collection’s details | Read | X | X | X | X | -| View a linked artifact’s details | Read | X | X | X | X | -| Usage: Consume an artifact in a registry with use_artifact | Read | X | X | X | X | -| Download a linked artifact | Read | X | X | X | X | -| Download files from an artifact’s file viewer | Read | X | X | X | X | -| Search a registry | Read | X | X | X | X | -| View a registry’s settings and user list | Read | X | X | X | X | -| Create a new automation for a collection | Create | | X | X | X | -| Turn on Slack notifications for new version being added | Create | | X | X | X | -| Create a new collection | Create | | X | X | X | -| Create a new custom registry | Create | | X | X | X | -| Edit collection card (description) | Update | | X | X | X | -| Edit linked artifact description | Update | | X | X | X | -| Add or delete a collection’s tag | Update | | X | X | X | -| Add or delete an alias from a linked artifact | Update | | X | X | X | -| Link a new artifact | Update | | X | X | X | -| Edit allowed types list for a registry | Update | | X | X | X | -| Edit custom registry name | Update | | X | X | X | -| Delete a collection | Delete | | X | X | X | -| Delete an automation | Delete | | X | X | X | -| Unlink an artifact from a registry | Delete | | X | X | X | -| Edit accepted artifact types for a registry | Admin | | | X | X | -| Change registry visibility (Organization or Restricted) | Admin | | | X | X | -| Add users to a registry | Admin | | | X | X | -| Assign or change a user's role in a registry | Admin | | | X | X | - - - -## Configure user roles in a registry -1. Navigate to the **Registry** App in the W&B App UI. -2. Select the registry you want to configure. -3. Click on the gear icon on the upper right hand corner. -4. Scroll to the **Registry members and roles** section. -5. Within the **Member** field, search for the user you want to edit permissions for. -6. Click on the user's role within the **Registry role** column. -7. From the dropdown, select the role you want to assign to the user. +{{% alert title="W&B role types" %}} +There are two different types of roles in W&B: [Team roles]({{< ref "/guides/models/app/settings-page/teams.md#team-role-and-permissions" >}}) and [Registry roles]({{< relref "configure_registry.md#configure-registry-roles" >}}). -{{< img src="/images/registry/configure_role_registry.gif" alt="" >}} +Your role in a team has no impact or relationship to your role in any registry. +{{% /alert %}} -## Remove a user from a registry -1. Navigate to the **Registry** App in the W&B App UI. -2. Select a core or custom registry. -3. Click on the gear icon on the upper right hand corner. -4. Scroll to the **Registry members and roles** section and type in the username of the member you want to remove. -5. Click the **Delete** button. +The proceeding table lists the different roles a user can have and their permissions: + + +| Permission | Permission Group | Viewer | Member | Admin | +|--------------------------------------------------------------- |------------------|--------|--------|-------| +| View a collection’s details | Read | X | X | X | +| View a linked artifact’s details | Read | X | X | X | +| Usage: Consume an artifact in a registry with use_artifact | Read | X | X | X | +| Download a linked artifact | Read | X | X | X | +| Download files from an artifact’s file viewer | Read | X | X | X | +| Search a registry | Read | X | X | X | +| View a registry’s settings and user list | Read | X | X | X | +| Create a new automation for a collection | Create | | X | X | +| Turn on Slack notifications for new version being added | Create | | X | X | +| Create a new collection | Create | | X | X | +| Create a new custom registry | Create | | X | X | +| Edit collection card (description) | Update | | X | X | +| Edit linked artifact description | Update | | X | X | +| Add or delete a collection’s tag | Update | | X | X | +| Add or delete an alias from a linked artifact | Update | | X | X | +| Link a new artifact | Update | | X | X | +| Edit allowed types list for a registry | Update | | X | X | +| Edit custom registry name | Update | | X | X | +| Delete a collection | Delete | | X | X | +| Delete an automation | Delete | | X | X | +| Unlink an artifact from a registry | Delete | | X | X | +| Edit accepted artifact types for a registry | Admin | | | X | +| Change registry visibility (Organization or Restricted) | Admin | | | X | +| Add users to a registry | Admin | | | X | +| Assign or change a user's role in a registry | Admin | | | X | -## Registry visibility types +### Inherited permissions -There are two registry visibility types: restricted or organization visibility. The following table describes who has access to the registry by default: +A user's permission in a registry depends on the highest level of privilege assigned to that user, whether individually or by team membership. -| Visibility | Description | Default role | Example | -| --- | --- | --- | --- | -| Organization | Everyone in the org can access the registry. | By default, organization administrators are an admin for the registry. All other users are a viewer in the registry by default. | Core registry | -| Restricted | Only invited org members can access the registry.| The user who created the restricted registry is the only user in the registry by default, and is the organization's owner. | Custom registry or core registry | +For example, suppose a registry admin adds a user called Nico to Registry A and assigns them a **Viewer** registry role. A registry admin then adds a team called Foundation Model Team to Registry A and assigns Foundation Model Team a **Member** registry role. +Nico is a member of the Foundation Model Team, which is a **Member** of the Registry. Because **Member** has more permission than **Viewer**, W&B grants Nico the **Member** role. -## Restrict visibility to a registry - -Restrict who can view and access a custom registry. You can restrict visibility to a registry when you create a custom registry or after you create a custom registry. A custom registry can have either restricted or organization visibility. For more information on registry visibilities, see [Registry visibility types]({{< relref "./configure_registry.md#registry-visibility-types" >}}). +The proceeding table demonstrates the highest level of permission in the event of a conflict between a user's individual registry role and the registry role of a team they are a member of: - +| Team registry role | Individual registry role | Inherited registry role | +| ------ | ------ | ------ | +| Viewer | Viewer | Viewer | +| Member | Viewer | Member | +| Admin | Viewer | Admin | -The following steps describe how to restrict the visibility of a custom registry that already exists: +If there is a conflict, W&B displays the highest level of permissions next to the name of the user. -1. Navigate to the **Registry** App in the W&B App UI. -2. Select a registry. -3. Click on the gear icon on the upper right hand corner. -4. From the **Registry visibility** dropdown, select the desired registry visibility. +For example, in the proceeding image Alex inherits **Member** role privileges because they are a member of the `smle-reg-team-1` team. -Continue if you select **Restricted visibility**: +{{< img src="/images/registry/role_conflict.png" alt="A user inherits a Member role because they are part of a team." >}} -5. Add members of your organization that you want to have access to this registry. Scroll to the **Registry members and roles** section and click on the **Add member** button. -6. Within the **Member** field, add the email or username of the member you want to add. -7. Click **Add new member**. -{{< img src="/images/registry/change_registry_visibility.gif" alt="" >}} \ No newline at end of file +## Configure registry roles +1. Navigate to the Registry at https://wandb.ai/registry/. +2. Select the registry you want to configure. +3. Click the gear icon on the upper right hand corner. +4. Scroll to the **Registry members and roles** section. +5. Within the **Member** field, search for the user or team you want to edit permissions for. +6. In the **Registry role** column, click the user's role. +7. From the dropdown, select the role you want to assign to the user. \ No newline at end of file diff --git a/content/guides/models/registry/create_registry.md b/content/guides/models/registry/create_registry.md index c32cc0aee..551a4886e 100644 --- a/content/guides/models/registry/create_registry.md +++ b/content/guides/models/registry/create_registry.md @@ -7,23 +7,65 @@ title: Create a custom registry weight: 2 --- -Create a [custom registry]({{< relref "./registry_types.md#custom-registry" >}}) for each step of your ML workflow. +A custom registry offers flexibility and control over the artifact types that you can use, allows you to restrict the registry's visibility, and more. -Custom registries are particularly useful for organizing project-specific requirements that differ from the default, [core registry]({{< relref "./registry_types.md#core-registry" >}}). +{{% pageinfo color="info" %}} +See the summary table in [Registry types]({{< relref "registry_types.md#summary" >}}) for a complete comparison of core and custom registries. +{{% /pageinfo %}} -The following procedure describes how to interactively create a registry: -1. Navigate to the **Registry** App in the W&B App UI. + +## Create a custom registry + +To create a custom registry: +1. Navigate to the **Registry** App at https://wandb.ai/registry/. 2. Within **Custom registry**, click on the **Create registry** button. 3. Provide a name for your registry in the **Name** field. 4. Optionally provide a description about the registry. 5. Select who can view the registry from the **Registry visibility** dropdown. See [Registry visibility types]({{< relref "./configure_registry.md#registry-visibility-types" >}}) for more information on registry visibility options. 6. Select either **All types** or **Specify types** from the **Accepted artifacts type** dropdown. 7. (If you select **Specify types**) Add one or more artifact types that your registry accepts. +8. Click on the **Create registry** button. + {{% alert %}} -An artifact type can not be removed from a registry once it is added and saved in the registry's settings. +An artifact type cannot be removed from a registry once it is saved in the registry's settings. {{% /alert %}} -8. Click on the **Create registry** button. + +For example, the proceeding image shows a custom registry called `Fine_Tuned_Models` that a user is about to create. The registry is **Restricted** to only members that are manually added to the registry. {{< img src="/images/registry/create_registry.gif" alt="" >}} -For example, the preceding image shows a custom registry called "Fine_Tuned_Models" that a user is about to create. The registry is set to **Restricted** which means that only members that are manually added to the "Fine_Tuned_Models" registry will have access to this registry. \ No newline at end of file +## Visibility types + +The *visibility* of a registry determines who can access that registry. Restricting the visibility of a custom registry helps ensure that only specified members can access that registry. + +There are two type registry visibility options for a custom registry: + +| Visibility | Description | +| --- | --- | +| Restricted | Only invited organization members can access the registry.| +| Organization | Everyone in the org can access the registry. | + +A team administrator or registry administrator can set the visibility of a custom registry. + +The user who creates a custom registry with Restricted visibility is added to the registry automatically as its registry admin. + + +## Configure the visibility of a custom registry + +A team administrator or registry administrator can assign the visibility of a custom registry during or after the creation of a custom registry. + +To restrict the visibility of an existing custom registry: + +1. Navigate to the **Registry** App at https://wandb.ai/registry/. +2. Select a registry. +3. Click on the gear icon on the upper right hand corner. +4. From the **Registry visibility** dropdown, select the desired registry visibility. +5. if you select **Restricted visibility**: + 1. Add members of your organization that you want to have access to this registry. Scroll to the **Registry members and roles** section and click on the **Add member** button. + 2. Within the **Member** field, add the email or username of the member you want to add. + 3. Click **Add new member**. + +{{< img src="/images/registry/change_registry_visibility.gif" alt="" >}} + +See [Create a custom registry]({{< relref "./create_registry.md#create-a-custom-registry" >}}) for more information on how assign the visibility of a custom registry when a team administrator creates it. +