Revert "Registry team access bulk (#1047)"
This reverts commit 1867b27.
ngrayluna authored Feb 11, 2025
1 parent 1867b27 commit 87f64cc
Showing 4 changed files with 83 additions and 145 deletions.
Binary file removed assets/images/registry/add_team_registry.gif
Binary file not shown.
Binary file removed assets/images/registry/role_conflict.png
Binary file not shown.
166 changes: 76 additions & 90 deletions content/guides/models/registry/configure_registry.md
Expand Up @@ -7,121 +7,107 @@ title: Configure registry access
weight: 3
---

Registry admins can [configure registry roles]({{< relref "configure_registry.md#configure-registry-roles" >}}), [add users]({{< relref "configure_registry.md#add-a-user-or-a-team-to-a-registry" >}}), or [remove users]({{< relref "configure_registry.md#remove-a-user-or-team-from-a-registry" >}}) from a registry by configuring the registry's settings.
<!-- A registry, and the linked artifacts inside a registry, belong to an organization. This means that teams within an organization can publish and consume artifacts linked to a registry, if that team has correct access control. -->

## Add a user or a team to a registry

Registry admins can add individual users or entire teams to a registry. To add a user or team to a registry:

1. Navigate to the Registry App at https://wandb.ai/registry/.
2. Select the registry you want to add a user or team to.
3. Click on the gear icon on the upper right hand corner to access the registry settings.
4. Navigate to the **Registry access** section.
5. Click on the **Add access** button.
6. Specify one or more user names, emails, or the team names to the **Include users and teams** field.
7. Click **Add access**.

{{< img src="/images/registry/add_team_registry.gif" alt="Animation of using the UI to add teams and individual users to a registry" >}}

See [Registry role permissions]({{< relref "configure_registry.md#registry-role-permissions" >}}) for more information about registry roles. To edit roles, see [Configure user roles in a registry]({{< relref "configure_registry.md#configure-registry-roles" >}}).

## Remove a user or team from a registry
Registry admins can remove individual users or entire teams from a registry. To remove a user or team from a registry:

1. Navigate to the Registry App at https://wandb.ai/registry/.
2. Select the registry you want to remove a user from.
3. Click on the gear icon on the upper right hand corner to access the registry settings.
4. Navigate to the **Registry access** section and type in the username, email, or team you want to remove.
5. Click the **Delete** button.
Registry admins can limit who can access a registry by navigating to a registry's settings and assigning a user's role to [Admin, Member, or Viewer]({{< relref "#registry-roles-permissions" >}}). Users can have different roles in different registries. For example, a user can have a view role in "Registry A" and a member role in the "Registry B".

{{% alert %}}
Removing a user from a team also removes that user's access to the registry.
Only registry admins can [restrict visibility]({{< relref "#restrict-visibility-to-a-registry" >}}), [configure user roles]({{< relref "#configure-user-roles-in-a-registry" >}}), or [remove users]({{< relref "#remove-a-user-from-a-registry" >}}) from registries in an organization.
{{% /alert %}}

## Registry role permissions
## Registry roles permissions

Each user in a registry has a *registry role*, which determines what they can do in that registry.

W&B automatically assigns default registry roles to a user or team when they are added to a registry.

| Entity | Default registry role |
| ----- | ----- |
| Team | Viewer |
| User (non admin) | Viewer |
| Org admin | Admin |


Registry admins can assign or modify roles for users and teams in a registry.
See [Configure user roles in a registry]({{< relref "configure_registry.md#configure-registry-roles" >}}) for more information.
A user within an organization can have different roles, and therefore permissions, for each registry in their organization.

{{% alert title="W&B role types" %}}
There are two different types of roles in W&B: [Team roles]({{< relref "/guides/models/app/settings-page/teams.md#team-role-and-permissions" >}}) and [Registry roles]({{< relref "configure_registry.md#registry-role-permissions" >}}).
W&B has three different types of roles: Organization roles, [team roles]({{< relref "/guides/models/app/settings-page/teams.md#team-roles-and-permissions" >}}), and [registry roles]({{< relref "#registry-roles-permissions" >}}).

Your role in a team has no impact or relationship to your role in any registry.
Your role in a team has no impact or relationship on your role in any registry.
{{% /alert %}}


The proceeding table lists the different roles a user can have and their permissions:


| Permission | Permission Group | Viewer | Member | Admin |
|--------------------------------------------------------------- |------------------|--------|--------|-------|
| View a collection’s details | Read | X | X | X |
| View a linked artifact’s details | Read | X | X | X |
| Usage: Consume an artifact in a registry with use_artifact | Read | X | X | X |
| Download a linked artifact | Read | X | X | X |
| Download files from an artifact’s file viewer | Read | X | X | X |
| Search a registry | Read | X | X | X |
| View a registry’s settings and user list | Read | X | X | X |
| Create a new automation for a collection | Create | | X | X |
| Turn on Slack notifications for new version being added | Create | | X | X |
| Create a new collection | Create | | X | X |
| Create a new custom registry | Create | | X | X |
| Edit collection card (description) | Update | | X | X |
| Edit linked artifact description | Update | | X | X |
| Add or delete a collection’s tag | Update | | X | X |
| Add or delete an alias from a linked artifact | Update | | X | X |
| Link a new artifact | Update | | X | X |
| Edit allowed types list for a registry | Update | | X | X |
| Edit custom registry name | Update | | X | X |
| Delete a collection | Delete | | X | X |
| Delete an automation | Delete | | X | X |
| Unlink an artifact from a registry | Delete | | X | X |
| Edit accepted artifact types for a registry | Admin | | | X |
| Change registry visibility (Organization or Restricted) | Admin | | | X |
| Add users to a registry | Admin | | | X |
| Assign or change a user's role in a registry | Admin | | | X |
| Permission | Permission Group | Viewer | Member | Admin | Owner |
|--------------------------------------------------------------- |------------------|--------|--------|-------|-------|
| View a collection’s details | Read | X | X | X | X |
| View a linked artifact’s details | Read | X | X | X | X |
| Usage: Consume an artifact in a registry with use_artifact | Read | X | X | X | X |
| Download a linked artifact | Read | X | X | X | X |
| Download files from an artifact’s file viewer | Read | X | X | X | X |
| Search a registry | Read | X | X | X | X |
| View a registry’s settings and user list | Read | X | X | X | X |
| Create a new automation for a collection | Create | | X | X | X |
| Turn on Slack notifications for new version being added | Create | | X | X | X |
| Create a new collection | Create | | X | X | X |
| Create a new custom registry | Create | | X | X | X |
| Edit collection card (description) | Update | | X | X | X |
| Edit linked artifact description | Update | | X | X | X |
| Add or delete a collection’s tag | Update | | X | X | X |
| Add or delete an alias from a linked artifact | Update | | X | X | X |
| Link a new artifact | Update | | X | X | X |
| Edit allowed types list for a registry | Update | | X | X | X |
| Edit custom registry name | Update | | X | X | X |
| Delete a collection | Delete | | X | X | X |
| Delete an automation | Delete | | X | X | X |
| Unlink an artifact from a registry | Delete | | X | X | X |
| Edit accepted artifact types for a registry | Admin | | | X | X |
| Change registry visibility (Organization or Restricted) | Admin | | | X | X |
| Add users to a registry | Admin | | | X | X |
| Assign or change a user's role in a registry | Admin | | | X | X |



## Configure user roles in a registry
1. Navigate to the **Registry** App in the W&B App UI.
2. Select the registry you want to configure.
3. Click on the gear icon on the upper right hand corner.
4. Scroll to the **Registry members and roles** section.
5. Within the **Member** field, search for the user you want to edit permissions for.
6. Click on the user's role within the **Registry role** column.
7. From the dropdown, select the role you want to assign to the user.

{{< img src="/images/registry/configure_role_registry.gif" alt="" >}}

### Inherited permissions
## Remove a user from a registry
1. Navigate to the **Registry** App in the W&B App UI.
2. Select a core or custom registry.
3. Click on the gear icon on the upper right hand corner.
4. Scroll to the **Registry members and roles** section and type in the username of the member you want to remove.
5. Click the **Delete** button.

A user's permission in a registry depends on the highest level of privilege assigned to that user, whether through a team or individual.

For example, suppose a registry admin adds a user called Nico to Registry A and assigns them a `Viewer` registry role. The registry admin then adds a team called Foundation Model Team to Registry A and assigns Foundation Model Team a `Member` registry role. Nico is a member of Foundation Model Team.

Since Nico is a member of Foundation Model Team, W&B grants Nico `Member` registry role permissions because `Member` registry roles have higher level of permissions than `Viewer`.
## Registry visibility types

The proceeding table shows the highest level of permission in the event of a conflict:
There are two registry visibility types: restricted or organization visibility. The following table describes who has access to the registry by default:

| Registry role A | Registry role B | Inherited registry role |
| ------ | ------ | ------ |
| Viewer | Viewer | Viewer |
| Member | Viewer | Member |
| Admin | Viewer | Admin |
| Visibility | Description | Default role | Example |
| --- | --- | --- | --- |
| Organization | Everyone in the org can access the registry. | By default, organization administrators are an admin for the registry. All other users are a viewer in the registry by default. | Core registry |
| Restricted | Only invited org members can access the registry.| The user who created the restricted registry is the only user in the registry by default, and is the organization's owner. | Custom registry or core registry |

W&B displays the highest level of permissions next to the name of the user in the event of a conflict.

{{< img src="/images/registry/role_conflict.png" alt="A user inherits a Member role because they are part of a team." >}}
## Restrict visibility to a registry
<!-- Who can do this? -->
Restrict who can view and access a custom registry. You can restrict visibility to a registry when you create a custom registry or after you create a custom registry. A custom registry can have either restricted or organization visibility. For more information on registry visibilities, see [Registry visibility types]({{< relref "./configure_registry.md#registry-visibility-types" >}}).

For example, in the preceding image Ishita inherits `Member` role privileges because she is a member of smle-reg-team-1.
<!-- | Visibility | Description |
| --- | --- |
| Organization | Anyone in the organization can view the registry. |
| Restricted | Only invited organization members can view and edit the registry.| -->

## Configure registry roles
1. Navigate to the Registry App at https://wandb.ai/registry/.
2. Select the registry you want to configure.
The following steps describe how to restrict the visibility of a custom registry that already exists:

1. Navigate to the **Registry** App in the W&B App UI.
2. Select a registry.
3. Click on the gear icon on the upper right hand corner.
4. Scroll to the **Registry members and roles** section.
5. Within the **Member** field, search for the user you want to edit permissions for.
6. Click on the user's role within the **Registry role** column.
7. From the dropdown, select the role you want to assign to the user.
4. From the **Registry visibility** dropdown, select the desired registry visibility.

Continue if you select **Restricted visibility**:

5. Add members of your organization that you want to have access to this registry. Scroll to the **Registry members and roles** section and click on the **Add member** button.
6. Within the **Member** field, add the email or username of the member you want to add.
7. Click **Add new member**.

{{< img src="/images/registry/change_registry_visibility.gif" alt="" >}}
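
Review bot: The six-column permissions table under "Registry roles permissions" has an Owner column, but the intro sentence that goes with it names only three roles ("assigning a user's role to Admin, Member, or Viewer"), and the Owner and Admin columns carry identical X marks in every row. Nothing in the section says how a user becomes Owner or what Owner can do that Admin cannot, so either describe the role next to the table or drop the column. Two smaller points in the same hunk: the "W&B role types" alert appears with two different fragments for the same teams.md link (`#team-role-and-permissions` and `#team-roles-and-permissions`), so please confirm which one teams.md actually defines; and the "Who can do this?" HTML comment under "Restrict visibility to a registry" is an open question that the alert near the top already answers ("Only registry admins can restrict visibility"), so it can be resolved in the text rather than left as a comment.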
62 changes: 7 additions & 55 deletions content/guides/models/registry/create_registry.md
Expand Up @@ -7,71 +7,23 @@ title: Create a custom registry
weight: 2
---

A custom registry offers flexibility and control over the artifact types that you can use, the visibility of the registry to other teams, and more.
Create a [custom registry]({{< relref "./registry_types.md#custom-registry" >}}) for each step of your ML workflow.

{{% pageinfo color="info" %}}
See the summary table in [Registry types]({{< relref "registry_types.md#summary" >}}) for a complete comparison of core and custom registries.
{{% /pageinfo %}}
Custom registries are particularly useful for organizing project-specific requirements that differ from the default, [core registry]({{< relref "./registry_types.md#core-registry" >}}).


## Create a custom registry

The following procedure describes how to create a custom registry:
1. Navigate to the **Registry** App at https://wandb.ai/registry/.
The following procedure describes how to interactively create a registry:
1. Navigate to the **Registry** App in the W&B App UI.
2. Within **Custom registry**, click on the **Create registry** button.
3. Provide a name for your registry in the **Name** field.
4. Optionally provide a description about the registry.
5. Select who can view the registry from the **Registry visibility** dropdown. See [Registry visibility types]({{< relref "./configure_registry.md#registry-visibility-types" >}}) for more information on registry visibility options.
6. Select either **All types** or **Specify types** from the **Accepted artifacts type** dropdown.
7. (If you select **Specify types**) Add one or more artifact types that your registry accepts.
8. Click on the **Create registry** button.

{{% alert %}}
An artifact type cannot be removed from a registry once it is saved in the registry's settings.
An artifact type can not be removed from a registry once it is added and saved in the registry's settings.
{{% /alert %}}
8. Click on the **Create registry** button.

{{< img src="/images/registry/create_registry.gif" alt="" >}}

For example, the preceding image shows a custom registry called `Fine_Tuned_Models` that a user is about to create. The registry is **Restricted** to only members that are manually added to the registry.


## Visibility types

The *visibility* of a registry determines who can access that registry. Restricting the visibility of a custom registry helps ensure that only specified members can access that registry.

There are two type registry visibility options for a custom registry:

| Visibility | Description |
| --- | --- |
| Restricted | Only invited organization members can access the registry.|
| Organization | Everyone in the org can access the registry. |

A team administrator or registry administrator can set the visibility of a custom registry.

The user who creates a custom registry with Restricted visibility is added to the registry automatically as its registry admin.


## Configure the visibility of a custom registry

A team administrator or registry administrator can assign the visibility of a custom registry during or after the creation of a custom registry.

To restrict the visibility of an existing custom registry:

1. Navigate to the **Registry** App at https://wandb.ai/registry/.
2. Select a registry.
3. Click on the gear icon on the upper right hand corner.
4. From the **Registry visibility** dropdown, select the desired registry visibility.

Continue if you select **Restricted** visibility:

<!-- To do: Add updated process of adding a team -->

5. Add members of your organization that you want to have access to this registry. Scroll to the **Registry members and roles** section and click on the **Add member** button.
6. Within the **Member** field, add the email or username of the member you want to add.
7. Click **Add new member**.

{{< img src="/images/registry/change_registry_visibility.gif" alt="" >}}

See [Create a custom registry]({{< relref "./create_registry.md#create-a-custom-registry" >}}) for more information on how assign the visibility of a custom registry when a team administrator creates it.


For example, the preceding image shows a custom registry called "Fine_Tuned_Models" that a user is about to create. The registry is set to **Restricted** which means that only members that are manually added to the "Fine_Tuned_Models" registry will have access to this registry.
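
Review bot: The intro lines at the top of this hunk link to `./registry_types.md#custom-registry` and `./registry_types.md#core-registry`, while the pageinfo block they sit beside links to `registry_types.md#summary`, and registry_types.md is not one of the four files this commit changes. Since a revert brings links back as they were first written, please confirm both fragments still exist in registry_types.md before merging. Smaller points: the alert text appears as both "cannot be removed" and "can not be removed", and the one-word form is the one to keep; and the `create_registry.gif` image has an empty alt attribute, which is worth filling in because the paragraph after it relies on the reader seeing that the registry is set to **Restricted**.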
