Revert "Registry team access bulk" #1093

Merged
merged 1 commit into from
Feb 11, 2025
Binary file removed assets/images/registry/add_team_registry.gif
Binary file not shown.
Binary file removed assets/images/registry/role_conflict.png
Binary file not shown.
166 changes: 76 additions & 90 deletions content/guides/models/registry/configure_registry.md
Expand Up @@ -7,121 +7,107 @@ title: Configure registry access
weight: 3
---

Registry admins can [configure registry roles]({{< relref "configure_registry.md#configure-registry-roles" >}}), [add users]({{< relref "configure_registry.md#add-a-user-or-a-team-to-a-registry" >}}), or [remove users]({{< relref "configure_registry.md#remove-a-user-or-team-from-a-registry" >}}) from a registry by configuring the registry's settings.
<!-- A registry, and the linked artifacts inside a registry, belong to an organization. This means that teams within an organization can publish and consume artifacts linked to a registry, if that team has correct access control. -->

## Add a user or a team to a registry

Registry admins can add individual users or entire teams to a registry. To add a user or team to a registry:

1. Navigate to the Registry App at https://wandb.ai/registry/.
2. Select the registry you want to add a user or team to.
3. Click on the gear icon on the upper right hand corner to access the registry settings.
4. Navigate to the **Registry access** section.
5. Click on the **Add access** button.
6. Specify one or more user names, emails, or the team names to the **Include users and teams** field.
7. Click **Add access**.

{{< img src="/images/registry/add_team_registry.gif" alt="Animation of using the UI to add teams and individual users to a registry" >}}

See [Registry role permissions]({{< relref "configure_registry.md#registry-role-permissions" >}}) for more information about registry roles. To edit roles, see [Configure user roles in a registry]({{< relref "configure_registry.md#configure-registry-roles" >}}).

## Remove a user or team from a registry
Registry admins can remove individual users or entire teams from a registry. To remove a user or team from a registry:

1. Navigate to the Registry App at https://wandb.ai/registry/.
2. Select the registry you want to remove a user from.
3. Click on the gear icon on the upper right hand corner to access the registry settings.
4. Navigate to the **Registry access** section and type in the username, email, or team you want to remove.
5. Click the **Delete** button.
Registry admins can limit who can access a registry by navigating to a registry's settings and assigning a user's role to [Admin, Member, or Viewer]({{< relref "#registry-roles-permissions" >}}). Users can have different roles in different registries. For example, a user can have a view role in "Registry A" and a member role in the "Registry B".

{{% alert %}}
Removing a user from a team also removes that user's access to the registry.
Only registry admins can [restrict visibility]({{< relref "#restrict-visibility-to-a-registry" >}}), [configure user roles]({{< relref "#configure-user-roles-in-a-registry" >}}), or [remove users]({{< relref "#remove-a-user-from-a-registry" >}}) from registries in an organization.
{{% /alert %}}

## Registry role permissions
## Registry roles permissions

Each user in a registry has a *registry role*, which determines what they can do in that registry.

W&B automatically assigns default registry roles to a user or team when they are added to a registry.

| Entity | Default registry role |
| ----- | ----- |
| Team | Viewer |
| User (non admin) | Viewer |
| Org admin | Admin |


Registry admins can assign or modify roles for users and teams in a registry.
See [Configure user roles in a registry]({{< relref "configure_registry.md#configure-registry-roles" >}}) for more information.
A user within an organization can have different roles, and therefore permissions, for each registry in their organization.

{{% alert title="W&B role types" %}}
There are two different types of roles in W&B: [Team roles]({{< relref "/guides/models/app/settings-page/teams.md#team-role-and-permissions" >}}) and [Registry roles]({{< relref "configure_registry.md#registry-role-permissions" >}}).
W&B has three different types of roles: Organization roles, [team roles]({{< relref "/guides/models/app/settings-page/teams.md#team-roles-and-permissions" >}}), and [registry roles]({{< relref "#registry-roles-permissions" >}}).

Your role in a team has no impact or relationship to your role in any registry.
Your role in a team has no impact or relationship on your role in any registry.
{{% /alert %}}


The proceeding table lists the different roles a user can have and their permissions:


| Permission | Permission Group | Viewer | Member | Admin |
|--------------------------------------------------------------- |------------------|--------|--------|-------|
| View a collection’s details | Read | X | X | X |
| View a linked artifact’s details | Read | X | X | X |
| Usage: Consume an artifact in a registry with use_artifact | Read | X | X | X |
| Download a linked artifact | Read | X | X | X |
| Download files from an artifact’s file viewer | Read | X | X | X |
| Search a registry | Read | X | X | X |
| View a registry’s settings and user list | Read | X | X | X |
| Create a new automation for a collection | Create | | X | X |
| Turn on Slack notifications for new version being added | Create | | X | X |
| Create a new collection | Create | | X | X |
| Create a new custom registry | Create | | X | X |
| Edit collection card (description) | Update | | X | X |
| Edit linked artifact description | Update | | X | X |
| Add or delete a collection’s tag | Update | | X | X |
| Add or delete an alias from a linked artifact | Update | | X | X |
| Link a new artifact | Update | | X | X |
| Edit allowed types list for a registry | Update | | X | X |
| Edit custom registry name | Update | | X | X |
| Delete a collection | Delete | | X | X |
| Delete an automation | Delete | | X | X |
| Unlink an artifact from a registry | Delete | | X | X |
| Edit accepted artifact types for a registry | Admin | | | X |
| Change registry visibility (Organization or Restricted) | Admin | | | X |
| Add users to a registry | Admin | | | X |
| Assign or change a user's role in a registry | Admin | | | X |
| Permission | Permission Group | Viewer | Member | Admin | Owner |
|--------------------------------------------------------------- |------------------|--------|--------|-------|-------|
| View a collection’s details | Read | X | X | X | X |
| View a linked artifact’s details | Read | X | X | X | X |
| Usage: Consume an artifact in a registry with use_artifact | Read | X | X | X | X |
| Download a linked artifact | Read | X | X | X | X |
| Download files from an artifact’s file viewer | Read | X | X | X | X |
| Search a registry | Read | X | X | X | X |
| View a registry’s settings and user list | Read | X | X | X | X |
| Create a new automation for a collection | Create | | X | X | X |
| Turn on Slack notifications for new version being added | Create | | X | X | X |
| Create a new collection | Create | | X | X | X |
| Create a new custom registry | Create | | X | X | X |
| Edit collection card (description) | Update | | X | X | X |
| Edit linked artifact description | Update | | X | X | X |
| Add or delete a collection’s tag | Update | | X | X | X |
| Add or delete an alias from a linked artifact | Update | | X | X | X |
| Link a new artifact | Update | | X | X | X |
| Edit allowed types list for a registry | Update | | X | X | X |
| Edit custom registry name | Update | | X | X | X |
| Delete a collection | Delete | | X | X | X |
| Delete an automation | Delete | | X | X | X |
| Unlink an artifact from a registry | Delete | | X | X | X |
| Edit accepted artifact types for a registry | Admin | | | X | X |
| Change registry visibility (Organization or Restricted) | Admin | | | X | X |
| Add users to a registry | Admin | | | X | X |
| Assign or change a user's role in a registry | Admin | | | X | X |



## Configure user roles in a registry
1. Navigate to the **Registry** App in the W&B App UI.
2. Select the registry you want to configure.
3. Click on the gear icon on the upper right hand corner.
4. Scroll to the **Registry members and roles** section.
5. Within the **Member** field, search for the user you want to edit permissions for.
6. Click on the user's role within the **Registry role** column.
7. From the dropdown, select the role you want to assign to the user.

{{< img src="/images/registry/configure_role_registry.gif" alt="" >}}

### Inherited permissions
## Remove a user from a registry
1. Navigate to the **Registry** App in the W&B App UI.
2. Select a core or custom registry.
3. Click on the gear icon on the upper right hand corner.
4. Scroll to the **Registry members and roles** section and type in the username of the member you want to remove.
5. Click the **Delete** button.

A user's permission in a registry depends on the highest level of privilege assigned to that user, whether through a team or individual.

For example, suppose a registry admin adds a user called Nico to Registry A and assigns them a `Viewer` registry role. The registry admin then adds a team called Foundation Model Team to Registry A and assigns Foundation Model Team a `Member` registry role. Nico is a member of Foundation Model Team.

Since Nico is a member of Foundation Model Team, W&B grants Nico `Member` registry role permissions because `Member` registry roles have higher level of permissions than `Viewer`.
## Registry visibility types

The proceeding table shows the highest level of permission in the event of a conflict:
There are two registry visibility types: restricted or organization visibility. The following table describes who has access to the registry by default:

| Registry role A | Registry role B | Inherited registry role |
| ------ | ------ | ------ |
| Viewer | Viewer | Viewer |
| Member | Viewer | Member |
| Admin | Viewer | Admin |
| Visibility | Description | Default role | Example |
| --- | --- | --- | --- |
| Organization | Everyone in the org can access the registry. | By default, organization administrators are an admin for the registry. All other users are a viewer in the registry by default. | Core registry |
| Restricted | Only invited org members can access the registry.| The user who created the restricted registry is the only user in the registry by default, and is the organization's owner. | Custom registry or core registry |

W&B displays the highest level of permissions next to the name of the user in the event of a conflict.

{{< img src="/images/registry/role_conflict.png" alt="A user inherits a Member role because they are part of a team." >}}
## Restrict visibility to a registry
<!-- Who can do this? -->
Restrict who can view and access a custom registry. You can restrict visibility to a registry when you create a custom registry or after you create a custom registry. A custom registry can have either restricted or organization visibility. For more information on registry visibilities, see [Registry visibility types]({{< relref "./configure_registry.md#registry-visibility-types" >}}).

For example, in the preceding image Ishita inherits `Member` role privileges because she is a member of smle-reg-team-1.
<!-- | Visibility | Description |
| --- | --- |
| Organization | Anyone in the organization can view the registry. |
| Restricted | Only invited organization members can view and edit the registry.| -->

## Configure registry roles
1. Navigate to the Registry App at https://wandb.ai/registry/.
2. Select the registry you want to configure.
The following steps describe how to restrict the visibility of a custom registry that already exists:

1. Navigate to the **Registry** App in the W&B App UI.
2. Select a registry.
3. Click on the gear icon on the upper right hand corner.
4. Scroll to the **Registry members and roles** section.
5. Within the **Member** field, search for the user you want to edit permissions for.
6. Click on the user's role within the **Registry role** column.
7. From the dropdown, select the role you want to assign to the user.
4. From the **Registry visibility** dropdown, select the desired registry visibility.

Continue if you select **Restricted visibility**:

5. Add members of your organization that you want to have access to this registry. Scroll to the **Registry members and roles** section and click on the **Add member** button.
6. Within the **Member** field, add the email or username of the member you want to add.
7. Click **Add new member**.

{{< img src="/images/registry/change_registry_visibility.gif" alt="" >}}
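Review bot: The restored permissions table carries an Owner column, but nothing else in configure_registry.md defines an Owner registry role: the opening paragraph lists the assignable roles as "Admin, Member, or Viewer", and the Restricted row of the visibility table says the creator "is the organization's owner", which reads as an organization role rather than a registry role. Either drop the column or state what Owner is, how it is assigned, and which registry role the creator of a restricted registry receives. The `<!-- Who can do this? -->` comment under "Restrict visibility to a registry" is also left unanswered, even though the alert near the top says only registry admins can restrict visibility; answer it or remove it. Since the "Inherited permissions" section and the default-role table are deleted here, please confirm that teams can no longer be added to a registry; if they still can, the page no longer tells admins that a user's effective role is the highest one granted individually or through a team.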
62 changes: 7 additions & 55 deletions content/guides/models/registry/create_registry.md
Expand Up @@ -7,71 +7,23 @@ title: Create a custom registry
weight: 2
---

A custom registry offers flexibility and control over the artifact types that you can use, the visibility of the registry to other teams, and more.
Create a [custom registry]({{< relref "./registry_types.md#custom-registry" >}}) for each step of your ML workflow.

{{% pageinfo color="info" %}}
See the summary table in [Registry types]({{< relref "registry_types.md#summary" >}}) for a complete comparison of core and custom registries.
{{% /pageinfo %}}
Custom registries are particularly useful for organizing project-specific requirements that differ from the default, [core registry]({{< relref "./registry_types.md#core-registry" >}}).


## Create a custom registry

The following procedure describes how to create a custom registry:
1. Navigate to the **Registry** App at https://wandb.ai/registry/.
The following procedure describes how to interactively create a registry:
1. Navigate to the **Registry** App in the W&B App UI.
2. Within **Custom registry**, click on the **Create registry** button.
3. Provide a name for your registry in the **Name** field.
4. Optionally provide a description about the registry.
5. Select who can view the registry from the **Registry visibility** dropdown. See [Registry visibility types]({{< relref "./configure_registry.md#registry-visibility-types" >}}) for more information on registry visibility options.
6. Select either **All types** or **Specify types** from the **Accepted artifacts type** dropdown.
7. (If you select **Specify types**) Add one or more artifact types that your registry accepts.
8. Click on the **Create registry** button.

{{% alert %}}
An artifact type cannot be removed from a registry once it is saved in the registry's settings.
An artifact type can not be removed from a registry once it is added and saved in the registry's settings.
{{% /alert %}}
8. Click on the **Create registry** button.

{{< img src="/images/registry/create_registry.gif" alt="" >}}

For example, the preceding image shows a custom registry called `Fine_Tuned_Models` that a user is about to create. The registry is **Restricted** to only members that are manually added to the registry.


## Visibility types

The *visibility* of a registry determines who can access that registry. Restricting the visibility of a custom registry helps ensure that only specified members can access that registry.

There are two type registry visibility options for a custom registry:

| Visibility | Description |
| --- | --- |
| Restricted | Only invited organization members can access the registry.|
| Organization | Everyone in the org can access the registry. |

A team administrator or registry administrator can set the visibility of a custom registry.

The user who creates a custom registry with Restricted visibility is added to the registry automatically as its registry admin.


## Configure the visibility of a custom registry

A team administrator or registry administrator can assign the visibility of a custom registry during or after the creation of a custom registry.

To restrict the visibility of an existing custom registry:

1. Navigate to the **Registry** App at https://wandb.ai/registry/.
2. Select a registry.
3. Click on the gear icon on the upper right hand corner.
4. From the **Registry visibility** dropdown, select the desired registry visibility.

Continue if you select **Restricted** visibility:

<!-- To do: Add updated process of adding a team -->

5. Add members of your organization that you want to have access to this registry. Scroll to the **Registry members and roles** section and click on the **Add member** button.
6. Within the **Member** field, add the email or username of the member you want to add.
7. Click **Add new member**.

{{< img src="/images/registry/change_registry_visibility.gif" alt="" >}}

See [Create a custom registry]({{< relref "./create_registry.md#create-a-custom-registry" >}}) for more information on how assign the visibility of a custom registry when a team administrator creates it.


For example, the preceding image shows a custom registry called "Fine_Tuned_Models" that a user is about to create. The registry is set to **Restricted** which means that only members that are manually added to the "Fine_Tuned_Models" registry will have access to this registry.
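Review bot: With the "Visibility types" and "Configure the visibility of a custom registry" sections removed, create_registry.md no longer says who may set a registry's visibility or which role the creator of a Restricted registry receives; step 5 only links to configure_registry.md#registry-visibility-types, so make sure that section states both. In the step list, the alert now sits between steps 7 and 8 and splits the ordered list; move "8. Click on the **Create registry** button." above the alert or indent the alert under step 7. In the alert text, "can not be removed" should be "cannot be removed".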