diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index 0cbfd9ac46..e405bfdba5 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -185,8 +185,87 @@ A user within an organization can have one of the following roles: | Admin | An organization admin who can add users to the organization or remove them, change user roles, manage custom roles, add teams and more. W&B recommends ensuring there is more than one admin in the event that your admin is unavailable. | | Member | A regular user of the organization, invited by an organization admin. An organization member cannot invite other users or manage existing users in the organization. | | Viewer (Enterprise-only feature) | A view-only user of your organization, invited by an organization admin. A viewer only has read access to the organization and the underlying teams that they are a member of. | +| Billing only (Multi-tenant Cloud) | A billing-focused role for Multi-tenant Cloud organizations. You can assign this role only to the organization's billing user. Billing-only users can manage billing workflows, such as subscriptions, invoices, and payment methods, but they can't invite users, manage teams, or perform non-billing admin actions. Billing-only users are also removed from all organization teams and always have **No access** for both Models and Weave. | | Custom Roles (Enterprise-only feature) | Custom roles allow organization admins to compose new roles by inheriting from the preceding **Viewer** or **Member** organization roles, and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. See also [Add and manage custom roles](#add-and-manage-custom-roles). | +### Organization role permissions + +Organization roles control administrative actions at the organization scope. They're separate from these other sets of roles: + +- [Team roles](#assign-or-update-a-team-members-role) control what a user can do inside a specific team. +- [Registry roles](https://docs.wandb.ai/models/registry/configure_registry#details-about-registry-roles) control what a user can do in a given registry. +- [Models seats and Weave access](#assign-or-update-a-users-access) control product access. + +The following tables summarize what **Member** and **Admin** users can do at the organization level. For team-scoped actions such as logging runs or editing reports, see [Team roles and permissions](/platform/app/settings-page/teams#team-roles-and-permissions). For registry-scoped actions, see [Registry role permissions](/models/registry/configure_registry#role-permissions). + + +**Viewer** and custom roles are Enterprise-only features. A **Viewer** has read-only access to teams they belong to and can't perform write actions at the organization or team level. Custom roles inherit from **Viewer** or **Member** and add team-level permissions; see [Add and manage custom roles](#add-and-manage-custom-roles). + + +#### User management + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| View the organization user list | Read | X | X | +| Invite users to the organization | Admin | | X | +| Remove users from the organization | Admin | | X | +| Assign or change a user's organization role | Admin | | X | +| Assign or change a user's Models seat or Weave access | Admin | | X | +| Export the organization user list as CSV | Admin | | X | +| View organization activity and usage trends | Read | X | X | + +When **Enforce team visibility restrictions** is enabled, non-admin members can view profiles only for themselves or for users who share a team with them. Organization admins can view all member profiles. For more information, see [Privacy settings](/platform/hosting/privacy-settings#enforce-privacy-settings-for-all-teams). + +#### Teams + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Create teams in the organization | Admin | | X | +| Join teams when invited or through domain capture | Read | X | X | +| View team membership for teams the user belongs to | Read | X | X | +| View team membership for teams the user doesn't belong to | Read | | X | +| Invite users to a team without being a member of that team | Admin | | X | +| Add themselves to a team | Admin | | X | + + +On Self-Managed deployments, instance admins can optionally enable team creation for non-admin users. This option is managed at the instance level, not in organization settings. If you don't know whether your instance has this option enabled, contact your instance admin or W&B support. + + +Organization admins are assigned the **Admin** role in [registries](/models/registry/configure_registry#role-permissions) that are visible at the organization level. + +#### Organization settings + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Change the organization name (Multi-tenant Cloud) | Admin | | X | +| Configure domain capture and SSO auto-provisioning | Admin | | X | +| Enforce organization-wide [privacy settings](/platform/hosting/privacy-settings#enforce-privacy-settings-for-all-teams) | Admin | | X | +| Create, edit, and delete custom roles (Enterprise) | Admin | | X | +| Connect external storage buckets at the organization level (Enterprise) | Admin | | X | + +#### Billing + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Assign the billing admin | Admin | | X | +| Manage subscriptions, payment methods, and plan upgrades | Billing | | X | +| Cancel subscriptions | Billing | | X | +| Configure usage alerts | Billing | | X | + +Users designated as **billing admins** can perform billing actions, including configuring usage alerts, even if their organization role is **Member**. Unless they are also an organization admin, a billing admin can't perform other organization admin actions such as inviting users or creating teams. + +On Multi-tenant Cloud, you can optionally assign the billing admin the **Billing only** organization role. This role is restricted to the billing user, removes team membership, and enforces **No access** for both Models and Weave while preserving billing administration capabilities. + +#### Security and automation + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Authenticate to the [SCIM API](/platform/hosting/iam/scim) | Admin | | X | +| Create and manage organization-scoped service accounts | Admin | | X | +| View and manage all organization API keys | Admin | | X | + +Organization-scoped service accounts used for SCIM automation have admin-equivalent access for SCIM operations. + To change a user's role: 1. Navigate to https://wandb.ai/home.