From c6d42a40517e573443b58c5365ebea6ea28cb6a5 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Fri, 26 Jun 2026 13:23:20 -0700 Subject: [PATCH 1/6] Add details about organization roles Align with team and registry role details Validated from wandb/core Fixes DOCS-2751 --- .../access-management/manage-organization.mdx | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index 02b49d46fb..80ce45384a 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -187,6 +187,80 @@ A user within an organization can have one of the following roles: | Viewer (Enterprise-only feature) | A view-only user of your organization, invited by an organization admin. A viewer only has read access to the organization and the underlying teams that they are a member of. | | Custom Roles (Enterprise-only feature) | Custom roles allow organization admins to compose new roles by inheriting from the preceding **Viewer** or **Member** organization roles, and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. See also [Add and manage custom roles](#add-and-manage-custom-roles). | +### Organization role permissions + +Organization roles control administrative actions at the organization scope. They're separate from [team roles](#assign-or-update-a-team-members-role), which control what a user can do inside a specific team, and from [Models seat and Weave access](#assign-or-update-a-users-access), which control product access and billing. + +The following tables summarize what **Member** and **Admin** users can do at the organization level. For team-scoped actions such as logging runs or editing reports, see [Team roles and permissions](/platform/app/settings-page/teams#team-roles-and-permissions). For registry-scoped actions, see [Registry role permissions](/models/registry/configure_registry#role-permissions). + + +**Viewer** and custom roles are Enterprise-only features. A **Viewer** has read-only access to teams they belong to and can't perform write actions at the organization or team level. Custom roles inherit from **Viewer** or **Member** and add team-level permissions; see [Add and manage custom roles](#add-and-manage-custom-roles). + + +#### User management + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| View the organization user list | Read | X | X | +| Invite users to the organization | Admin | | X | +| Remove users from the organization | Admin | | X | +| Assign or change a user's organization role | Admin | | X | +| Assign or change a user's Models seat or Weave access | Admin | | X | +| Export the organization user list as CSV | Admin | | X | +| View organization activity and usage trends | Read | X | X | + +In organizations marked as hidden, members can view profiles only for themselves, for users who share a team with them, or if they're an organization admin. + +#### Teams + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Create teams in the organization | Admin | | X | +| Join teams when invited or through domain capture | Read | X | X | +| View team membership for teams the user belongs to | Read | X | X | +| View team membership for teams the user doesn't belong to | Read | | X | +| Invite users to a team without being a member of that team | Admin | | X | +| Add themselves to a team as a member or viewer | Admin | | X | + + +On Self-Managed deployments, non-admin users might be allowed to create teams when your instance administrator enables that option. + + +Organization admins are assigned the **Admin** role in [registries](/models/registry/configure_registry#role-permissions) that are visible at the organization level. + +#### Organization settings + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Change the organization name (Multi-tenant Cloud) | Admin | | X | +| Configure domain capture and SSO auto-provisioning | Admin | | X | +| Enforce organization-wide [privacy settings](/platform/hosting/privacy-settings#enforce-privacy-settings-for-all-teams) | Admin | | X | +| Create, edit, and delete custom roles (Enterprise) | Admin | | X | +| Configure organization alert thresholds | Admin | | X | +| Connect external storage buckets at the organization level (Enterprise) | Admin | | X | + +#### Billing + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Assign the billing admin | Admin | | X | +| Manage subscriptions, payment methods, and plan upgrades | Billing | | X | +| Cancel subscriptions | Billing | | X | +| View billing alert thresholds | Read | | X | + +Users designated as **billing admins** can perform billing actions even if their organization role is **Member**. Billing admins can't perform other organization admin actions such as inviting users or creating teams. + +#### Security and automation + +| Permission | Permission group | Member | Admin | +| ------------------------------------------------------------ | --------------- | :----: | :---: | +| Authenticate to the [SCIM API](/platform/hosting/iam/scim) | Admin | | X | +| Create and manage organization-scoped service accounts | Admin | | X | +| View and manage all organization API keys | Admin | | X | +| Manage organization user secrets (Dedicated Cloud and Self-Managed) | Admin | | X | + +Organization-scoped service accounts used for SCIM automation have admin-equivalent access for SCIM operations. + To change a user's role: 1. Navigate to https://wandb.ai/home. From 72be6027b318b8844123ab83da5bf362da29b042 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Fri, 26 Jun 2026 13:27:26 -0700 Subject: [PATCH 2/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- platform/hosting/iam/access-management/manage-organization.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index 80ce45384a..2672325144 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -209,7 +209,7 @@ The following tables summarize what **Member** and **Admin** users can do at the | Export the organization user list as CSV | Admin | | X | | View organization activity and usage trends | Read | X | X | -In organizations marked as hidden, members can view profiles only for themselves, for users who share a team with them, or if they're an organization admin. +In organizations marked as hidden, non-admin members can view profiles only for themselves or for users who share a team with them. #### Teams From d3850dfbd0bc5eccde9f0cf0cc09856264b19720 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Mon, 29 Jun 2026 15:51:38 -0700 Subject: [PATCH 3/6] Add billing-only role for Multi-tenant Cloud --- platform/hosting/iam/access-management/manage-organization.mdx | 3 +++ 1 file changed, 3 insertions(+) diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index 2672325144..f89845adad 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -185,6 +185,7 @@ A user within an organization can have one of the following roles: | Admin | An organization admin who can add users to the organization or remove them, change user roles, manage custom roles, add teams and more. W&B recommends ensuring there is more than one admin in the event that your admin is unavailable. | | Member | A regular user of the organization, invited by an organization admin. An organization member cannot invite other users or manage existing users in the organization. | | Viewer (Enterprise-only feature) | A view-only user of your organization, invited by an organization admin. A viewer only has read access to the organization and the underlying teams that they are a member of. | +| Billing only (Multi-tenant Cloud) | A billing-focused role for Multi-tenant Cloud organizations. You can assign this role only to the organization's billing user. Billing-only users can manage billing workflows, such as subscriptions, invoices, and payment methods, but they can't invite users, manage teams, or perform non-billing admin actions. Billing-only users are also removed from all organization teams and always have **No access** for both Models and Weave. | | Custom Roles (Enterprise-only feature) | Custom roles allow organization admins to compose new roles by inheriting from the preceding **Viewer** or **Member** organization roles, and adding additional permissions to achieve fine-grained access control. Team admins can then assign any of those custom roles to users in their respective teams. See also [Add and manage custom roles](#add-and-manage-custom-roles). | ### Organization role permissions @@ -250,6 +251,8 @@ Organization admins are assigned the **Admin** role in [registries](/models/regi Users designated as **billing admins** can perform billing actions even if their organization role is **Member**. Billing admins can't perform other organization admin actions such as inviting users or creating teams. +On Multi-tenant Cloud, you can optionally assign the billing admin the **Billing only** organization role. This role is restricted to the billing user, removes team membership, and enforces **No access** for both Models and Weave while preserving billing administration capabilities. + #### Security and automation | Permission | Permission group | Member | Admin | From 853cc6babc6ee53ba3c57d94d62c41bdefdef5f6 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Tue, 30 Jun 2026 12:50:30 -0700 Subject: [PATCH 4/6] Cassie's feedback --- .../iam/access-management/manage-organization.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index f89845adad..d953759420 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -210,7 +210,7 @@ The following tables summarize what **Member** and **Admin** users can do at the | Export the organization user list as CSV | Admin | | X | | View organization activity and usage trends | Read | X | X | -In organizations marked as hidden, non-admin members can view profiles only for themselves or for users who share a team with them. +When **Enforce team visibility restrictions** is enabled, non-admin members can view profiles only for themselves or for users who share a team with them. Organization admins can view all member profiles. For more information, see [Privacy settings](/platform/hosting/privacy-settings#enforce-privacy-settings-for-all-teams). #### Teams @@ -221,10 +221,10 @@ In organizations marked as hidden, non-admin members can view profiles only for | View team membership for teams the user belongs to | Read | X | X | | View team membership for teams the user doesn't belong to | Read | | X | | Invite users to a team without being a member of that team | Admin | | X | -| Add themselves to a team as a member or viewer | Admin | | X | +| Add themselves to a team | Admin | | X | -On Self-Managed deployments, non-admin users might be allowed to create teams when your instance administrator enables that option. +On Self-Managed deployments, instance admins can optionally enable team creation for non-admin users. This option is managed at the instance level, not in organization settings. If you don't know whether your instance has this option enabled, contact your instance admin or W&B support. Organization admins are assigned the **Admin** role in [registries](/models/registry/configure_registry#role-permissions) that are visible at the organization level. @@ -247,9 +247,9 @@ Organization admins are assigned the **Admin** role in [registries](/models/regi | Assign the billing admin | Admin | | X | | Manage subscriptions, payment methods, and plan upgrades | Billing | | X | | Cancel subscriptions | Billing | | X | -| View billing alert thresholds | Read | | X | +| Configure usage alerts | Billing | | X | -Users designated as **billing admins** can perform billing actions even if their organization role is **Member**. Billing admins can't perform other organization admin actions such as inviting users or creating teams. +Users designated as **billing admins** can perform billing actions, including configuring usage alerts, even if their organization role is **Member**. Billing admins can't perform other organization admin actions such as inviting users or creating teams. On Multi-tenant Cloud, you can optionally assign the billing admin the **Billing only** organization role. This role is restricted to the billing user, removes team membership, and enforces **No access** for both Models and Weave while preserving billing administration capabilities. From 0934fff9323d157f84bb0c447794ce943cdb0958 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Wed, 1 Jul 2026 14:32:34 -0700 Subject: [PATCH 5/6] Update platform/hosting/iam/access-management/manage-organization.mdx --- .../hosting/iam/access-management/manage-organization.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index d953759420..c996088b81 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -190,7 +190,11 @@ A user within an organization can have one of the following roles: ### Organization role permissions -Organization roles control administrative actions at the organization scope. They're separate from [team roles](#assign-or-update-a-team-members-role), which control what a user can do inside a specific team, and from [Models seat and Weave access](#assign-or-update-a-users-access), which control product access and billing. +Organization roles control administrative actions at the organization scope. They're separate from these other sets of roles: + +- [Team roles](#assign-or-update-a-team-members-role) control what a user can do inside a specific team. +- [Registry roles](https://docs.wandb.ai/models/registry/configure_registry#details-about-registry-roles) control what a user can do in a given registry. +- [Models seats and Weave access](#assign-or-update-a-users-access) control product access and billing. The following tables summarize what **Member** and **Admin** users can do at the organization level. For team-scoped actions such as logging runs or editing reports, see [Team roles and permissions](/platform/app/settings-page/teams#team-roles-and-permissions). For registry-scoped actions, see [Registry role permissions](/models/registry/configure_registry#role-permissions). From e2fd574615da06deea4d6ac9a95282fe6d857cac Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Mon, 6 Jul 2026 16:05:37 -0700 Subject: [PATCH 6/6] Cassie's feedback Co-authored-by: Matt Linville --- .../hosting/iam/access-management/manage-organization.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/platform/hosting/iam/access-management/manage-organization.mdx b/platform/hosting/iam/access-management/manage-organization.mdx index c996088b81..698e4c0206 100644 --- a/platform/hosting/iam/access-management/manage-organization.mdx +++ b/platform/hosting/iam/access-management/manage-organization.mdx @@ -194,7 +194,7 @@ Organization roles control administrative actions at the organization scope. The - [Team roles](#assign-or-update-a-team-members-role) control what a user can do inside a specific team. - [Registry roles](https://docs.wandb.ai/models/registry/configure_registry#details-about-registry-roles) control what a user can do in a given registry. -- [Models seats and Weave access](#assign-or-update-a-users-access) control product access and billing. +- [Models seats and Weave access](#assign-or-update-a-users-access) control product access. The following tables summarize what **Member** and **Admin** users can do at the organization level. For team-scoped actions such as logging runs or editing reports, see [Team roles and permissions](/platform/app/settings-page/teams#team-roles-and-permissions). For registry-scoped actions, see [Registry role permissions](/models/registry/configure_registry#role-permissions). @@ -241,7 +241,6 @@ Organization admins are assigned the **Admin** role in [registries](/models/regi | Configure domain capture and SSO auto-provisioning | Admin | | X | | Enforce organization-wide [privacy settings](/platform/hosting/privacy-settings#enforce-privacy-settings-for-all-teams) | Admin | | X | | Create, edit, and delete custom roles (Enterprise) | Admin | | X | -| Configure organization alert thresholds | Admin | | X | | Connect external storage buckets at the organization level (Enterprise) | Admin | | X | #### Billing @@ -253,7 +252,7 @@ Organization admins are assigned the **Admin** role in [registries](/models/regi | Cancel subscriptions | Billing | | X | | Configure usage alerts | Billing | | X | -Users designated as **billing admins** can perform billing actions, including configuring usage alerts, even if their organization role is **Member**. Billing admins can't perform other organization admin actions such as inviting users or creating teams. +Users designated as **billing admins** can perform billing actions, including configuring usage alerts, even if their organization role is **Member**. Unless they are also an organization admin, a billing admin can't perform other organization admin actions such as inviting users or creating teams. On Multi-tenant Cloud, you can optionally assign the billing admin the **Billing only** organization role. This role is restricted to the billing user, removes team membership, and enforces **No access** for both Models and Weave while preserving billing administration capabilities. @@ -264,7 +263,6 @@ On Multi-tenant Cloud, you can optionally assign the billing admin the **Billing | Authenticate to the [SCIM API](/platform/hosting/iam/scim) | Admin | | X | | Create and manage organization-scoped service accounts | Admin | | X | | View and manage all organization API keys | Admin | | X | -| Manage organization user secrets (Dedicated Cloud and Self-Managed) | Admin | | X | Organization-scoped service accounts used for SCIM automation have admin-equivalent access for SCIM operations.