✨ succinct documentation for resource groups (#1241)

* succinct documentation for resource groups * toctree + missing entry under Enterprise Hub * missing link in Enterprise Hub page * huggingchat reword
huggingface · Mar 14, 2024 · 22c1fca · 22c1fca
1 parent 00fd10b
commit 22c1fca
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 1 deletion.
diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml
@@ -279,6 +279,8 @@
         title: Storage Regions
       - local: enterprise-hub-datasets
         title: Dataset viewer for Private datasets
+      - local: enterprise-hub-resource-groups
+        title: Resource Groups (Advanced Access Control)
   - local: billing
     title: Billing
   - local: security
@@ -303,6 +305,8 @@
         title: How to configure SAML with Azure in the Hub
       - local: security-sso-azure-oidc
         title: How to configure OIDC with Azure in the Hub
+    - local: security-resource-groups
+      title: Advanced Access Control (Resource Groups)
     - local: security-malware
       title: Malware Scanning
     - local: security-pickle

diff --git a/docs/hub/enterprise-hub-resource-groups.md b/docs/hub/enterprise-hub-resource-groups.md
@@ -0,0 +1,9 @@
+# Datasets
+
+<Tip warning={true}>
+This feature is part of the <a href="https://huggingface.co/enterprise" target="_blank">Enterprise Hub</a>.
+</Tip>
+
+Resource Groups allow Enterprise Hub organizations to enforce fine-grained access control to its repositories.
+
+Read the [documentation for Resource Groups under the Security section](./security-resource-groups).
diff --git a/docs/hub/enterprise-hub.md b/docs/hub/enterprise-hub.md
@@ -10,3 +10,4 @@ In this section we will document the following Enterprise Hub features:
 - [Audit Logs](./audit-logs)
 - [Storage Regions](./storage-regions)
 - [Dataset viewer for Private datasets](./enterprise-hub-datasets)
+- [Resource Groups](./security-resource-groups)
diff --git a/docs/hub/organizations-security.md b/docs/hub/organizations-security.md
@@ -6,6 +6,14 @@ You can set up [Single Sign-On (SSO)](./security-sso) to be able to map access c
 
 </Tip>
 
+<Tip>
+
+Advanced and more fine-grained access control can be achieved with [Resource Groups](./security-resource-groups).
+
+The Resource Group feature is part of the <a href="https://huggingface.co/enterprise" target="_blank">Enterprise Hub</a>.
+
+</Tip>
+
 Members of organizations can have four different roles: `read`, `contributor`, `write` or `admin`:
 
 - `read`: read-only access to the Organization's repos and metadata/settings (eg, the Organization's profile, members list, API token, etc).
@@ -22,3 +30,4 @@ As an organization `admin`, go to the **Members** section of the org settings to
 <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-members-page.png"/>
 <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-members-page-dark.png"/>
 </div>
+
diff --git a/docs/hub/organizations.md b/docs/hub/organizations.md
@@ -13,3 +13,4 @@ If an organization needs to track user access to a dataset due to licensing or p
   - [SSO in Organizations](./enterprise-sso)
   - [Audit Logs](./audit-logs)
   - [Storage Regions](./storage-regions)
+  - [Resource Groups](./security-resource-groups)
diff --git a/docs/hub/security-resource-groups.md b/docs/hub/security-resource-groups.md
@@ -0,0 +1,58 @@
+# Advanced Access Control in Organizations with Resource Groups
+
+<Tip warning={true}>
+This feature is part of the <a href="https://huggingface.co/enterprise" target="_blank">Enterprise Hub</a>.
+</Tip>
+
+In your Hugging Face organization, you can use Resource Groups to control which members have access to specific repositories.
+
+## How does it work?
+
+Resource Groups allow organizations administrators to group related repositories together, and manage access to those repos.
+
+Resource Groups allow different teams to work on their respective repositories within the same organization.
+
+A repository can belong to only one Resource Group.
+
+Organizations members need to be added to the Resource Group to access its repositories. An Organization Member can belong to several Resource Groups.
+
+ Members are assigned a role in each Resource Group that determines their permissions for the group's repositories. Four distinct roles exist for Resource Groups:
+
+- `read`: Grants read access to repositories within the Resource Group.
+- `contributor`: Provides extra write rights to the subset of the Organization's repositories created by the user (i.e., users can create repos and then modify only those repos). Similar to the 'Write' role, but limited to repos created by the user.
+- `write`: Offers write access to all repositories in the Resource Group. Users can create, delete, or rename any repository in the Resource Group.
+- `admin`: In addition to write permissions on repositories, admin members can administer the Resource Group — add, remove, and alter the roles of other members. They can also transfer repositories in and out of the Resource Group.
+
+In addition, Organization admins can manage all resource groups inside the organization.
+
+Resource Groups also affect the visibility of private repositories inside the organization. A private repository that is part of a Resource Group will only be visible to members of that Resource Group. Public repositories, on the other 
+
+## Getting started
+
+Head to your Organization's settings, then navigate to the "Resource Group" tab in the left menu.
+
+<div class="flex justify-center">
+    <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-resource-groups-page.png"/>
+    <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-resource-groups-page-dark.png"/>
+</div>
+
+If you are an admin of the organization, you can create and manage Resource Groups from that page.
+
+After creating a resource group and giving it a meaningful name, you can start adding repositories and users to it.
+
+<div class="flex justify-center">
+    <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-resource-groups-manage-empty-page.png"/>
+    <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-resource-groups-manage-empty-page-dark.png"/>
+</div>
+
+Remember that a repository can be part of only one Resource Group. You'll be warned when trying to add a repository that already belongs to another Resource Group.
+
+<div class="flex justify-center">
+    <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-resource-groups-manage-move-repo.png"/>
+    <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/org-resource-groups-manage-move-repo-dark.png"/>
+</div>
+
+## Programmatic management (API)
+
+Coming soon!
+
diff --git a/docs/hub/security.md b/docs/hub/security.md
@@ -20,4 +20,4 @@ For any other security questions, please feel free to send us an email at securi
 - [Malware Scanning](./security-malware)
 - [Pickle Scanning](./security-pickle)
 - [Secrets Scanning](./security-secrets)
-
+- [Resource Groups](./security-resource-groups)