diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index 5475c0011..866863307 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -279,6 +279,8 @@ title: Storage Regions - local: enterprise-hub-datasets title: Dataset viewer for Private datasets + - local: enterprise-hub-resource-groups + title: Resource Groups (Advanced Access Control) - local: billing title: Billing - local: security @@ -303,6 +305,8 @@ title: How to configure SAML with Azure in the Hub - local: security-sso-azure-oidc title: How to configure OIDC with Azure in the Hub + - local: security-resource-groups + title: Advanced Access Control (Resource Groups) - local: security-malware title: Malware Scanning - local: security-pickle diff --git a/docs/hub/enterprise-hub-resource-groups.md b/docs/hub/enterprise-hub-resource-groups.md new file mode 100644 index 000000000..3a07b5085 --- /dev/null +++ b/docs/hub/enterprise-hub-resource-groups.md @@ -0,0 +1,9 @@ +# Datasets + + +This feature is part of the Enterprise Hub. + + +Resource Groups allow Enterprise Hub organizations to enforce fine-grained access control to its repositories. + +Read the [documentation for Resource Groups under the Security section](./security-resource-groups). diff --git a/docs/hub/enterprise-hub.md b/docs/hub/enterprise-hub.md index 5cee31cb7..bc6c48b1a 100644 --- a/docs/hub/enterprise-hub.md +++ b/docs/hub/enterprise-hub.md @@ -10,3 +10,4 @@ In this section we will document the following Enterprise Hub features: - [Audit Logs](./audit-logs) - [Storage Regions](./storage-regions) - [Dataset viewer for Private datasets](./enterprise-hub-datasets) +- [Resource Groups](./security-resource-groups) diff --git a/docs/hub/organizations-security.md b/docs/hub/organizations-security.md index 1068503a1..6507f93e4 100644 --- a/docs/hub/organizations-security.md +++ b/docs/hub/organizations-security.md 
@@ -6,6 +6,14 @@ You can set up [Single Sign-On (SSO)](./security-sso) to be able to map access c + + +Advanced and more fine-grained access control can be achieved with [Resource Groups](./security-resource-groups). + +The Resource Group feature is part of the Enterprise Hub. + + + Members of organizations can have four different roles: `read`, `contributor`, `write` or `admin`: - `read`: read-only access to the Organization's repos and metadata/settings (eg, the Organization's profile, members list, API token, etc). @@ -22,3 +30,4 @@ As an organization `admin`, go to the **Members** section of the org settings to + diff --git a/docs/hub/organizations.md b/docs/hub/organizations.md index c30cdcca4..ef4d22e25 100644 --- a/docs/hub/organizations.md +++ b/docs/hub/organizations.md @@ -13,3 +13,4 @@ If an organization needs to track user access to a dataset due to licensing or p - [SSO in Organizations](./enterprise-sso) - [Audit Logs](./audit-logs) - [Storage Regions](./storage-regions) + - [Resource Groups](./security-resource-groups) diff --git a/docs/hub/security-resource-groups.md b/docs/hub/security-resource-groups.md new file mode 100644 index 000000000..0d08a0b71 --- /dev/null +++ b/docs/hub/security-resource-groups.md 
@@ -0,0 +1,58 @@ +# Advanced Access Control in Organizations with Resource Groups + + +This feature is part of the Enterprise Hub. + + +In your Hugging Face organization, you can use Resource Groups to control which members have access to specific repositories. + +## How does it work? + +Resource Groups allow organizations administrators to group related repositories together, and manage access to those repos. + +Resource Groups allow different teams to work on their respective repositories within the same organization. + +A repository can belong to only one Resource Group. + +Organizations members need to be added to the Resource Group to access its repositories. An Organization Member can belong to several Resource Groups. + + Members are assigned a role in each Resource Group that determines their permissions for the group's repositories. Four distinct roles exist for Resource Groups: + +- `read`: Grants read access to repositories within the Resource Group. +- `contributor`: Provides extra write rights to the subset of the Organization's repositories created by the user (i.e., users can create repos and then modify only those repos). Similar to the 'Write' role, but limited to repos created by the user. +- `write`: Offers write access to all repositories in the Resource Group. Users can create, delete, or rename any repository in the Resource Group. +- `admin`: In addition to write permissions on repositories, admin members can administer the Resource Group — add, remove, and alter the roles of other members. They can also transfer repositories in and out of the Resource Group. + +In addition, Organization admins can manage all resource groups inside the organization. + +Resource Groups also affect the visibility of private repositories inside the organization. A private repository that is part of a Resource Group will only be visible to members of that Resource Group. 
Public repositories, on the other + +## Getting started + +Head to your Organization's settings, then navigate to the "Resource Group" tab in the left menu. + +
+ + +
+ +If you are an admin of the organization, you can create and manage Resource Groups from that page. + +After creating a resource group and giving it a meaningful name, you can start adding repositories and users to it. + +
+ + +
+ +Remember that a repository can be part of only one Resource Group. You'll be warned when trying to add a repository that already belongs to another Resource Group. + +
+ + +
+ +## Programmatic management (API) + +Coming soon! + diff --git a/docs/hub/security.md b/docs/hub/security.md index 9e405489d..a90e94a3c 100644 --- a/docs/hub/security.md +++ b/docs/hub/security.md @@ -20,4 +20,4 @@ For any other security questions, please feel free to send us an email at securi - [Malware Scanning](./security-malware) - [Pickle Scanning](./security-pickle) - [Secrets Scanning](./security-secrets) - +- [Resource Groups](./security-resource-groups)
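Review bot: In docs/hub/_toctree.yml the same feature is titled "Resource Groups (Advanced Access Control)" in the first hunk and "Advanced Access Control (Resource Groups)" in the second; pick one form so the sidebar reads the same in both sections. Related: the toctree registers `enterprise-hub-resource-groups`, but the item added to docs/hub/enterprise-hub.md links straight to `./security-resource-groups`, so the stub page is reachable only from the sidebar. Either link the stub from that list or drop it.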
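Review bot: The new docs/hub/enterprise-hub-resource-groups.md opens with `# Datasets`, but the page describes Resource Groups and its toctree entry is titled "Resource Groups (Advanced Access Control)"; the heading looks carried over from another page and should be changed to match, for example `# Resource Groups`. In the same file, "allow Enterprise Hub organizations to enforce fine-grained access control to its repositories" should read "their repositories".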
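Review bot: In docs/hub/organizations-security.md the new paragraph is placed directly above the organization role list (`read`, `contributor`, `write`, `admin`), and the Resource Group page it links to reuses the same four role names, yet nothing here says how the two levels combine. Add one sentence stating which role applies to a repository inside a Resource Group when a member's organization role and Resource Group role differ, and what an organization member who is not in the group can do with that repository.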
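Review bot: In docs/hub/security-resource-groups.md the visibility paragraph stops mid-sentence at "Public repositories, on the other", immediately before `## Getting started`, so the page never states how Resource Group membership affects public repositories. This is the paragraph admins will read to decide what is exposed to whom, so the sentence needs to be completed before merge. Also, the `contributor` bullet speaks of "the subset of the Organization's repositories created by the user" while the other three roles are scoped to the Resource Group; state explicitly whether `contributor` is limited to the group as well. Minor: the Getting started step names the tab "Resource Group" while the rest of the page uses "Resource Groups"; match the label shown in the settings UI.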