RBAC and workspace ops docs ref #1217
base: main
Mintlify preview ID generated: preview-rbacpe-1761926321-5f4e52a
2770c42 to a4543c5
Mintlify preview ID generated: preview-rbacpe-1762288317-22ecd67
Mintlify preview ID generated: preview-rbacpe-1762288778-75f4de5
src/langsmith/rbac.mdx
Outdated
| LangSmith's RBAC system manages user permissions within workspaces. RBAC allows you to control who can access your LangSmith [workspace](/langsmith/administration-overview#workspaces) and what they can do within it. | ||
|
|
||
| Each user has: | ||
| - One [**organization role**](#organization-roles) that applies across the entire organization (separate from RBAC, available on all plans). |
Would say separate from workspace rbac - we do technically have org rbac, it's just a limited set of permissions (manage, create pats, and read), and we don't support custom combinations of org permissions. All org roles are predefined.
Also, org roles are not available in personal orgs i.e. single-workspace orgs. This says all plans, but I believe it's only Plus and above, where multiple workspaces are supported
I think I've now covered this
src/langsmith/rbac.mdx
Outdated
| To learn how to set up RBAC and assign roles to users, refer to the [User Management guide](/langsmith/user-management#set-up-access-control). | ||
|
|
||
| <Note> | ||
| For a comprehensive reference table of workspace-level and organization-level operations and which roles can perform them, refer to the [Workspace Operations Reference](/langsmith/workspace-operations). |
If it has org actions as well, maybe name it something else like permissions reference?
I've adjusted the name of that file.
src/langsmith/rbac.mdx
Outdated
|
|
||
| ### Organization roles | ||
|
|
||
| Organization roles are **distinct from the RBAC feature** and are used to manage organization-wide capabilities. These roles are available on all plans. |
Would add that these are system-defined and cannot be modified or extended. While workspace system roles cannot be modified, the list can be extended with custom roles
Added
src/langsmith/rbac.mdx
Outdated
| **Permissions**: | ||
| - `organization:manage` - Full control over organization settings, SSO, security, billing | ||
| - `organization:read` - Read access to all organization information | ||
| - `organization:pats:create` - Create organization-level personal access tokens |
Nit: worth linking to pat docs?
I have linked to those docs, and also linked key terms throughout this page.
src/langsmith/rbac.mdx
Outdated
| - Invite and remove organization members | ||
| - Assign organization and workspace roles to members | ||
| - Create and manage custom roles | ||
| - Configure RBAC and ABAC (Attribute-Based Access Control) policies |
Would say abac is private preview
Done!
src/langsmith/rbac.mdx
Outdated
| - Assign organization and workspace roles to members | ||
| - Create and manage custom roles | ||
| - Configure RBAC and ABAC (Attribute-Based Access Control) policies | ||
| - Manage organization-level API keys and service accounts |
We don't really expose service account mgmt, it's under the hood, so would remove
OK, I've removed mentions of "service accounts"
src/langsmith/rbac.mdx
Outdated
|
|
||
| ### Workspace Admin | ||
|
|
||
| **Description**: Default role with full permissions for all resources and ability to manage workspace. |
Would add context of specifically when this is default, or just remove the word
I've removed that for now
src/langsmith/rbac.mdx
Outdated
| **Description**: Default role with full permissions for most resources. Cannot manage workspace settings or delete certain critical resources. | ||
|
|
||
| **Key Differences from Admin**: | ||
| - Cannot delete annotation queues |
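Review bot: On the **Description** line, "Default role" is also how the Workspace Admin description elsewhere in this file opens, so the text leaves unclear which role a new member actually receives, and "full permissions for most resources" contradicts itself. Suggest dropping "Default" unless the condition is stated, and naming the exact operations Editor cannot perform instead of "certain critical resources", so readers can reason about least privilege from the description alone.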
I believe Editor can delete AQS actually
Editor can actually do all of these actions minus deleting runs and managing workspace settings
Ah, ok, I've edited this
|
|
||
| The list includes API operations in LangSmith along with: | ||
|
|
||
| - Which roles can perform each operation. |
| - Which roles can perform each operation. | |
| - Which system roles can perform each operation. |
Added
| | **Core resources:**<br/>• [Projects](#projects): Organize traces and runs<br/>• [Runs](#runs): Individual execution traces<br/>• [Datasets](#datasets): Test datasets for evaluation<br/>• [Examples](#examples): Individual dataset examples<br/>• [Experiments](#experiments): Comparative experiments | **Core management:**<br/>• [Organization settings](#organization-settings): Org info and configuration<br/>• [Workspaces](#workspaces): Workspace management<br/>• [Organization members](#organization-members): Member management<br/>• [Roles and permissions](#roles-and-permissions): Custom roles | | ||
| | **Monitoring and analysis:**<br/>• [Rules](#rules): Automated run rules<br/>• [Alerts](#alerts): Alert rules for monitoring<br/>• [Feedback](#feedback): Scores and labels on outputs<br/>• [Annotation Queues](#annotation-queues): Human review queues<br/>• [Charts](#charts): Custom visualizations | **Security and authentication:**<br/>• [SSO and authentication](#sso-and-authentication): Single sign-on setup<br/>• [SCIM](#scim): Identity provisioning<br/>• [Access policies](#access-policies): Attribute-based access control | | ||
| | **Development and configuration:**<br/>• [Prompts](#prompts): Prompt templates (LangChain Hub)<br/>• [Deployments](#deployments): Deployment configurations<br/>• [MCP Servers](#mcp-servers): Model Context Protocol servers | **Billing and accounts:**<br/>• [Billing and payments](#billing-and-payments): Subscription management<br/>• [API keys and service accounts](#api-keys-and-service-accounts): Org-level keys | | ||
| | **Workspace management:**<br/>• [Workspace settings](#workspace-settings-and-management): Members, settings<br/>• [API Keys & Secrets](#api-keys-and-secrets): Authentication credentials<br/>• [Tags](#tags): Metadata tagging system<br/>• [Bulk Exports](#bulk-exports): Data export operations | **Analytics:**<br/>• [Charts and dashboards](#organization-charts-and-dashboards): Org-level visualizations<br/>• [Usage and analytics](#usage-and-analytics): Usage tracking and TTL settings | |
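Review bot: The "Billing and accounts" cell in the third row still links `[API keys and service accounts](#api-keys-and-service-accounts)`, while the "Workspace management" cell in the fourth row lists `[API Keys & Secrets](#api-keys-and-secrets)`. That presents credential management at both levels and keeps the "service accounts" wording that was dropped from rbac.mdx earlier in this review. Suggest a single API keys entry at the level where keys are actually managed, with the anchor renamed to match, so readers can tell which role set governs credential creation.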
API keys are managed at the organization level now
OK, I've deleted API keys as a section from the workspace section of this page
| | Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission | | ||
| |-----------|:---------------:|:--------------:|:----------------:|---------------------| | ||
| | Send traces from SDK (create run) | ✓ | ✓ | ✗ | `runs:create` | | ||
| | Batch ingest runs | ✓ | ✓ | ✗ | `runs:create` | |
would name this the same as above, so Send traces from SDK or via API (batch). and below, Send traces from SDK or via API (multipart). these are essentially the same operations, trace ingestion, just different endpoints. same with OTEL.
thinking a bit more, maybe
- Submit traces (includes single run, batch, multipart, and OTEL): `runs:create`
I think I've taken care of this correctly!
| - [Workspace Admin](/langsmith/rbac#workspace-admin) has full access to all resources within the workspace. | ||
| - [Workspace Editor](/langsmith/rbac#workspace-editor) has full permissions except for workspace management (adding/removing users, changing roles, configuring service keys). | ||
| - [Workspace Viewer](/langsmith/rbac#workspace-viewer) has read-only access to all resources within the workspace. |
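Review bot: The Workspace Editor bullet gives workspace management as the only exception to full permissions, but the review thread on `src/langsmith/rbac.mdx` states that Editor also cannot delete runs. Suggest listing both exceptions here, or linking to the operations reference for the exact set, so the summary does not overstate Editor's access.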
@bvs-langchain I added "Workspace" to the front of these roles to match what I'd done in the operations reference, but now I'm realizing that they are Admin, Viewer, and Editor in the UI. Should I remove "Workspace" from all the roles that include that in this PR, or do you think it's good to keep in order to differentiate from the Org roles?
ae96b67 to 16d7b6f
Mintlify preview ID generated: preview-rbacpe-1762464426-c6f1c05
Mintlify preview ID generated: preview-rbacpe-1762465003-c2183e4
Fixes DOC-397, DOC-101
Preview
Organization and workspace operations: https://langchain-5e9cc07a-preview-rbacpe-1762465003-c2183e4.mintlify.app/langsmith/organization-workspace-operations
RBAC: https://langchain-5e9cc07a-preview-rbacpe-1762465003-c2183e4.mintlify.app/langsmith/rbac