An Organization is the root scope in your W&B account or instance. All actions in your account or instance take place within the context of that root scope, including managing users, managing teams, managing projects within teams, tracking usage and more.
If you are using Multi-tenant Cloud, you may have more than one organization where each may correspond to a business unit, a personal user, a joint partnership with another business and more.
If you are using Dedicated Cloud or a Self-managed instance, it corresponds to one organization. Your company may have more than one of Dedicated Cloud or Self-managed instances to map to different business units or departments, though that is strictly an optional way to manage AI practioners across your businesses or departments.
A Team is a subscope within a organization, that may map to a business unit / function, department, or a project team in your company. You may have more than one team in your organization depending on your deployment type and pricing plan.
AI projects are organized within the context of a team. The access control within a team is governed by team admins, who may or may not be admins at the parent organization level.
A Project is a subscope within a team, that maps to an actual AI project with specific intended outcomes. You may have more than one project within a team. Each project has a visibility mode which determines who can access it.
Authenticate your credentials with the W&B Server LDAP server. The following guide explains how to configure the settings for W&B Server. It covers mandatory and optional configurations, as well as instructions for configuring the LDAP connection from systems settings UI. it also provides information on the different inputs of the LDAP configuration, such as the address, base distinguished name, and attributes. You can specify these attributes from the W&B App UI or using environment variables. You can setup either an anonymous bind, or bind with an administrator DN and Password.
Only W&B Admin roles can enable and configure LDAP authentication.
Configure LDAP connection
Navigate to the W&B App.
Select your profile icon from the upper right. From the dropdown, select System Settings.
Toggle Configure LDAP Client.
Add the details in the form. Refer to Configuring Parameters section for details on each input.
Click on Update Settings to test your settings. This will establish a test client/connection with the W&B server.
If your connection is verified, toggle the Enable LDAP Authentication and select the Update Settings button.
Set LDAP an connection with the following environment variables:
Environment variable
Required
Example
LOCAL_LDAP_ADDRESS
Yes
ldaps://ldap.example.com:636
LOCAL_LDAP_BASE_DN
Yes
email=mail,group=gidNumber
LOCAL_LDAP_BIND_DN
No
cn=admin, dc=example,dc=org
LOCAL_LDAP_BIND_PW
No
LOCAL_LDAP_ATTRIBUTES
Yes
email=mail, group=gidNumber
LOCAL_LDAP_TLS_ENABLE
No
LOCAL_LDAP_GROUP_ALLOW_LIST
No
LOCAL_LDAP_LOGIN
No
See the Configuration parameters section for definitions of each environment variable. Note that the environment variable prefix LOCAL_LDAP was omitted from the definition names for clarity.
Configuration parameters
The following table lists and describes required and optional LDAP configurations.
Environment variable
Definition
Required
ADDRESS
This is the address of your LDAP server within the VPC that hosts W&B Server.
Yes
BASE_DN
The root path searches start from and required for doing any queries into this directory.
Yes
BIND_DN
Path of the administrative user registered in the LDAP server. This is required if the LDAP server does not support unauthenticated binding. If specified, W&B Server connects to the LDAP server as this user. Otherwise, W&B Server connects using anonymous binding.
No
BIND_PW
The password for administrative user, this is used to authenticate the binding. If left blank, W&B Server connects using anonymous binding.
No
ATTRIBUTES
Provide an email and group ID attribute names as comma separated string values.
Yes
TLS_ENABLE
Enable TLS.
No
GROUP_ALLOW_LIST
Group allowlist.
No
LOGIN
This tells W&B Server to use LDAP to authenticate. Set to either True or False. Optionally set this to false to test the LDAP configuration. Set this to true to start LDAP authentication.
No
1.2 - Configure SSO with OIDC
W&B Server’s support for OpenID Connect (OIDC) compatible identity providers allows for management of user identities and group memberships through external identity providers like Okta, Keycloak, Auth0, Google, and Entra.
OpenID Connect (OIDC)
W&B Server supports the following OIDC authentication flows for integrating with external Identity Providers (IdPs).
Implicit Flow with Form Post
Authorization Code Flow with Proof Key for Code Exchange (PKCE)
These flows authenticate users and provide W&B Server with the necessary identity information (in the form of ID tokens) to manage access control.
The ID token is a JWT that contains the user’s identity information, such as their name, username, email, and group memberships. W&B Server uses this token to authenticate the user and map them to appropriate roles or groups in the system.
In the context of W&B Server, access tokens authorize requests to APIs on behalf of the user, but since W&B Server’s primary concern is user authentication and identity, it only requires the ID token.
To assist with configuring Identity Providers for Dedicated cloud or Self-managed W&B Server installations, follow these guidelines to follow for various IdPs. If you’re using the SaaS version of W&B, reach out to support@wandb.com for assistance in configuring an Auth0 tenant for your organization.
Follow the procedure below to set up AWS Cognito for authorization:
First, sign in to your AWS account and navigate to the AWS Cognito App.
Provide an allowed callback URL to configure the application in your IdP:
Add http(s)://YOUR-W&B-HOST/oidc/callback as the callback URL. Replace YOUR-W&B-HOST with your W&B host path.
If your IdP supports universal logout, set the Logout URL to http(s)://YOUR-W&B-HOST. Replace YOUR-W&B-HOST with your W&B host path.
For example, if your application was running at https://wandb.mycompany.com, you would replace YOUR-W&B-HOST with wandb.mycompany.com.
The image below demonstrates how to provide allowed callback and sign-out URLs in AWS Cognito.
You can also configure wandb/local to perform an authorization_code grant that uses the PKCE Code Exchange flow.
Select one or more OAuth grant types to configure how AWS Cognito delivers tokens to your app.
W&B requires specific OpenID Connect (OIDC) scopes. Select the following from AWS Cognito App:
“openid”
“profile”
“email”
For example, your AWS Cognito App UI should look similar to the following image:
Select the Auth Method in the settings page or set the OIDC_AUTH_METHOD environment variable to tell wandb/local which grant to.
You must set the Auth Method to pkce.
You need a Client ID and the URL of your OIDC issuer. The OpenID discovery document must be available at $OIDC_ISSUER/.well-known/openid-configuration
For example, , you can generate your issuer URL by appending your User Pool ID to the Cognito IdP URL from the App Integration tab within the User Pools section:
Do not use the “Cognito domain” for the IDP URL. Cognito provides it’s discovery document at https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID
Follow the procedure below to set up Okta for authorization:
On the overview screen of the Okta application that you just created, make note of the Client ID under Client Credentials under the General tab:
To identify the Okta OIDC Issuer URL, select Settings and then Account on the left side.
The Okta UI shows the company name under Organization Contact.
The OIDC issuer URL has the following format: https://COMPANY.okta.com. Replace COMPANY with the corresponding value. Make note of it.
On the screen named “Register an application,” fill out the values as follows:
Specify a name, for example “Weights and Biases application”
By default the selected account type is: “Accounts in this organizational directory only (Default Directory only - Single tenant).” Modify if you need to.
Configure Redirect URI as type Web with value: https://YOUR_W_AND_B_URL/oidc/callback
Click “Register.”
Make a note of the “Application (client) ID” and “Directory (tenant) ID.”
On the left side, click Authentication.
Under Front-channel logout URL, specify: https://YOUR_W_AND_B_URL/logout
Click “Save.”
On the left side, click “Certificates & secrets.”
Click “Client secrets” and then click “New client secret.”
On the screen named “Add a client secret,” fill out the values as follows:
Enter a description, for example “wandb”
Leave “Expires” as is or change if you have to.
Click “Add.”
Make a note of the “Value” of the secret. There is no need for the “Secret ID.”
You should now have made notes of three values:
OIDC Client ID
OIDC Client Secret
Tenant ID is needed for the OIDC Issuer URL
The OIDC issuer URL has the following format: https://login.microsoftonline.com/${TenantID}/v2.0
Set up SSO on the W&B Server
To set up SSO, you need administrator privileges and the following information:
OIDC Client ID
OIDC Auth method (implicit or pkce)
OIDC Issuer URL
OIDC Client Secret (optional; depends on how you have setup your IdP)
Should your IdP require a OIDC Client Secret, specify it with the environment variable OIDC_SECRET.
You can configure SSO using either the W&B Server UI or by passing environment variables to the wandb/local pod. The environment variables take precedence over UI.
If you’re unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This outputs a temporary password to the containers logs and disables SSO. Once you’ve resolved any issues with SSO, you must remove that environment variable to enable SSO again.
The System Console is the successor to the System Settings page. It is available with the W&B Kubernetes Operator based deployment.
Navigate to Settings, then Authentication. Select OIDC in the Type dropdown.
Enter the values.
Click on Save.
Log out and then log back in, this time using the IdP login screen.
Sign in to your Weights&Biases instance.
Navigate to the W&B App.
From the dropdown, select System Settings:
Enter your Issuer, Client ID, and Authentication Method.
Select Update settings.
If you’re unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This outputs a temporary password to the containers logs and turn off SSO. Once you’ve resolved any issues with SSO, you must remove that environment variable to enable SSO again.
Security Assertion Markup Language (SAML)
W&B Server does not support SAML.
1.3 - Use federated identities with SDK
Use identity federation to sign in using your organizational credentials through W&B SDK. If your W&B organization admin has configured SSO for your organization, then you already use your organizational credentials to sign-in to the W&B app UI. In that sense, identity federation is like SSO for W&B SDK, but by using JSON Web Tokens (JWTs) directly. You can use identity federation as an alternative to API keys.
RFC 7523 forms the underlying basis for identity federation with SDK.
Identity federation is available in Preview for Enterprise plans on all platform types - SaaS Cloud, Dedicated Cloud, and Self-managed instances. Reach out to your W&B team for any questions.
For the purpose of this document, the terms identity provider and JWT issuer are used interchangeably. Both refer to one and the same thing in the context of this capability.
JWT issuer setup
As a first step, an organization admin must set up a federation between your W&B organization and a publicly accessible JWT issuer.
Go to the Settings tab in your organization dashboard
In the Authentication option, press Set up JWT Issuer
Add the JWT issuer URL in the text box and press Create
W&B will automatically look for a OIDC discovery document at the path ${ISSUER_URL}/.well-known/oidc-configuration, and try to find the JSON Web Key Set (JWKS) at a relevant URL in the discovery document. The JWKS is used for real-time validation of the JWTs to ensure that those have been issued by the relevant identity provider.
Using the JWT to access W&B
Once a JWT issuer has been setup for your W&B organization, users can start accessing the relevant W&B projects using JWTs issued by that identity provider. The mechanism for using JWTs is as follows:
You must sign-in to the identity provider using one of the mechanisms available in your organization. Some providers can be accessed in an automated manner using an API or SDK, while some can only be accessed using a relevant UI. Reach out to your W&B organization admin or the owner of the JWT issuer for details.
Once you’ve retrieved the JWT after signing in to your identity provider, store it in a file at a secure location and configure the absolute file path in an environment variable WANDB_IDENTITY_TOKEN_FILE.
Access your W&B project using the W&B SDK or CLI. The SDK or CLI should automatically detect the JWT and exchange it for a W&B access token after the JWT has been successfully validated. The W&B access token is used to access the relevant APIs for enabling your AI workflows, that is, to log runs, metrics, artifacts and so forth. The access token is by default stored at the path ~/.config/wandb/credentials.json. You can change that path by specifying the environment variable WANDB_CREDENTIALS_FILE.
JWTs are meant to be short-lived credentials to address the shortcomings of long-lived credentials like API keys, passwords and so forth. Depending on the JWT expiry time configured in your identity provider, you must continuously refresh the JWT and ensure that it’s stored in the file referenced by the environment variable WANDB_IDENTITY_TOKEN_FILE.
W&B access token also has a default expiry duration, after which the SDK or the CLI automatically try to refresh that using your JWT. If the user JWT has also expired by that time and is not refreshed, that could result in an authentication failure. If possible, the JWT retrieval and post-expiry refresh mechanism should be implemented as part of the AI workload that uses the W&B SDK or CLI.
JWT validation
As part of the workflow to exchange the JWT for a W&B access token and then access a project, the JWT undergoes following validations:
The JWT signature is verified using the JWKS at the W&B organization level. This is the first line of defense, and if this fails, that means there’s a problem with your JWKS or how your JWT is signed.
The iss claim in the JWT should be equal to the issuer URL configured at the organization level.
The sub claim in the JWT should be equal to the user’s email address as configured in the W&B organization.
The aud claim in the JWT should be equal to the name of the W&B organization which houses the project that you are accessing as part of your AI workflow. In case of Dedicated Cloud or Self-managed instances, you could configure an instance-level environment variable SKIP_AUDIENCE_VALIDATION to true to skip validation of the audience claim, or use wandb as the audience.
The exp claim in the JWT is checked to see if the token is valid or has expired and needs to be refreshed.
External service accounts
W&B has supported built-in service accounts with long-lived API keys for long. With the identity federation capability for SDK and CLI, you can also bring external service accounts that could use JWTs for authentication, though as long as those are issued by the same issuer which is configured at the organization level. A team admin can configure external service accounts within the scope of a team, like the built-in service accounts.
To configure an external service account:
Go to the Service Accounts tab for your team
Press New service account
Provide a name for the service account, select Federated Identity as the Authentication Method, provide a Subject, and press Create
The sub claim in the external service account’s JWT should be same as what the team admin configures as its subject in the team-level Service Accounts tab. That claim is verified as part of JWT validation. The aud claim requirement is similar to that for human user JWTs.
When using an external service account’s JWT to access W&B, it’s typically easier to automate the workflow to generate the initial JWT and continuously refresh it. If you would like to attribute the runs logged using an external service account to a human user, you can configure the environment variables WANDB_USERNAME or WANDB_USER_EMAIL for your AI workflow, similar to how it’s done for the built-in service accounts.
W&B recommends to use a mix of built-in and external service accounts across your AI workloads with different levels of data sensitivity, in order to strike a balance between flexibility and simplicity.
1.4 - Use service accounts to automate workflows
Manage automated or non-interactive workflows using org and team scoped service accounts
A service account represents a non-human or machine user that can automatically perform common tasks across projects within a team or across teams.
An org admin can create a service account at the scope of the organization.
A team admin can create a service account at the scope of that team.
A service account’s API key allows the caller to read from or write to projects within the service account’s scope.
Service accounts allow for centralized management of workflows by multiple users or teams, to automate experiment tracking for W&B Models or to log traces for W&B Weave. You have the option to associate a human user’s identity with a workflow managed by a service account, by using either of the environment variablesWANDB_USERNAME or WANDB_USER_EMAIL.
Service accounts scoped to an organization have permissions to read and write in all projects in the organization, regardless of the team, with the exception of restricted projects. Before an organization-scoped service account can access a restricted project, an admin of that project must explicitly add the service account to the project.
An organization admin can obtain the API key for an organization-scoped service account from the Service Accounts tab of the organization or account dashboard.
To create a new organization-scoped service account:
Click New service account button in the Service Accounts tab of your organization dashboard.
Enter a Name.
Select a default team for the service account.
Click Create.
Next to the newly created service account, click Copy API key.
Store the copied API key in a secret manager or another secure but accessible location.
An organization-scoped service account requires a default team, even though it has access to non-restricted projects owned by all teams within the organization. This helps to prevent a workload from failing if the WANDB_ENTITY variable is not set in the environment for your model training or generative AI app. To use an organization-scoped service account for a project in a different team, you must set the WANDB_ENTITY environment variable to that team.
Team-scoped service accounts
A team-scoped service account can read and write in all projects within its team, except to restricted projects in that team. Before a team-scoped service account can access a restricted project, an admin of that project must explicitly add the service account to the project.
As a team admin, you can get the API key for a team-scoped service account in your team at <WANDB_HOST_URL>/<your-team-name>/service-accounts. Alternatively you can go to the Team settings for your team and then refer to the Service Accounts tab.
To create a new team scoped service account for your team:
Click New service account button in the Service Accounts tab of your team.
Enter a Name.
Select Generate API key (Built-in) as the authentication method.
Click Create.
Next to the newly created service account, click Copy API key.
Store the copied API key in a secret manager or another secure but accessible location.
If you do not configure a team in your model training or generative AI app environment that uses a team-scoped service account, the model runs or weave traces log to the named project within the service account’s parent team. In such a scenario, user attribution using the WANDB_USERNAME or WANDB_USER_EMAIL variables do not work unless the referenced user is part of the service account’s parent team.
A team-scoped service account cannot log runs to a team or restricted-scoped project in a team different from its parent team, but it can log runs to an open visibility project within another team.
External service accounts
In addition to Built-in service accounts, W&B also supports team-scoped External service accounts with the W&B SDK and CLI using Identity federation with identity providers (IdPs) that can issue JSON Web Tokens (JWTs).
2 - Access management
Manage users and teams within an organization
The first user to sign up to W&B with a unique organization domain is assigned as that organization’s instance administrator role. The organization administrator assigns specific users team administrator roles.
W&B recommends to have more than one instance admin in an organization. It is a best practice to ensure that admin operations can continue when the primary admin is not available.
A team administrator is a user in organization that has administrative permissions within a team.
The organization administrator can access and use an organization’s account settings at https://wandb.ai/account-settings/ to invite users, assign or update a user’s role, create teams, remove users from your organization, assign the billing administrator, and more. See Add and manage users for more information.
Once an organization administrator creates a team, the instance administrator or ateam administrator can:
Invite users to that team or remove users from the team.
Assign or update a team member’s role.
Automatically add new users to a team when they join your organization.
Both the organization administrator and the team administrator use team dashboards at https://wandb.ai/<your-team-name> to manage teams. For more information on what organization administrators and team administrators can do, see Add and manage teams.
Limit visibility to specific projects
Define the scope of a W&B project to limit who can view, edit, and submit W&B runs to it. Limiting who can view a project is particularly useful if a team works with sensitive or confidential data.
An organization admin, team admin, or the owner of a project can both set and edit a project’s visibility.
The following workflow applies to users with instance administrator roles. Reach out to an administrator in your organization if you believe you should have instance administrator permissions.
In the upper right corner of the page, select the User menu dropdown. Within the Account section of the dropdown, select Settings.
Within the Settings tab, select General.
Select the Change name button.
Within the modal that appears, provide a new name for your organization and select the Save name button.
Add and manage users
As an administrator, use your organization’s dashboard to:
Invite or remove users.
Assign or update a user’s role.
Assign the billing administrator.
There are several ways an organization administrator can add users to an organization:
Member-by-invite
Auto provisioning with SSO
Domain capture
Seats and pricing
The proceeding table summarizes how seats work for Models and Weave:
Product
Seats
Cost based on
Models
Pay per set
How many Models paid seats you have, and how much usage you’ve accrued determines your overall subscription cost. Each user can be assigned one of the three available seat types: Full, Viewer, and No-Access
Weave
Free
Usage based
Invite a user
Administrators can invite users to their organization, as well as specific teams within the organization.
In the upper right corner of the page, select the User menu dropdown. Within the Account section of the dropdown, select Users.
Select Invite new user.
In the modal that appears, provide the email or username of the user in the Email or username field.
(Recommended) Add the user to a team from the Choose teams dropdown menu.
From the Select role dropdown, select the role to assign to the user. You can change the user’s role at a later time. See the table listed in Assign a role for more information about possible roles.
Choose the Send invite button.
W&B sends an invite link using a third-party email server to the user’s email after you select the Send invite button. A user can access your organization once they accept the invite.
Navigate to https://<org-name>.io/console/settings/. Replace <org-name> with your organization name.
Select the Add user button
Within the modal that appears, provide the email of the new user in the Email field.
Select a role to assign to the user from the Role dropdown. You can change the user’s role at a later time. See the table listed in Assign a role for more information about possible roles.
Check the Send invite email to user box if you want W&B to send an invite link using a third-party email server to the user’s email.
Select the Add new user button.
Auto provision users
A W&B user with matching email domain can sign in to your W&B Organization with Single Sign-On (SSO) if you configure SSO and your SSO provider permits it. SSO is available for all Enterprise licenses.
Enable SSO for authentication
W&B strongly recommends and encourages that users authenticate using Single Sign-On (SSO). Reach out to your W&B team to enable SSO for your organization.
To learn more about how to setup SSO with Dedicated cloud or Self-managed instances, refer to SSO with OIDC or SSO with LDAP.
W&B assigned auto-provisioning users “Member” roles by default. You can change the role of auto-provisioned users at any time.
Auto-provisioning users with SSO is on by default for Dedicated cloud instances and Self-managed deployments. You can turn off auto provisioning. Turning auto provisioning off enables you to selectively add specific users to your W&B organization.
The proceeding tabs describe how to turn off SSO based on deployment type:
Reach out to your W&B team if you are on Dedicated cloud instance and you want to turn off auto provisioning with SSO.
Use the W&B Console to turn off auto provisioning with SSO:
Navigate to https://<org-name>.io/console/settings/. Replace <org-name> with your organization name.
Choose Security
Select the Disable SSO Provisioning to turn off auto provisioning with SSO.
Auto provisioning with SSO is useful for adding users to an organization at scale because organization administrators do not need to generate individual user invitations.
Domain capture
Domain capture helps your employees join the your companies organization to ensure new users do not create assets outside of your company jurisdiction.
Domains must be unique
Domains are unique identifiers. This means that you can not use a domain that is already in use by another organization.
Domain capture lets you automatically add people with a company email address, such as @example.com, to your W&B SaaS cloud organization. This helps all your employees join the right organization and ensures that new users do not create assets outside of your company jurisdiction.
This table summarizes the behavior of new and existing users with and without domain capture enabled:
With domain capture
Without domain capture
New users
Users who sign up for W&B from verified domains are automatically added as members to your organization’s default team. They can choose additional teams to join at sign up, if you enable team joining. They can still join other organizations and teams with an invitation.
Users can create W&B accounts without knowing there is a centralized organization available.
Invited users
Invited users automatically join your organization when accepting your invite. Invited users are not automatically added as members to your organization’s default team. They can still join other organizations and teams with an invitation.
Invited users automatically join your organization when accepting your invite. They can still join other organizations and teams with an invitation.
Existing users
Existing users with verified email addresses from your domains can join your organization’s teams within the W&B App. All data that existing users create before joining your organization remains. W&B does not migrate the existing user’s data.
Existing W&B users may be spread across multiple organizations and teams.
To automatically assign non-invited new users to a default team when they join your organization:
In the upper right corner of the page, select the User menu dropdown. From the dropdown, choose Settings.
Within the Settings tab, select General.
Choose the Claim domain button within Domain capture.
Select the team that you want new users to automatically join from the Default team dropdown. If no teams are available, you’ll need to update team settings. See the instructions in Add and manage teams.
Click the Claim email domain button.
You must enable domain matching within a team’s settings before you can automatically assign non-invited new users to that team.
Navigate to the team’s dashboard at https://wandb.ai/<team-name>. Where <team-name> is the name of the team you want to enable domain matching.
Select Team settings in the global navigation on the left side of the team’s dashboard.
Within the Privacy section, toggle the “Recommend new users with matching email domains join this team upon signing up” option.
Reach out to your W&B Account Team if you use Dedicated or Self-managed deployment type to configure domain capture. Once configured, your W&B SaaS instance automatically prompts users who create a W&B account with your company email address to contact your administrator to request access to your Dedicated or Self-managed instance.
With domain capture
Without domain capture
New users
Users who sign up for W&B on SaaS cloud from verified domains are automatically prompted to contact an administrator with an email address you customize. They can still create an organizations on SaaS cloud to trial the product.
Users can create W&B SaaS cloud accounts without learning their company has a centralized dedicated instance.
Existing users
Existing W&B users may be spread across multiple organizations and teams.
Existing W&B users may be spread across multiple organizations and teams.
Assign or update a user’s role
Every member in an Organization has an organization role and seat for both W&B Models and Weave. The type of seat they have determines both their billing status and the actions they can take in each product line.
You initially assign an organization role to a user when you invite them to your organization. You can change any user’s role at a later time.
A user within an organization can have one of the proceeding roles:
Role
Descriptions
Administrator
A instance administrator who can add or remove other users to the organization, change user roles, manage custom roles, add teams and more. W&B recommends ensuring there is more than one administrator in the event that your administrator is unavailable.
Member
A regular user of the organization, invited by an instance administrator. A organization member cannot invite other users or manage existing users in the organization.
Viewer (Enterprise-only feature)
A view-only user of your organization, invited by an instance administrator. A viewer only has read access to the organization and the underlying teams that they are a member of.
Custom Roles (Enterprise-only feature)
Custom roles allow organization administrators to compose new roles by inheriting from the preceding View-Only or Member roles, and adding additional permissions to achieve fine-grained access control. Team administrators can then assign any of those custom roles to users in their respective teams.
In the upper right corner of the page, select the User menu dropdown. From the dropdown, choose Users.
Provide the name or email of the user in the search bar.
Select a role from the TEAM ROLE dropdown next to the name of the user.
Assign or update a user’s access
A user within an organization has one of the proceeding model seat or weave access types: full, viewer, or no access.
Seat type
Description
Full
Users with this role type have full permissions to write, read, and export data for Models or Weave.
Viewer
A view-only user of your organization. A viewer only has read access to the organization and the underlying teams that they are a part of, and view only access to Models or Weave.
No access
Users with this role have no access to the Models or Weave products.
Model seat type and weave access type are defined at the organization level, and inherited by the team. If you want to change a user’s seat type, navigate to the organization settings and follow the proceeding steps:
For SaaS users, navigate to your organization’s settings at https://wandb.ai/account-settings/<organization>/settings. Ensure to replace the values enclosed in angle brackets (<>) with your organization name. For other Dedicated and Self-managed deployments, navigate to https://<your-instance>.wandb.io/org/dashboard.
Select the Users tab.
From the Role dropdown, select the seat type you want to assign to the user.
The organization role and subscription type determines which seat types are available within your organization.
Select Create a team to collaborate on the left navigation panel underneath Teams.
Provide a name for your team in the Team name field in the modal that appears.
Choose a storage type.
Select the Create team button.
After you select Create team button, W&B redirects you to a new team page at https://wandb.ai/<team-name>. Where <team-name> consists of the name you provide when you create a team.
Once you have a team, you can add users to that team.
Invite users to a team
Invite users to a team in your organization. Use the team’s dashboard to invite users using their email address or W&B username if they already have a W&B account.
Navigate to https://wandb.ai/<team-name>.
Select Team settings in the global navigation on the left side of the dashboard.
Select the Users tab.
Choose on Invite a new user.
Within the modal that appears, provide the email of the user in the Email or username field and select the role to assign to that user from the Select a team role dropdown. For more information about roles a user can have in a team, see Team roles.
Match members to a team organization during sign up
Allow new users within your organization discover Teams within your organization when they sign-up. New users must have a verified email domain that matches your organization’s verified email domain. Verified new users can view a list of verified teams that belong to an organization when they sign up for a W&B account.
An organization administrator must enable domain claiming. To enable domain capture, see the steps described in Domain capture.
Assign or update a team member’s role
Select the account type icon next to the name of the team member.
From the drop-down, choose the account type you want that team member to posses.
This table lists the roles you can assign to a member of a team:
Role
Definition
Administrator
A user who can add and remove other users in the team, change user roles, and configure team settings.
Member
A regular user of a team, invited by email or their organization-level username by the team administrator. A member user cannot invite other users to the team.
View-Only (Enterprise-only feature)
A view-only user of a team, invited by email or their organization-level username by the team administrator. A view-only user only has read access to the team and its contents.
Service (Enterprise-only feature)
A service worker or service account is an API key that is useful for utilizing W&B with your run automation tools. If you use an API key from a service account for your team, ensure to set the environment variable WANDB_USERNAME to correctly attribute runs to the appropriate user.
Custom Roles (Enterprise-only feature)
Custom roles allow organization administrators to compose new roles by inheriting from the preceding View-Only or Member roles, and adding additional permissions to achieve fine-grained access control. Team administrators can then assign any of those custom roles to users in their respective teams. Refer to this article for details.
Only enterprise licenses on Dedicated cloud or Self-managed deployment can assign custom roles to members in a team.
Remove users from a team
Remove a user from a team using the team’s dashboard. W&B preserves runs created in a team even if the member who created the runs is no longer on that team.
Navigate to https://wandb.ai/<team-name>.
Select Team settings in the left navigation bar.
Select the Users tab.
Hover your mouse next to the name of the user you want to delete. Select the ellipses or three dots icon (…) when it appears.
From the dropdown, select Remove user.
2.2 - Manage access control for projects
Manage project access using visibility scopes and project-level roles
Define the scope of a W&B project to limit who can view, edit, and submit W&B runs to it.
You can use a combination of a couple of controls to configure the access level for any project within a W&B team. Visibility scope is the higher-level mechanism. Use that to control which groups of users can view or submit runs in a project. For a project with Team or Restricted visibility scope, you can then use Project level roles to control the level of access that each user has within the project.
The owner of a project, a team admin, or an organization admin can set or edit a project’s visibility.
Visibility scopes
There are four project visibility scopes you can choose from. In order of most public to most private, they are:
Scope
Description
Open
Anyone who knows about the project can view it and submit runs or reports.
Public
Anyone who knows about the project can view it. Only your team can submit runs or reports.
Team
Only members of the parent team can view the project and submit runs or reports. Anyone outside the team can not access the project.
Restricted
Only invited members from the parent team can view the project and submit runs or reports.
Set a project’s scope to Restricted if you would like to collaborate on workflows related to sensitive or confidential data. When you create a restricted project within a team, you can invite or add specific members from the team to collaborate on relevant experiments, artifacts, reports, and so forth.
Unlike other project scopes, all members of a team do not get implicit access to a restricted project. At the same time, team admins can join restricted projects if needed.
Set visibility scope on a new or existing project
Set a project’s visibility scope when you create a project or when editing it later.
Only the owner of the project or a team admin can set or edit its visibility scope.
When a team admin enables Make all future team projects private (public sharing not allowed) within a team’s privacy setting, that turns off Open and Public project visibility scopes for that team. In this case, your team can only use Team and Restricted scopes.
Set visibility scope when you create a new project
Navigate to your W&B organization on SaaS Cloud, Dedicated Cloud, or Self-managed instance.
Click the Create a new project button in the left hand sidebar’s My projects section. Alternatively, navigate to the Projects tab of your team and click the Create new project button in the upper right hand corner.
After selecting the parent team and entering the name of the project, select the desired scope from the Project Visibility dropdown.
Complete the following step if you select Restricted visibility.
Provide names of one or more W&B team members in the Invite team members field. Add only those members who are essential to collaborate on the project.
You can add or remove members in a restricted project later, from its Users tab.
Edit visibility scope of an existing project
Navigate to your W&B Project.
Select the Overview tab on the left column.
Click the Edit Project Details button on the upper right corner.
From the Project Visibility dropdown, select the desired scope.
Complete the following step if you select Restricted visibility.
Go to the Users tab in the project, and click Add user button to invite specific users to the restricted project.
All members of a team lose access to a project if you change its visibility scope from Team to Restricted, unless you invite the required team members to the project.
All members of a team get access to a project if you change its visibility scope from Restricted to Team.
If you remove a team member from the user list for a restricted project, they lose access to that project.
Other key things to note for restricted scope
If you want to use a team-level service account in a restricted project, you should invite or add that specifically to the project. Otherwise a team-level service account can not access a restricted project by default.
You can not move runs from a restricted project, but you can move runs from a non-restricted project to a restricted one.
You can convert the visibility of a restricted project to only Team scope, irrespective of the team privacy setting Make all future team projects private (public sharing not allowed).
If the owner of a restricted project is not part of the parent team anymore, the team admin should change the owner to ensure seamless operations in the project.
Project level roles
For the Team or Restricted scoped projects in your team, you can assign a specific role to a user, which could be different from that user’s team level role. For example, if a user has Member role at the team level, you can assign the View-Only, or Admin, or any available custom role to that user within a Team or Restricted scope project in that team.
Project level roles are in preview on SaaS Cloud, Dedicated Cloud, and Self-managed instances.
Assign project level role to a user
Navigate to your W&B Project.
Select the Overview tab on the left column.
Go to the Users tab in the project.
Click the currently assigned role for the pertinent user in the Project Role field, which should open up a dropdown listing the other available roles.
Select another role from the dropdown. It should save instantly.
When you change the project level role for a user to be different from their team level role, the project level role includes a * to indicate the difference.
Other key things to note for project level roles
By default, project level roles for all users in a team or restricted scoped project inherit their respective team level roles.
You can not change the project level role of a user who has View-only role at the team level.
If the project level role for a user within a particular project is same as the team level role, and at some point if a team admin changes the team level role, the relevant project role is automatically changed to track the team level role.
If you change the project level role for a user within a particular project such that it is different from the team level role, and at some point if a team admin changes the team level role, the relevant project level role remains as is.
If you remove a user from a restricted project when their project level role was different from the team level role, and if you then add the user back to the project after some time, they would inherit the team level role due to the default behavior. If needed, you would need to change the project level role again to be different from the team level role.
3 - Automate user and team management
SCIM API
Use SCIM API to manage users, and the teams they belong to, in an efficient and repeatable manner. You can also use the SCIM API to manage custom roles or assign roles to users in your W&B organization. Role endpoints are not part of the official SCIM schema. W&B adds role endpoints to support automated management of custom roles.
SCIM API is especially useful if you want to:
manage user provisioning and de-provisioning at scale
manage users with a SCIM-supporting Identity Provider
There are broadly three categories of SCIM API - User, Group, and Roles.
User SCIM API
User SCIM API allows for creating, deactivating, getting the details of a user, or listing all users in a W&B organization. This API also supports assigning predefined or custom roles to users in an organization.
Deactivate a user within a W&B organization with the DELETE User endpoint. Deactivated users can no longer sign in. However, deactivated users still appears in the organization’s user list.
It is possible to re-enable a deactivated user, if needed.
Group SCIM API
Group SCIM API allows for managing W&B teams, including creating or removing teams in an organization. Use the PATCH Group to add or remove users in an existing team.
There is no notion of a group of users having the same role within W&B. A W&B team closely resembles a group, and allows diverse personas with different roles to work collaboratively on a set of related projects. Teams can consist of different groups of users. Assign each user in a team a role: team admin, member, viewer, or a custom role.
W&B maps Group SCIM API endpoints to W&B teams because of the similarity between groups and W&B teams.
Custom role API
Custom role SCIM API allows for managing custom roles, including creating, listing, or updating custom roles in an organization.
Delete a custom role with caution.
Delete a custom role within a W&B organization with the DELETE Role endpoint. The predefined role that the custom role inherits is assigned to all users that are assigned the custom role before the operation.
Update the inherited role for a custom role with the PUT Role endpoint. This operation doesn’t affect any of the existing, that is, non-inherited custom permissions in the custom role.
W&B Python SDK API
Just like how SCIM API allows you to automate user and team management, you can also use some of the methods available in the W&B Python SDK API for that purpose. Keep a note of the following methods:
Method name
Purpose
create_user(email, admin=False)
Add a user to the organization and optionally make them the organization admin.
user(userNameOrEmail)
Return an existing user in the organization.
user.teams()
Return the teams for the user. You can get the user object using the user(userNameOrEmail) method.
create_team(teamName, adminUserName)
Create a new team and optionally make an organization-level user the team admin.
team(teamName)
Return an existing team in the organization.
Team.invite(userNameOrEmail, admin=False)
Add a user to the team. You can get the team object using the team(teamName) method.
Team.create_service_account(description)
Add a service account to the team. You can get the team object using the team(teamName) method.
Member.delete()
Remove a member user from a team. You can get the list of member objects in a team using the team object’s members attribute. And you can get the team object using the team(teamName) method.
4 - Manage users, groups, and roles with SCIM
The System for Cross-domain Identity Management (SCIM) API allows instance or organization admins to manage users, groups, and custom roles in their W&B organization. SCIM groups map to W&B teams.
The SCIM API is accessible at <host-url>/scim/ and supports the /Users and /Groups endpoints with a subset of the fields found in the RC7643 protocol. It additionally includes the /Roles endpoints which are not part of the official SCIM schema. W&B adds the /Roles endpoints to support automated management of custom roles in W&B organizations.
SCIM API applies to all hosting options including Dedicated Cloud, Self-managed instances, and SaaS Cloud. In SaaS Cloud, the organization admin must configure the default organization in user settings to ensure that the SCIM API requests go to the right organization. The setting is available in the section SCIM API Organization within user settings.
Authentication
The SCIM API is accessible by instance or organization admins using basic authentication with their API key. With basic authentication, send the HTTP request with the Authorization header that contains the word Basic followed by a space and a base64-encoded string for username:password where password is your API key. For example, to authorize as demo:p@55w0rd, the header should be Authorization: Basic ZGVtbzpwQDU1dzByZA==.
User resource
The SCIM user resource maps to W&B users.
Get user
Endpoint:<host-url>/scim/Users/{id}
Method: GET
Description: Retrieve the information for a specific user in your SaaS Cloud organization or your Dedicated Cloud or Self-managed instance by providing the user’s unique ID.
Description: Fully delete a user from your SaaS Cloud organization or your Dedicated Cloud or Self-managed instance by providing the user’s unique ID. Use the Create user API to add the user again to the organization or instance if needed.
Request Example:
To temporarily deactivate the user, refer to Deactivate user API which uses the PATCH endpoint.
DELETE /scim/Users/abc
Response Example:
(Status204)
Deactivate user
Endpoint: <host-url>/scim/Users/{id}
Method: PATCH
Description: Temporarily deactivate a user in your Dedicated Cloud or Self-managed instance by providing the user’s unique ID. Use the Reactivate user API to reactivate the user when needed.
Supported Fields:
Field
Type
Required
op
String
Type of operation. The only allowed value is replace.
value
Object
Object {"active": false} indicating that the user should be deactivated.
User deactivation and reactivation operations are not supported in SaaS Cloud.
Description: Assign an organization-level role to a user. The role can be one of admin, viewer or member as described here. For SaaS Cloud, ensure that you have configured the correct organization for SCIM API in user settings.
Supported Fields:
Field
Type
Required
op
String
Type of operation. The only allowed value is replace.
path
String
The scope at which role assignment operation takes effect. The only allowed value is organizationRole.
value
String
The predefined organization-level role to assign to the user. It can be one of admin, viewer or member. This field is case insensitive for predefined roles.
Request Example:
PATCH /scim/Users/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "organizationRole",
"value": "admin"// will set the user's organization-scoped role to admin
}
]
}
Response Example:
This returns the User object.
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true },
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc" },
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User" ],
"userName": "dev-user1",
"teamRoles": [ // Returns the user's roles in all the teams that they are a part of
{
"teamName": "team1",
"roleName": "admin" }
],
"organizationRole": "admin"// Returns the user's role at the organization scope
}
Assign team-level role to user
Endpoint: <host-url>/scim/Users/{id}
Method: PATCH
Description: Assign a team-level role to a user. The role can be one of admin, viewer, member or a custom role as described here. For SaaS Cloud, ensure that you have configured the correct organization for SCIM API in user settings.
Supported Fields:
Field
Type
Required
op
String
Type of operation. The only allowed value is replace.
path
String
The scope at which role assignment operation takes effect. The only allowed value is teamRoles.
value
Object array
A one-object array where the object consists of teamName and roleName attributes. The teamName is the name of the team where the user holds the role, and roleName can be one of admin, viewer, member or a custom role. This field is case insensitive for predefined roles and case sensitive for custom roles.
Request Example:
PATCH /scim/Users/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "teamRoles",
"value": [
{
"roleName": "admin", // role name is case insensitive for predefined roles and case sensitive for custom roles
"teamName": "team1"// will set the user's role in the team team1 to admin
}
]
}
]
}
Response Example:
This returns the User object.
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true },
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc" },
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User" ],
"userName": "dev-user1",
"teamRoles": [ // Returns the user's roles in all the teams that they are a part of
{
"teamName": "team1",
"roleName": "admin" }
],
"organizationRole": "admin"// Returns the user's role at the organization scope
}
Group resource
The SCIM group resource maps to W&B teams, that is, when you create a SCIM group in a W&B deployment, it creates a W&B team. Same applies to other group endpoints.
Get team
Endpoint: <host-url>/scim/Groups/{id}
Method: GET
Description: Retrieve team information by providing the team’s unique ID.
Deleting teams is currently unsupported by the SCIM API since there is additional data linked to teams. Delete teams from the app to confirm you want everything deleted.
Role resource
The SCIM role resource maps to W&B custom roles. As mentioned earlier, the /Roles endpoints are not part of the official SCIM schema, W&B adds /Roles endpoints to support automated management of custom roles in W&B organizations.
Get custom role
Endpoint:<host-url>/scim/Roles/{id}
Method: GET
Description: Retrieve information for a custom role by providing the role’s unique ID.
Request Example:
GET /scim/Roles/abc
Response Example:
(Status 200)
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3" },
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true// inherited from member predefined role
},
...... {
"name": "project:update",
"isInherited": false// custom permission added by admin
}
],
"schemas": [
"" ]
}
List custom roles
Endpoint:<host-url>/scim/Roles
Method: GET
Description: Retrieve information for all custom roles in the W&B organization
Request Example:
GET /scim/Roles
Response Example:
(Status 200)
{
"Resources": [
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role that the custom role inherits from
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3" },
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true// inherited from member predefined role
},
...... {
"name": "project:update",
"isInherited": false// custom permission added by admin
}
],
"schemas": [
"" ]
},
{
"description": "Another sample custom role for example",
"id": "Um9sZToxMg==",
"inheritedFrom": "viewer", // indicates the predefined role that the custom role inherits from
"meta": {
"resourceType": "Role",
"created": "2023-11-21T01:07:50Z",
"location": "Roles/Um9sZToxMg==" },
"name": "Sample custom role 2",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "launchagent:read",
"isInherited": true// inherited from viewer predefined role
},
...... {
"name": "run:stop",
"isInherited": false// custom permission added by admin
}
],
"schemas": [
"" ]
}
],
"itemsPerPage": 9999,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
"startIndex": 1,
"totalResults": 2}
Create custom role
Endpoint: <host-url>/scim/Roles
Method: POST
Description: Create a new custom role in the W&B organization.
Supported Fields:
Field
Type
Required
name
String
Name of the custom role
description
String
Description of the custom role
permissions
Object array
Array of permission objects where each object includes a name string field that has value of the form w&bobject:operation. For example, a permission object for delete operation on W&B runs would have name as run:delete.
inheritedFrom
String
The predefined role which the custom role would inherit from. It can either be member or viewer.
Request Example:
POST /scim/Roles
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Role"],
"name": "Sample custom role",
"description": "A sample custom role for example",
"permissions": [
{
"name": "project:update" }
],
"inheritedFrom": "member"}
Response Example:
(Status 201)
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3" },
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true// inherited from member predefined role
},
...... {
"name": "project:update",
"isInherited": false// custom permission added by admin
}
],
"schemas": [
"" ]
}
Delete custom role
Endpoint: <host-url>/scim/Roles/{id}
Method: DELETE
Description: Delete a custom role in the W&B organization. Use it with caution. The predefined role from which the custom role inherited is now assigned to all users that were assigned the custom role before the operation.
Request Example:
DELETE /scim/Roles/abc
Response Example:
(Status 204)
Update custom role permissions
Endpoint: <host-url>/scim/Roles/{id}
Method: PATCH
Description: Add or remove custom permissions in a custom role in the W&B organization.
Supported Fields:
Field
Type
Required
operations
Object array
Array of operation objects
op
String
Type of operation within the operation object. It can either be add or remove.
path
String
Static field in the operation object. Only value allowed is permissions.
value
Object array
Array of permission objects where each object includes a name string field that has value of the form w&bobject:operation. For example, a permission object for delete operation on W&B runs would have name as run:delete.
Request Example:
PATCH /scim/Roles/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "add", // indicates the type of operation, other possible value being `remove`
"path": "permissions",
"value": [
{
"name": "project:delete" }
]
}
]
}
Response Example:
(Status 200)
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3" },
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true// inherited from member predefined role
},
...... {
"name": "project:update",
"isInherited": false// existing custom permission added by admin before the update
},
{
"name": "project:delete",
"isInherited": false// new custom permission added by admin as part of the update
}
],
"schemas": [
"" ]
}
Update custom role metadata
Endpoint: <host-url>/scim/Roles/{id}
Method: PUT
Description: Update the name, description or inherited role for a custom role in the W&B organization. This operation doesn’t affect any of the existing, that is, non-inherited custom permissions in the custom role.
Supported Fields:
Field
Type
Required
name
String
Name of the custom role
description
String
Description of the custom role
inheritedFrom
String
The predefined role which the custom role inherits from. It can either be member or viewer.
Request Example:
PUT /scim/Roles/abc
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Role"],
"name": "Sample custom role",
"description": "A sample custom role for example but now based on viewer",
"inheritedFrom": "viewer"}
Response Example:
(Status 200)
{
"description": "A sample custom role for example but now based on viewer", // changed the descripton per the request
"id": "Um9sZTo3",
"inheritedFrom": "viewer", // indicates the predefined role which is changed per the request
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3" },
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true// inherited from viewer predefined role
},
...// Any permissions that are in member predefined role but not in viewer will not be inherited post the update
{
"name": "project:update",
"isInherited": false// custom permission added by admin
},
{
"name": "project:delete",
"isInherited": false// custom permission added by admin
}
],
"schemas": [
"" ]
}
Choose any of the following environment variables for your instance depending on your IAM needs.
Environment variable
Description
DISABLE_SSO_PROVISIONING
Set this to true to turn off user auto-provisioning in your W&B instance.
SESSION_LENGTH
If you would like to change the default user session expiry time, set this variable to the desired number of hours. For example, set SESSION_LENGTH to 24 to configure session expiry time to 24 hours. The default value is 720 hours.
GORILLA_ENABLE_SSO_GROUP_CLAIMS
If you are using OIDC based SSO, set this variable to true to automate W&B team membership in your instance based on your OIDC groups. Add a groups claim to user OIDC token. It should be a string array where each entry is the name of a W&B team that the user should belong to. The array should include all the teams that a user is a part of.
GORILLA_LDAP_GROUP_SYNC
If you are using LDAP based SSO, set it to true to automate W&B team membership in your instance based on your LDAP groups.
GORILLA_OIDC_CUSTOM_SCOPES
If you are using OIDC based SSO, you can specify additional scopes that W&B instance should request from your identity provider. W&B does not change the SSO functionality due to these custom scopes in any way.
GORILLA_USE_IDENTIFIER_CLAIMS
If you are using OIDC based SSO, set this variable to true to enforce username and full name of your users using specific OIDC claims from your identity provider. If set, ensure that you configure the enforced username and full name in the preferred_username and name OIDC claims respectively. Usernames can only contain alphanumeric characters along with underscores and hyphens as special characters.
GORILLA_DISABLE_PERSONAL_ENTITY
Set this to true to turn off personal user projects in your W&B instance. If set, users can not create new personal projects in their personal entities, plus writes to existing personal projects are turned off.
GORILLA_DISABLE_ADMIN_TEAM_ACCESS
Set this to true to restrict Organization or Instance Admins from self-joining or adding themselves to a W&B team, thus ensuring that only Data & AI personas have access to the projects within the teams.
W&B advises to exercise caution and understand all implications before enabling some of these settings, like GORILLA_DISABLE_ADMIN_TEAM_ACCESS. Reach out to your W&B team for any questions.
