chore: add docs on restricting PAT creation (#1204)
## Overview
<!-- Brief description of what documentation is being added/updated -->
adds documentation on restricting PAT creation
* restrict per-user: use the new `Organization Viewer` role
* restrict for the entire organization: new `pat_creation_disabled`
setting
## Type of change
**Type:** Update existing documentation
## Related issues/PRs
<!--
Link to related issues, feature PRs, or discussions (if applicable)
To automatically close an issue when this PR is merged, use closing
keywords:
- "closes #123" or "fixes #123" or "resolves #123"
For regular references without auto-closing, just use:
- "#123" or "See issue #123"
Examples:
- closes #456 (will auto-close issue #456 when PR is merged)
- See #789 for context (will reference but not auto-close issue #789)
-->
- GitHub issue:
- Feature PR:
<!-- For LangChain employees, if applicable: -->
- Linear issue: ent-126
- Slack thread:
## Checklist
<!-- Put an 'x' in all boxes that apply -->
- [x] I have read the [contributing guidelines](README.md)
- [x] I have tested my changes locally using `docs dev`
- [x] All code examples have been tested and work correctly
- [x] I have used **root relative** paths for internal links
- [x] I have updated navigation in `src/docs.json` if needed
- I have gotten approval from the relevant reviewers
- (Internal team members only / optional) I have created a preview
deployment using the [Create Preview Branch
workflow](https://github.com/langchain-ai/docs/actions/workflows/create-preview-branch.yml)
## Additional notes
<!-- Any other information that would be helpful for reviewers -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
src/langsmith/administration-overview.mdx
+23 -18 (23 additions & 18 deletions)
@@ -122,30 +122,35 @@ Organization roles are distinct from the Enterprise feature (RBAC) below and are
122
122
The organization role selected also impacts workspace membership as described here:
123
123
124
124
*`Organization Admin` grants full access to manage all organization configuration, users, billing, and workspaces. **An `Organization Admin` has `Admin` access to all workspaces in an organization**
125
-
*`Organization User` may read organization information but cannot execute any write actions at the organization level. **An `Organization User` can be added to a subset of workspaces and assigned workspace roles as usual (if RBAC is enabled), which specify permissions at the workspace level.**
125
+
*`Organization User` may read organization information but cannot execute any write actions at the organization level. An `Organization User` may create Personal Access Tokens. **An `Organization User` can be added to a subset of workspaces and assigned workspace roles as usual (if RBAC is enabled), which specify permissions at the workspace level.**
126
+
*`Organization Viewer` is equivalent to `Organization User`, but **cannot** create Personal Access Tokens. (for self-hosted, available in Helm chart version 0.11.25+)
126
127
127
128
<Info>
128
-
The `Organization User` role is only available in organizations on plans with multiple workspaces. In organizations limited to a single workspace, all users are `Organization Admins`. Custom organization-scoped roles are not available yet.
129
+
The `Organization User` and `Organization Viewer` roles are only available in organizations on plans with multiple workspaces. In organizations limited to a single workspace, all users are `Organization Admins`. Custom organization-scoped roles are not available yet.
130
+
131
+
See [security settings](/langsmith/manage-organization-by-api#security-settings) for instructions on how to disable PAT creation for the entire organization.
129
132
</Info>
130
133
131
134
See the table below for all organization permissions:
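Review bot: The new `Organization Viewer` bullet says only that the role "**cannot** create Personal Access Tokens" and does not say what happens to PATs a user created before being moved from `Organization User` to `Organization Viewer`. An admin using this role to restrict token use needs to know whether existing tokens keep working and must be revoked separately, so please add a sentence covering that. The trailing "(for self-hosted, available in Helm chart version 0.11.25+)" also sits after the period and starts lowercase; fold it into the sentence or capitalize it. The link to security settings added inside `<Info>` is unrelated to the plan-availability note it shares the box with and would be easier to find next to the `Organization Viewer` bullet.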
src/langsmith/manage-organization-by-api.mdx
+9 (9 additions & 0 deletions)
@@ -72,6 +72,10 @@ These params should be omitted: `read_only` (deprecated), `password` and `full_n
72
72
73
73
## Security settings
74
74
75
+
<Note>
76
+
Organization Admin permissions are required to make these changes.
77
+
</Note>
78
+
75
79
<Note>
76
80
"Shared resources" in this context refer to [public prompts](/langsmith/create-a-prompt#save-your-prompt), [shared runs](/langsmith/share-trace), and [shared datasets](/langsmith/manage-datasets#share-a-dataset).
77
81
</Note>
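Review bot: The added `<Note>` directly under `## Security settings` says "to make these changes" before the section has described any change, so "these" has no antecedent; something like "to change the settings in this section" reads correctly on its own. It is also stacked immediately above the existing "Shared resources" `<Note>`, so consider merging the two or moving the permission requirement into the section's opening sentence. `Organization Admin` is written in backticks in administration-overview.mdx but as plain text here; use one form in both files.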
@@ -84,6 +88,11 @@ You can update these settings under the **Settings > Shared** tab for a workspac
* use `unshare_all` to unshare **ALL** shared resources in the organization - use `disable_public_sharing` to prevent future sharing of resources
86
90
91
+
These settings are only editable via API:
92
+
*[Disable/enable PAT creation](https://api.smith.langchain.com/redoc#tag/orgs/operation/update_current_organization_info_api_v1_orgs_current_info_patch) (for self-hosted, available in Helm chart version 0.11.25+)
93
+
* use `pat_creation_disabled` to disable PAT creation for the entire organization.
94
+
* see the [admin guide](/langsmith/administration-overview#organization-roles) for information about the Organization Viewer role, which cannot create PATs.
95
+
87
96
## User-only endpoints
88
97
89
98
These endpoints are user-scoped and require a logged-in user's JWT, so they should only be executed through the UI.
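Review bot: The `pat_creation_disabled` bullet does not say what value to send or what the setting does to tokens that already exist. State that it is a field on the linked update-organization request and give the value that disables creation, and say whether existing PATs remain valid once it is set, since an admin turning this on for the whole organization will assume one or the other. The lead-in "These settings are only editable via API:" is plural but lists a single setting, and the nested "see the admin guide" bullet is a cross-reference rather than a sub-option of the setting, so it would read better as a sentence after the list.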