Security and RBAC
Nomic Atlas implements organization-level and dataset-level role-based access controls (RBAC).
Organization Role-Based Access Controls
Every Atlas user belongs to one or more organizations. Every user in an organization has one of the following roles and associated permissions.
Permission | Org Owner | Org Admin | Org Editor | Org Viewer | Org Guest | Non-member |
---|---|---|---|---|---|---|
Read organization metadata | ✅ | ✅ | ✅ | ✅ | 🚫 | only if public organization |
Read public datasets | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Read organization-wide restricted datasets | ✅ | ✅ | ✅ | ✅ | 🚫 | 🚫 |
Read restricted datasets | ✅ | ✅ | Only if shared | Only if shared | Only if shared | 🚫 |
Create/edit datasets | ✅ | ✅ | ✅ | 🚫 | 🚫 | 🚫 |
Create/delete personal API keys | ✅ | ✅ | ✅ | ✅ | 🚫 | 🚫 |
Manage member API keys | ✅ | ✅ | 🚫 | 🚫 | 🚫 | 🚫 |
Manage members | ✅ | ✅ | 🚫 | 🚫 | 🚫 | 🚫 |
Manage billing | ✅ | ✅ | 🚫 | 🚫 | 🚫 | 🚫 |
Dataset Role-Based Access Controls
Users within an organization perform actions on their own organizations' datasets. The dataset's creator and the organization's owner and admins are all admins on the dataset. Dataset admins can grant users in the organization the following roles and permissions.
Permission | Dataset Admin | Dataset Editor | Dataset Viewer | No dataset role |
---|---|---|---|---|
Read public dataset | ✅ | ✅ | ✅ | ✅ |
Read restricted dataset | ✅ | ✅ | ✅ | 🚫 |
Add new data to dataset | ✅ | ✅ | 🚫 | 🚫 |
Change dataset name and description | ✅ | ✅ | 🚫 | 🚫 |
Create tags | ✅ | ✅ | 🚫 | 🚫 |
See other users' tags | ✅ | ✅ | 🚫 | 🚫 |
Delete/rename other users' tags | 🚫 | 🚫 | 🚫 | 🚫 |
Delete dataset | ✅ | 🚫 | 🚫 | 🚫 |
Edit dataset sharing permissions | ✅ | 🚫 | 🚫 | 🚫 |
Share dataset within organization | ✅ | 🚫 | 🚫 | 🚫 |
Make dataset public to world | Only if org admin or owner | 🚫 | 🚫 | 🚫 |
Organization-level roles supersede dataset-level roles. For example, all organization owners and admins automatically have full access to all datasets.
Default Organization Roles on Datasets
Org Role | Dataset Role |
---|---|
Org Owner | Dataset Admin (irrevocable) |
Org Admin | Dataset Admin (irrevocable) |
Org Editor & Creator of Dataset | Dataset Admin (revocable) |
Org Editor & Not Creator of Dataset | (promotable) |
Org Viewer | Dataset Viewer (non-promotable) |
Org Guest | No dataset permissions; can be added as viewer |
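The precedence rules in the tables above can be modeled as a small policy check, for example to review an export of dataset grants. This is an added example, not Nomic's code or API. The role and action strings, the helper names and the sample members and grants are assumptions made for the sketch, and the Org Viewer default follows the defaults table.

```python
# Added illustration of the dataset tables above; not Nomic's implementation.
# Role and action strings are names chosen for this sketch.
RANK = {None: 0, "viewer": 1, "editor": 2, "admin": 3}
# Minimum dataset role per action, from the dataset RBAC table.
MIN_ROLE = {
    "read_public": None, "read_restricted": "viewer",
    "add_data": "editor", "rename": "editor", "create_tags": "editor",
    "delete": "admin", "edit_sharing": "admin", "share_in_org": "admin",
    "make_public": "admin",
}
# Highest dataset role each org role may hold, from the defaults table.
CEILING = {"owner": "admin", "admin": "admin", "editor": "admin",
           "viewer": "viewer", "guest": "viewer", None: None}
# Constructed sample data: org membership and explicit dataset grants.
MEMBERS = {"don": "owner", "peggy": "editor", "ken": "viewer", "sal": "guest"}
GRANTS = {"peggy": "editor", "ken": "editor", "sal": "admin", "lou": "viewer"}

def effective_role(org_role, is_creator=False, granted=None, creator_revoked=False):
    """Resolve the dataset role; org-level roles supersede dataset-level grants."""
    if org_role in ("owner", "admin"):
        return "admin"                       # irrevocable
    if org_role == "editor" and is_creator and not creator_revoked:
        return "admin"                       # revocable default for the creator
    if org_role == "viewer":
        return "viewer"                      # non-promotable default
    if org_role is None:
        return None                          # non-member: no dataset role
    # Editors (promotable) and guests: explicit grant, capped by the ceiling.
    cap = CEILING.get(org_role)
    return granted if RANK[granted] <= RANK[cap] else cap

def can(action, org_role, **kw):
    """True if the resolved dataset role permits the action."""
    if action == "make_public" and org_role not in ("owner", "admin"):
        return False                         # "Only if org admin or owner"
    return RANK[effective_role(org_role, **kw)] >= RANK[MIN_ROLE[action]]

def audit_grants(members, grants):
    """Return (user, org_role, granted) for grants above the org-role ceiling."""
    findings = []
    for user, granted in grants.items():
        org_role = members.get(user)         # None means non-member
        if RANK[granted] > RANK[CEILING[org_role]]:
            findings.append((user, org_role, granted))
    return sorted(findings)
```

Running audit_grants(MEMBERS, GRANTS) on the sample data flags the grants held by ken, lou and sal, which exceed what their organization roles allow.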
Who can see my datasets?
When you create a dataset, you can toggle it as public or restricted in your dataset's page settings.
Public datasets are accessible by anyone with a link in your Atlas deployment.
Restricted datasets are only accessible by authenticated individuals in your organization.
Atlas Client Restricted Map Example
from nomic import atlas
import numpy as np

num_embeddings = 10000
embeddings = np.random.rand(num_embeddings, 256)

response = atlas.map_data(
    embeddings=embeddings,
    is_public=False,  # restricted: only authenticated members of the organization can access it
    organization_name='my_organization',
)
print(response)
Creating datasets in organizations
You can create datasets under any organization you are a part of by specifying an organization_slug prefix in the dataset identifier.
For example, we can create a dataset called my-dataset in the sterling-cooper organization by specifying sterling-cooper/my-dataset as the dataset name.