Security and RBAC
Nomic Atlas implements organization-level and dataset-level role-based access controls (RBAC).
Organization Role-Based Access Controls
Every Atlas user belongs to one or more organizations. Every user in an organization has one of the following roles and associated permissions.
| Org Owner | Org Admin | Org Editor | Org Viewer | Org Guest | Non-member | |
|---|---|---|---|---|---|---|
| Read organization metadata | ✅ | ✅ | ✅ | ✅ | 🚫 | Only if public organization |
| Read public datasets | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Read organization-wide restricted datasets | ✅ | ✅ | ✅ | ✅ | Only if shared | 🚫 |
| Read restricted datasets | ✅ | ✅ | Only if shared | Only if shared | Only if shared | 🚫 |
| Create datasets | ✅ | ✅ | ✅ | 🚫 | 🚫 | 🚫 |
| Edit datasets | ✅ | ✅ | Only if shared or user-created | 🚫 | 🚫 | 🚫 |
| Create/delete personal API keys | ✅ | ✅ | ✅ | ✅ | 🚫 | 🚫 |
| Manage member API keys | ✅ | ✅ | 🚫 | 🚫 | 🚫 | 🚫 |
| Manage members | ✅ | ✅ | 🚫 | 🚫 | 🚫 | 🚫 |
| Manage billing | ✅ | ✅ | 🚫 | 🚫 | 🚫 | 🚫 |
Dataset Role-Based Access Controls
Users within an organization perform actions on their own organizations' datasets. The dataset's creator and the organization's owner and admins are all admins on the dataset. Dataset admins can grant users in the organization the following roles and permissions.
| Dataset Admin | Dataset Editor | Dataset Viewer | No dataset role | |
|---|---|---|---|---|
| Read public dataset | ✅ | ✅ | ✅ | ✅ |
| Read restricted dataset | ✅ | ✅ | ✅ | 🚫 |
| Add new data to dataset | ✅ | ✅ | 🚫 | 🚫 |
| Change dataset name and description | ✅ | ✅ | 🚫 | 🚫 |
| Create tags | ✅ | ✅ | 🚫 | 🚫 |
| See other users' tags | ✅ | ✅ | 🚫 | 🚫 |
| Delete/rename other users' tags | 🚫 | 🚫 | 🚫 | 🚫 |
| Delete dataset | ✅ | 🚫 | 🚫 | 🚫 |
| Edit dataset sharing permissions | ✅ | 🚫 | 🚫 | 🚫 |
| Share dataset within organization | ✅ | 🚫 | 🚫 | 🚫 |
| Make dataset public to world | Only if org admin or owner | 🚫 | 🚫 | 🚫 |
Organization-level roles supersede dataset-level roles. For example, all organization owners and admins automatically have full-access to all datasets.
Default Organization Roles on Datasets
| Org Role | Dataset Role |
|---|---|
| Org Owner | Dataset Admin (irrevocable) |
| Org Admin | Dataset Admin (irrevocable) |
| Org Editor & Creator of Dataset | Dataset Admin (revocable) |
| Org Editor & Not Creator of Dataset | (promotable) |
| Org Viewer | Dataset Viewer (non-promotable) |
| Org Guest | No dataset permissions; can be added as viewer |
API Key Scoping
You can create Nomic API keys scoped with different permissions levels using our API Key admin endpoints.
By default, API keys are scoped to an organization. Additionally, API keys can also be scoped to a specific dataset or a specific user.
If only key_name is provided in the request for creating an API key, the key will be scoped to the user's current organization.
To scope an API key to a specific organization by ID, set key_scope = "ORGANIZATION" and key_target_id with the UUID of the organization in the API key creation request.
To scope an API key to a specific dataset, set key_scope = "DATASET" and key_target_id with the UUID of the dataset in the API key creation request.
To scope an API key to a specific user, set key_scope = "USER" in the API key creation request.
Who can see my datasets?
When you create a dataset, you can toggle it as public or restricted in your dataset's page settings.
Public datasets are accessible by anyone with a link in your Atlas deployment.
Restricted datasets are only accessible by authenticated individuals in your organization.
Atlas Client Restricted Map Example
from nomic import atlas
import numpy as np
num_embeddings = 10000
embeddings = np.random.rand(num_embeddings, 256)
response = atlas.map_data(embeddings=embeddings,
is_public=False,
identifier='my_organization/dataset_name'
)
print(response)
Creating datasets in organizations
You can create datasets under any organization you are apart of by specifying an organization_slug prefix in the dataset identifier as we did above: identifier='my_organization/dataset_name'
For example, we can create a dataset in the sterling-cooper organization called my-dataset by specifying sterling-cooper/my-dataset
as the dataset identifier.