Security and RBAC

Nomic Atlas implements organization-level and dataset-level role-based access controls (RBAC).

Organization Role-Based Access Controls

Every Atlas user belongs to one or more organizations. Every user in an organization has one of the following roles and associated permissions.

	Org Owner	Org Admin	Org Editor	Org Viewer	Org Guest	Non-member
Read organization metadata	✅	✅	✅	✅	🚫	Only if public organization
Read public datasets	✅	✅	✅	✅	✅	✅
Read organization-wide restricted datasets	✅	✅	✅	✅	Only if shared	🚫
Read restricted datasets	✅	✅	Only if shared	Only if shared	Only if shared	🚫
Create datasets	✅	✅	✅	🚫	🚫	🚫
Edit datasets	✅	✅	Only if shared or user-created	🚫	🚫	🚫
Create/delete personal API keys	✅	✅	✅	✅	🚫	🚫
Manage member API keys	✅	✅	🚫	🚫	🚫	🚫
Manage members	✅	✅	🚫	🚫	🚫	🚫
Manage billing	✅	✅	🚫	🚫	🚫	🚫

Dataset Role-Based Access Controls

Users within an organization perform actions on their own organizations' datasets. The dataset's creator and the organization's owner and admins are all admins on the dataset. Dataset admins can grant users in the organization the following roles and permissions.

	Dataset Admin	Dataset Editor	Dataset Viewer	No dataset role
Read public dataset	✅	✅	✅	✅
Read restricted dataset	✅	✅	✅	🚫
Add new data to dataset	✅	✅	🚫	🚫
Change dataset name and description	✅	✅	🚫	🚫
Create tags	✅	✅	🚫	🚫
See other users' tags	✅	✅	🚫	🚫
Delete/rename other users' tags	🚫	🚫	🚫	🚫
Delete dataset	✅	🚫	🚫	🚫
Edit dataset sharing permissions	✅	🚫	🚫	🚫
Share dataset within organization	✅	🚫	🚫	🚫
Make dataset public to world	Only if org admin or owner	🚫	🚫	🚫

Organization-level roles supersede dataset-level roles. For example, all organization owners and admins automatically have full-access to all datasets.

Default Organization Roles on Datasets

Org Role	Dataset Role
Org Owner	Dataset Admin (irrevocable)
Org Admin	Dataset Admin (irrevocable)
Org Editor & Creator of Dataset	Dataset Admin (revocable)
Org Editor & Not Creator of Dataset	(promotable)
Org Viewer	Dataset Viewer (non-promotable)
Org Guest	No dataset permissions; can be added as viewer

API Key Scoping

You can create Nomic API keys scoped with different permissions levels using our API Key admin endpoints.

By default, API keys are scoped to an organization. Additionally, API keys can also be scoped to a specific dataset or a specific user.

If only key_name is provided in the request for creating an API key, the key will be scoped to the user's current organization.

To scope an API key to a specific organization by ID, set key_scope = "ORGANIZATION" and key_target_id with the UUID of the organization in the API key creation request.

To scope an API key to a specific dataset, set key_scope = "DATASET" and key_target_id with the UUID of the dataset in the API key creation request.

To scope an API key to a specific user, set key_scope = "USER" in the API key creation request.

Who can see my datasets?

When you create a dataset, you can toggle it as public or restricted in your dataset's page settings.

Public datasets are accessible by anyone with a link in your Atlas deployment.

Restricted datasets are only accessible by authenticated individuals in your organization.

Atlas Client Restricted Map Example

from nomic import atlas
import numpy as np

num_embeddings = 10000
embeddings = np.random.rand(num_embeddings, 256)

response = atlas.map_data(embeddings=embeddings,
                                is_public=False,
                                identifier='my_organization/dataset_name'
                                )
print(response)

Creating datasets in organizations

You can create datasets under any organization you are apart of by specifying an organization_slug prefix in the dataset identifier as we did above: identifier='my_organization/dataset_name'

For example, we can create a dataset in the sterling-cooper organization called my-dataset by specifying sterling-cooper/my-dataset as the dataset identifier.