Access controls

Check your docs version

These docs are for the new Anyscale design. If you started using Anyscale before April 2024, use Version 1.0.0 of the docs. If you're transitioning to Anyscale Preview, see the guide for how to migrate.

Anyscale allows specifying granular access controls for organizations and clouds.

You can't provide separate access controls on cluster environments, compute configs, or Anyscale workload resources (workspaces, jobs, services). Instead:

  • All cluster environments can be used by all users in the organization
  • Compute configs referencing a cloud can be used by all users with access to the cloud

A strict resource tree hierarchy exists between organization, clouds, and resources, where you can only grant permissions to a particular resource if permissions already exist on the parent resource.

  • As a result, not granting a user access to a particular resource prevents that user from accessing any child resource.
  • Generally, inheritance is not used by Anyscale permissions. For example, granting a user access to a cloud doesn't give them access to all resources in the cloud, but does give access to public resources in the cloud.
  • Exceptions to this policy exist for admin permissions.

Organization permissions

You can grant one of two levels of permissions at the organization level:

  • Owner: There can be one or more organization owners for an organization. These users have full admin rights for the organization.
    • Organization owners can perform management actions on the organizations, in addition to all the collaborator actions. Management actions include:
      • Inviting users to the organization
      • Converting an existing collaborator to an owner
      • Accessing the billing and costs dashboard
    • Only organization owners can create clouds, and after doing so they get explicit permissions as a cloud owner.
    • Organization owners also have admin permissions to all Anyscale resources, which allows them to access resources they don't have explicit permissions to.
Note: See User Management for instructions on how to perform organization owner actions.

  • Collaborator: Collaborator is the default role Anyscale assigns to a user when they are invited to the organization.
    • Collaborators don't have access to the My Organization page, and can't change their or other users' status in the organization.
    • By default, collaborators only have access to cluster environments, which are public to all users in the organization.
    • You must add a collaborator to a cloud for them to be able to take additional actions on other Anyscale resources in the cloud.

Because organization owners have admin permissions in addition to their individual user permissions, add organization owners to clouds they intend to develop on, so that they keep permissions to the cloud even if they are demoted from being admin.

Admin permissions

Admin permissions are a type of implicit permission granted to organization owners. Admin permissions give the user the strongest "Owner" access to all resources in Anyscale, which allows organization owners to easily troubleshoot any issues.

We do not show organization admins the pages which list users with access to a resource unless they were assigned access to these resources as individuals.

Removing users from an organization

You can remove any organization collaborator from an organization. Resources created by the user still exist in the organization, but the user is no longer able to log into the organization or use their tokens to access these resources. Any private resources that only this user had access to are still accessible to organization owners through admin permissions.

Anyscale doesn't support re-adding a user who was previously removed from an organization.

Cloud permissions

Like organizations, clouds also support Owner and Collaborator roles.

  • Owner: The organization admin who creates a cloud becomes the first owner of that cloud.
    • Cloud owners can manage which users have either owner or collaborator permissions to a cloud.
      • Only users in the organization are eligible to be granted either of these two cloud permissions.
      • Only organization owners are eligible to be granted cloud owner permissions at the individual level.
    • Cloud owners also have all cloud collaborator permissions.
Note: Anyscale doesn't support adding a non-organization admin as a cloud owner. Cloud owner permissions are only granted to the organization admin or to the user who created a cloud.

  • Collaborator: Cloud collaborators can view details about the cloud, and use the cloud to create any child Anyscale resources. All resources within the cloud are accessible to cloud collaborators by default.
Note: See cloud details and owner actions at https://console.anyscale.com/v2/clouds.

Removing users from a cloud

When an owner removes a user from a cloud, the user loses access to all resources within the cloud. This action can cause some entities that the user previously owned to show up as (Removed user). Organization owners still have owner privileges on these entities through organization admin permissions.

Owners can directly remove owners or collaborators from a cloud. However, owners can't remove themselves. Instead, another cloud owner must remove them.

Auto add user to cloud

You can enable the auto add user feature for clouds that should be accessible to all users in the organization. Cloud owners can modify this field in the UI in the Cloud detail and owner actions page at https://console.anyscale.com/v2/clouds. They can also modify the field through the CLI with the anyscale cloud edit and anyscale cloud update commands.

If an owner enables this feature, they grant all individual users in the organization cloud collaborator permissions and all users appear in the cloud collaborator table view. Owners can no longer manually modify cloud permissions while the feature is enabled because all users need to have access. Note: It may take up to 30 seconds for Anyscale to grant cloud collaborator permissions after an owner enables this feature or adds a new user to the organization.

Disabling this feature causes no change in cloud permissions for individual users. If some users received cloud collaborator permissions while the "auto add user" feature was enabled, those users continue to have cloud collaborator permissions if the feature becomes disabled, until a cloud owner manually modifies their individual permissions.
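
The following added example (not Anyscale code or its API) models the rules from the Admin permissions and Auto add user sections in plain Python; the class and method names and the users alice, bob, and carol are constructed for illustration. It shows why an organization owner without an explicit cloud grant loses access on demotion, and that collaborator grants created by auto add persist after the feature is disabled.

```python
from dataclasses import dataclass, field

@dataclass
class Cloud:
    roles: dict = field(default_factory=dict)  # user -> explicit cloud role
    auto_add: bool = False

@dataclass
class Org:
    members: dict  # user -> organization role ("owner" or "collaborator")
    clouds: dict   # cloud name -> Cloud

    def grant(self, cloud, user, role):
        c = self.clouds[cloud]
        if user not in self.members:
            raise PermissionError("only organization users can be added")
        if role == "owner" and self.members[user] != "owner":
            raise PermissionError("cloud owner must be an organization owner")
        if c.auto_add:
            raise PermissionError("manual edits are blocked while auto add is on")
        c.roles[user] = role

    def set_auto_add(self, cloud, enabled):
        c = self.clouds[cloud]
        c.auto_add = enabled
        # Enabling grants everyone collaborator; disabling revokes nothing.
        for user in (self.members if enabled else ()):
            c.roles.setdefault(user, "collaborator")

    def effective_role(self, cloud, user):
        if user not in self.members:       # removed from the organization
            return None
        if self.members[user] == "owner":  # implicit admin permission
            return "owner"
        return self.clouds[cloud].roles.get(user)

    def admin_only_owners(self, cloud):  # org owners lacking an explicit grant
        roles = self.clouds[cloud].roles
        return sorted(u for u, r in self.members.items()
                      if r == "owner" and u not in roles)

def demo():  # constructed users and cloud name
    org = Org({"alice": "owner", "bob": "owner", "carol": "collaborator"},
              {"prod": Cloud({"alice": "owner"})})  # alice created the cloud
    admin_only = org.admin_only_owners("prod")
    org.members["bob"] = "collaborator"      # demote bob from organization owner
    bob = org.effective_role("prod", "bob")  # no explicit grant to fall back on
    org.set_auto_add("prod", True)
    org.set_auto_add("prod", False)
    return admin_only, bob, org.effective_role("prod", "carol")
```

Running `admin_only_owners` over an inventory of real organization and cloud memberships gives the list of owners to add explicitly before any role change.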

Inheritance to child resources

Because there are no granular access controls for resources below a cloud, all workspaces, jobs, and services inherit permissions from their cloud.