How to use Gated User Access (or suitable other functionality) for user access within an Organization?

Hi,
I write requesting guidance on the ability to do fine access control over an organization's members' ability to access certain repos. I am abbreviating HuggingFace as HF and Resource Group as RG for brevity.

BACKGROUND:
We have a Team licence. As the AI core team, we manage the usage of HF across our organization. The general ground-rules we enforce are:

  1. Create an HF account with only official email-id and note down username.
  2. Core team adds user to the Org members list. SSO is used to allow these users to reach the Org page.
  3. All repos must be created with the owner as the Org. Never make a public repo - we have disabled the ability to make a Public repo with owner as our Org.
  4. Set the Access Control as Everyone if all members of organization should have access, else set it to a suitable RG. Only necessary members of the org are part of the RG.

USE-CASE (problem faced):

  1. Say we have 5 members in the Org. Person-1/2/3 are from the Finance Department. But Person-4/5 are not. Thus any repos with owner as our Org and with Access as Everyone can be seen by all 5 members. No one outside of our Org can access these repos. All good here.
  2. Only Person-1/2/3 who belong to Finance Department are all part of Resource Group “RG-Fin”. There are several repos with Access Control as “RG-Fin” - thus only accessible by these three persons. All good here.
  3. Now Person-4 also wants access to the models of Finance department. We are ok with Person-4 having access to ALL the repos currently in RG-Fin or those added in future. So Person-4 is added to RG-Fin. All good here.
  4. Now Finance department creates a new repo “SpecialModel” with Access Control as RG-Fin. So it's currently accessible by the Persons 1/2/3/4.
  5. Now Person-5 needs to have access only to this repo SpecialModel. We do NOT want to give access to Person-5 for all the repos that are already part of RG-Fin. So we do want to add Person-5 to RG-Fin.
  6. We tried to use Gated repo to do this. In the Settings for repo SpecialModel, we enabled “Gated User Access”, with “Manual Review”, and with “Add Access” button successfully granted access to Person-5. But Person-5 gets a 404 error accessing the repo. It seems this person must be added to RG-Fin but we do not want to do this.

Alternatives that may work but we do not want to do here:

  1. We do not want to create a totally different resource group e.g. RG-Fin-2 where only the new SpecialModel is added. We understand a Repo can only be mapped to a unique resource group. We want it to remain under RG-Fin.
  2. We also do not want to create a copy of the repo and use that. There are then two different repos which could not be updated together.
  3. We do not want to make the repo public, and then use the Gated model route to grant access. We do not want any repo to even be accessible by anyone outside our Org members.

My questions:

  1. Is this already possible in HF today? Am I doing something wrong here with Gated User Access?
  2. Is there any work ongoing to roll out such functionality?

Regards,
Rohit

Hi @AI-CC-RohitBewoor, if you haven’t already, can you email team-support@huggingface.co? We’re happy to help look into this for you! :hugs:

Hi @meganariley ,
Thank you - will do this right away.
Regards.

TLDR: Having a “member-group” concept where an org-admin can add/remove some set of users would make member access via Resource Group much easier.

On emailing the team-support email id mentioned above, I got their inputs quite fast. Based on that, it seems I could recommend making a new Resource Group for this, then move the repo “SpecialModel” to the new RG. Then we would add all the existing members of the original RG to the new RG + the person for whom we wanted to grant access newly.
This would work, but I see no concept of “member-groups” in HF. If such a thing existed then it would be much easier to map all necessary members into any new Resource Groups. I would just select the existing member-group for “Finance” and have to add just the one new person. Further, if Person-3 left the Finance department some day, I could easily edit the “member-group” for Finance to remove Person-3. And the members who are then mapped to one or more RGs using this member-group are updated automatically. But right now, I would need to go to every resource group created and delete Person-3 from them.
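
The "member-group" idea from the last post can be emulated outside HF by keeping the groups in a local file and computing which Resource Group membership changes an admin still has to make. The sketch below is an added example, not part of the thread and not Hugging Face code: it calls no HF API, the `MEMBER_GROUPS`, `RG_POLICY` and `CURRENT` structures are hypothetical, and the data is constructed from the Person-1..5 scenario, with `RG-Fin-2` standing in for the new RG that holds SpecialModel.

```python
# Constructed sample data; nothing here is read from or written to Hugging Face.
MEMBER_GROUPS = {"Finance": {"Person-1", "Person-2", "Person-3", "Person-4"}}

# Desired state per Resource Group: member-groups to expand plus individual extras.
RG_POLICY = {
    "RG-Fin": {"groups": ["Finance"], "extra": set()},
    "RG-Fin-2": {"groups": ["Finance"], "extra": {"Person-5"}},
}

# Membership as currently configured in the org settings (typed in by hand here).
CURRENT = {
    "RG-Fin": {"Person-1", "Person-2", "Person-3", "Person-4"},
    "RG-Fin-2": set(),
}

def desired_members(policy, groups):
    """Expand each RG's member-groups and extras into a flat member set."""
    out = {}
    for rg, rule in policy.items():
        members = set(rule["extra"])
        for g in rule["groups"]:
            members |= groups[g]  # KeyError on a misspelled group: fail closed
        out[rg] = members
    return out

def plan(current, desired):
    """Return ordered (action, rg, user) steps that turn current into desired."""
    steps = []
    for rg in sorted(desired):
        have = current.get(rg, set())
        steps += [("add", rg, u) for u in sorted(desired[rg] - have)]
        steps += [("remove", rg, u) for u in sorted(have - desired[rg])]
    # RGs that exist but have no policy are reported, never silently skipped.
    steps += [("unmanaged", rg, "") for rg in sorted(set(current) - set(desired))]
    return steps

def offboard(user, groups):
    """Return a copy of the member-groups with the user removed from each."""
    return {g: m - {user} for g, m in groups.items()}

if __name__ == "__main__":
    for step in plan(CURRENT, desired_members(RG_POLICY, MEMBER_GROUPS)):
        print(*step)
```

Running `plan` again after `offboard("Person-3", MEMBER_GROUPS)` lists every RG that still contains Person-3, which is the manual sweep the post describes.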