From 571da1d2fd417195e8561db5f74ac79af99f6427 Mon Sep 17 00:00:00 2001 From: Alexandre Nicolas Date: Thu, 16 Apr 2026 13:17:35 +0200 Subject: [PATCH 1/2] docs: add no_access organization member role --- docs/hub/enterprise-resource-groups.md | 2 +- docs/hub/organizations-security.md | 4 +++- docs/hub/programmatic-user-access-control.md | 6 +++--- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/hub/enterprise-resource-groups.md b/docs/hub/enterprise-resource-groups.md index e0ba5419be..92730ef6f3 100644 --- a/docs/hub/enterprise-resource-groups.md +++ b/docs/hub/enterprise-resource-groups.md @@ -22,7 +22,7 @@ This feature allows organization administrators to: - Group related repositories together for better organization - Control member access at a group level rather than individual repository level -- Assign different permission roles (read, contributor, write, admin) to team members +- Assign different permission roles (no_access, read, contributor, write, admin) to team members - Keep private repositories visible only to authorized group members - Enable multiple teams to work independently within the same organization - Configure which member roles are allowed to create new resource groups diff --git a/docs/hub/organizations-security.md b/docs/hub/organizations-security.md index 60ade02a4a..3fe01ec78b 100644 --- a/docs/hub/organizations-security.md +++ b/docs/hub/organizations-security.md @@ -8,7 +8,9 @@ > > The Resource Group feature is part of the Team & Enterprise plans. -Members of organizations can have four different roles: `read`, `contributor`, `write`, or `admin`: +Members of organizations can have five different roles: `no_access`, `read`, `contributor`, `write`, or `admin`: + +- `no_access`: the member belongs to the Organization but has no access to its repositories or settings. Use with [Resource Groups](./security-resource-groups) to grant access to specific repos only. - `read`: read-only access to the Organization's repos and metadata/settings (eg, the Organization's profile, members list, API token, etc). diff --git a/docs/hub/programmatic-user-access-control.md b/docs/hub/programmatic-user-access-control.md index 5ba80abae5..c5e88c73ce 100644 --- a/docs/hub/programmatic-user-access-control.md +++ b/docs/hub/programmatic-user-access-control.md @@ -12,7 +12,7 @@ This guide describes how to manage organization member roles and resource group ## Change member role via API -You can change a member's **organization role** (Read / Contributor / Write / Admin) and, optionally, their roles in **resource groups** using the Hub API. The API updates **one member per request**. To change roles for multiple members, call the API in a loop (examples below). +You can change a member's **organization role** (No Access / Read / Contributor / Write / Admin) and, optionally, their roles in **resource groups** using the Hub API. The API updates **one member per request**. To change roles for multiple members, call the API in a loop (examples below). **OpenAPI reference:** PUT /api/organizations/{name}/members/{username}/role @@ -50,10 +50,10 @@ Content-Type: application/json - `org_name`: Organization slug (e.g. `my-org`). - `username`: Hugging Face **username** of the member whose role you are changing. - **Body** - - `role` (required): The member's **organization-level** role. One of: `"read"`, `"contributor"`, `"write"`, or `"admin"`. + - `role` (required): The member's **organization-level** role. One of: `"no_access"`, `"read"`, `"contributor"`, `"write"`, or `"admin"`. - `resourceGroups` (optional): Array of resource group assignments for this user. Each item: - `id`: Resource group ID (24-character hex string; get IDs from the [resource groups list API](#list-resource-groups)). - - `role`: Role in that resource group: `"read"`, `"contributor"`, `"write"`, or `"admin"`. + - `role`: Role in that resource group: `"no_access"`, `"read"`, `"contributor"`, `"write"`, or `"admin"`. - If you omit `resourceGroups` or pass `[]`, the user is removed from all resource groups. To only change org role and leave resource groups unchanged, pass their current resource group memberships (the body always sets both org role and resource group list). **Example (curl) – set org role to "read", no resource groups (removes any the user was previously in)** From a7296d4fb0a2c7e2c928c94d14b732523e347c57 Mon Sep 17 00:00:00 2001 From: Alexandre Nicolas Date: Thu, 16 Apr 2026 18:36:40 +0200 Subject: [PATCH 2/2] fix: remove no_access role in resource group --- docs/hub/programmatic-user-access-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hub/programmatic-user-access-control.md b/docs/hub/programmatic-user-access-control.md index c5e88c73ce..5aeba3a721 100644 --- a/docs/hub/programmatic-user-access-control.md +++ b/docs/hub/programmatic-user-access-control.md @@ -53,7 +53,7 @@ Content-Type: application/json - `role` (required): The member's **organization-level** role. One of: `"no_access"`, `"read"`, `"contributor"`, `"write"`, or `"admin"`. - `resourceGroups` (optional): Array of resource group assignments for this user. Each item: - `id`: Resource group ID (24-character hex string; get IDs from the [resource groups list API](#list-resource-groups)). - - `role`: Role in that resource group: `"no_access"`, `"read"`, `"contributor"`, `"write"`, or `"admin"`. + - `role`: Role in that resource group: `"read"`, `"contributor"`, `"write"`, or `"admin"`. - If you omit `resourceGroups` or pass `[]`, the user is removed from all resource groups. To only change org role and leave resource groups unchanged, pass their current resource group memberships (the body always sets both org role and resource group list). **Example (curl) – set org role to "read", no resource groups (removes any the user was previously in)**