diff --git a/src/langsmith/abac.mdx b/src/langsmith/abac.mdx index d3faeed489..35f2b2f511 100644 --- a/src/langsmith/abac.mdx +++ b/src/langsmith/abac.mdx @@ -20,6 +20,35 @@ Roles and resource tags can be managed via the UI or API. ABAC policies are curr * [Set up resource tags](/langsmith/set-up-resource-tags) in your workspace. * ABAC currently only supports `resource_tag_key` as an `attribute_name` in policies, for evaluating against resource tags. No other attributes are supported yet. +## Enable ABAC for self-hosted deployments + +1. ABAC requires a [self-hosted](/langsmith/self-hosted) LangSmith deployment running Helm chart 0.11.28 or later (application version 0.12.1). Once you've upgraded, use one of the following options to enable ABAC: + + - **Enable for a specific organization:** Run the following against your LangSmith PostgreSQL database, replacing `` with the ID copied from the organization settings page in the UI: + + ```sql + UPDATE organizations SET config = config || '{"can_use_abac": true}' WHERE id = '' AND NOT is_personal; + ``` + + - **Enable for all organizations:** Add the following environment variable to `commonEnv` in your `values.yaml`: + + ```yaml + DEFAULT_ORG_FEATURE_CAN_USE_ABAC: "true" + ``` + + + This environment variable has no effect on personal organizations, because [RBAC](/langsmith/rbac) is not enabled for personal organizations. + + +1. Set up authentication. To manage access policies via the API, you need an [Organization Admin](/langsmith/rbac#organization-admin) API key (Personal Access Token or Service Key). Set the following environment variables before running any scripts: + + ```bash + export LANGSMITH_API_KEY="your_admin_api_key" + # Required for self-hosted or EU deployments: + # export LANGCHAIN_ENDPOINT="https://eu.api.smith.langchain.com" + # export LANGCHAIN_ENDPOINT="https://langsmith.yourdomain.com/api" + ``` + ## Access policy structure An access policy defines conditions under which access is granted or denied. Here's the structure: