Merged
29 changes: 29 additions & 0 deletions src/langsmith/abac.mdx
Expand Up @@ -20,6 +20,35 @@ Roles and resource tags can be managed via the UI or API. ABAC policies are curr
* [Set up resource tags](/langsmith/set-up-resource-tags) in your workspace.
* ABAC currently only supports `resource_tag_key` as an `attribute_name` in policies, for evaluating against resource tags. No other attributes are supported yet.

## Enable ABAC for self-hosted deployments

1. ABAC requires a [self-hosted](/langsmith/self-hosted) LangSmith deployment running Helm chart 0.11.28 or later (application version 0.12.1). Once you've upgraded, use one of the following options to enable ABAC:

- **Enable for a specific organization:** Run the following against your LangSmith PostgreSQL database, replacing `<organization_id>` with the ID copied from the organization settings page in the UI:

```sql
UPDATE organizations SET config = config || '{"can_use_abac": true}' WHERE id = '<organization_id>';
```

- **Enable for all organizations:** Add the following environment variable to `commonEnv` in your `values.yaml`:

```yaml
DEFAULT_ORG_FEATURE_CAN_USE_ABAC: "true"
```

<Note>
This environment variable has no effect on personal organizations, which do not have [RBAC](/langsmith/rbac) enabled.

@katmayb Kathryn May (katmayb) Mar 9, 2026

Brian Vander Schaaf (@bvs-langchain) Is this trying to say this has no effect on personal organizations because RBAC isn't enabled? Or, this has no effect on personal organizations that don't have RBAC enabled?

This is just for Enterprise, so assuming the former?

Contributor

Yes, the former. And we should update the SQL to say `... where not is_personal` to match this fact (even though it would have no effect for personal orgs, better to avoid doubt).

</Note>

1. Set up authentication. To manage access policies via the API, you need an [Organization Admin](/langsmith/rbac#organization-admin) API key (Personal Access Token or Service Key). Set the following environment variables before running any scripts:

```bash
export LANGSMITH_API_KEY="your_admin_api_key"
# Required for self-hosted or EU deployments:
# export LANGCHAIN_ENDPOINT="https://eu.api.smith.langchain.com"
# export LANGCHAIN_ENDPOINT="https://langsmith.yourdomain.com/api"
```

## Access policy structure

An access policy defines conditions under which access is granted or denied. Here's the structure:
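
Review bot: In the "Enable for a specific organization" bullet, the `UPDATE organizations ...` statement is run by hand against the production database but has neither the `is_personal` guard raised in the thread nor a way to confirm it touched exactly one row. Suggest ending it with `WHERE id = '<organization_id>' AND NOT is_personal RETURNING id, config;` (the `is_personal` column name comes from the review reply, not from these lines). If `config` can be NULL for an organization, `config || '{"can_use_abac": true}'` evaluates to NULL in PostgreSQL and the flag is silently not set; `COALESCE(config, '{}'::jsonb) || ...` covers that case, assuming the column is `jsonb`. The `<Note>` wording "which do not have RBAC enabled" still reads both ways; "because personal organizations do not have RBAC enabled" matches the answer given in the thread. Both steps are numbered `1.` and the bullets, fences and `<Note>` between them are not indented, so the ordered list is likely to break after the first sentence; indent the nested content under step 1. In the bash block the key is `LANGSMITH_API_KEY` while the endpoint is `LANGCHAIN_ENDPOINT`; confirm the prefix mismatch is intended, and consider a sentence telling readers to load the Organization Admin key from a secret store rather than typing it into a shell where it lands in history.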