Managing Access

This section shows you how to manage users and permissions in NeMo Microservices. Access management involves creating workspaces to organize resources and adding members with appropriate roles.

Creating Workspaces

Workspaces are the primary authorization boundary—all resources belong to a workspace, and access is controlled at the workspace level. When you create a workspace, you automatically become its Admin.

Create separate workspaces to isolate teams (ml-research, nlp-team), environments (dev, staging, prod), or projects. For detailed workspace management, see Workspaces.

CLI:

nmp workspaces create --name ml-team

# Set the workspace as your default for subsequent commands
nmp config set --workspace ml-team

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

workspace = client.workspaces.create(
    name="ml-team",
    description="Machine learning team workspace"
)

Managing Workspace Members

Members are users who have been granted access to a workspace. Each member has one of three roles:

  • Viewer — Read-only access to all resources

  • Editor — Can create, modify, and delete resources

  • Admin — Full control, including managing members

Add a Member

Grant someone access to a workspace by adding them as a member with a specific role. The principal is typically an email address that identifies the user in your identity provider.

CLI:

nmp members create --principal alice@example.com --roles Editor

Example output:

{
  "principal": "alice@example.com",
  "roles": ["Editor"],
  "granted_at": "2026-01-20T10:00:00Z",
  "granted_by": "admin@example.com"
}

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

# Add a member with Editor role
client.members.create(
    workspace="ml-team",
    principal="alice@example.com",
    roles=["Editor"]
)

# Add a member with Viewer role (read-only)
client.members.create(
    workspace="ml-team",
    principal="bob@example.com",
    roles=["Viewer"]
)

# Add a member with Admin role (full control)
client.members.create(
    workspace="ml-team",
    principal="charlie@example.com",
    roles=["Admin"]
)

List Members

View all members of a workspace to audit access or verify permissions. The response includes each member’s principal, roles, and when access was granted.

CLI:

nmp members list

Example output:

[
  {
    "principal": "alice@example.com",
    "roles": ["Editor"],
    "granted_at": "2026-01-20T10:00:00Z",
    "granted_by": "admin@example.com"
  },
  {
    "principal": "bob@example.com",
    "roles": ["Viewer"],
    "granted_at": "2026-01-20T10:01:00Z",
    "granted_by": "admin@example.com"
  },
  {
    "principal": "charlie@example.com",
    "roles": ["Admin"],
    "granted_at": "2026-01-20T10:02:00Z",
    "granted_by": "admin@example.com"
  }
]

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

members = client.members.list(workspace="ml-team")

for member in members.data:
    print(f"{member.principal}: {member.roles}")

Update Member Roles

Change a member’s role to adjust their permissions—for example, promoting a Viewer to Editor when they need to create resources.

CLI:

nmp members update bob@example.com --roles Editor

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

# Promote a Viewer to Editor
client.members.update(
    workspace="ml-team",
    principal_id="bob@example.com",
    roles=["Editor"]
)

Remove a Member

Revoke a member’s access by removing them from the workspace. This removes all their role bindings in the workspace—they will no longer be able to access any resources unless re-added.

CLI:

nmp members delete alice@example.com

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

client.members.delete(
    workspace="ml-team",
    principal_id="alice@example.com"
)

Granting Access to All Users

Use the wildcard principal * to grant a role to all authenticated users. This is useful for shared workspaces where you want broad access without adding each user individually.

Common use cases:

  • Shared datasets — Grant Viewer to * so everyone can use common training data

  • Team shared space — Grant Editor to * for a workspace where anyone can experiment

  • Published models — Grant Viewer to * for production models that everyone should access

Make a Workspace Readable by Everyone

Grant the Viewer role to * so all authenticated users can view resources.

CLI:

nmp members create --principal "*" --roles Viewer

Example output:

{
  "principal": "*",
  "roles": ["Viewer"],
  "granted_at": "2026-01-20T10:05:00Z",
  "granted_by": "admin@example.com"
}

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

client.members.create(
    workspace="shared-models",
    principal="*",
    roles=["Viewer"]
)

Make a Workspace Editable by Everyone

Grant the Editor role to * so all authenticated users can create, modify, and delete resources, as the Editor role allows.

CLI:

nmp members create --principal "*" --roles Editor

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

client.members.create(
    workspace="shared-datasets",
    principal="*",
    roles=["Editor"]
)

Remove Public Access

Remove the wildcard binding to restrict the workspace to explicit members only.

CLI:

nmp members delete "*"

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

client.members.delete(
    workspace="ml-team",
    principal_id="*"
)

Note

Default Workspace Access

The platform automatically grants wildcard access to built-in workspaces:

  • default workspace: All users have Editor access

  • system workspace: All users have Viewer access (read-only)

This allows users to start working immediately without explicit role assignment.

Admin Protection

Every workspace must have at least one Admin to prevent orphaned workspaces. The platform enforces this rule:

  • You cannot remove the last Admin from a workspace

  • You cannot change the last Admin’s role to Viewer or Editor

If you need to leave a workspace where you’re the only Admin, first add another Admin:

CLI:

# Add another admin first
nmp members create --principal charlie@example.com --roles Admin

# Now you can remove yourself
nmp members delete alice@example.com

Python SDK:

from nemo_microservices import NeMoMicroservices

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

# Add another admin first
client.members.create(
    workspace="ml-team",
    principal="charlie@example.com",
    roles=["Admin"]
)

# Now you can remove yourself
client.members.delete(
    workspace="ml-team",
    principal_id="alice@example.com"
)
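
An added example, not part of the NeMo Microservices documentation or SDK: an offline audit over member records in the JSON shape shown under List Members. It flags wildcard bindings by the strongest role they carry, principals outside an expected e-mail domain, and a sole named Admin. The sample records, the `audit_members` function, the severity labels, and the `allowed_domain` parameter are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the `nmp members list` output on this page.
SAMPLE_MEMBERS = json.loads("""
[
  {"principal": "alice@example.com", "roles": ["Editor"],
   "granted_at": "2026-01-20T10:00:00Z", "granted_by": "admin@example.com"},
  {"principal": "charlie@example.com", "roles": ["Admin"],
   "granted_at": "2026-01-20T10:02:00Z", "granted_by": "admin@example.com"},
  {"principal": "*", "roles": ["Editor"],
   "granted_at": "2026-01-20T10:05:00Z", "granted_by": "charlie@example.com"},
  {"principal": "dana@partner.example", "roles": ["Viewer"],
   "granted_at": "2026-01-21T09:00:00Z", "granted_by": "charlie@example.com"}
]
""")

RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}
# Assumed severity scale for a wildcard binding, keyed by its strongest role.
WILDCARD_SEVERITY = {"Admin": "critical", "Editor": "high", "Viewer": "info"}


def audit_members(members, allowed_domain=None):
    """Return (severity, principal, message) findings for one workspace."""
    findings, admins = [], []
    for m in members:
        principal, roles = m["principal"], m.get("roles", [])
        if not roles:
            continue
        top = max(roles, key=lambda r: RANK.get(r, -1))
        if principal == "*":
            # Unrecognized roles are treated as high until reviewed.
            sev = WILDCARD_SEVERITY.get(top, "high")
            findings.append((sev, principal,
                             f"all authenticated users hold {top} "
                             f"(granted by {m.get('granted_by')})"))
            continue
        if "Admin" in roles:
            admins.append(principal)
        domain = principal.rsplit("@", 1)[-1].lower()
        if allowed_domain and domain != allowed_domain.lower():
            findings.append(("medium", principal,
                             f"{top} held outside {allowed_domain}"))
    if len(admins) == 1:
        findings.append(("info", admins[0], "sole named Admin"))
    return findings


if __name__ == "__main__":
    for sev, principal, msg in audit_members(SAMPLE_MEMBERS, "example.com"):
        print(f"[{sev}] {principal}: {msg}")
```

To audit a real workspace, parse the JSON printed by `nmp members list` and pass the resulting list in place of the sample.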

Deleting Workspaces

Admins can delete workspaces they manage. However, a workspace cannot be deleted if it contains resources (projects, datasets, models, etc.). The API returns a 409 Conflict error listing which entity types exist:

{
  "detail": "Cannot delete workspace 'ml-team': workspace contains entities that must be deleted first: project (3), dataset (5)"
}

Delete all resources in the workspace before deleting the workspace itself:

CLI:

# List and delete projects first
nmp projects list --workspace ml-team
nmp projects delete my-project --workspace ml-team

# Then delete the workspace
nmp workspaces delete ml-team

Python SDK:

from nemo_microservices import NeMoMicroservices, ConflictError

client = NeMoMicroservices(base_url="<NMP_BASE_URL>")

try:
    client.workspaces.delete("ml-team")
except ConflictError as e:
    print(f"Cannot delete workspace: {e}")
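    # The 409 detail lists every entity type that still exists.
    # Projects are deleted here; delete any other listed types
    # (datasets, models, etc.) the same way before retrying.
    projects = client.projects.list(workspace="ml-team")
    for project in projects.data:
        client.projects.delete(project.name, workspace="ml-team")
    # Retry; this raises ConflictError again if other entity types remain
    client.workspaces.delete("ml-team")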