Sharing and access control¶
Workloads support shared roles via GET /workloads/{workload_id}/sharedRoles and PATCH /workloads/{workload_id}/sharedRoles. A shared role grants a user, group, or organization a specific access level on the Workload.
Available roles¶
The Workload API exposes three sharing roles:
| Role | Access level |
|---|---|
owner |
Full control, including deletion and re-sharing. |
user |
Invoke and read. The standard production-consumer role. |
consumer |
Invoke only; cannot read full configuration or statistics. |
Shared roles propagate to events, statistics, and the /protons/ sub-resource so collaborators see the same telemetry and lifecycle as owners.
Update shared roles¶
PATCH /workloads/{workload_id}/sharedRoles replaces the current shared role list. You can set up to 100 entries in a single request, and each entry identifies the recipient by id (with shareRecipientType) or by username (for users).
curl -X PATCH "${DATAROBOT_ENDPOINT}/workloads/${WORKLOAD_ID}/sharedRoles" \
-H "Authorization: Bearer ${DATAROBOT_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"operation": "updateRoles",
"roles": [
{"id": "USER_ID", "role": "user", "shareRecipientType": "user"},
{"username": "alice@example.com", "role": "consumer", "shareRecipientType": "user"}
]
}'
shareRecipientType accepts user, group, organization, or role.
Artifacts and artifact repositories¶
Artifacts and artifact repositories use the same sharedRoles pattern for registry governance:
| Resource | Shared role endpoints |
|---|---|
| Artifact | GET /artifacts/{artifact_id}/sharedRoles, PATCH /artifacts/{artifact_id}/sharedRoles. |
| Artifact repository | GET /artifactRepositories/{artifact_repository_id}/sharedRoles, PATCH /artifactRepositories/{artifact_repository_id}/sharedRoles. |