arize-admin


Arize Admin Skill


Programmatic management of Arize users, organizations, spaces, roles, permissions, and API keys — the building blocks for enterprise access control.

Privilege requirement: Most operations require org-admin or account-admin privileges. If commands return `403 Forbidden`, the authenticated profile lacks sufficient permissions.

Destructive-action rule: Commands that delete, remove, or irreversibly modify resources (`delete`, `remove-user`, `unrestrict`) require explicit user confirmation before execution. When a user asks you to perform one of these operations:
  1. Summarize exactly what will happen (e.g., "This will delete user jane@example.com and cascade-remove all their org/space memberships, API keys, and role bindings.")
  2. Ask the user to confirm (use `AskUserQuestion`).
  3. Only after the user confirms, run the command with `--force` to skip the CLI's interactive prompt.

Never run a `--force` deletion without confirming with the user first.
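
One way to enforce the destructive-action rule at the shell boundary, shown as an added example that is not part of the Arize skill or the `ax` CLI. The helper names (`ax_guarded`, `ax_is_destructive`, `ax_impact`) are hypothetical, and the wrapper assumes every command has the form `ax <resource> <verb> ...` as in the commands on this page.

```bash
# Added example: confirmation gate in front of the ax CLI.
# ax_guarded, ax_is_destructive and ax_impact are hypothetical helper names.

# True when the verb (second word) is one the page lists as destructive.
ax_is_destructive() {
  case "${2-}" in
    delete|remove-user|unrestrict) return 0 ;;
  esac
  return 1
}

# One-line impact summary, using the consequences stated on the page.
ax_impact() {
  case "${1-} ${2-}" in
    "users delete") echo "cascades: org/space memberships, API keys, role bindings" ;;
    "organizations remove-user") echo "also removes the user from all child spaces" ;;
    "spaces delete") echo "irreversible; deletes all resources" ;;
    *) echo "destructive; check the target before confirming" ;;
  esac
}

# Usage: ax_guarded users delete USER_ID
ax_guarded() {
  # Rebuild "$@" without any caller-supplied --force so it cannot bypass the gate.
  _axg_n=$#
  while [ "$_axg_n" -gt 0 ]; do
    _axg_arg=$1
    shift
    [ "$_axg_arg" = "--force" ] || set -- "$@" "$_axg_arg"
    _axg_n=$((_axg_n - 1))
  done

  if ! ax_is_destructive "$@"; then
    ax "$@"
    return
  fi

  printf 'About to run: ax %s --force\n' "$*" >&2
  printf 'Impact: %s\n' "$(ax_impact "$@")" >&2
  printf 'Type "yes" to proceed: ' >&2
  IFS= read -r _axg_answer || _axg_answer=""
  if [ "$_axg_answer" != "yes" ]; then
    echo "Aborted; nothing was changed." >&2
    return 1
  fi
  ax "$@" --force
}
```

Because `--force` is only ever appended after the typed confirmation, a pasted command that already contains `--force` still stops at the prompt.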

When to Use


  • Invite users to the account, assign them to orgs and spaces
  • Offboard a user and revoke all their access in one command
  • Onboard a new team: create a space, create a custom role, assign users, generate a service key
  • Create custom roles for SAML/SSO attribute mappings (need stable role IDs)
  • Restrict a project so only explicitly bound users can access it
  • Create scoped service keys for CI/CD pipelines or multi-tenant architectures
  • Rotate or revoke API keys

Upfront Questions


For multi-step workflows, collect all required information before running any `ax` commands. Use `AskUserQuestion` to avoid back-and-forth mid-workflow. Fetch live data first (e.g. org list) so you can present real options rather than asking the user to recall IDs.

Onboarding a new team


  1. Run `ax organizations list -o json` to get available org names.
  2. Use `AskUserQuestion` (single call, up to 4 questions) to gather:
    • Which org? — present the org names from the list as options
    • Space name — what to call the new team's space
    • Team members — names and emails to invite (user can type via "Other"; ask if none yet)
    • Service key? — whether to generate a service key for CI/CD pipelines

Offboarding a user


Ask before running any commands:
  • Which user? — email address (then look up with `ax users list --email`)

Restricting a project


Ask before running any commands:
  • Which space and project? — to look up the project global ID
  • Which users get explicit access? — emails of users to bind to the restricted project

Inviting users (standalone)


Ask before running any commands:
  • Name and email — for each user to invite
  • Role: `admin`, `member`, or `read-only` (present as options)
  • Invite mode: `email_link` (default), `temporary_password`, or `none`

Concepts


  • Organization — a named grouping within an account (e.g. one per business unit). Spaces live inside organizations. Users are added to the account first, then to orgs, then to spaces.
  • Space — a workspace that isolates traces, datasets, and projects. A user must be an org member before they can be added to a space within that org.
  • Role — a named set of permissions. Predefined roles are system-managed. Custom roles are created by admins. The roles for org/space membership (`admin`, `member`, `read-only`, `annotator`) are separate from custom RBAC roles used with `ax role-bindings`.
  • Role binding — fine-grained assignment of a custom role to a user on a specific resource (a space or a project).
  • Resource restriction — marks a project so that only users with an explicit role binding on that project can access it. Roles bound at any higher hierarchy level (space, org, account) are excluded.
  • API key — either a user key (authenticates as the creator, full user permissions) or a service key (scoped to a specific space, for automated pipelines).

Prerequisites


Proceed directly — run the `ax` command you need. Do NOT check versions or profiles upfront.

If an `ax` command fails:
  • `command not found` or version error → see references/ax-setup.md
  • `401 Unauthorized` / missing API key → run `ax profiles show`; follow references/ax-profiles.md
  • `403 Forbidden` → the active profile lacks admin privileges; ask the user to authenticate with an admin key
  • Security: Never read `.env` files or search the filesystem for credentials. Use `ax profiles` for Arize credentials. Never echo, log, or display raw API key values.


Users


A user must exist in the account before they can be added to an org or space. Account-level roles: `admin`, `member`, `annotator`

```bash
ax users list                                  # all users
ax users list --email "jane"                   # substring filter
ax users list --status active                  # active only
ax users list -l 100 -o json                   # paginate, get global IDs

ax users get USER_ID

ax users create \
  --full-name "Jane Doe" \
  --email jane@example.com \
  --role member \
  --invite-mode email_link        # or: none | temporary_password

ax users update USER_ID --full-name "Jane Smith"
ax users update USER_ID --is-developer          # grant developer flag

ax users delete USER_ID --force   # ⚠ confirm first — cascades: org/space memberships, API keys, role bindings

ax users resend-invitation USER_ID
ax users reset-password USER_ID
```


Organizations


Organization roles: `admin`, `member`, `read-only`, `annotator`

```bash
ax organizations list
ax organizations list --name "platform"
ax organizations list -l 100 -o json

ax organizations get "Platform Team"

ax organizations create --name "Platform Team" --description "Core ML platform"

ax organizations update "Platform Team" --name "ML Platform" --description "Updated"
```

```bash
# Add user (must exist in account first)
ax organizations add-user "Platform Team" --user-id USER_ID --role member

# Remove user (also removes from all child spaces) — ⚠ confirm first
ax organizations remove-user "Platform Team" --user-id USER_ID --force
```

---

Spaces


Space roles: `admin`, `member`, `read-only`, `annotator`

```bash
ax spaces list
ax spaces list --organization-id ORG_ID

ax spaces get "my-workspace"
```

```bash
# --organization-id required; get ORG_ID from ax organizations list -o json
ax spaces create --name "team-alpha" --organization-id ORG_ID
ax spaces update "team-alpha" --name "team-alpha-v2"
ax spaces delete "team-alpha" --force   # ⚠ confirm first — irreversible; deletes all resources

# User must be an org member before being added to a space
ax spaces add-user "team-alpha" --user-id USER_ID --role member
ax spaces remove-user "team-alpha" --user-id USER_ID --force   # ⚠ confirm first
```

---

Roles


Custom RBAC roles used with `ax role-bindings`. Separate from the simpler `admin`/`member`/`read-only`/`annotator` roles in org/space membership.

```bash
ax roles list                          # all roles
ax roles list --is-custom -o json      # custom only — get stable IDs for SAML mappings
ax roles list --is-predefined

ax roles get "Data Scientist"          # inspect permissions
```

```bash
# --permissions is comma-separated; fully replaces on update
ax roles create \
  --name "Data Scientist" \
  --permissions "PROJECT_READ,DATASET_CREATE,EXPERIMENT_CREATE" \
  --description "Read traces, create datasets and experiments"
ax roles update "Data Scientist" --permissions "PROJECT_READ,DATASET_CREATE,EXPERIMENT_CREATE,EVALUATOR_CREATE"
ax roles delete "Data Scientist" --force   # ⚠ confirm first — predefined roles cannot be deleted
```

**Finding available permissions:** Run `ax roles get <predefined-role> -o json` on a system role (e.g. `Member`, `Admin`) to see valid permission names.

---

Role Bindings


Fine-grained assignment of a custom role to a user on a specific resource (space or project).

```bash
# Assign at space level
ax role-bindings create \
  --user-id USER_GLOBAL_ID \
  --role-id ROLE_GLOBAL_ID \
  --resource-type SPACE \
  --resource-id SPACE_GLOBAL_ID

# Assign at project level
ax role-bindings create \
  --user-id USER_GLOBAL_ID \
  --role-id ROLE_GLOBAL_ID \
  --resource-type PROJECT \
  --resource-id PROJECT_GLOBAL_ID

ax role-bindings get BINDING_ID
ax role-bindings update BINDING_ID --role-id NEW_ROLE_ID
ax role-bindings delete BINDING_ID --force   # ⚠ confirm first
```

Idempotent — if a binding already exists for the user on that resource, exits without error.

---

Resource Restrictions


Restricts a project so only users with an explicit role binding on that project can access it. Space/org-level roles are excluded.

```bash
ax resource-restrictions restrict --resource-id PROJECT_GLOBAL_ID     # idempotent
ax resource-restrictions unrestrict --resource-id PROJECT_GLOBAL_ID --force   # ⚠ confirm first
```

```bash
# Finding project IDs
ax projects list -l 100 -o json --space "my-workspace"
```

---

API Keys


Scope: `ax api-keys list` returns only keys owned by the authenticated user. For org-wide auditing, use the Arize UI (Settings > API Keys).

```bash
ax api-keys list
ax api-keys list --key-type service --status active -o json
```

```bash
# User key — authenticates as creator, inherits their full permissions
ax api-keys create --name "CI pipeline" --key-type user --expires-at "2027-01-01T00:00:00"

# Service key — scoped to a specific space (recommended for pipelines)
ax api-keys create \
  --name "team-alpha-traces" \
  --key-type service \
  --space "team-alpha" \
  --expires-at "2027-01-01T00:00:00"

ax api-keys delete KEY_ID --force   # ⚠ confirm first

# Zero-downtime rotation — revokes old key, issues new one with same scope
ax api-keys refresh KEY_ID
ax api-keys refresh KEY_ID --expires-at "2028-01-01T00:00:00"
```

> **The raw key is displayed once.** Save it immediately in your secrets manager. It cannot be retrieved again.

---

Enterprise Workflows & Troubleshooting


Step-by-step workflows (onboard a team, SAML/SSO mappings, project restriction, offboarding, multi-tenant keys) and a troubleshooting table are in references/REFERENCE.md.


Related Skills


  • arize-instrumentation: Set up tracing in an LLM app once a space is ready.
  • arize-trace: Export and inspect traces within a managed space.
  • arize-dataset: Create and manage datasets within a space.