Control access to Vertex AI Workbench

You can grant and restrict access to Vertex AI Workbench for an organization or a project.

Set the organization policy for Vertex AI Workbench

Use the organization policy to restrict or enable permissions for an organization or project to create or update a JupyterLab notebook. The YAML organization policy file, GDCHRestrictedServices, specifies the organization policy. To learn more, see the following topics:

Restrict access to Vertex AI Workbench from your organization

To restrict access to Vertex AI Workbench from your organization, edit the GDCHRestrictedServices organization policy by adding kinds and apiGroups from the following sample code:

apiGroups: ["aiplatform.gdc.goog"]
kinds: ["Notebook"]

In the following example GDCHRestrictedServices organization policy, add the last two lines to revoke access to Vertex AI Workbench from your organization:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    kinds:
      - apiGroups: ["aiplatform.gdc.goog"]
        kinds: ["Notebook"]

To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Define the scope of an organization policy within a cluster. To restore an organization's access to Vertex AI Workbench, see Grant your organization access to Vertex AI Workbench.

Restrict access to Vertex AI Workbench from a project

To restrict access to Vertex AI Workbench from a project, edit the GDCHRestrictedServices organization policy by adding kinds and apiGroups for the project namespace.

In the following example of the GDCHRestrictedServices organization policy, add the last two lines beneath the project namespace to revoke access to Vertex AI Workbench from that project.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    namespaces: [PROJECT_NAMESPACE]
    kinds:
      - apiGroups: ["aiplatform.gdc.goog"]
        kinds: ["Notebook"]

You might need to add the following line to your GDCHRestrictedServices organization policy to identify your project. Replace PROJECT_NAMESPACE with the project name.

namespaces: [PROJECT_NAMESPACE]

To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Define the scope of an organization policy within a cluster.

Grant your organization access to Vertex AI Workbench

By default, an organization has permissions to access the Vertex AI Workbench. If permissions to access the Vertex AI Workbench are revoked from an organization, they can be reinstated. To reinstate permissions to access the Vertex AI Workbench for all projects in your organization, identify the GDCHRestrictedServices custom resource in your org admin cluster with the following two lines:

apiGroups: ["aiplatform.gdc.goog"]
kinds: ["Notebook"]

If these two lines are the only content in the spec.match.kinds field of the GDCHRestrictedService resource, delete the GDCHRestrictedService resource to reinstate the Vertex AI Workbench service for all projects in your organization. If there are other restricted services in the GDCHRestrictedService resource like in the following example, remove the two lines to reinstate the Vertex AI Workbench service for all of the projects in your organization.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GDCHRestrictedService
metadata:
  name: restrict-notebook-for-organization
spec:
  match:
    scope: "Namespaced"
    kinds:
      - apiGroups: ["marketplace.gdc.goog"]
        kinds: ["MarketplaceService"]
      - apiGroups: ["aiplatform.gdc.goog"]
        kinds: ["Notebook"]

To learn more about organization policies and how to edit the GDCHRestrictedService organization policy, see Define the scope of an organization policy within a cluster.