# `HuggingfaceClient.Hub.Enterprise.Security` [🔗](https://github.com/huggingface/huggingface_client/blob/v0.1.0/lib/huggingface_client/hub/enterprise/security.ex#L1) HuggingFace Enterprise Security & Compliance (7.2). Covers: - **Audit logs** — track all actions on your organization's resources - **Role-based access control (RBAC)** — member roles and permissions - **SSO/SAML** — single sign-on configuration - **API token management** — create, list, revoke tokens - **Repository access control** — fine-grained repo permissions > **Enterprise feature**: Most functions require an Enterprise or Team Hub subscription. See: https://huggingface.co/docs/hub/enterprise-hub ## Example # Get audit log for your organization {:ok, logs} = HuggingfaceClient.Enterprise.audit_logs("my-enterprise-org", limit: 100, access_token: token) logs |> Enum.each(fn entry -> IO.puts("#{entry["user"]} — #{entry["action"]} — #{entry["timestamp"]}") end) # `audit_logs` ```elixir @spec audit_logs( String.t(), keyword() ) :: {:ok, [map()]} | {:error, Exception.t()} ``` Returns the audit log for an organization. Audit logs record all significant actions taken by organization members, including repo creation/deletion, permission changes, and API access. > **Enterprise feature**: Requires an Enterprise Hub subscription. ## Options - `:limit` — max entries to return (default: 100) - `:offset` — pagination offset - `:user` — filter by username - `:action` — filter by action type (e.g. `"repo.create"`, `"member.invite"`) - `:resource_type` — filter by resource type: `"model"`, `"dataset"`, `"space"`, `"bucket"` - `:start_date` — ISO8601 start date - `:end_date` — ISO8601 end date - `:access_token` ## Action types - `"repo.create"` — repository created - `"repo.delete"` — repository deleted - `"repo.update"` — repository settings changed - `"repo.visibility"` — visibility changed - `"member.invite"` — member invited - `"member.remove"` — member removed - `"member.role_change"` — member role changed - `"token.create"` — API token created - `"token.revoke"` — API token revoked - `"access_request.accept"` — gated repo request accepted - `"access_request.reject"` — gated repo request rejected ## Example {:ok, logs} = HuggingfaceClient.audit_logs("my-org", limit: 50, action: "member.invite", access_token: token) # `create_token` ```elixir @spec create_token(keyword()) :: {:ok, map()} | {:error, Exception.t()} ``` Creates a new API token for the authenticated user. ## Options - `:name` — token name (required) - `:role` — `"read"` | `"write"` | `"admin"` (default: `"read"`) - `:expires_at` — ISO8601 expiry date (optional) - `:access_token` ## Example {:ok, new_token} = HuggingfaceClient.create_token( name: "ci-token", role: "read", access_token: token ) IO.puts("Token: #{new_token["token"]}") # `get_sso_config` ```elixir @spec get_sso_config( String.t(), keyword() ) :: {:ok, map()} | {:error, Exception.t()} ``` Gets SSO configuration for an organization. > **Enterprise feature**: Requires Enterprise Hub subscription with SSO enabled. ## Example {:ok, sso} = HuggingfaceClient.get_sso_config("my-enterprise-org", access_token: token) IO.puts("Provider: #{sso["provider"]}") IO.puts("Enabled: #{sso["enabled"]}") # `has_org_role?` ```elixir @spec has_org_role?(String.t(), String.t(), keyword()) :: boolean() ``` Checks if the authenticated user has at least the specified role in an org. Roles (from lowest to highest): `"read"`, `"write"`, `"admin"`. ## Example true = HuggingfaceClient.has_org_role?("my-org", "write", access_token: token) # `list_tokens` ```elixir @spec list_tokens(keyword()) :: {:ok, [map()]} | {:error, Exception.t()} ``` Lists API tokens for the authenticated user. ## Example {:ok, tokens} = HuggingfaceClient.list_tokens(access_token: token) Enum.each(tokens, fn t -> IO.puts("#{t["name"]}: #{t["role"]} — last used: #{t["last_used"]}") end) # `my_org_role` ```elixir @spec my_org_role( String.t(), keyword() ) :: {:ok, String.t() | nil} | {:error, Exception.t()} ``` Returns the current user's role in an organization. ## Example {:ok, role} = HuggingfaceClient.my_org_role("huggingface", access_token: token) # "admin" | "write" | "read" | "contributor" | nil (not a member) # `revoke_token` ```elixir @spec revoke_token(keyword()) :: :ok | {:error, Exception.t()} ``` Revokes an API token. ## Options - `:token_name` — name of the token to revoke (required) - `:access_token` # `set_repo_internal_visibility` ```elixir @spec set_repo_internal_visibility( String.t(), keyword() ) :: :ok | {:error, Exception.t()} ``` Moves a repo to a private or internal state (Enterprise feature). Internal repos are accessible to all org members but not the public. ## Options - `:visibility` — `"public"`, `"private"`, `"internal"` (required) - `:access_token` # `set_repo_visibility` ```elixir @spec set_repo_visibility( String.t(), keyword() ) :: :ok | {:error, Exception.t()} ``` Sets the visibility of a repository (public/private). This is a convenience wrapper around `update_repo_settings/2`. ## Example :ok = HuggingfaceClient.set_repo_visibility("my-org/my-model", private: true, access_token: token) # `stream_audit_logs` ```elixir @spec stream_audit_logs( String.t(), keyword() ) :: Enumerable.t() ``` Streams all audit log entries, following pagination automatically. Returns a lazy `Stream` of audit log entries. ## Example result = HuggingfaceClient.stream_audit_logs("my-org", access_token: token) |> Stream.filter(fn e -> e["action"] == "repo.delete" end) |> Enum.take(20) |> Enum.each(fn e -> IO.puts("#{e["user"]} deleted #{e["resource"]}") end) # `update_sso_config` ```elixir @spec update_sso_config( String.t(), keyword() ) :: {:ok, map()} | {:error, Exception.t()} ``` Updates SSO/SAML configuration for an organization. > **Enterprise feature**: Requires Enterprise Hub subscription. ## Options - `:provider` — `"saml"` | `"oidc"` (required) - `:enabled` — enable or disable SSO - `:sso_url` — SAML SSO URL or OIDC issuer - `:certificate` — SAML certificate (for SAML provider) - `:client_id` — OIDC client ID - `:client_secret` — OIDC client secret - `:access_token` --- *Consult [api-reference.md](api-reference.md) for complete listing*