Merge pull request #268815 from sdgilley/sdg-data-labeling

Update how-to-add-users

Author: v-dirichards

articles/machine-learning/how-to-add-users.md

@@ -8,7 +8,8 @@ ms.reviewer: sgilley
 ms.service: machine-learning
 ms.subservice: mldata
 ms.topic: how-to
-ms.date: 02/08/2023
+ms.date: 03/12/2024
+# customer intent: As a data labeling project manager, I want to add users to my data labeling project so that they can label data, but with restricted permissions.
 ---
 
 # Add users to your data labeling project
@@ -28,27 +29,40 @@ You need certain permission levels to follow the steps in this article. If you c
 
 ## Add custom role
 
-To add a custom role, you must have `Microsoft.Authorization/roleAssignments/write` permissions for your subscription - for example, [User Access Administrator](../../articles/role-based-access-control/built-in-roles.md).
+When you add a user to your project, you assign them a role to define their level of access. Before you add users, define the roles you want to use.
 
-1. Open your workspace in [Azure Machine Learning studio](https://ml.azure.com)
-1. Open the menu on the top right, and select **View all properties in Azure Portal**. You use the Azure portal for the remaining steps in this article.
-1. Select the **Resource group** link in the middle of the page.
-1. On the left, select **Access control (IAM)**.
-1. At the top, select **+ Add > Add custom role**.
-1. For the **Custom role name**, type the name you want to use. For example, **Labeler**.
-1. In the **Description** box, add a description. For example, **Labeler access for data labeling projects**.
-1. Select **Start from JSON**.
-1. At the bottom of the page, select **Next**.
-1. Don't do anything for the **Permissions** tab. You add permissions in a later step. Select **Next**.
-1. The **Assignable scopes** tab shows your subscription information. Select **Next**.
-1. In the **JSON** tab, above the edit box, select **Edit**.
-1. Select lines starting with **"actions:"** and **"notActions:"**.
+There is a built-in role for data labeling, scoped only to labeling data. If you want to use the built-in role for all your labelers, skip this section and proceed to [add guest user](#add-guest-user).  
+
+The following custom roles give other levels of access for a data labeling project. Define all the roles you want to use before moving on to add the users.
+
+ To add a custom role, you must have `Microsoft.Authorization/roleAssignments/write` permissions for your subscription - for example, [User Access Administrator](../../articles/role-based-access-control/built-in-roles.md).
 
-    :::image type="content" source="media/how-to-add-users/replace-lines.png" alt-text="Create custom role: select lines to replace them in the editor.":::
+1. Access the resource group for your workspace in the Azure portal. 
+    1. Open your workspace in [Azure Machine Learning studio](https://ml.azure.com).
+    1. Open the menu on the top right, and select **View all properties in Azure Portal**. You use the Azure portal for the remaining steps in this section.
+    1. Select the **Resource group** link in the middle of the page.
+1. Add a custom role
+    1. On the left, select **Access control (IAM)**.
+    1. At the top, select **+ Add > Add custom role**.
+    1. For the **Custom role name**, type the name you want to use. For example, **Labeling team lead**.
+    1. In the **Description** box, add a description. For example, **Team leader for labeling projects**.
+    1. Select **Start from JSON**.
+    1. Ignore the **Select a file** entry, even though it is starred.  You'll create the JSON in a future step.
+    1. At the bottom of the page, select **Next**.
+1. Skip tabs.
+    1. Don't do anything for the **Permissions** tab. You add permissions in a later step. Select **Next**.
+    1. The **Assignable scopes** tab shows your subscription information. Select **Next**.
+1. Edit the JSON definition.
+    1. In the **JSON** tab, above the edit box, select **Edit**.
+    1. Select lines starting with **"actions:"** and **"notActions:"**.
 
-1. Replace these two lines with the `Actions` and `NotActions` from the appropriate role listed at [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md#data-labeling). Make sure to copy from `Actions` through the closing bracket, `],`
+        :::image type="content" source="media/how-to-add-users/replace-lines.png" alt-text="Create custom role: select lines to replace them in the editor.":::
 
-1. Select **Save** at the top of the edit box to save your changes.
+    1. Replace these two lines with the `Actions` and `NotActions` from the appropriate role in the following tabs. Make sure to copy from `Actions` through the closing bracket, `],`.
+
+        [!INCLUDE [custom-role-data-labeling](includes/custom-role-data-labeling.md)]
+
+    1. Select **Save** at the top of the edit box to save your changes.
 
     > [!IMPORTANT]
     > Don't select **Next** until you've saved your edits.
@@ -59,7 +73,7 @@ To add a custom role, you must have `Microsoft.Authorization/roleAssignments/wri
 
 ## Add guest user
 
-If your labelers are outside of your organization, add them, so they can access your workspace. If labelers are already inside your organization, skip this step.
+If your labelers are outside of your organization, add them, so they can access your workspace. If labelers are already inside your organization, skip this step and proceed to [add users to your workspace](#add-users-to-your-workspace).
 
 To add a guest user, your organization's external collaboration settings need the correct configuration to allow you to invite guests.
 
@@ -76,28 +90,26 @@ To add a guest user, your organization's external collaboration settings need th
 
     :::image type="content" source="media/how-to-add-users/invite-user.png" alt-text="Invite guest user from Microsoft Entra ID.":::
 
-Repeat these steps for each of your labelers. You can also use the link at the bottom of the **Invite user** box to invite multiple users in bulk.
+Repeat these steps for each of the guest users. Or use the link at the bottom of the **Invite user** box to invite multiple users in bulk.
 
 > [!TIP]
-> Inform your labelers that they will receive this email. They must accept the invitation in order to gain access to your project.
+> Inform your labelers that they will receive an email. They must accept the invitation in order to gain access to your project.
 
 ## Add users to your workspace
 
-Now that you added your labelers to the system, you can add them to your workspace. 
+Once you have the appropriate users in your system and the role(s) defined, add the users to your workspace so that they can access your data labeling project.
 
 To add users to your workspace, you must be an owner of the workspace.
 
-1. In [Azure portal](https://portal.azure.com), in the top search field, type **Machine Learning**. 
-1. Select **Machine Learning**.
-    :::image type="content" source="media/how-to-manage-workspace/find-workspaces.png" alt-text="Search for Azure Machine Learning workspace.":::
-
-1. Select the workspace that contains your data labeling project.
+1. Access your workspace in the Azure portal. 
+    1. Open your workspace in [Azure Machine Learning studio](https://ml.azure.com).
+    1. Open the menu on the top right, and select **View all properties in Azure Portal**. You use the Azure portal for the remaining steps in this section.
 1. On the left, select **Access control (IAM)**.
 1. At the top, select **+ Add > Add role assignment**.
 
     :::image type="content" source="media/how-to-add-users/add-role-assignment.png" alt-text="Add role assignment from your workspace.":::
 
-1. Select the **Labeler** or **Labeling Team Lead** role in the list. Use **Search** if necessary to find it.
+1. Select the role you want to use from the list. Use **Search** if necessary to find it.
 1. Select **Next**.
 1. In the middle of the page, next to **Members**, select the **+ Select members** link.
 1. Select each of the users you want to add. Use **Search** if necessary to find them.
@@ -108,7 +120,7 @@ To add users to your workspace, you must be an owner of the workspace.
 
 ## For your labelers
 
-Now, your labelers can begin labeling in your project. However, they still need information from you to access the project.
+Once labelers have been added as users in the workspace, they can begin labeling in your project. However, they still need information from you to access the project.
 
 Be sure to create your labeling project before you contact your labelers.
 
@@ -122,10 +134,10 @@ Send the following information to your labelers, after you fill in your workspac
 1. Open [Azure Machine Learning studio](https://ml.azure.com).
 1. Use the dropdown to select the workspace **\<workspace-name\>**.
 1. Select the **Label data** tool for **\<project-name\>**.
-    :::image type="content" source="media/how-to-add-users/label-data.png" alt-text="Screenshot showing the label data tool.":::
+    :::image type="content" source="media/how-to-add-users/label-data.png" alt-text="Screenshot shows the label data tool in a project.":::
 1. For more information about how to label data, see [Labeling images and text documents](how-to-label-data.md).
 
-## Next steps
+## Related content
 
 * Learn more about [working with a data labeling vendor company](how-to-outsource-data-labeling.md)
 * [Create an image labeling project and export labels](how-to-create-image-labeling-projects.md)

articles/machine-learning/how-to-assign-roles.md

@@ -466,150 +466,9 @@ The workspace admin also cannot create a new role. It can only assign existing b
 
 ### Data labeling
 
-# [Data labeler](#tab/labeler)
+There is a built-in role for data labeling, scoped only to labeling data. The following custom roles give other levels of access for a data labeling project. 
 
-Allows you to define a role scoped only to labeling data:
-
-*labeler_custom_role.json* :
-
-```json
-{
-    "Name": "Labeler Custom",
-    "IsCustom": true,
-    "Description": "Can label data for Labeling",
-    "Actions": [
-        "Microsoft.MachineLearningServices/workspaces/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/write"   
-    ],
-    "NotActions": [        
-    ],
-    "AssignableScopes": [
-        "/subscriptions/<subscriptionId>"
-    ]
-}
-```
-
-# [Labeling team lead](#tab/team-lead)
-
-Allows you to review and reject the labeled dataset and view labeling insights. In addition to it, this role also allows you to perform the role of a labeler.
-
-*labeling_team_lead_custom_role.json* :
-
-```json
-{
-    "Name": "Labeling Team Lead",
-    "IsCustom": true,
-    "Description": "Team lead for Labeling Projects",
-    "Actions": [
-        "Microsoft.MachineLearningServices/workspaces/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/write",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read"
-    ],
-    "NotActions": [
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/write",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/delete",
-        "Microsoft.MachineLearningServices/workspaces/labeling/export/action"
-    ],
-    "AssignableScopes": [
-        "/subscriptions/<subscriptionId>"
-    ]
-}
-```
-
-# [Vendor account manager](#tab/vendor-admin)
-
-A vendor account manager can help manage all the vendor roles and perform any labeling action. They can't modify projects or view MLAssist experiments.
-
-*vendor_admin_role.json* :
-
-```json
-{
-    "Name": "Vendor account admin",
-    "IsCustom": true,
-    "Description": "Vendor account admin for Labeling Projects",
-    "Actions": [
-        "Microsoft.MachineLearningServices/workspaces/read", 
-        "Microsoft.MachineLearningServices/workspaces/experiments/runs/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/write", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/export/action", 
-        "Microsoft.MachineLearningServices/workspaces/datasets/registered/read"
-    ],
-    "AssignableScopes": [
-        "/subscriptions/<subscriptionId>"
-    ]
-}
-```
-
-# [Customer QA](#tab/customer-qa)
-
-A customer quality assurance role can view project dashboards, preview datasets, export a labeling project, and review submitted labels. This role can't submit labels.
-
-*customer_qa_role.json* :
-
-```json
-{
-    "Name": "Customer QA",
-    "IsCustom": true,
-    "Description": "Customer QA for Labeling Projects",
-    "Actions": [
-        "Microsoft.MachineLearningServices/workspaces/read",
-        "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read",
-        "Microsoft.MachineLearningServices/workspaces/labeling/export/action",
-        "Microsoft.MachineLearningServices/workspaces/datasets/registered/read"
-    ],
-    "AssignableScopes": [
-        "/subscriptions/<subscriptionId>"
-    ]
-}
-```
-
-# [Vendor QA](#tab/vendor-qa)
-
-A vendor quality assurance role can perform a customer quality assurance role, but can't preview the dataset.
-
-*vendor_qa_role.json*:
-
-```json
-{
-    "Name": "Vendor QA",
-    "IsCustom": true,
-    "Description": "Vendor QA for Labeling Projects",
-    "Actions": [
-        "Microsoft.MachineLearningServices/workspaces/read", 
-        "Microsoft.MachineLearningServices/workspaces/experiments/runs/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action",
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read", 
-        "Microsoft.MachineLearningServices/workspaces/labeling/export/action"
-    ],
-    "AssignableScopes": [
-        "/subscriptions/<subscriptionId>"
-    ]
-}
-```
-
----
+[!INCLUDE [custom-role-data-labeling](includes/custom-role-data-labeling.md)]
 
 ## Troubleshooting