(feat proxy) [beta] add support for organization role based access controls (#6112)

* track LiteLLM_OrganizationMembership

* add add_internal_user_to_organization

* add org membership to schema

* read organization membership when reading user info in auth checks

* add check for valid organization_id

* add test for test_create_new_user_in_organization

* test test_create_new_user_in_organization

* add new ADMIN role

* add test for org admins creating teams

* add test for test_org_admin_create_user_permissions

* test_org_admin_create_user_team_wrong_org_permissions

* test_org_admin_create_user_team_wrong_org_permissions

* fix organization_role_based_access_check

* fix getting user members

* fix TeamBase

* fix types used for use role

* fix type checks

* sync prisma schema

* docs - organization admins

* fix use organization_endpoints for /organization management

* add types for org member endpoints

* fix role name for org admin

* add type for member add response

* add organization/member_add

* add error handling for adding members to an org

* add nice doc string for oranization/member_add

* fix test_create_new_user_in_organization

* linting fix

* use simple route changes

* fix types

* add organization member roles

* add org admin auth checks

* add auth checks for orgs

* test for creating teams as org admin

* simplify org id usage

* fix typo

* test test_org_admin_create_user_team_wrong_org_permissions

* fix type check issue

* code quality fix

* fix schema.prisma

docs/my-website/docs/proxy/access_control.md

@@ -0,0 +1,145 @@
+# Role-based Access Controls (RBAC)
+
+Role-based access control (RBAC) is based on Organizations, Teams and Internal User Roles
+
+- `Organizations` are the top-level entities that contain Teams.
+- `Team` - A Team is a collection of multiple `Internal Users`
+- `Internal Users` - users that can create keys, make LLM API calls, view usage on LiteLLM 
+- `Roles` define the permissions of an `Internal User`
+- `Virtual Keys` - Keys are used for authentication to the LiteLLM API. Keys are tied to a `Internal User` and `Team` 
+
+## Roles
+
+**Admin Roles**
+  - `proxy_admin`: admin over the platform
+  - `proxy_admin_viewer`: can login, view all keys, view all spend. **Cannot** create/delete keys, add new users.
+
+**Organization Roles**
+  - `organization_admin`: admin over the organization. Can create teams and users within their organization
+
+**Internal User Roles**
+  - `internal_user`: can login, view/create/delete their own keys, view their spend. **Cannot** add new users.
+  - `internal_user_viewer`: can login, view their own keys, view their own spend. **Cannot** create/delete keys, add new users.
+
+
+## Managing Organizations 
+
+### 1. Creating a new Organization
+
+Any user with role=`proxy_admin` can create a new organization
+
+**Usage**
+
+[**API Reference for /organization/new**](https://litellm-api.up.railway.app/#/organization%20management/new_organization_organization_new_post)
+
+```shell
+curl --location 'http://0.0.0.0:4000/organization/new' \
+    --header 'Authorization: Bearer sk-1234' \
+    --header 'Content-Type: application/json' \
+    --data '{
+        "organization_alias": "marketing_department",
+        "models": ["gpt-4"],
+        "max_budget": 20
+    }'
+```
+
+Expected Response 
+
+```json
+{
+  "organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
+  "organization_alias": "marketing_department",
+  "budget_id": "98754244-3a9c-4b31-b2e9-c63edc8fd7eb",
+  "metadata": {},
+  "models": [
+    "gpt-4"
+  ],
+  "created_by": "109010464461339474872",
+  "updated_by": "109010464461339474872",
+  "created_at": "2024-10-08T18:30:24.637000Z",
+  "updated_at": "2024-10-08T18:30:24.637000Z"
+}
+```
+
+
+### 2. Adding an `organization_admin` to an Organization
+
+Create a user (ishaan@berri.ai) as an `organization_admin` for the `marketing_department` Organization (from [step 1](#1-creating-a-new-organization))
+
+Users with the following roles can call `/organization/member_add`
+- `proxy_admin`
+- `organization_admin` only within their own organization
+
+```shell
+curl -X POST 'http://0.0.0.0:4000/organization/member_add' \
+    -H 'Authorization: Bearer sk-1234' \
+    -H 'Content-Type: application/json' \
+    -d '{"organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23", "member": {"role": "organization_admin", "user_id": "ishaan@berri.ai"}}'
+```
+
+Now a user with user_id = `ishaan@berri.ai` and role = `organization_admin` has been created in the `marketing_department` Organization
+
+Create a Virtual Key for user_id = `ishaan@berri.ai`. The User can then use the Virtual key for their Organization Admin Operations
+
+```shell
+curl --location 'http://0.0.0.0:4000/key/generate' \
+        --header 'Authorization: Bearer sk-1234' \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "user_id": "ishaan@berri.ai"
+    }'
+```
+
+Expected Response 
+
+```json
+{
+  "models": [],
+  "user_id": "ishaan@berri.ai",
+  "key": "sk-7shH8TGMAofR4zQpAAo6kQ",
+  "key_name": "sk-...o6kQ",
+}
+```
+
+### 3. `Organization Admin` - Create a Team
+
+The organization admin will use the virtual key created in [step 2](#2-adding-an-organization_admin-to-an-organization) to create a `Team` within the `marketing_department` Organization
+
+```shell
+curl --location 'http://0.0.0.0:4000/team/new' \
+    --header 'Authorization: Bearer sk-7shH8TGMAofR4zQpAAo6kQ' \
+    --header 'Content-Type: application/json' \
+    --data '{
+        "team_alias": "engineering_team",
+        "organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
+    }'
+```
+
+This will create the team `engineering_team` within the `marketing_department` Organization
+
+Expected Response 
+
+```json
+{
+  "team_alias": "engineering_team",
+  "team_id": "01044ee8-441b-45f4-be7d-c70e002722d8",
+  "organization_id": "ad15e8ca-12ae-46f4-8659-d02debef1b23",
+}
+```
+
+
+### `Organization Admin` - Add an `Internal User`
+
+The organization admin will use the virtual key created in [step 2](#2-adding-an-organization_admin-to-an-organization) to add an Internal User to the `engineering_team` Team. 
+
+- We will assign role=`internal_user` so the user can create Virtual Keys for themselves
+- `team_id` is from [step 3](#3-organization-admin---create-a-team)
+
+```shell
+curl -X POST 'http://0.0.0.0:4000/team/member_add' \
+    -H 'Authorization: Bearer sk-1234' \
+    -H 'Content-Type: application/json' \
+    -d '{"team_id": "01044ee8-441b-45f4-be7d-c70e002722d8",, "member": {"role": "internal_user", "user_id": "krrish@berri.ai"}}'
+
+```
+

docs/my-website/sidebars.js

@@ -78,7 +78,12 @@ const sidebars = {
         {
           type: "category",
           label: "Admin UI",
-          items: ["proxy/ui", "proxy/self_serve", "proxy/custom_sso"],
+          items: [
+            "proxy/ui", 
+            "proxy/self_serve", 
+            "proxy/access_control",
+            "proxy/custom_sso"
+          ],
         },
         {
           type: "category",