Update RBAC example for Dashboard access (pingcap#7988)

dashboard/dashboard-access.md

@@ -30,7 +30,7 @@ You can use TiDB Dashboard in the following common desktop browsers of a relativ
 
 After accessing TiDB Dashboard, you will be directed to the user login interface, as shown in the image below.
 
-- You can sign in with TiDB Dashboard using the TiDB `root` account. 
+- You can sign in to TiDB Dashboard using the TiDB `root` account.
 - If you have created a [User-defined SQL User](/dashboard/dashboard-user.md), you can sign in using this account and the corresponding password.
 
 ![Login interface](/media/dashboard/dashboard-access-login.png)

dashboard/dashboard-ops-security.md

@@ -20,7 +20,7 @@ It is recommended that you set a strong password for the TiDB `root` user. See [
 
 The account system of TiDB Dashboard is consistent with that of TiDB SQL. Users accessing TiDB Dashboard are authenticated and authorized based on TiDB SQL user's privileges. Therefore, TiDB Dashboard requires limited privileges, or merely the read-only privilege. You can configure users to access TiDB Dashboard based on the principle of least privilege, thus avoiding access of high-privileged users.
 
-It is recommended that you create a least-privileged SQL user to access and sign in with TiDB Dashboard. This avoids access of high-privileged users and improves security. See [TiDB Dashboard User Management](/dashboard/dashboard-user.md) for details.
+It is recommended that you create a least-privileged SQL user to access and sign in to TiDB Dashboard. This avoids access of high-privileged users and improves security. See [TiDB Dashboard User Management](/dashboard/dashboard-user.md) for details.
 
 ## Use a firewall to block untrusted access
 

dashboard/dashboard-user.md

@@ -6,7 +6,7 @@ aliases: ['/docs/dev/dashboard/dashboard-user/']
 
 # TiDB Dashboard User Management
 
-TiDB Dashboard uses the same user privilege system and sign-in authentication as TiDB. You can control and manage TiDB SQL users to limit their access to TiDB Dashboard. This document describes the least privileges required for TiDB SQL users to access TiDB Dashboard and exemplifies how to create a least-privileged SQL user.
+TiDB Dashboard uses the same user privilege system and sign-in authentication as TiDB. You can control and manage TiDB SQL users to limit their access to TiDB Dashboard. This document describes the least privileges required for TiDB SQL users to access TiDB Dashboard and exemplifies how to create a least-privileged SQL user and how to authorize via RBAC.
 
 For details about how to control and manage TiDB SQL users, see [TiDB User Account Management](/user-account-management.md).
 
@@ -29,36 +29,33 @@ For details about how to control and manage TiDB SQL users, see [TiDB User Accou
     - RESTRICTED_STATUS_ADMIN
     - RESTRICTED_VARIABLES_ADMIN
 
-- To modify the configurations on the interface after signing in with TiDB Dashboard, the SQL user must also have the following privilege:
+- To modify the configurations on the interface after signing in to TiDB Dashboard, the SQL user must also have the following privilege:
 
     - SYSTEM_VARIABLES_ADMIN
 
 > **Note:**
 >
-> Users with high privileges such as `ALL PRIVILEGES` or `SUPER` can sign in with TiDB Dashboard as well. Therefore, to comply with the least privilege principle, it is highly recommended that you create users with the required privileges only to prevent unintended operations. See [Privilege Management](/privilege-management.md) for more information on these privileges.
+> Users with high privileges such as `ALL PRIVILEGES` or `SUPER` can sign in to TiDB Dashboard as well. Therefore, to comply with the least privilege principle, it is highly recommended that you create users with the required privileges only to prevent unintended operations. See [Privilege Management](/privilege-management.md) for more information on these privileges.
 
-If an SQL user does not meet the preceding privilege requirements, the user fails to sign in with TiDB Dashboard, as shown below.
+If an SQL user does not meet the preceding privilege requirements, the user fails to sign in to TiDB Dashboard, as shown below.
 
 ![insufficient-privileges](/media/dashboard/dashboard-user-insufficient-privileges.png)
 
 ## Example: Create a least-privileged SQL user to access TiDB Dashboard
 
-- When [Security Enhanced Mode (SEM)](/system-variables.md#tidb_enable_enhanced_security) is not enabled on the connected TiDB server, to create an SQL user `dashboardAdmin` that can sign in with TiDB Dashboard, execute the following SQL statements:
+- When [Security Enhanced Mode (SEM)](/system-variables.md#tidb_enable_enhanced_security) is not enabled on the connected TiDB server, to create an SQL user `dashboardAdmin` that can sign in to TiDB Dashboard, execute the following SQL statements:
 
     ```sql
     CREATE USER 'dashboardAdmin'@'%' IDENTIFIED BY '<YOUR_PASSWORD>';
     GRANT PROCESS, CONFIG ON *.* TO 'dashboardAdmin'@'%';
     GRANT SHOW DATABASES ON *.* TO 'dashboardAdmin'@'%';
     GRANT DASHBOARD_CLIENT ON *.* TO 'dashboardAdmin'@'%';
-    ```
-
-    -- To modify the configuration items on the interface after signing in with TiDB Dashboard, the user-defined SQL user must be granted with the following privilege:
 
-    ```sql
+    -- To modify the configuration items on the interface after signing in to TiDB Dashboard, the user-defined SQL user must be granted with the following privilege.
     GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
     ```
 
-- When [Security Enhanced Mode (SEM)](/system-variables.md#tidb_enable_enhanced_security) is enabled on the connected TiDB server, disable SEM first and execute the following SQL statements to create an SQL user `dashboardAdmin` that can sign in with TiDB Dashboard. After creating the user, enable SEM again:
+- When [Security Enhanced Mode (SEM)](/system-variables.md#tidb_enable_enhanced_security) is enabled on the connected TiDB server, disable SEM first and execute the following SQL statements to create an SQL user `dashboardAdmin` that can sign in to TiDB Dashboard. After creating the user, enable SEM again:
 
     ```sql
     CREATE USER 'dashboardAdmin'@'%' IDENTIFIED BY '<YOUR_PASSWORD>';
@@ -68,14 +65,36 @@ If an SQL user does not meet the preceding privilege requirements, the user fail
     GRANT RESTRICTED_STATUS_ADMIN ON *.* TO 'dashboardAdmin'@'%';
     GRANT RESTRICTED_TABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
     GRANT RESTRICTED_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
+
+    -- To modify the configuration items on the interface after signing in to TiDB Dashboard, the user-defined SQL user must be granted with the following privilege.
+    GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
+    ```
+
+## Example: Authorize SQL user to access TiDB Dashboard via RBAC
+
+The following example demonstrates how to create a role and a user to access TiDB Dashboard through the [role-based access control (RBAC)](/role-based-access-control.md) mechanism.
+
+1. Create a `dashboard_access` role that meets the privilege requirements of TiDB Dashboard:
+
+    ```sql
+    CREATE ROLE 'dashboard_access';
+    GRANT PROCESS, CONFIG ON *.* TO 'dashboard_access'@'%';
+    GRANT SHOW DATABASES ON *.* TO 'dashboard_access'@'%';
+    GRANT DASHBOARD_CLIENT ON *.* TO 'dashboard_access'@'%';
+    GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboard_access'@'%';
     ```
 
-    -- To modify the configuration items on the interface after signing in with TiDB Dashboard, the user-defined SQL user must be granted with the following privilege:
+2. Grant the `dashboard_access` role to other users and set `dashboard_access` as the default role:
 
     ```sql
-    GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'dashboardAdmin'@'%';
+    CREATE USER 'dashboardAdmin'@'%' IDENTIFIED BY '<YOUR_PASSWORD>';
+    GRANT 'dashboard_access' TO 'dashboardAdmin'@'%';
+    -- You need to set dashboard_access as the default role to the user
+    SET DEFAULT ROLE dashboard_access to 'dashboardAdmin'@'%';
     ```
 
-## Sign in with TiDB Dashboard
+After the above steps, you can use the `dashboardAdmin` user to sign in to TiDB Dashboard.
+
+## Sign in to TiDB Dashboard
 
-After creating an SQL user that meets the privilege requirements of TiDB Dashboard, you can use this user to [Sign in](/dashboard/dashboard-access.md#Sign in) with TiDB Dashboard.
+After creating an SQL user that meets the privilege requirements of TiDB Dashboard, you can use this user to [Sign in](/dashboard/dashboard-access.md#sign-in) to TiDB Dashboard.