preview: permissions

aiven · Sep 19, 2024 · b183d15 · b183d15
1 parent 0c4a605
commit b183d15
Show file tree

Hide file tree

Showing 17 changed files with 189 additions and 61 deletions.
diff --git a/docs/platform/concepts/orgs-units-projects.md b/docs/platform/concepts/orgs-units-projects.md
@@ -24,7 +24,7 @@ When you sign up to Aiven, an organization is created for you. You can use your
 organization to create a hierarchical structure that fits your needs.
 
 Organizations also let you centrally manage settings like:
-
+<!-- vale off -->
 - [Domains and identity providers](/docs/platform/howto/list-identity-providers):
    Only available at the organization level
 - [Authentication policies](/docs/platform/howto/set-authentication-policies):

diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md
@@ -0,0 +1,126 @@
+---
+title: Roles and permissions
+---
+
+To give users access to projects and services in your organizations, you can grant them permissions and roles. You grant access to principals at the project level:
+
+* **Permissions**: Actions that a principal can perform on a resource or group of resources.
+* **Role**: A set of permissions that assigned to a principal.
+
+Principals are organization users, application users, and groups. Resources are any
+object in the platform such as users, projects, logs, and features.
+
+To grant users access to resources at the organization level, you can
+make them super admin. Limit the number of users with this role as it
+gives unrestricted access to all organization resources including billing,
+admin, and all projects and services.
+
+<!--
+To give users access to your organization's resources, you can grant them permissions and roles. You can grant these at the organization and project level.
+
+When you grant permissions and roles at the organization level, you give users access
+to all projects and services within your organization. You can limit the scope by
+granting permissions and roles for specific projects.
+
+
+
+## Organization permissions
+
+Super admin, other roles.
+-->
+
+## Project permissions
+
+You can grant the following permissions to users, application users, and groups.
+The actions listed for each permission apply to the project and all services within
+it.
+
+### Manage service deployments
+
+- Create and delete services
+- Power on and off services
+- Fork databases
+- Add and remove DDS
+- Activate and deactivate tiered storage
+- Change service plans
+- Change cloud providers and regions
+
+#### Manage connection secrets
+
+- Create and delete service user passwords
+- Change and reset service user passwords
+- View service user passwords
+- Create and delete keys
+- Change keys
+- View keys
+
+### Manage integrations
+
+- Add and delete integration endpoints
+- Change integration endpoints
+- Add and remove service integrations
+- View integration secrets
+
+### Maintain services
+
+- Apply maintenance updates
+- Change maintenance window
+- Upgrade service versions
+
+### Manage networking
+
+- Change cloud providers and regions
+- Set public IP filters
+- Add and modify network configuration options
+- Manage static IP addresses
+
+### Manage service users
+
+- Action
+- Action
+
+### Recover services
+
+### Query services
+
+### Configure services
+
+### View services
+
+### View service integrations
+
+### View ...
+
+
+
+
+## Roles
+
+### Admin
+
+Admin have full access to the project and its services. Every project has at least
+one admin user. This role is automatically granted to users who create a project.
+Project admin do not have access to organization settings such as billing unless
+they are also a [super admin](/docs/platform/howto/make-super-admin).
+
+### Operator
+
+- Create and delete services
+- Power on and off services
+- Apply maintenance updates
+- Change maintenance windows
+- ...
+
+
+### Developer
+
+- Create databases
+- Connect to databases
+- Remove Aiven for OpenSearch® indexes
+- Create and change Aiven for Apache Kafka® topics
+- Create and change Aiven for PostgreSQL® connection pools
+- Create and change service database users
+
+### Read-only
+
+View all services and ...
diff --git a/docs/platform/concepts/projects.md b/docs/platform/concepts/projects.md
@@ -2,4 +2,5 @@
 title: Projects
 ---
 
+<!-- vale off -->
 Use projects to [create collections](/docs/platform/howto/manage-project) of related services and [manage access](/docs/platform/reference/project-member-privileges) to its services.
diff --git a/docs/platform/howto/add-groups-projects.md b/docs/platform/howto/add-groups-projects.md
@@ -4,6 +4,7 @@ title: Add groups to projects
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"
 
+<!-- vale off -->
 Give [groups](/docs/platform/howto/manage-groups) of organization users access to a project and the services
 in it by adding groups to it. When you add a group, you set the
 permission level by assigning the group a

diff --git a/docs/platform/howto/add-project-members.md b/docs/platform/howto/add-project-members.md
@@ -4,6 +4,7 @@ title: Add users and groups to projects
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"
 
+<!-- vale off -->
 You can give [users in your organization](/docs/platform/howto/manage-groups) access to a project and the services in it by adding them to the project.
 
 Users can be added individually or as part of a user

diff --git a/docs/platform/howto/list-authentication.md b/docs/platform/howto/list-authentication.md
diff --git a/docs/platform/howto/list-identity-providers.md b/docs/platform/howto/list-identity-providers.md
diff --git a/docs/platform/howto/make-super-admin.md b/docs/platform/howto/make-super-admin.md
@@ -18,6 +18,6 @@ To revoke super admin privileges for a user, follow the same steps and
 select **Revoke super admin**.
 
 ## Related pages
-
+<!-- vale off -->
 - [Manage organization users](/docs/platform/howto/manage-org-users)
 - [Project member roles](/docs/platform/reference/project-member-privileges)
diff --git a/docs/platform/howto/manage-groups.md b/docs/platform/howto/manage-groups.md
@@ -1,5 +1,5 @@
 ---
-title: Create and manage groups in an organization
+title: Manage groups of users
 ---
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"

diff --git a/docs/platform/howto/manage-permissions.md b/docs/platform/howto/manage-permissions.md
@@ -0,0 +1,29 @@
+---
+title: Manage roles and permissions
+---
+
+import ConsoleLabel from "@site/src/components/ConsoleIcons"
+
+Introduction
+
+## Add users and groups to projects
+
+Users can be added individually or as part of a user
+[group](/docs/platform/howto/list-groups):
+
+1. In the project, click <ConsoleLabel name="projectpermissions"/>.
+
+1. Click **Add users** and select **Add users** or **Add groups**.
+
+1. Select the users or groups to add to the project.
+<!-- vale off -->
+1. Select a **Role**. The [role](/docs/platform/reference/project-member-privileges)
+   will be assigned to all users in all selected groups.
+
+1. Click **Add users** or **Add groups**.
+## Change permissions for a user or group
+
+1. Org > Project
+1. Permissions
+1. Actions > Change role
+1. ...
diff --git a/docs/platform/howto/manage-vpc-peering.md b/docs/platform/howto/manage-vpc-peering.md
@@ -21,7 +21,7 @@ To set up VPC peering for your Aiven project:
     <ConsoleLabel name="services"/> > <ConsoleLabel name="vpcs"/>.
 
 1.  Click **Create VPC**.
-
+<!-- vale off -->
     :::note
     **Admin** and **operator**
     [project member roles](/docs/platform/reference/project-member-privileges)

diff --git a/docs/products/kafka/howto/enable-governance.md b/docs/products/kafka/howto/enable-governance.md
@@ -106,6 +106,6 @@ To change global topic configurations after enabling governance:
   new default governance group.
 
 ## Related pages
-
+<!-- vale off -->
 - [Aiven for Apache Kafka® governance overview](/docs/products/kafka/concepts/governance-overview)
 - [Project member roles and permissions](/docs/platform/reference/project-member-privileges)
diff --git a/docs/products/kafka/howto/prevent-full-disks.md b/docs/products/kafka/howto/prevent-full-disks.md
@@ -124,7 +124,7 @@ Parameters:
 Deleting topics frees up the disk space they used. The log cleaner process can take a
 few minutes to remove the associated data files from the disk. Once complete, the
 access control list (ACL) updates to allow write operations.
-
+<!-- vale off -->
 :::note
 [Admin](/docs/platform/reference/project-member-privileges) access is required to
 perform this action.

diff --git a/docs/tools/aiven-console.md b/docs/tools/aiven-console.md
@@ -56,7 +56,7 @@ groups, billing groups, and SAML authentication.
 
 Organization and organizational unit settings are available on the
 **Admin** page where you can:
-
+<!-- vale off -->
 -   [Manage your groups](/docs/platform/howto/manage-groups)
 -   Create new projects under an organization or organizational unit
 -   Configure

diff --git a/docs/tools/aiven-console/howto/create-manage-teams.md b/docs/tools/aiven-console/howto/create-manage-teams.md
@@ -1,5 +1,5 @@
 ---
-title: Create and manage teams
+title: Manage teams
 ---
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"

diff --git a/sidebars.ts b/sidebars.ts
@@ -65,8 +65,6 @@ const sidebars: SidebarsConfig = {
               },
               items: [
                 'platform/howto/manage-project',
-                'platform/howto/add-project-members',
-                'platform/reference/project-member-privileges',
                 'platform/howto/technical-emails',
                 'platform/howto/manage-unassigned-projects',
                 'platform/howto/reactivate-suspended-project',
@@ -114,30 +112,39 @@ const sidebars: SidebarsConfig = {
           type: 'category',
           label: 'User and access management',
           items: [
-            'platform/howto/manage-org-users',
-            'platform/howto/make-super-admin',
-            'platform/concepts/application-users',
-            'platform/howto/manage-application-users',
-            'platform/howto/delete-user',
+            {
+              type: 'category',
+              label: 'Organization user management',
+              items: [
+                'platform/howto/manage-org-users',
+                'platform/concepts/application-users',
+                'platform/howto/manage-application-users',
+                'platform/concepts/managed-users',
+                'platform/howto/manage-groups',
+                'tools/aiven-console/howto/create-manage-teams',
+              ],
+            },
+            {
+              type: 'category',
+              label: 'Permissions',
+              items: [
+                'platform/concepts/permissions',
+                'platform/howto/manage-permissions',
+                'platform/howto/make-super-admin',
+              ],
+            },
             {
               type: 'category',
               label: 'User profiles',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-user-profile',
-              },
               items: [
                 'platform/howto/edit-user-profile',
                 'platform/howto/change-your-email-address',
+                'platform/howto/delete-user',
               ],
             },
             {
               type: 'category',
               label: 'Authentication methods',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-authentication',
-              },
               items: [
                 'platform/howto/add-authentication-method',
                 'platform/reference/password-policy',
@@ -150,12 +157,7 @@ const sidebars: SidebarsConfig = {
             {
               type: 'category',
               label: 'Identity providers and domains',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-identity-providers',
-              },
               items: [
-                'platform/concepts/managed-users',
                 'platform/howto/manage-domains',
                 'platform/howto/saml/add-identity-providers',
                 'platform/howto/saml/add-auth0-idp',
@@ -168,19 +170,6 @@ const sidebars: SidebarsConfig = {
                 'platform/howto/saml/add-onelogin-idp',
               ],
             },
-            {
-              type: 'category',
-              label: 'Groups',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-groups',
-              },
-              items: [
-                'platform/howto/manage-groups',
-                'platform/howto/add-groups-projects',
-                'tools/aiven-console/howto/create-manage-teams',
-              ],
-            },
           ],
         },
         {

diff --git a/static/_redirects b/static/_redirects
@@ -50,6 +50,7 @@
 /platform/howto/list-billing                           https://aiven.io/docs/platform/concepts/billing-and-payment
 /platform/howto/list-billing-groups                    https://aiven.io/docs/platform/concepts/billing-groups
 /platform/howto/list-byoc                              https://aiven.io/docs/platform/concepts/byoc
+/platform/howto/list-identity-providers                https://aiven.io/docs/platform/howto/saml/add-identity-providers
 /platform/howto/list-network                           https://aiven.io/docs/platform/concepts/cloud-security
 /platform/howto/list-user                              https://aiven.io/docs/platform/howto/manage-org-users
 /platform/howto/metrics-integrations                   https://aiven.io/docs/platform/howto/list-monitoring