preview: permissions

docs/platform/concepts/orgs-units-projects.md

@@ -25,7 +25,8 @@ organization to create a hierarchical structure that fits your needs.
 
 Organizations also let you centrally manage settings like:
 
-- [Domains and identity providers](/docs/platform/howto/list-identity-providers):
+- [Domains](/docs/platform/howto/manage-domains) and
+  [identity providers](/docs/platform/howto/saml/add-identity-providers):
    Only available at the organization level
 - [Authentication policies](/docs/platform/howto/set-authentication-policies):
    Only available on the organization level

docs/platform/concepts/permissions.md

@@ -0,0 +1,75 @@
+---
+title: Roles and permissions
+---
+
+To give users access to projects and services in your organizations, you can grant them permissions and roles. You grant access to principals at the project level:
+
+* **Permissions**: Actions that a principal can perform on a resource or group of resources.
+* **Role**: A set of permissions that assigned to a principal.
+
+Principals are organization users, application users, and groups. Resources are any
+object in the platform such as users, projects, logs, and features.
+
+To grant users access to resources at the organization level, you can
+make them super admin. Limit the number of users with this role as it
+gives unrestricted access to all organization resources including billing,
+admin, and all projects and services.
+
+<!--
+To give users access to your organization's resources, you can grant them permissions and roles. You can grant these at the organization and project level.
+
+When you grant permissions and roles at the organization level, you give users access
+to all projects and services within your organization. You can limit the scope by
+granting permissions and roles for specific projects.
+
+
+
+## Organization permissions
+
+Super admin, other roles.
+-->
+
+## Project and service permissions
+
+You can grant the following permissions to users, application users, and groups.
+The actions listed for each permission apply to the project and all services within
+it.
+
+| Console name | API name | Allowed actions |
+| ------------ | -------- | --------------- |
+| Manage service deployments | `project:services:write` | Create and delete services <br/> Power services on and off <br/> Add and remove storage <br/> Change service plans <br/> Change cloud regions <br/> Fork services |
+| View services | `project:services:read` | View all services and their configuration |
+| Manage project integrations | `project:integrations:write` | Add and remove integration endpoints <br/> View and change integration secrets |
+| View project integrations | `project:integrations:read` | View all integration endpoints |
+
+
+## Roles
+
+### Admin
+
+Admin have full access to the project and its services. Every project has at least
+one admin user. This role is automatically granted to users who create a project.
+Project admin do not have access to organization settings such as billing unless
+they are also a [super admin](/docs/platform/howto/make-super-admin).
+
+### Operator
+
+- Create and delete services
+- Power on and off services
+- Apply maintenance updates
+- Change maintenance windows
+- ...
+
+
+### Developer
+
+- Create databases
+- Connect to databases
+- Remove Aiven for OpenSearch® indexes
+- Create and change Aiven for Apache Kafka® topics
+- Create and change Aiven for PostgreSQL® connection pools
+- Create and change service database users
+
+### Read-only
+
+View all services and ...

docs/platform/concepts/projects.md

@@ -2,4 +2,5 @@
 title: Projects
 ---
 
+<!-- vale off -->
 Use projects to [create collections](/docs/platform/howto/manage-project) of related services and [manage access](/docs/platform/reference/project-member-privileges) to its services.

docs/platform/howto/add-groups-projects.md

@@ -4,6 +4,7 @@ title: Add groups to projects
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"
 
+<!-- vale off -->
 Give [groups](/docs/platform/howto/manage-groups) of organization users access to a project and the services
 in it by adding groups to it. When you add a group, you set the
 permission level by assigning the group a

docs/platform/howto/add-project-members.md

@@ -4,6 +4,7 @@ title: Add users and groups to projects
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"
 
+<!-- vale off -->
 You can give [users in your organization](/docs/platform/howto/manage-groups) access to a project and the services in it by adding them to the project.
 
 Users can be added individually or as part of a user

docs/platform/howto/make-super-admin.md

@@ -18,6 +18,6 @@ To revoke super admin privileges for a user, follow the same steps and
 select **Revoke super admin**.
 
 ## Related pages
-
+<!-- vale off -->
 - [Manage organization users](/docs/platform/howto/manage-org-users)
 - [Project member roles](/docs/platform/reference/project-member-privileges)

docs/platform/howto/manage-groups.md

@@ -1,5 +1,5 @@
 ---
-title: Create and manage groups in an organization
+title: Manage groups of users
 ---
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"

docs/platform/howto/manage-permissions.md

@@ -0,0 +1,29 @@
+---
+title: Manage roles and permissions
+---
+
+import ConsoleLabel from "@site/src/components/ConsoleIcons"
+
+Introduction
+
+## Add users and groups to projects
+
+Users can be added individually or as part of a user
+[group](/docs/platform/howto/list-groups):
+
+1. In the project, click <ConsoleLabel name="projectpermissions"/>.
+
+1. Click **Add users** and select **Add users** or **Add groups**.
+
+1. Select the users or groups to add to the project.
+<!-- vale off -->
+1. Select a **Role**. The [role](/docs/platform/reference/project-member-privileges)
+   will be assigned to all users in all selected groups.
+
+1. Click **Add users** or **Add groups**.
+## Change permissions for a user or group
+
+1. Org > Project
+1. Permissions
+1. Actions > Change role
+1. ...

docs/platform/howto/manage-vpc-peering.md

@@ -21,7 +21,7 @@ To set up VPC peering for your Aiven project:
     <ConsoleLabel name="services"/> > <ConsoleLabel name="vpcs"/>.
 
 1.  Click **Create VPC**.
-
+<!-- vale off -->
     :::note
     **Admin** and **operator**
     [project member roles](/docs/platform/reference/project-member-privileges)

docs/products/kafka/howto/enable-governance.md

@@ -106,6 +106,6 @@ To change global topic configurations after enabling governance:
   new default governance group.
 
 ## Related pages
-
+<!-- vale off -->
 - [Aiven for Apache Kafka® governance overview](/docs/products/kafka/concepts/governance-overview)
 - [Project member roles and permissions](/docs/platform/reference/project-member-privileges)

docs/products/kafka/howto/prevent-full-disks.md

@@ -124,7 +124,7 @@ Parameters:
 Deleting topics frees up the disk space they used. The log cleaner process can take a
 few minutes to remove the associated data files from the disk. Once complete, the
 access control list (ACL) updates to allow write operations.
-
+<!-- vale off -->
 :::note
 [Admin](/docs/platform/reference/project-member-privileges) access is required to
 perform this action.

docs/tools/aiven-console.md

@@ -56,11 +56,10 @@ groups, billing groups, and SAML authentication.
 
 Organization and organizational unit settings are available on the
 **Admin** page where you can:
-
 -   [Manage your groups](/docs/platform/howto/manage-groups)
 -   Create new projects under an organization or organizational unit
 -   Configure
-    [authentication policies for an organization](/docs/platform/howto/list-authentication)
+    [authentication policies for an organization](/docs/platform/howto/set-authentication-policies)
 -   View logs of activity such as the adding or removing of users,
     changing authentication methods, and more
 -   Rename or delete an organization or organizational unit

docs/tools/aiven-console/howto/create-manage-teams.md

@@ -1,5 +1,5 @@
 ---
-title: Create and manage teams
+title: Manage teams
 ---
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"

sidebars.ts

@@ -65,8 +65,6 @@ const sidebars: SidebarsConfig = {
               },
               items: [
                 'platform/howto/manage-project',
-                'platform/howto/add-project-members',
-                'platform/reference/project-member-privileges',
                 'platform/howto/technical-emails',
                 'platform/howto/manage-unassigned-projects',
                 'platform/howto/reactivate-suspended-project',
@@ -114,75 +112,66 @@ const sidebars: SidebarsConfig = {
           type: 'category',
           label: 'User and access management',
           items: [
-            'platform/howto/manage-org-users',
-            'platform/howto/make-super-admin',
-            'platform/concepts/application-users',
-            'platform/howto/manage-application-users',
-            'platform/howto/delete-user',
             {
               type: 'category',
-              label: 'User profiles',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-user-profile',
-              },
+              label: 'Organization user management',
               items: [
-                'platform/howto/edit-user-profile',
-                'platform/howto/change-your-email-address',
+                'platform/howto/manage-org-users',
+                'platform/concepts/application-users',
+                'platform/howto/manage-application-users',
+                'platform/concepts/managed-users',
+                'platform/howto/manage-groups',
+                'tools/aiven-console/howto/create-manage-teams',
               ],
             },
             {
               type: 'category',
-              label: 'Authentication methods',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-authentication',
-              },
+              label: 'Permissions',
               items: [
-                'platform/howto/add-authentication-method',
-                'platform/reference/password-policy',
-                'platform/howto/user-2fa',
-                'platform/howto/set-authentication-policies',
-                'platform/concepts/authentication-tokens',
-                'platform/howto/create_authentication_token',
+                'platform/concepts/permissions',
+                'platform/howto/manage-permissions',
+                'platform/howto/make-super-admin',
               ],
             },
             {
               type: 'category',
-              label: 'Identity providers and domains',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-identity-providers',
-              },
-              items: [
-                'platform/concepts/managed-users',
-                'platform/howto/manage-domains',
-                'platform/howto/saml/add-identity-providers',
-                'platform/howto/saml/add-auth0-idp',
-                'platform/howto/saml/add-fusionauth-idp',
-                'platform/howto/saml/add-google-idp',
-                'platform/howto/saml/add-jumpcloud-idp',
-                'platform/howto/saml/add-azure-idp',
-                'platform/howto/saml/add-okta-idp',
-                'platform/howto/okta-user-provisioning-with-scim',
-                'platform/howto/saml/add-onelogin-idp',
-              ],
-            },
-            {
-              type: 'category',
-              label: 'Groups',
-              link: {
-                type: 'doc',
-                id: 'platform/howto/list-groups',
-              },
+              label: 'User profiles',
               items: [
-                'platform/howto/manage-groups',
-                'platform/howto/add-groups-projects',
-                'tools/aiven-console/howto/create-manage-teams',
+                'platform/howto/edit-user-profile',
+                'platform/howto/change-your-email-address',
+                'platform/howto/delete-user',
               ],
             },
           ],
         },
+        {
+          type: 'category',
+          label: 'Authentication methods',
+          items: [
+            'platform/howto/add-authentication-method',
+            'platform/reference/password-policy',
+            'platform/howto/user-2fa',
+            'platform/howto/set-authentication-policies',
+            'platform/concepts/authentication-tokens',
+            'platform/howto/create_authentication_token',
+          ],
+        },
+        {
+          type: 'category',
+          label: 'Identity providers and domains',
+          items: [
+            'platform/howto/manage-domains',
+            'platform/howto/saml/add-identity-providers',
+            'platform/howto/saml/add-auth0-idp',
+            'platform/howto/saml/add-fusionauth-idp',
+            'platform/howto/saml/add-google-idp',
+            'platform/howto/saml/add-jumpcloud-idp',
+            'platform/howto/saml/add-azure-idp',
+            'platform/howto/saml/add-okta-idp',
+            'platform/howto/okta-user-provisioning-with-scim',
+            'platform/howto/saml/add-onelogin-idp',
+          ],
+        },
         {
           type: 'category',
           label: 'Service management',

static/_redirects

@@ -50,6 +50,7 @@
 /platform/howto/list-billing                           https://aiven.io/docs/platform/concepts/billing-and-payment
 /platform/howto/list-billing-groups                    https://aiven.io/docs/platform/concepts/billing-groups
 /platform/howto/list-byoc                              https://aiven.io/docs/platform/concepts/byoc
+/platform/howto/list-identity-providers                https://aiven.io/docs/platform/howto/saml/add-identity-providers
 /platform/howto/list-network                           https://aiven.io/docs/platform/concepts/cloud-security
 /platform/howto/list-user                              https://aiven.io/docs/platform/howto/manage-org-users
 /platform/howto/metrics-integrations                   https://aiven.io/docs/platform/howto/list-monitoring