update: add project-level permissions and roles (#558)
staceysalamon-aiven authored Nov 13, 2024
1 parent ce1d329 commit 2e636c7
Showing 12 changed files with 17 additions and 46 deletions.
2 changes: 1 addition & 1 deletion .vscode/aiven.code-snippets
Expand Up @@ -17,7 +17,7 @@
"prefix": "Required access",
"body": [
"## Required access",
"You must be a ${1|[super admin](/docs/platform/howto/make-super-admin),[project admin](/docs/platform/reference/project-member-privileges),[project operator](/docs/platform/reference/project-member-privileges)|} to access this feature."
"You must be a ${1|[super admin](/docs/platform/howto/make-super-admin),[project admin](/docs/platform/concepts/permissions),[project operator](/docs/platform/concepts/permissions)|} to access this feature."
],
"description": "Inserts a section with information on what role is needed to access a feature"
},
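Review bot: the snippet choice list in `"You must be a ${1|...|} to access this feature."` still offers only super admin, project admin and project operator, while this same commit adds `role:services:maintenance` and `role:services:recover` to the roles table in docs/platform/concepts/permissions.md; consider adding choices for the new roles so a Required access section can reference them. The project admin and project operator entries also now resolve to the same URL, so pointing each at its own anchor on the permissions page would keep the generated links meaningful.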
2 changes: 1 addition & 1 deletion docs/get-started.md
Expand Up @@ -170,7 +170,7 @@ Add users to groups to streamline access management to your Aiven projects and s
description="Create and add users to groups."
/>
<Card
to="/docs/platform/reference/project-member-privileges"
to="/docs/platform/concepts/permissions"
iconName="book"
title="Project member roles"
description="View project permissions you can assign to users and groups."
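Review bot: `title="Project member roles"` and the description "View project permissions you can assign to users and groups." still describe the deleted page while `to` now points at /docs/platform/concepts/permissions; the other hunks in this commit rename the link text to "Permissions" or "roles and permissions", so update the Card title and description here to match.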
6 changes: 6 additions & 0 deletions docs/platform/concepts/permissions.md
Expand Up @@ -30,6 +30,8 @@ You can grant the following roles for projects to principals.
| Developer | `developer` | <ul> <li> Create databases. </li> <li> View service connection information. </li> <li> Remove Aiven for OpenSearch® indexes. </li> <li> Create and change Aiven for Apache Kafka® topics. </li> <li> Create and change Aiven for PostgreSQL® connection pools. </li> <li> Create and change service database users. </li> </ul> |
| Operator | `operator` | <ul> <li> View project audit log. </li> <li> View project permissions. </li> <li> Full access to all services in the project and their configuration. </li> </ul> |
| Read only | `read_only` | <ul> <li> View all services and their configuration. </li> </ul> |
| Maintain services | `role:services:maintenance` | <ul> <li> Perform service maintenance updates. </li> <li> Change maintenance windows. </li> <li> Upgrade service versions. </li> </ul> |
| Recover services | `role:services:recover` | <ul> <li> Add and remove dynamic disk sizing and tiered storage. </li> <li> Change service plans. </li> <li> Fork services. </li> <li> Promote read replicas. </li> </ul> |

Project admin do not have access to organization settings such as billing unless
they are also a [super admin](/docs/platform/howto/make-super-admin).
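Review bot: the new `role:services:recover` row grants "Change service plans", "Fork services" and "Add and remove dynamic disk sizing and tiered storage", all of which also appear under `project:services:write` further down the page; state which grant is the intended way to give these capabilities and whether the role alone suffices, since a fork creates a full copy of a service's data and a plan change has cost impact, so readers auditing who can do this need one clear answer. Two style points in the same hunk: the new identifiers use the `role:services:*` form while the existing rows use bare names (`developer`, `operator`, `read_only`), which deserves a sentence of explanation or a consistent form, and the context line "Project admin do not have access" should read "Project admins do not have access".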
Expand All @@ -53,5 +55,9 @@ permission apply to the project and all services within it.
| Manage project networking | `project:networking:write` | <ul> <li> Add, edit, and remove project VPCs. </li> </ul> |
| View project permissions | `project:permissions:read` | <ul> <li> View all users granted permissions to a project. </li> </ul> |
| View services | `project:services:read` | <ul> <li> View all details for services in a project, except the service logs. </li> </ul> |
| Manage services | `project:services:write` | <ul> <li> Create and delete services. </li> <li> Power on and off services. </li> <li> Add and remove dynamic disk sizing and tiered storage. </li> <li> Change service plans. </li> <li> Change cloud regions. </li> <li> Fork services. </li> </ul> |
| Manage service configuration | `service:configuration:write` | <ul> <li> Change clouds and regions. </li> <li> Change deployment models. </li> <li> Update IP allowlists. </li> <li> Change the network configuration options. </li> <li> Add and remove service tags. </li> <li> Enable and disable termination protection. </li> <li> Configure backup settings. </li> <li> Add and remove service contacts. </li> </ul> |
| Access data | `service:data:write` | <ul> <li> Perform service queries through the API and Console. </li> <li> View query statistics and current queries. </li> <li> Manage service-specific features like Kafka Topics and Schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes. </li> </ul> |
| View service logs | `service:logs:read` | <ul> <li> View logs for all services in the project. </li> </ul> **Service logs may contain sensitive information.** |
| View configuration secrets | `service:secrets:read` | <ul> <li> Read service configuration secrets such as keys. </li> </ul> |
| Manage service users | `service:users:write` | <ul> <li> Create and delete service users. </li> <li> View and update connection information for services. </li> </ul> |
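Review bot: `service:logs:read` carries the bold callout "Service logs may contain sensitive information." but `service:secrets:read` ("Read service configuration secrets such as keys") and `service:users:write` ("View and update connection information for services") expose material that is at least as sensitive with no callout; add a matching warning to those rows, or move the note to a sentence above the table, so the table does not read as if secrets were lower risk than logs. Minor: "Kafka Topics and Schemas" in the `service:data:write` row is capitalized differently from "Apache Kafka® topics" in the roles table above.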
2 changes: 1 addition & 1 deletion docs/platform/concepts/projects.md
Expand Up @@ -3,4 +3,4 @@ title: Projects
---

<!-- vale off -->
Use projects to [create collections](/docs/platform/howto/manage-project) of related services and [manage access](/docs/platform/reference/project-member-privileges) to its services.
Use projects to [create collections](/docs/platform/howto/manage-project) of related services and [manage access](/docs/platform/concepts/permissions) to its services.
4 changes: 2 additions & 2 deletions docs/platform/howto/add-groups-projects.md
Expand Up @@ -4,7 +4,7 @@ title: Add groups to projects

import ConsoleLabel from "@site/src/components/ConsoleIcons"

Give [groups](/docs/platform/howto/manage-groups) of organization users access to a project and the services in it by adding groups to it. When you add a group, you grant permissions to all users in the group by assigning the group [roles](/docs/platform/reference/project-member-privileges) for that specific project.
Give [groups](/docs/platform/howto/manage-groups) of organization users access to a project and the services in it by adding groups to it. When you add a group, you grant permissions to all users in the group by assigning the group [roles and permissions](/docs/platform/concepts/permissions) for that specific project.

## Add groups to a project

Expand All @@ -20,4 +20,4 @@ the <ConsoleLabel name="actions"/> for that group.
## Related pages

- [Manage projects](/docs/platform/howto/manage-project)
- [Project member roles](/docs/platform/reference/project-member-privileges)
- [Permissions](/docs/platform/concepts/permissions)
2 changes: 1 addition & 1 deletion docs/platform/howto/add-project-members.md
Expand Up @@ -16,7 +16,7 @@ Users can be added individually or as part of a user

1. Select the users or groups to add to the project.

1. Select a **Role**. The [role](/docs/platform/reference/project-member-privileges)
1. Select a **Role**. The [role](/docs/platform/concepts/permissions)
will be assigned to all users in all selected groups.

1. Click **Add users** or **Add groups**.
2 changes: 1 addition & 1 deletion docs/platform/howto/make-super-admin.md
Expand Up @@ -20,4 +20,4 @@ select **Revoke super admin**.
## Related pages
<!-- vale off -->
- [Manage organization users](/docs/platform/howto/manage-org-users)
- [Project member roles](/docs/platform/reference/project-member-privileges)
- [Permissions](/docs/platform/concepts/permissions)
2 changes: 1 addition & 1 deletion docs/platform/howto/manage-vpc-peering.md
Expand Up @@ -24,7 +24,7 @@ To set up VPC peering for your Aiven project:
<!-- vale off -->
:::note
**Admin** and **operator**
[project member roles](/docs/platform/reference/project-member-privileges)
[project member roles](/docs/platform/concepts/permissions)
can create a VPC.
:::
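Review bot: the note still says only the **Admin** and **operator** roles can create a VPC, but the permissions page this link now targets lists `project:networking:write` ("Add, edit, and remove project VPCs") as a standalone permission; name that permission alongside the two roles so a principal granted the permission without either role is covered, and so the note stays accurate if role contents change.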

36 changes: 0 additions & 36 deletions docs/platform/reference/project-member-privileges.md

This file was deleted.

2 changes: 1 addition & 1 deletion docs/products/kafka/howto/enable-governance.md
Expand Up @@ -108,4 +108,4 @@ To change global topic configurations after enabling governance:
## Related pages
<!-- vale off -->
- [Aiven for Apache Kafka® governance overview](/docs/products/kafka/concepts/governance-overview)
- [Project member roles and permissions](/docs/platform/reference/project-member-privileges)
- [Project member roles and permissions](/docs/platform/concepts/permissions)
2 changes: 1 addition & 1 deletion docs/products/kafka/howto/prevent-full-disks.md
Expand Up @@ -126,7 +126,7 @@ few minutes to remove the associated data files from the disk. Once complete, th
access control list (ACL) updates to allow write operations.
<!-- vale off -->
:::note
[Admin](/docs/platform/reference/project-member-privileges) access is required to
[Admin](/docs/platform/concepts/permissions) access is required to
perform this action.
:::
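Review bot: "[Admin](/docs/platform/concepts/permissions) access is required" names only a role, yet the target page now documents granular permissions; consider stating which permission covers the ACL update so a reader holding a narrower grant can tell from this note whether they can perform the step.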

1 change: 1 addition & 0 deletions static/_redirects
Expand Up @@ -77,6 +77,7 @@
/platform/howto/update-tax-status https://aiven.io/docs/platform/concepts/tax-information
/platform/ip-addresses https://aiven.io/docs/platform/reference/service-ip-address
/platform/privatelink https://aiven.io/docs/platform/howto/use-aws-privatelinks
/platform/reference/project-member-privileges https://aiven.io/docs/platform/concepts/permissions
/platform/vpc https://aiven.io/docs/platform/howto/manage-vpc-peering
/products/caching/concepts https://aiven.io/docs/docs/products/caching/concepts/high-availability-redis
/products/caching/concepts/overview https://aiven.io/docs/products/caching
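Review bot: the context line `/products/caching/concepts https://aiven.io/docs/docs/products/caching/concepts/high-availability-redis` has a doubled `/docs/docs/` path segment that looks like a typo worth fixing while this file is open; the added `/platform/reference/project-member-privileges` redirect itself is consistent with its neighbours and covers the deleted docs/platform/reference/project-member-privileges.md, so old inbound links keep resolving.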