diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md index 6eee18a9..4d90d15c 100644 --- a/docs/platform/concepts/permissions.md +++ b/docs/platform/concepts/permissions.md 
@@ -8,53 +8,65 @@ To give users access to projects and services in your organizations, you grant t group of resources. * **Roles**: Sets of permissions that you can assign to a principal. -Principals can be: -* [Organization users](/docs/platform/howto/manage-org-users) -* [Application users](/docs/platform/concepts/application-users) -* [Groups](/docs/platform/howto/manage-groups) +Principals are +[organization users](/docs/platform/howto/manage-org-users), +[application users](/docs/platform/concepts/application-users), +and [groups](/docs/platform/howto/manage-groups). -You can -[grant access to principals at the project level](/docs/platform/howto/manage-permissions). -You can also [add users to services](/docs/platform/howto/create_new_service_user). +You can grant access to principals at the organization and project level. -To grant access to resources at the organization level, you can -make organization users [super admin](/docs/platform/howto/make-super-admin). -Limit the number of users with this role as it gives unrestricted access to -all organization resources including billing, admin, and all projects and services. +To give users access to a specific service, +[create service users](/docs/platform/howto/create_new_service_user). -## Project roles +## Organization roles and permissions -You can grant the following roles for projects to principals. +You can grant the following roles and permissions to principals at the organization level. +Roles and permissions at this level apply to the organization and all units, projects, +and services within it. 
-| Console name | API name | Permissions | -| ----------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Admin | `admin` | | -| Developer | `developer` | | -| Operator | `operator` | | -| Read only | `read_only` | | -| Maintain services | `role:services:maintenance` | | -| Recover services | `role:services:recover` | | +### Organization roles -Project admin do not have access to organization settings such as billing unless -they are also a [super admin](/docs/platform/howto/make-super-admin). +| Console name | API name | Allowed actions | +| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Organization member | None | This is the default role for all organization users. **You cannot grant this role to users.**

All non-managed organization users can:
[Managed users](/docs/platform/concepts/managed-users) have more restrictions. | +| Admin | `role:organization:admin` | | -## Project and service permissions +### Organization permissions -:::important -Permissions are not yet fully supported in the Aiven Console. They are intended for -use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes®. -::: +| Console name | API name | Allowed actions | +| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Manage application users | `organization:app_users:write` | | +| View organization audit log | `organization:audit_logs:read` | | +| Manage domains | `organization:domains:write` | | +| Manage groups | `organization:groups:write` | | +| Manage IdPs | `organization:idps:write` | | +| Manage organization users | `organization:users:write` | | -You can grant the following permissions to principals. The actions listed for each -permission apply to the project and all services within it. + +## Project roles and permissions +You can grant the following roles and permissions to principals. Roles and permissions +granted at this level apply to the project and all services within it. 
+ +### Project roles + +| Console name | API name | Permissions | +| ----------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Admin | `admin` | | +| Developer | `developer` | | +| Operator | `operator` | | +| Read only | `read_only` | | +| Maintain services | `role:services:maintenance` | | +| Recover services | `role:services:recover` | | + +### Project permissions | Console name | API name | Allowed actions | | ---------------------------- | ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| View project audit log | `project:audit_logs:read` | | +| View project audit logs | `project:audit_logs:read` | | | View project integrations | `project:integrations:read` | | | Manage project integrations | `project:integrations:write` | | -| View project networking | `project:networking:read` | | -| Manage project networking | `project:networking:write` | | +| View project networking | `project:networking:read` | | +| Manage project networking | `project:networking:write` | | | View project permissions | `project:permissions:read` | | | View services | `project:services:read` | | | Manage services | 
`project:services:write` | | @@ -62,4 +74,4 @@ permission apply to the project and all services within it. | Access data | `service:data:write` | | | View service logs | `service:logs:read` | **Service logs may contain sensitive information.** | | View configuration secrets | `service:secrets:read` | | -| Manage service users | `service:users:write` | | +| Manage service users | `service:users:write` | | diff --git a/docs/platform/howto/make-super-admin.md b/docs/platform/howto/make-super-admin.md index 6f1702dc..12c931e6 100644 --- a/docs/platform/howto/make-super-admin.md +++ b/docs/platform/howto/make-super-admin.md @@ -4,11 +4,9 @@ title: Super admin import ConsoleLabel from "@site/src/components/ConsoleIcons" -The super admin role has full access to an organization, its billing and settings, and all its organizational units, projects, and services. +The super admin role is a special role that has unrestricted access to an organization and all of its resources. This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa) for super admin. -## Make a user a super admin - -To give a user full access to your organization: +To make a user a super admin: 1. In the organization, click **Admin**. 1. Click . @@ -16,8 +14,3 @@ To give a user full access to your organization: To revoke super admin privileges for a user, follow the same steps and select **Revoke super admin**. - -## Related pages - -- [Manage organization users](/docs/platform/howto/manage-org-users) -- [Permissions](/docs/platform/concepts/permissions) diff --git a/docs/platform/howto/manage-permissions.md b/docs/platform/howto/manage-permissions.md index f51fb475..4e4d2383 100644 --- a/docs/platform/howto/manage-permissions.md 
+++ b/docs/platform/howto/manage-permissions.md 
@@ -5,9 +5,64 @@ title: Manage permissions import ConsoleLabel from "@site/src/components/ConsoleIcons" import {ConsoleIcon} from "@site/src/components/ConsoleIcons" -You can give users and groups access to a project and the services in it by granting them roles and permissions for that project. +You can grant [organization users](/docs/platform/howto/manage-org-users), [application users](/docs/platform/concepts/application-users), and [groups](/docs/platform/howto/manage-groups) access at the organization and project level through [roles and permissions](/docs/platform/concepts/permissions). -## Grant project permissions to a user or group +:::important +When you remove permissions from a user or group, service credentials are not changed. +Users can still directly access services if they know the service credentials. To prevent +this type of access, reset all service passwords. +::: + +## Organization permissions + +### Grant organization permissions to a user or group + +1. In the organization, click **Admin**. + +1. Click . + +1. Click **Grant permissions** and select **Grant to users** or **Grant to groups**. + +1. Select the users or groups, and the + [roles and permissions](/docs/platform/concepts/permissions) to grant. + +1. Click **Grant permissions**. + +### Change organization permissions for a user or group + +1. In the organization, click **Admin**. + +1. Click . + +1. For the user or group click > + **Edit permissions**. + +1. Add or remove permissions and click **Save changes**. + +### Remove all organization-level roles and permissions + +You can remove all organization-level permissions that you granted to a user or group. +After removing the permissions, organization users have the +[default access level](/docs/platform/concepts/permissions#organization-roles-and-permissions) +to the organization. + +To remove all organization permissions for a user or group: + +1. In the organization, click **Admin**. + +1. Click . + +1. 
For the user or group click > + **Remove**. + +1. Click **Remove user** or **Remove group** to confirm. + +## Project permissions + +You can give users access to a specific project by granting them roles and permissions +at the project level. + +### Grant project permissions to a user or group 1. In the project, click . @@ -19,7 +74,7 @@ You can give users and groups access to a project and the services in it by gran 1. Click **Grant permissions**. -## Change permissions for a user or group +### Change permissions for a user or group 1. In the project, click . @@ -28,13 +83,7 @@ You can give users and groups access to a project and the services in it by gran 1. Add or remove permissions and click **Save changes**. -## Remove access to a project - -:::important -When you remove permissions from a user or group, service credentials are not changed. -Users can still directly access services if they know the service credentials. To prevent -this type of access, reset all service passwords. -::: +### Remove all project-level roles and permissions To remove all permissions to a project: diff --git a/src/components/ConsoleIcons/index.tsx b/src/components/ConsoleIcons/index.tsx index 4ab14300..b5ca41b6 100644 --- a/src/components/ConsoleIcons/index.tsx +++ b/src/components/ConsoleIcons/index.tsx @@ -201,6 +201,12 @@ export default function ConsoleLabel({name}): ReactElement { Permissions ); + case 'orgpermissions': + return ( + <> + Permissions + + ); case 'users': return ( <>
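Review bot: in the `permissions.md` hunk (`@@ -8,53 +8,65 @@`), the `Organization member` row of the new `### Organization roles` table breaks the Markdown table: its `Allowed actions` cell is split over several lines (`This is the default role for all organization users. ...`, a blank line, `All non-managed organization users can:`, then `[Managed users](...) have more restrictions. |`). Markdown table cells cannot contain line breaks, so the `Admin` row after it will not render as part of the table. Keep the cell on one line (use `<br/>` for the break) or move the "All non-managed organization users can" text to a paragraph below the table. Two removals in the same hunk also deserve a replacement: the sentence `Project admin do not have access to organization settings such as billing unless they are also a super admin` is gone, and now that a `role:organization:admin` role exists, the project roles section should state explicitly whether project `admin` grants any organization-level access, because that boundary is what readers use to size the blast radius of a project role; and the removed `:::important` saying permissions are not yet fully supported in the Aiven Console should be replaced with a note on current Console support if that is still the case.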
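Review bot: in the first `make-super-admin.md` hunk (`@@ -4,11 +4,9 @@`), the two-factor authentication recommendation is the last sentence of a long introductory paragraph, while the same docs use `:::important` admonitions for guidance of this kind (see `manage-permissions.md` in this patch). Since the paragraph itself says the role has unrestricted access to the organization and all of its resources, move `Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa) for super admin.` into its own admonition so it is not lost in the prose. The new paragraph is also a single unwrapped line, whereas the rest of the file wraps at roughly 80 columns; wrap it to match.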
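Review bot: in the second `make-super-admin.md` hunk (`@@ -16,8 +14,3 @@`), deleting `## Related pages` drops the only link from this page to `/docs/platform/howto/manage-org-users`; the new intro keeps the link to `/docs/platform/concepts/permissions` but not that one. Either keep the section or link the page inline, for example in the sentence about revoking super admin privileges, so readers can get from here to the page that manages the users they are granting or revoking.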
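Review bot: in the first `manage-permissions.md` hunk (`@@ -5,9 +5,64 @@`), the confirmation step under `### Remove all organization-level roles and permissions` reads `Click **Remove user** or **Remove group** to confirm`, which suggests the principal is removed from the organization, while the section text says that afterwards organization users have the default access level. Clarify in that step that the user or group stays in the organization and only the granted roles and permissions are removed (or check that the button label is really `Remove user`). The organization-level grant steps also do not say which role is needed to perform them (super admin or the new organization admin role); add that so readers know who can hand out `role:organization:admin`. Moving the `:::important` about unchanged service credentials to the page intro is right, since it now applies to both the organization-level and project-level removal sections.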
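Review bot: in the third `manage-permissions.md` hunk (`@@ -28,13 +83,7 @@`), removing the `:::important` block from next to the project removal steps means a reader who lands on `### Remove all project-level roles and permissions` through its anchor no longer sees the warning that service credentials are unchanged. Keep a one-line reminder here, for example `Removing permissions does not change service credentials; see the note at the top of this page.`, since resetting service passwords is the step that actually cuts off access.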
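Review bot: in the `src/components/ConsoleIcons/index.tsx` hunk (`@@ -201,6 +201,12 @@`), the new `case 'orgpermissions':` renders the same visible label `Permissions` as the existing `case 'permissions':` directly above it. If the two labels are meant to differ (for example a different icon), that difference is not visible in this hunk and the org-level one should say so, for example `Organization permissions`, so the console labels in the docs are distinguishable; if they are identical, collapse the two branches into one with a fall-through (`case 'permissions':` followed by `case 'orgpermissions':`) rather than duplicating the returned fragment.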