diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md
index 6eee18a9..4d90d15c 100644
--- a/docs/platform/concepts/permissions.md
+++ b/docs/platform/concepts/permissions.md
@@ -8,53 +8,65 @@ To give users access to projects and services in your organizations, you grant t
group of resources.
* **Roles**: Sets of permissions that you can assign to a principal.
-Principals can be:
-* [Organization users](/docs/platform/howto/manage-org-users)
-* [Application users](/docs/platform/concepts/application-users)
-* [Groups](/docs/platform/howto/manage-groups)
+Principals are
+[organization users](/docs/platform/howto/manage-org-users),
+[application users](/docs/platform/concepts/application-users),
+and [groups](/docs/platform/howto/manage-groups).
-You can
-[grant access to principals at the project level](/docs/platform/howto/manage-permissions).
-You can also [add users to services](/docs/platform/howto/create_new_service_user).
+You can grant access to principals at the organization and project level.
-To grant access to resources at the organization level, you can
-make organization users [super admin](/docs/platform/howto/make-super-admin).
-Limit the number of users with this role as it gives unrestricted access to
-all organization resources including billing, admin, and all projects and services.
+To give users access to a specific service,
+[create service users](/docs/platform/howto/create_new_service_user).
-## Project roles
+## Organization roles and permissions
-You can grant the following roles for projects to principals.
+You can grant the following roles and permissions to principals at the organization level.
+Roles and permissions at this level apply to the organization and all units, projects,
+and services within it.
-| Console name | API name | Permissions |
-| ----------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Admin | `admin` |
- Full access to the project and all of its services.
|
-| Developer | `developer` | - Create databases.
- View service connection information.
- Remove Aiven for OpenSearch® indexes.
- Create and change Aiven for Apache Kafka® topics.
- Create and change Aiven for PostgreSQL® connection pools.
- Create and change service database users.
|
-| Operator | `operator` | - View project audit log.
- View project permissions.
- Full access to all services in the project and their configuration.
|
-| Read only | `read_only` | - View all services and their configuration.
|
-| Maintain services | `role:services:maintenance` | - Perform service maintenance updates.
- Change maintenance windows.
- Upgrade service versions.
|
-| Recover services | `role:services:recover` | - Add and remove dynamic disk sizing and tiered storage.
- Change service plans.
- Fork services.
- Promote read replicas.
|
+### Organization roles
-Project admin do not have access to organization settings such as billing unless
-they are also a [super admin](/docs/platform/howto/make-super-admin).
+| Console name | API name | Allowed actions |
+| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Organization member | None | This is the default role for all organization users. **You cannot grant this role to users.**
All non-managed organization users can: - Edit their profiles.
- Create organizations.
- Leave organizations.
- Add [allowed authentication methods](/docs/platform/howto/set-authentication-policies).
- Generate and revoke personal tokens, if allowed by the [authentication policy](/docs/platform/howto/set-authentication-policies).
- Enable and disable feature previews.
[Managed users](/docs/platform/concepts/managed-users) have more restrictions. |
+| Admin | `role:organization:admin` | - Full access to the organization.
- View and change billing information.
- Change the authentication policy.
- Invite, deactivate, and remove organization users.
- Create, edit, and delete groups.
- Create and delete application users and their tokens.
- Add and remove domains.
- Add, enable, disable, and remove identity providers.
|
-## Project and service permissions
+### Organization permissions
-:::important
-Permissions are not yet fully supported in the Aiven Console. They are intended for
-use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes®.
-:::
+| Console name | API name | Allowed actions |
+| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Manage application users | `organization:app_users:write` | - Create, edit, and delete application users.
- View all application users.
- Generate and revoke application tokens.
- List all application tokens.
|
+| View organization audit log | `organization:audit_logs:read` | |
+| Manage domains | `organization:domains:write` | - Add, edit, and remove domains.
- View all organization domains.
|
+| Manage groups | `organization:groups:write` | - Create, edit, and delete groups.
- Add organization and application users to groups.
- Remove organization and application users from groups.
|
+| Manage IdPs | `organization:idps:write` | - Add, edit, enable, disable, and remove identity providers.
- View all identity providers for the organization.
|
+| Manage organization users | `organization:users:write` | - Invite new users to the organization.
- View all invited users.
- Remove user invites.
- Deactivate, edit and delete [managed users](/docs/platform/concepts/managed-users).
- Remove non-managed users from the organization.
- Reset passwords for managed users.
- View all authentication methods for an organization user.
- Revoke tokens for managed users.
- View all tokens generated by managed users.
|
-You can grant the following permissions to principals. The actions listed for each
-permission apply to the project and all services within it.
+
+## Project roles and permissions
+You can grant the following roles and permissions to principals. Roles and permissions
+granted at this level apply to the project and all services within it.
+
+### Project roles
+
+| Console name | API name | Permissions |
+| ----------------- | --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Admin | `admin` | - Full access to the project and all of its services.
|
+| Developer | `developer` | - View project event log.
- View project tags.
- View all services in the project.
- Create databases.
- View service connection information.
- View integration endpoints.
- Remove Aiven for OpenSearch® indexes.
- Create and change Aiven for Apache Kafka® topics.
- Create and change Aiven for PostgreSQL® connection pools.
- Create and change service database users.
|
+| Operator | `operator` | - View project audit log.
- Add, edit, and delete project tags.
- View project tags.
- View project permissions.
- Create, edit, and delete services and their configuration.
- Perform service maintenance updates.
- Create, edit, and delete project VPCs and peering connections.
- View project event log.
- Created, edit, and delete integration endpoints.
- Enable and disable service integrations.
- View integration endpoints.
|
+| Read only | `read_only` | - View project event log.
- View project tags.
- View all services and their configuration.
- View integration endpoints.
|
+| Maintain services | `role:services:maintenance` | - Perform service maintenance updates.
- Change maintenance windows.
- Upgrade service versions.
|
+| Recover services | `role:services:recover` | - Add and remove dynamic disk sizing and tiered storage.
- Change service plans.
- Fork services.
- Promote read replicas.
|
+
+### Project permissions
| Console name | API name | Allowed actions |
| ---------------------------- | ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| View project audit log | `project:audit_logs:read` | - View the log for the project.
- View all services in the project.
|
+| View project audit logs | `project:audit_logs:read` | - View the logs for the project.
- View all services in the project.
|
| View project integrations | `project:integrations:read` | - View all integration endpoints for a project.
|
| Manage project integrations | `project:integrations:write` | - Add and remove integration endpoints.
- Read and write integration secrets.
|
-| View project networking | `project:networking:read` | |
-| Manage project networking | `project:networking:write` | - Add, edit, and remove project VPCs.
|
+| View project networking | `project:networking:read` | - View all project VPCs.
- List all peering connections.
|
+| Manage project networking | `project:networking:write` | - Create, edit, and delete project VPCs and peering connections.
- View all project VPCs and peering connections.
|
| View project permissions | `project:permissions:read` | - View all users granted permissions to a project.
|
| View services | `project:services:read` | - View all details for services in a project, except the service logs.
|
| Manage services | `project:services:write` | - Create and delete services.
- Power on and off services.
- Add and remove dynamic disk sizing and tiered storage.
- Change service plans.
- Change cloud regions.
- Fork services.
|
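Review bot: Typo in the new Operator row, "Created, edit, and delete integration endpoints." should read "Create, edit, and delete integration endpoints.", and the new "View organization audit log" row (`organization:audit_logs:read`) has an empty Allowed actions cell while every other permission row lists its actions; fill it in (at minimum "View the audit log for the organization") or readers will assume the permission does nothing. Two smaller points in the same hunk: the project row was renamed to "View project audit logs" (plural) while the organization row says "audit log" (singular), so pick one form, and "Deactivate, edit and delete [managed users]" drops the serial comma used everywhere else in the tables. The hunk also deletes the `:::important` admonition saying permissions are not yet fully supported in the Aiven Console and are intended for the API, Terraform provider and Kubernetes operator; if that is still true, keep it, and if Console support has landed, the new intro ("You can grant access to principals at the organization and project level.") should link back to `/docs/platform/howto/manage-permissions`, which the removed sentence did and the replacement no longer does.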
@@ -62,4 +74,4 @@ permission apply to the project and all services within it.
| Access data | `service:data:write` | - Perform service queries through the API and Console.
- View query statistics and current queries.
- Manage service-specific features like Kafka Topics and Schemas, PostgreSQL and AlloyDB Omni connection pools, and OpenSearch indexes.
|
| View service logs | `service:logs:read` | - View logs for all services in the project.
**Service logs may contain sensitive information.** |
| View configuration secrets | `service:secrets:read` | - Read service configuration secrets such as keys.
|
-| Manage service users | `service:users:write` | - Create and delete service users.
- View and update connection information for services.
|
+| Manage service users | `service:users:write` | - Create and delete service users.
- View all service users.
- View, update, and reset connection information for services.
|
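Review bot: The rewritten "Manage service users" row (`service:users:write`) now includes "View, update, and reset connection information for services", which means this permission can rotate service credentials and thereby cut off any client using the old ones; that is a credential-affecting action in the same class as the `service:secrets:read` and `service:logs:read` rows, which do carry a caveat ("Service logs may contain sensitive information."). Consider adding a matching one-line note to this row, for example that resetting connection information invalidates existing service passwords, so a grantor understands that this write permission is not just user management.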
diff --git a/docs/platform/howto/make-super-admin.md b/docs/platform/howto/make-super-admin.md
index 6f1702dc..12c931e6 100644
--- a/docs/platform/howto/make-super-admin.md
+++ b/docs/platform/howto/make-super-admin.md
@@ -4,11 +4,9 @@ title: Super admin
import ConsoleLabel from "@site/src/components/ConsoleIcons"
-The super admin role has full access to an organization, its billing and settings, and all its organizational units, projects, and services.
+The super admin role is a special role that has unrestricted access to an organization and all of its resources. This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa) for super admin.
-## Make a user a super admin
-
-To give a user full access to your organization:
+To make a user a super admin:
1. In the organization, click **Admin**.
1. Click .
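Review bot: The new intro sentence links "organization admin role" to `/docs/platform/concepts/permissions` with no fragment, while the sibling change in manage-permissions.md links to `/docs/platform/concepts/permissions#organization-roles-and-permissions`; use the anchored link here too so the reader lands on the Admin row rather than the top of the page. Also, "Aiven also highly recommends enabling two-factor authentication for super admin." is only a recommendation that each super admin has to act on individually; since the same patch lists "Change the authentication policy" as an organization admin action and the page already links to `/docs/platform/howto/set-authentication-policies`, it would be stronger to point readers at the authentication policy as the way to require 2FA for the organization rather than leaving it opt-in per user.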
@@ -16,8 +14,3 @@ To give a user full access to your organization:
To revoke super admin privileges for a user, follow the same steps and
select **Revoke super admin**.
-
-## Related pages
-
-- [Manage organization users](/docs/platform/howto/manage-org-users)
-- [Permissions](/docs/platform/concepts/permissions)
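Review bot: Dropping the whole "Related pages" section removes the only link from this page to `/docs/platform/howto/manage-org-users`; the Permissions link survives in the rewritten intro, but the manage-org-users link does not. If the intent is to rely on the intro for cross-references, add the manage-org-users link there (it is the page that covers inviting and removing the users you are about to make super admin), otherwise keep the section.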
diff --git a/docs/platform/howto/manage-permissions.md b/docs/platform/howto/manage-permissions.md
index f51fb475..4e4d2383 100644
--- a/docs/platform/howto/manage-permissions.md
+++ b/docs/platform/howto/manage-permissions.md
@@ -5,9 +5,64 @@ title: Manage permissions
import ConsoleLabel from "@site/src/components/ConsoleIcons"
import {ConsoleIcon} from "@site/src/components/ConsoleIcons"
-You can give users and groups access to a project and the services in it by granting them roles and permissions for that project.
+You can grant [organization users](/docs/platform/howto/manage-org-users), [application users](/docs/platform/concepts/application-users), and [groups](/docs/platform/howto/manage-groups) access at the organization and project level through [roles and permissions](/docs/platform/concepts/permissions).
-## Grant project permissions to a user or group
+:::important
+When you remove permissions from a user or group, service credentials are not changed.
+Users can still directly access services if they know the service credentials. To prevent
+this type of access, reset all service passwords.
+:::
+
+## Organization permissions
+
+### Grant organization permissions to a user or group
+
+1. In the organization, click **Admin**.
+
+1. Click .
+
+1. Click **Grant permissions** and select **Grant to users** or **Grant to groups**.
+
+1. Select the users or groups, and the
+ [roles and permissions](/docs/platform/concepts/permissions) to grant.
+
+1. Click **Grant permissions**.
+
+### Change organization permissions for a user or group
+
+1. In the organization, click **Admin**.
+
+1. Click .
+
+1. For the user or group click >
+ **Edit permissions**.
+
+1. Add or remove permissions and click **Save changes**.
+
+### Remove all organization-level roles and permissions
+
+You can remove all organization-level permissions that you granted to a user or group.
+After removing the permissions, organization users have the
+[default access level](/docs/platform/concepts/permissions#organization-roles-and-permissions)
+to the organization.
+
+To remove all organization permissions for a user or group:
+
+1. In the organization, click **Admin**.
+
+1. Click .
+
+1. For the user or group click >
+ **Remove**.
+
+1. Click **Remove user** or **Remove group** to confirm.
+
+## Project permissions
+
+You can give users access to a specific project by granting them roles and permissions
+at the project level.
+
+### Grant project permissions to a user or group
1. In the project, click .
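Review bot: The `:::important` admonition moved to the top of the page says "When you remove permissions from a user or group, service credentials are not changed", but the same caveat applies to the new "Change organization permissions" and existing "Change permissions" steps, where "Add or remove permissions and click **Save changes**" can reduce a principal's access without any credential rotation; reword it as "When you remove or reduce permissions ..." so it covers both paths now that it sits above all of them. Separately, the final step of "Remove all organization-level roles and permissions" reads "Click **Remove user** or **Remove group** to confirm.", which is easy to misread as removing the user from the organization; add a sentence making explicit that this removes only the organization-level roles and permissions and that the user remains an organization member with the default access level described in the preceding paragraph.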
@@ -19,7 +74,7 @@ You can give users and groups access to a project and the services in it by gran
1. Click **Grant permissions**.
-## Change permissions for a user or group
+### Change permissions for a user or group
1. In the project, click .
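Review bot: The demoted heading "### Change permissions for a user or group" is now inconsistent with its new sibling "### Change organization permissions for a user or group" and sits under "## Project permissions" without saying so; rename it to "### Change project permissions for a user or group" to match the "Grant project permissions ..." and "Remove all project-level ..." headings in the same section and to avoid two near-identical "Change ... permissions" anchors on one page.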
@@ -28,13 +83,7 @@ You can give users and groups access to a project and the services in it by gran
1. Add or remove permissions and click **Save changes**.
-## Remove access to a project
-
-:::important
-When you remove permissions from a user or group, service credentials are not changed.
-Users can still directly access services if they know the service credentials. To prevent
-this type of access, reset all service passwords.
-:::
+### Remove all project-level roles and permissions
To remove all permissions to a project:
diff --git a/src/components/ConsoleIcons/index.tsx b/src/components/ConsoleIcons/index.tsx
index 4ab14300..b5ca41b6 100644
--- a/src/components/ConsoleIcons/index.tsx
+++ b/src/components/ConsoleIcons/index.tsx
@@ -201,6 +201,12 @@ export default function ConsoleLabel({name}): ReactElement {
Permissions
>
);
+ case 'orgpermissions':
+ return (
+ <>
+ Permissions
+ >
+ );
case 'users':
return (
<>
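Review bot: The new `case 'orgpermissions':` branch renders the same visible text ("Permissions") as the existing `case 'permissions':` branch immediately above it; if the two differ only in the icon component, that is not visible in this hunk and deserves a comment, and if they are genuinely identical, collapse them into one fall-through (`case 'permissions': case 'orgpermissions':`) rather than duplicating the JSX, so the two labels cannot drift apart later.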