From 6a3e29bbd0b1841a0aae0280ce3e152038671af9 Mon Sep 17 00:00:00 2001 From: Stacey Salamon Date: Fri, 1 Nov 2024 15:03:34 +0100 Subject: [PATCH] update: add new project-level permissions --- docs/platform/concepts/permissions.md | 6 ++++ .../reference/project-member-privileges.md | 36 ------------------- static/_redirects | 1 + 3 files changed, 7 insertions(+), 36 deletions(-) delete mode 100644 docs/platform/reference/project-member-privileges.md diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md index 7b3d81f5f..8eb576069 100644 --- a/docs/platform/concepts/permissions.md +++ b/docs/platform/concepts/permissions.md @@ -30,6 +30,8 @@ You can grant the following roles for projects to principals. | Developer | `developer` | | | Operator | `operator` | | | Read only | `read_only` | | +| Maintain services | `role:services:maintenance` | | +| Recover services | `role:services:recover` | | Project admin do not have access to organization settings such as billing unless they are also a [super admin](/docs/platform/howto/make-super-admin). @@ -53,5 +55,9 @@ permission apply to the project and all services within it. | Manage project networking | `project:networking:write` | | | View project permissions | `project:permissions:read` | | | View services | `project:services:read` | | +| Manage services | `project:services:write` | | | Manage service configuration | `service:configuration:write` | | +| Access data | `service:data:write` | | | View service logs | `service:logs:read` | **Service logs may contain sensitive information.** | +| View configuration secrets | `service:secrets:read` | | +| Manage service users | `service:users:write` | | diff --git a/docs/platform/reference/project-member-privileges.md b/docs/platform/reference/project-member-privileges.md deleted file mode 100644 index 009292a6c..000000000 --- a/docs/platform/reference/project-member-privileges.md +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: Project roles and permissions -sidebar_label: Project member roles ---- - -When you add users to a project individually or as part of a [group](/docs/platform/howto/manage-groups) you also assign them a role for that project. - -| Role | View services | Create services | Manage services | Connect | Power services on/off | Edit permissions | -| ----------------- | ------------- | --------------- | --------------- | ------- | --------------------- | ---------------------- | -| **Administrator** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | -| **Operator** | ✅ | ✅ | ✅ | ✅ | ✅ | | -| **Developer** | ✅ | | ✅ | ✅ | | | -| **Read Only** | ✅ | | | | | | - -- **Admin**: Full access to the project and its services. - - Every project has at least one admin user. This role is automatically granted to - users who create a project. - - Does not have access to organization settings such as billing unless they are also - a [super admin](/docs/platform/howto/make-super-admin). - - Can add users and groups to the project. - - Can remove users and groups from the project. - -- **Operator**: Full access to all services in the project. - - Can create new services. - - Cannot make changes to the users, groups, or permissions for a project. -- **Developer**: Allowed to manage services in this project. - - Can make changes to services and databases, for example: - creating databases, connecting to databases, removing Aiven for - OpenSearch® indexes, creating and modifying Aiven for Apache - Kafka® topics, and creating and modifying Aiven for PostgreSQL® - connection pools. - - Can create and change service database users. - - Cannot make changes to the project users, groups, or permissions. - - Cannot make changes that affect billing, such as powering services on or off. -- **Read-only**: Only allowed to view services. - - Cannot make any changes to the project or its services. diff --git a/static/_redirects b/static/_redirects index bee695cda..6e22ddd87 100644 
--- a/static/_redirects +++ b/static/_redirects @@ -77,6 +77,7 @@ /platform/howto/update-tax-status https://aiven.io/docs/platform/concepts/tax-information /platform/ip-addresses https://aiven.io/docs/platform/reference/service-ip-address /platform/privatelink https://aiven.io/docs/platform/howto/use-aws-privatelinks +/platform/reference/project-member-privileges https://aiven.io/docs/platform/concepts/permissions /platform/vpc https://aiven.io/docs/platform/howto/manage-vpc-peering /products/caching/concepts https://aiven.io/docs/docs/products/caching/concepts/high-availability-redis /products/caching/concepts/overview https://aiven.io/docs/products/caching
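Review bot: in the roles table hunk of docs/platform/concepts/permissions.md, both new rows leave the description column empty, so a reader cannot tell what `+| Maintain services | `role:services:maintenance` | |` and `+| Recover services | `role:services:recover` | |` actually allow a principal to do to a service, or how they differ from `operator`; the third column exists for exactly that, so add a one-line description to each row. Also check the identifier format: the existing rows use bare names (`developer`, `operator`, `read_only`) while the new ones are namespaced as `role:services:...`; if both forms are accepted by the API, say so, otherwise align them. While in this hunk, the unchanged context line "Project admin do not have access to organization settings" should read "Project admins do not have access".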
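Review bot: in the permissions table hunk of docs/platform/concepts/permissions.md, `+| View configuration secrets | `service:secrets:read` | |` is added without the sensitivity note that the existing `service:logs:read` row carries ("**Service logs may contain sensitive information.**"); a permission whose purpose is to reveal secret values deserves at least the same warning, for example `| View configuration secrets | `service:secrets:read` | **Exposes secret values; grant sparingly.** |`. The same applies to `+| Manage service users | `service:users:write` | |`, since whoever can create or change service users can create credentials and thereby reach the service's data. Finally, `+| Access data | `service:data:write` | |` pairs a neutral label with a `write` identifier; state whether it covers read, write, or both so that readers granting it understand its scope.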
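Review bot: the deletion of docs/platform/reference/project-member-privileges.md removes the only capability matrix for the four legacy roles (View services, Create services, Manage services, Connect, Power services on/off, Edit permissions) together with the per-role notes such as "Every project has at least one admin user" and the Developer restriction "Cannot make changes that affect billing, such as powering services on or off", and nothing in this patch moves that information into permissions.md, whose roles table has an empty description column. As it stands the change is a net loss of documentation for the roles that still exist; port the matrix, or at least the per-role bullets, into the roles section of permissions.md in this same patch, or keep the file until that is done.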
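Review bot: the new line in static/_redirects, `+/platform/reference/project-member-privileges https://aiven.io/docs/platform/concepts/permissions`, follows the path convention of its neighbours (no `/docs` prefix on the source path) and sits in alphabetical order, so it matches the URL of the deleted file. The one thing worth picking up while in this hunk is the unchanged context line `/products/caching/concepts https://aiven.io/docs/docs/products/caching/concepts/high-availability-redis`, whose target has a doubled `/docs/docs/` segment, unlike the adjacent `/products/caching/concepts/overview https://aiven.io/docs/products/caching`; not introduced by this patch, but it looks like a broken redirect.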