feat(web-modeler): add super-user self-managed
JacobiCamunda committed Aug 26, 2024
1 parent 8f818a3 commit 8c86816
Showing 2 changed files with 44 additions and 17 deletions.
41 changes: 34 additions & 7 deletions docs/components/modeler/web-modeler/collaboration.md
Expand Up @@ -5,6 +5,8 @@ description: Collaboration features and access rights for Web Modeler.
---

import SuperUserModeImg from './img/super-user-mode.png';
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";

<span class="badge badge--cloud">Camunda 8 only</span>

Expand All @@ -28,25 +30,50 @@ There are four roles with different levels of access rights that can be assigned
- **Commenter**: The user cannot edit folders or diagrams or invite users, but can view diagrams and properties and leave comments.
- **Viewer**: The user cannot edit folders or diagrams nor leave comments, but can only view diagrams.

Additionally, the **Owner** and **Admins** of the organization have special privileges to do administrative tasks in **super-user mode**.
Additionally, users with elevated access have special privileges to do administrative tasks in **super-user mode**.

#### Super-user mode

:::note
Super-user mode is not yet available in Web Modeler Self-Managed.
:::

Super-user mode is only available to the **Owner** and **Admins** of the organization and can be enabled via the user menu in Web Modeler:
Super-user mode is only available to users with elevated access and can be enabled via the user menu in Web Modeler:

<p><img src={SuperUserModeImg} style={{width: 280}} alt="Enable super-user mode in Web Modeler's user menu" /></p>

The main purpose of this mode is to assign collaborators to orphaned projects (which have no collaborators).
Ordinarily, these projects would not be accessible or visible to any users.

When the **Owner** or an **Admin** activates super-user mode, they are temporarily granted **Project Admin** access to all projects
When a user activates super-user mode, they are temporarily granted **Project Admin** access to all projects
of the organization. This allows them to assign collaborators to orphaned projects and gives them
full access when none of the ordinary collaborators are available.

##### Required Roles/Permissions for Super-User Mode Access

<Tabs groupId="permissions" defaultValue="saas" queryString values={
[
{label: 'SaaS', value: 'saas' },
{label: 'Self-Managed', value: 'self-managed' },
]}>

<TabItem value='saas'>

The user must be assigned the organization **Owner** or **Admin** role.

</TabItem>

<TabItem value='self-managed'>

The user must be assigned the **Web Modeler Admin** role.

If the role is not pre-existing, it can be created with the following permissions:

- Web Modeler Internal API - `write:*`
- Web Modeler Internal API - `admin:*`
- Camunda Identity Resource Server - `read:users`

See [here](../../../self-managed/identity/user-guide/roles/add-assign-role.md) how to add a new role and [here](../../../self-managed/identity/user-guide/roles/add-assign-permission.md) how to add the new `admin:*` permission to the Web Modeler Internal API.
</TabItem>

</Tabs>

### Inviting users to projects

:::note
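Review bot: the unchanged `:::note` block ("Super-user mode is not yet available in Web Modeler Self-Managed.") now contradicts the Self-Managed tab added directly below it; remove the note or reword it to state the version from which super-user mode is available in Self-Managed. On the Self-Managed tab, the three permissions listed for the **Web Modeler Admin** role (`write:*` and `admin:*` on the Web Modeler Internal API, `read:users` on the Camunda Identity Resource Server) unlock a mode that the paragraph above describes as temporary **Project Admin** access to all projects of the organization; the tab should say that plainly so administrators assign the role only to the few users who need to recover orphaned projects, and it should state whether all three permissions are required or only `admin:*` is new relative to the default role. Two style points: the new heading `##### Required Roles/Permissions for Super-User Mode Access` is in title case while the surrounding headings (`#### Super-user mode`, `### Inviting users to projects`) use sentence case, and the two `[here](...)` links in the last line should carry descriptive text, for example `[add a new role](...)` and `[add the admin:* permission to the Web Modeler Internal API](...)`.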
Expand Up @@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio

The preset permissions for Camunda components are:

| Component | Permissions | Descriptions |
| ----------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Connectors | `read:*` | Read access to all APIs |
| Console | `write:*` | Write access to all pages |
| Identity | `read` <br/> `read:users` <br/> `write` | Read access to all pages <br/> Access only the **Users** page and related subpages <br/> Write access to all pages |
| Operate | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Optimize | `write:*` | Write access to all APIs |
| Tasklist | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Web Modeler | `create:*` <br/> `read:*` <br/> `update:*` <br/> `delete:*` | CRUD access |
| Zeebe | `write:*` | Write access to all APIs |
| Component | Permissions | Descriptions |
| ----------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Connectors | `read:*` | Read access to all APIs |
| Console | `write:*` | Write access to all pages |
| Identity | `read` <br/> `read:users` <br/> `write` | Read access to all pages <br/> Access only the **Users** page and related subpages <br/> Write access to all pages |
| Operate | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Optimize | `write:*` | Write access to all APIs |
| Tasklist | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Web Modeler | `write:*` <br/> `admin:*` <br/> `create:*` <br/> `read:*` <br/> `update:*` <br/> `delete:*` | Access to the Internal API <br/> Elevated Access <br/> CRUD access to Public API |
| Zeebe | `write:*` | Write access to all APIs |

In this guide, we will show you how to use Identity to add and assign a permission to a role.

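Review bot: in the changed **Web Modeler** row, six permissions (`write:*`, `admin:*`, `create:*`, `read:*`, `update:*`, `delete:*`) are paired with only three description lines ("Access to the Internal API", "Elevated Access", "CRUD access to Public API"), so a reader cannot tell which description belongs to which permission, while every other row keeps one description per `<br/>`-separated permission. Suggest one description per permission, e.g. `write:*` as "Write access to the Internal API", `admin:*` as "Elevated access to the Internal API (required for super-user mode)", and each of `create:*`/`read:*`/`update:*`/`delete:*` as the corresponding "... access to the Public API", or split the row into separate "Web Modeler Internal API" and "Web Modeler Public API" rows, which matches the resource name used on the collaboration page in this same commit. Also "Elevated Access" should be sentence case like "Read access" and "Write access" in the other rows, and because `admin:*` is the permission the Self-Managed super-user mode instructions depend on, its description should name what it elevates rather than leaving the scope implicit.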

0 comments on commit 8c86816
