From 8c86816c14a9593c054bfe202c41c7eed1aeb70f Mon Sep 17 00:00:00 2001 From: Jeremy Jacobi Date: Thu, 22 Aug 2024 14:50:33 +0200 Subject: [PATCH] feat(web-modeler): add super-user self-managed --- .../modeler/web-modeler/collaboration.md | 41 +++++++++++++++---- .../user-guide/roles/add-assign-permission.md | 20 ++++----- 2 files changed, 44 insertions(+), 17 deletions(-) diff --git a/docs/components/modeler/web-modeler/collaboration.md b/docs/components/modeler/web-modeler/collaboration.md index 9b2dfa5b06..75a23125c4 100644 --- a/docs/components/modeler/web-modeler/collaboration.md +++ b/docs/components/modeler/web-modeler/collaboration.md @@ -5,6 +5,8 @@ description: Collaboration features and access rights for Web Modeler. --- import SuperUserModeImg from './img/super-user-mode.png'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; Camunda 8 only @@ -28,25 +30,50 @@ There are four roles with different levels of access rights that can be assigned - **Commenter**: The user cannot edit folders or diagrams or invite users, but can view diagrams and properties and leave comments. - **Viewer**: The user cannot edit folders or diagrams nor leave comments, but can only view diagrams. -Additionally, the **Owner** and **Admins** of the organization have special privileges to do administrative tasks in **super-user mode**. +Additionally, users with elevated access have special privileges to do administrative tasks in **super-user mode**. #### Super-user mode -:::note -Super-user mode is not yet available in Web Modeler Self-Managed. -::: - -Super-user mode is only available to the **Owner** and **Admins** of the organization and can be enabled via the user menu in Web Modeler: +Super-user mode is only available to users with elevated access and can be enabled via the user menu in Web Modeler:

Enable super-user mode in Web Modeler's user menu

The main purpose of this mode is to assign collaborators to orphaned projects (which have no collaborators). Ordinarily, these projects would not be accessible or visible to any users. -When the **Owner** or an **Admin** activates super-user mode, they are temporarily granted **Project Admin** access to all projects +When a user activates super-user mode, they are temporarily granted **Project Admin** access to all projects of the organization. This allows them to assign collaborators to orphaned projects and gives them full access when none of the ordinary collaborators are available. +##### Required Roles/Permissions for Super-User Mode Access + + + + + +The user must be assigned the organization **Owner** or **Admin** role. + + + + + +The user must be assigned the **Web Modeler Admin** role. + +If the role is not pre-existing, it can be created with the following permissions: + +- Web Modeler Internal API - `write:*` +- Web Modeler Internal API - `admin:*` +- Camunda Identity Resource Server - `read:users` + +See [here](../../../self-managed/identity/user-guide/roles/add-assign-role.md) how to add a new role and [here](../../../self-managed/identity/user-guide/roles/add-assign-permission.md) how to add the new `admin:*` permission to the Web Modeler Internal API. + + + + ### Inviting users to projects :::note diff --git a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md index b4c81ecbb7..ecb3f7977e 100644 --- a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md +++ b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md 
@@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio The preset permissions for Camunda components are: -| Component | Permissions | Descriptions | -| ----------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -| Connectors | `read:*` | Read access to all APIs | -| Console | `write:*` | Write access to all pages | -| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | -| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Optimize | `write:*` | Write access to all APIs | -| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Web Modeler | `create:*`
`read:*`
`update:*`
`delete:*` | CRUD access | -| Zeebe | `write:*` | Write access to all APIs | +| Component | Permissions | Descriptions | +| ----------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | +| Connectors | `read:*` | Read access to all APIs | +| Console | `write:*` | Write access to all pages | +| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | +| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Optimize | `write:*` | Write access to all APIs | +| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Web Modeler | `write:*`
`admin:*`
`create:*`
`read:*`
`update:*`
`delete:*` | Access to the Internal API
Elevated Access
CRUD access to Public API | +| Zeebe | `write:*` | Write access to all APIs | In this guide, we will show you how to use Identity to add and assign a permission to a role.
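Review bot: In the first `collaboration.md` hunk (`@@ -5,6 +5,8 @@`), the two added imports use double quotes (`import Tabs from "@theme/Tabs";`) while the existing import directly above them uses single quotes (`from './img/super-user-mode.png'`). Pick one style for the file, preferably whatever the repository formatter produces, so the import block stays consistent.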
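Review bot: In the second `collaboration.md` hunk (`@@ -28,25 +30,50 @@`), "users with elevated access" replaces the explicit **Owner**/**Admins** wording in three sentences but is not defined where it is first used; the reader only finds out what it means in the new "Required Roles/Permissions for Super-User Mode Access" subsection further down. Link the first occurrence to that subsection, or name the roles inline. The text still says access is "temporarily granted" without saying what ends it, which matters more now that the Self-Managed path is a standing **Web Modeler Admin** role carrying `write:*` and `admin:*` on the Internal API; state how super-user mode is switched off. The removed "not yet available in Web Modeler Self-Managed" note is dropped without saying from which version the feature is available. Smaller points: the two "See [here](...)" links should use descriptive link text, and the new heading is in title case while the neighbouring headings ("Super-user mode", "Inviting users to projects") use sentence case.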
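Review bot: In the `add-assign-permission.md` table hunk (`@@ -16,16 +16,16 @@`), the new Web Modeler row lists six permissions (`write:*`, `admin:*`, `create:*`, `read:*`, `update:*`, `delete:*`) against only three descriptions, so the one-description-per-permission pairing used by the Identity, Operate and Tasklist rows no longer holds and a reader cannot tell which permission grants "Elevated Access". Split the row by API (Internal API and Public API), matching how `collaboration.md` refers to "Web Modeler Internal API - `admin:*`", or give each permission its own description line. "Elevated Access" is also capitalised differently from the other descriptions ("Read access", "Write access"). The hunk re-pads every row to fit the wider column although only the Web Modeler row changes in substance; if that comes from the formatter it is fine, but it makes the one privilege-relevant change easy to miss in review.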