From f42eda2fde96c73d178cf1994ca91a4bdeaaac52 Mon Sep 17 00:00:00 2001 From: Jeremy Jacobi Date: Thu, 22 Aug 2024 14:50:33 +0200 Subject: [PATCH 1/3] feat(web-modeler): add super-user self-managed --- .../modeler/web-modeler/collaboration.md | 41 +++++++++++++++---- .../user-guide/roles/add-assign-permission.md | 20 ++++----- 2 files changed, 44 insertions(+), 17 deletions(-) diff --git a/docs/components/modeler/web-modeler/collaboration.md b/docs/components/modeler/web-modeler/collaboration.md index 9b2dfa5b06..75a23125c4 100644 --- a/docs/components/modeler/web-modeler/collaboration.md +++ b/docs/components/modeler/web-modeler/collaboration.md @@ -5,6 +5,8 @@ description: Collaboration features and access rights for Web Modeler. --- import SuperUserModeImg from './img/super-user-mode.png'; +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; Camunda 8 only @@ -28,25 +30,50 @@ There are four roles with different levels of access rights that can be assigned - **Commenter**: The user cannot edit folders or diagrams or invite users, but can view diagrams and properties and leave comments. - **Viewer**: The user cannot edit folders or diagrams nor leave comments, but can only view diagrams. -Additionally, the **Owner** and **Admins** of the organization have special privileges to do administrative tasks in **super-user mode**. +Additionally, users with elevated access have special privileges to do administrative tasks in **super-user mode**. #### Super-user mode -:::note -Super-user mode is not yet available in Web Modeler Self-Managed. -::: - -Super-user mode is only available to the **Owner** and **Admins** of the organization and can be enabled via the user menu in Web Modeler: +Super-user mode is only available to users with elevated access and can be enabled via the user menu in Web Modeler:

Enable super-user mode in Web Modeler's user menu

The main purpose of this mode is to assign collaborators to orphaned projects (which have no collaborators). Ordinarily, these projects would not be accessible or visible to any users. -When the **Owner** or an **Admin** activates super-user mode, they are temporarily granted **Project Admin** access to all projects +When a user activates super-user mode, they are temporarily granted **Project Admin** access to all projects of the organization. This allows them to assign collaborators to orphaned projects and gives them full access when none of the ordinary collaborators are available. +##### Required Roles/Permissions for Super-User Mode Access + + + + + +The user must be assigned the organization **Owner** or **Admin** role. + + + + + +The user must be assigned the **Web Modeler Admin** role. + +If the role is not pre-existing, it can be created with the following permissions: + +- Web Modeler Internal API - `write:*` +- Web Modeler Internal API - `admin:*` +- Camunda Identity Resource Server - `read:users` + +See [here](../../../self-managed/identity/user-guide/roles/add-assign-role.md) how to add a new role and [here](../../../self-managed/identity/user-guide/roles/add-assign-permission.md) how to add the new `admin:*` permission to the Web Modeler Internal API. + + + + ### Inviting users to projects :::note diff --git a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md index b4c81ecbb7..ecb3f7977e 100644 --- a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md +++ b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md 
@@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio The preset permissions for Camunda components are: -| Component | Permissions | Descriptions | -| ----------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -| Connectors | `read:*` | Read access to all APIs | -| Console | `write:*` | Write access to all pages | -| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | -| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Optimize | `write:*` | Write access to all APIs | -| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Web Modeler | `create:*`
`read:*`
`update:*`
`delete:*` | CRUD access | -| Zeebe | `write:*` | Write access to all APIs | +| Component | Permissions | Descriptions | +| ----------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | +| Connectors | `read:*` | Read access to all APIs | +| Console | `write:*` | Write access to all pages | +| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | +| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Optimize | `write:*` | Write access to all APIs | +| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Web Modeler | `write:*`
`admin:*`
`create:*`
`read:*`
`update:*`
`delete:*` | Access to the Internal API
Elevated Access
CRUD access to Public API | +| Zeebe | `write:*` | Write access to all APIs | In this guide, we will show you how to use Identity to add and assign a permission to a role. From df18472b48cf8fe3629650102fb79999fbd4339a Mon Sep 17 00:00:00 2001 From: Jeremy Jacobi Date: Thu, 29 Aug 2024 09:03:53 +0200 Subject: [PATCH 2/3] incorporate review feedback --- .../user-guide/roles/add-assign-permission.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md index ecb3f7977e..ad378dd8cc 100644 --- a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md +++ b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md @@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio The preset permissions for Camunda components are: -| Component | Permissions | Descriptions | -| ----------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -| Connectors | `read:*` | Read access to all APIs | -| Console | `write:*` | Write access to all pages | -| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | -| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Optimize | `write:*` | Write access to all APIs | -| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Web Modeler | `write:*`
`admin:*`
`create:*`
`read:*`
`update:*`
`delete:*` | Access to the Internal API
Elevated Access
CRUD access to Public API | -| Zeebe | `write:*` | Write access to all APIs | +| Component | Permissions | Descriptions | +| ----------- | ------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connectors | `read:*` | Read access to all APIs | +| Console | `write:*` | Write access to all pages | +| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | +| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Optimize | `write:*` | Write access to all APIs | +| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Web Modeler | `write:*`
`admin:*`
`create:*`
`read:*`
`update:*`
`delete:*` | Access to the Internal API
Elevated Access to the Internal API (See [Super-User Mode](../../../../components/modeler/web-modeler/collaboration.md#super-user-mode) and [Publishing Connector Templates](../../../../components/connectors/manage-connector-templates.md#publish-a-connector-template))
CRUD access to Public API | +| Zeebe | `write:*` | Write access to all APIs | In this guide, we will show you how to use Identity to add and assign a permission to a role. From b0a9fd7339d68ff6ce01fa920d5b76961c2643e1 Mon Sep 17 00:00:00 2001 From: Wolfgang Amann Date: Tue, 3 Sep 2024 11:08:48 +0200 Subject: [PATCH 3/3] review feedback --- .../modeler/web-modeler/collaboration.md | 2 +- .../user-guide/roles/add-assign-permission.md | 20 +++++++++---------- .../user-guide/roles/add-assign-permission.md | 20 +++++++++---------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/docs/components/modeler/web-modeler/collaboration.md b/docs/components/modeler/web-modeler/collaboration.md index 75a23125c4..0432c19f22 100644 --- a/docs/components/modeler/web-modeler/collaboration.md +++ b/docs/components/modeler/web-modeler/collaboration.md @@ -69,7 +69,7 @@ If the role is not pre-existing, it can be created with the following permission - Web Modeler Internal API - `admin:*` - Camunda Identity Resource Server - `read:users` -See [here](../../../self-managed/identity/user-guide/roles/add-assign-role.md) how to add a new role and [here](../../../self-managed/identity/user-guide/roles/add-assign-permission.md) how to add the new `admin:*` permission to the Web Modeler Internal API. +Refer to the documentation pages about [assigning roles](../../../self-managed/identity/user-guide/roles/add-assign-role.md) and [adding permissions](../../../self-managed/identity/user-guide/roles/add-assign-permission.md) for detailed instructions. diff --git a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md index ad378dd8cc..bd4469cf51 100644 --- a/docs/self-managed/identity/user-guide/roles/add-assign-permission.md +++ b/docs/self-managed/identity/user-guide/roles/add-assign-permission.md 
@@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio The preset permissions for Camunda components are: -| Component | Permissions | Descriptions | -| ----------- | ------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Connectors | `read:*` | Read access to all APIs | -| Console | `write:*` | Write access to all pages | -| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | -| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Optimize | `write:*` | Write access to all APIs | -| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Web Modeler | `write:*`
`admin:*`
`create:*`
`read:*`
`update:*`
`delete:*` | Access to the Internal API
Elevated Access to the Internal API (See [Super-User Mode](../../../../components/modeler/web-modeler/collaboration.md#super-user-mode) and [Publishing Connector Templates](../../../../components/connectors/manage-connector-templates.md#publish-a-connector-template))
CRUD access to Public API | -| Zeebe | `write:*` | Write access to all APIs | +| Component | Permissions | Descriptions | +| ----------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Connectors | `read:*` | Read access to all APIs | +| Console | `write:*` | Write access to all pages | +| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | +| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Optimize | `write:*` | Write access to all APIs | +| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Web Modeler | `write:*`

`admin:*`

`create:*`
`read:*`
`update:*`
`delete:*` | Access to internal API

Elevated Access to the Internal API (see [super-user mode](../../../../components/modeler/web-modeler/collaboration.md#super-user-mode) and [publishing Connector templates](../../../../components/connectors/manage-connector-templates.md#publish-a-connector-template))

CRUD access to public API | +| Zeebe | `write:*` | Write access to all APIs | In this guide, we will show you how to use Identity to add and assign a permission to a role. diff --git a/versioned_docs/version-8.5/self-managed/identity/user-guide/roles/add-assign-permission.md b/versioned_docs/version-8.5/self-managed/identity/user-guide/roles/add-assign-permission.md index b4c81ecbb7..6235f85102 100644 --- a/versioned_docs/version-8.5/self-managed/identity/user-guide/roles/add-assign-permission.md +++ b/versioned_docs/version-8.5/self-managed/identity/user-guide/roles/add-assign-permission.md @@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio The preset permissions for Camunda components are: -| Component | Permissions | Descriptions | -| ----------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -| Connectors | `read:*` | Read access to all APIs | -| Console | `write:*` | Write access to all pages | -| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | -| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Optimize | `write:*` | Write access to all APIs | -| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | -| Web Modeler | `create:*`
`read:*`
`update:*`
`delete:*` | CRUD access | -| Zeebe | `write:*` | Write access to all APIs | +| Component | Permissions | Descriptions | +| ----------- | -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | +| Connectors | `read:*` | Read access to all APIs | +| Console | `write:*` | Write access to all pages | +| Identity | `read`
`read:users`
`write` | Read access to all pages
Access only the **Users** page and related subpages
Write access to all pages | +| Operate | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Optimize | `write:*` | Write access to all APIs | +| Tasklist | `read:*`
`write:*` | Read access to all APIs
Write access to all APIs | +| Web Modeler | `write:*`

`create:*`
`read:*`
`update:*`
`delete:*` | Access to internal API

CRUD access to public API | +| Zeebe | `write:*` | Write access to all APIs | In this guide, we will show you how to use Identity to add and assign a permission to a role.
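Review bot: in PATCH 1/3, `collaboration.md`, hunk `@@ -28,25 +30,50 @@`, the added sentence "When a user activates super-user mode, they are temporarily granted **Project Admin** access to all projects" calls the grant temporary, but nothing in the section says what ends it or whether activation is recorded anywhere. The Self-Managed path now extends this to every holder of the **Web Modeler Admin** role, so add a sentence on how the mode is deactivated and, if activation is logged, where an administrator can review it. Style point in the same hunk: the new heading "Required Roles/Permissions for Super-User Mode Access" is title case while its parent "Super-user mode" is sentence case; match the parent.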
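Review bot: in PATCH 2/3, `add-assign-permission.md`, the `admin:*` description now ties the permission to both super-user mode and publishing Connector templates, while the Self-Managed role description added to `collaboration.md` in PATCH 1/3 presents `admin:*` only as a prerequisite for super-user mode. Someone granting **Web Modeler Admin** from that page will not see the second capability. Mention it there, or link from the role description back to this table row, so the full scope of the grant is visible where the role is defined.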
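Review bot: in PATCH 3/3, `collaboration.md`, hunk `@@ -69,7 +69,7 @@`, the replacement sentence loses the one detail the removed line carried, namely that `admin:*` is a new permission that has to be added to the Web Modeler Internal API ("how to add the new `admin:*` permission to the Web Modeler Internal API"). The descriptive link text is an improvement, but an administrator building the role by hand may not find `admin:*` among the existing permissions. Keep the hint, for example by ending the new sentence with "including how to add the new `admin:*` permission to the Web Modeler Internal API".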
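Review bot: in PATCH 3/3, `docs/self-managed/.../add-assign-permission.md`, the Web Modeler row now reads "Access to internal API", "Elevated Access to the Internal API" and "CRUD access to public API" in a single cell, mixing "internal API" with "Internal API" and capitalising "Access" in only one of the three. Pick one form; `collaboration.md` uses "Web Modeler Internal API" as the resource name, so capitalising it consistently here would match.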
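Review bot: in PATCH 3/3, `versioned_docs/version-8.5/.../add-assign-permission.md`, the new `write:*` entry in the Web Modeler row is described only as "Access to internal API", while every other `write:*` row in the table states the kind of access ("Write access to all APIs", "Write access to all pages"). State what the permission allows in the same terms. The 8.5 row also omits `admin:*`, which the `docs/` table carries; if that is deliberate because super-user mode is not part of 8.5 Self-Managed, say so in the commit message, which currently reads only "review feedback".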