feat(web-modeler): add super-user self-managed #4185

Merged
41 changes: 34 additions & 7 deletions docs/components/modeler/web-modeler/collaboration.md
@@ -5,6 +5,8 @@ description: Collaboration features and access rights for Web Modeler.
---

import SuperUserModeImg from './img/super-user-mode.png';
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";

<span class="badge badge--cloud">Camunda 8 only</span>

@@ -28,25 +30,50 @@ There are four roles with different levels of access rights that can be assigned
- **Commenter**: The user cannot edit folders or diagrams or invite users, but can view diagrams and properties and leave comments.
- **Viewer**: The user cannot edit folders or diagrams nor leave comments, but can only view diagrams.

Additionally, the **Owner** and **Admins** of the organization have special privileges to do administrative tasks in **super-user mode**.
Additionally, users with elevated access have special privileges to do administrative tasks in **super-user mode**.

#### Super-user mode

:::note
Super-user mode is not yet available in Web Modeler Self-Managed.
:::

Super-user mode is only available to the **Owner** and **Admins** of the organization and can be enabled via the user menu in Web Modeler:
Super-user mode is only available to users with elevated access and can be enabled via the user menu in Web Modeler:

<p><img src={SuperUserModeImg} style={{width: 280}} alt="Enable super-user mode in Web Modeler's user menu" /></p>

The main purpose of this mode is to assign collaborators to orphaned projects (which have no collaborators).
Ordinarily, these projects would not be accessible or visible to any users.

When the **Owner** or an **Admin** activates super-user mode, they are temporarily granted **Project Admin** access to all projects
When a user activates super-user mode, they are temporarily granted **Project Admin** access to all projects
of the organization. This allows them to assign collaborators to orphaned projects and gives them
full access when none of the ordinary collaborators are available.

##### Required Roles/Permissions for Super-User Mode Access

<Tabs groupId="permissions" defaultValue="saas" queryString values={
[
{label: 'SaaS', value: 'saas' },
{label: 'Self-Managed', value: 'self-managed' },
]}>

<TabItem value='saas'>

The user must be assigned the organization **Owner** or **Admin** role.

</TabItem>

<TabItem value='self-managed'>

The user must be assigned the **Web Modeler Admin** role.

If the role is not pre-existing, it can be created with the following permissions:

- Web Modeler Internal API - `write:*`
- Web Modeler Internal API - `admin:*`
- Camunda Identity Resource Server - `read:users`

Refer to the documentation pages about [assigning roles](../../../self-managed/identity/user-guide/roles/add-assign-role.md) and [adding permissions](../../../self-managed/identity/user-guide/roles/add-assign-permission.md) for detailed instructions.
</TabItem>

</Tabs>

### Inviting users to projects

:::note
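Review bot: the Self-Managed tab (from "Web Modeler Internal API - `write:*`" through "Camunda Identity Resource Server - `read:users`") lists which permissions to grant but never says what they confer. The paragraph above it explains that super-user mode grants Project Admin access to every project in the organization, so the tab should state plainly that anyone holding the Web Modeler Admin role can read and modify all projects in the installation, and that the role should be assigned sparingly and reviewed like any other administrative grant. It would also help to say why `read:users` on Camunda Identity Resource Server is required (presumably to look up users when assigning collaborators to orphaned projects) instead of leaving administrators to guess at the least-privilege set. Two smaller points: the new heading "Required Roles/Permissions for Super-User Mode Access" is in title case while the rest of the page uses sentence case ("Super-user mode", "Inviting users to projects"), so "Required roles and permissions for super-user mode" would match; and the line "Super-user mode is not yet available in Web Modeler Self-Managed" cannot stand next to the new Self-Managed tab, so please confirm it is removed in this change (this rendering does not distinguish removed lines from context).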
@@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio

The preset permissions for Camunda components are:

| Component | Permissions | Descriptions |
| ----------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Connectors | `read:*` | Read access to all APIs |
| Console | `write:*` | Write access to all pages |
| Identity | `read` <br/> `read:users` <br/> `write` | Read access to all pages <br/> Access only the **Users** page and related subpages <br/> Write access to all pages |
| Operate | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Optimize | `write:*` | Write access to all APIs |
| Tasklist | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Web Modeler | `create:*` <br/> `read:*` <br/> `update:*` <br/> `delete:*` | CRUD access |
| Zeebe | `write:*` | Write access to all APIs |
| Component | Permissions | Descriptions |
| ----------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Connectors | `read:*` | Read access to all APIs |
| Console | `write:*` | Write access to all pages |
| Identity | `read` <br/> `read:users` <br/> `write` | Read access to all pages <br/> Access only the **Users** page and related subpages <br/> Write access to all pages |
| Operate | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Optimize | `write:*` | Write access to all APIs |
| Tasklist | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Web Modeler | `write:*` <br/><br/> `admin:*` <br/><br/> `create:*` <br/> `read:*` <br/> `update:*` <br/> `delete:*` | Access to internal API <br/><br/> Elevated Access to the Internal API (see [super-user mode](../../../../components/modeler/web-modeler/collaboration.md#super-user-mode) and [publishing Connector templates](../../../../components/connectors/manage-connector-templates.md#publish-a-connector-template)) <br/><br/> CRUD access to public API |
| Zeebe | `write:*` | Write access to all APIs |

In this guide, we will show you how to use Identity to add and assign a permission to a role.

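Review bot: the Web Modeler row now mixes permissions from two different resource servers in one cell: `write:*` and `admin:*` are described as internal API access while `create:*`, `read:*`, `update:*` and `delete:*` are "CRUD access to public API", yet the Component column just says "Web Modeler". The collaboration page in this same change calls the first one "Web Modeler Internal API" when telling admins which permissions to add to the role, so either split the row into "Web Modeler Internal API" and "Web Modeler Public API" or put the API name in the Permissions cell; otherwise an administrator creating the role cannot tell which resource server to pick. The `admin:*` description "Elevated Access to the Internal API" should also say what the elevation grants (Project Admin on all projects through super-user mode, plus publishing Connector templates) rather than only linking out, since this table is what people consult when deciding whether a permission is safe to hand out; and "Elevated Access" should be lower-case "access" to match the other descriptions in the column.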
@@ -16,16 +16,16 @@ You can create permissions for granular access control over your APIs. Permissio

The preset permissions for Camunda components are:

| Component | Permissions | Descriptions |
| ----------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Connectors | `read:*` | Read access to all APIs |
| Console | `write:*` | Write access to all pages |
| Identity | `read` <br/> `read:users` <br/> `write` | Read access to all pages <br/> Access only the **Users** page and related subpages <br/> Write access to all pages |
| Operate | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Optimize | `write:*` | Write access to all APIs |
| Tasklist | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Web Modeler | `create:*` <br/> `read:*` <br/> `update:*` <br/> `delete:*` | CRUD access |
| Zeebe | `write:*` | Write access to all APIs |
| Component | Permissions | Descriptions |
| ----------- | -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Connectors | `read:*` | Read access to all APIs |
| Console | `write:*` | Write access to all pages |
| Identity | `read` <br/> `read:users` <br/> `write` | Read access to all pages <br/> Access only the **Users** page and related subpages <br/> Write access to all pages |
| Operate | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Optimize | `write:*` | Write access to all APIs |
| Tasklist | `read:*` <br/> `write:*` | Read access to all APIs <br/> Write access to all APIs |
| Web Modeler | `write:*` <br/><br/> `create:*` <br/> `read:*` <br/> `update:*` <br/> `delete:*` | Access to internal API <br/><br/> CRUD access to public API |
| Zeebe | `write:*` | Write access to all APIs |

In this guide, we will show you how to use Identity to add and assign a permission to a role.

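Review bot: this copy of the table adds `write:*` ("Access to internal API") but not `admin:*`; if that is deliberate because this version has no super-user mode, fine, but the row has the same ambiguity as the other copy in this change: the Component column says "Web Modeler" while the descriptions distinguish "internal API" from "public API", so the permissions should name the resource server they belong to (for example "Web Modeler Internal API" and "Web Modeler Public API"). The description text should also be kept identical to the other copy of the table apart from the intentionally omitted permission, so the two versions do not drift.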