diff --git a/en/identity-server/7.1.0/docs/assets/img/guides/organization/console/granular-console-role-permissions.png b/en/identity-server/7.1.0/docs/assets/img/guides/organization/console/granular-console-role-permissions.png new file mode 100644 index 0000000000..e10b29d367 Binary files /dev/null and b/en/identity-server/7.1.0/docs/assets/img/guides/organization/console/granular-console-role-permissions.png differ diff --git a/en/includes/guides/admin-portal/manage-console-access.md b/en/includes/guides/admin-portal/manage-console-access.md index 42126fc293..c36586438b 100644 --- a/en/includes/guides/admin-portal/manage-console-access.md +++ b/en/includes/guides/admin-portal/manage-console-access.md @@ -46,11 +46,86 @@ To customize login for the Console, 3. Click **Update** to save the changes. - ## Manage Console roles Roles are a collection of permissions. You can create roles and assign users and groups to them so that they gain limited access to Console features. Follow the sections below to learn about managing Console roles. +### Console role permissions + +When you create a Console role, you grant it access to one or more **Console components** — features such as **Applications**, **Connections**, **Users**, **Groups**, and **Roles**. You assign these permissions at two levels: + + + + + + + + + + +
Tenant PermissionsThe permissions the role has for the root organization.
Organization PermissionsThe permissions the role has for the child organizations.
+ +#### Permission levels + +By default, you can assign each Console component one of the following permission levels: + + + + + + + + + + +
ViewAssigns read permissions for the component.
EditAssigns read, create, update, and delete permissions for the component.
+ +!!! note + + Selecting **View** or **Edit** for a given Console component assigns the role several scopes pertaining to it. For example, if you select **Applications** and assign the **View** permission, the role is assigned the following scopes. + + ![Scopes assigned for a given permission for a Console component]({{base_path}}/assets/img/guides/organization/console/console-role-permissions.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +#### Granular console permissions + +By default, Console roles use the combined **View** and **Edit** permission model described above, where **Edit** grants **Create**, **Update**, and **Delete** access together. + +You can optionally enable a more granular permission model that lets you assign **Create**, **Update**, and **Delete** permissions independently for each Console component. This is controlled by the `use_granular_console_permissions` setting, which is `false` by default. Enable it only when you need this level of control over Console permissions. To do so, add the following configuration to the `deployment.toml` file and restart the server. + +```toml +[console_settings] +use_granular_console_permissions = true +``` + +Once enabled, you can assign each Console component the following permission levels: + + + + + + + + + + + + + + + + + + +
ViewAssigns read permissions for the component.
CreateAssigns read and create permissions for the component.
UpdateAssigns read and update permissions for the component.
DeleteAssigns read and delete permissions for the component.
+ +![Granular console permissions]({{base_path}}/assets/img/guides/organization/console/granular-console-role-permissions.png) + +!!! note + **View** is required whenever **Create**, **Update**, or **Delete** is selected for a component, and it cannot be turned off while any of those write permissions remain active. + +!!! note "Compatibility with existing roles" + Console roles created earlier with the combined **Edit** permission continue to work when the granular model is enabled. **Edit** grants **Create**, **Update**, and **Delete** together. + ### Create a role !!! warning "Important" @@ -66,37 +141,6 @@ To create a role for the Console, ![Create a role for the Console]({{base_path}}/assets/img/guides/organization/console/create-console-role.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} - - - - - - - - - - - - - -
Role NameProvide a meaningful name that describes the level of access the role has to the Console e.g. application:read
Tenant PermissionsSelect the permissions the role has for the root organization. For each Console component, -
    -
  • Select View if you wish to assign read permissions for the component.
  • -
  • Select Edit if you wish to assign read, create, update and delete permissions for the component.
  • -
-
Organization PermissionsSelect the permissions the role has for the child organizations. For each Console component, -
    -
  • Select View if you wish to assign read permissions for the component.
  • -
  • Select Edit if you wish to assign read, create, update and delete permissions for the component.
  • -
-
- - !!! note - - When choosing tenant and organization permissions, selecting **View** or **Edit** for a given Console component gives the role access to several scopes pertaining to it. For example, if you select `Applications` and assign the `View` permission, the role will be assigned the following scopes. - - ![Scopes assigned for a given permission for a Conosle component]({{base_path}}/assets/img/guides/organization/console/console-role-permissions.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} - 4. Click **Add** to save the role. ### Assign users/groups to a role