-
Notifications
You must be signed in to change notification settings - Fork 435
Add Granular Console permissions documentation #6189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -46,11 +46,86 @@ | |
|
|
||
| 3. Click **Update** to save the changes. | ||
|
|
||
|
|
||
| ## Manage Console roles | ||
|
|
||
| Roles are a collection of permissions. You can create roles and assign users and groups to them so that they gain limited access to Console features. Follow the sections below to learn about managing Console roles. | ||
|
|
||
| ### Console role permissions | ||
|
|
||
| When you create a Console role, you grant it access to one or more **Console components** — features such as **Applications**, **Connections**, **Users**, **Groups**, and **Roles**. You assign these permissions at two levels: | ||
|
|
||
| <table> | ||
| <tr> | ||
| <td><b>Tenant Permissions</b></td> | ||
| <td>The permissions the role has for the root organization.</td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Organization Permissions</b></td> | ||
| <td>The permissions the role has for the child organizations.</td> | ||
| </tr> | ||
| </table> | ||
|
|
||
| #### Permission levels | ||
|
|
||
| By default, you can assign each Console component one of the following permission levels: | ||
|
|
||
| <table> | ||
| <tr> | ||
| <td><b>View</b></td> | ||
| <td>Assigns read permissions for the component.</td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Edit</b></td> | ||
| <td>Assigns read, create, update, and delete permissions for the component.</td> | ||
| </tr> | ||
| </table> | ||
|
|
||
| !!! note | ||
|
|
||
| Selecting **View** or **Edit** for a given Console component assigns the role several scopes pertaining to it. For example, if you select **Applications** and assign the **View** permission, the role is assigned the following scopes. | ||
|
|
||
| {: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} | ||
|
|
||
| #### Granular console permissions | ||
|
|
||
| By default, Console roles use the combined **View** and **Edit** permission model described above, where **Edit** grants **Create**, **Update**, and **Delete** access together. | ||
|
|
||
| You can optionally enable a more granular permission model that lets you assign **Create**, **Update**, and **Delete** permissions independently for each Console component. This is controlled by the `use_granular_console_permissions` setting, which is `false` by default. Enable it only when you need this level of control over Console permissions. To do so, add the following configuration to the `deployment.toml` file and restart the server. | ||
|
|
||
| ```toml | ||
| [console_settings] | ||
| use_granular_console_permissions = true | ||
| ``` | ||
|
|
||
| Once enabled, you can assign each Console component the following permission levels: | ||
|
|
||
| <table> | ||
| <tr> | ||
| <td><b>View</b></td> | ||
| <td>Assigns read permissions for the component.</td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Create</b></td> | ||
| <td>Assigns read and create permissions for the component.</td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Update</b></td> | ||
| <td>Assigns read and update permissions for the component.</td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Delete</b></td> | ||
| <td>Assigns read and delete permissions for the component.</td> | ||
| </tr> | ||
| </table> | ||
|
|
||
|  | ||
|
|
||
| !!! note | ||
| **View** is required whenever **Create**, **Update**, or **Delete** is selected for a component, and it cannot be turned off while any of those write permissions remain active. | ||
|
|
||
| !!! note "Compatibility with existing roles" | ||
| Console roles created earlier with the combined **Edit** permission continue to work when the granular model is enabled. **Edit** grants **Create**, **Update**, and **Delete** together. | ||
|
|
||
| ### Create a role | ||
|
|
||
| !!! warning "Important" | ||
|
|
@@ -66,37 +141,6 @@ | |
|
|
||
| {: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} | ||
|
|
||
| <table> | ||
| <tr> | ||
| <td><b>Role Name</b></td> | ||
| <td>Provide a meaningful name that describes the level of access the role has to the Console <code>e.g. application:read</code></td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Tenant Permissions</b></td> | ||
| <td>Select the permissions the role has for the root organization. For each Console component, | ||
| <ul> | ||
| <li>Select <b>View</b> if you wish to assign read permissions for the component.</li> | ||
| <li>Select <b>Edit</b> if you wish to assign read, create, update and delete permissions for the component.</li> | ||
| </ul> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td><b>Organization Permissions</b></td> | ||
| <td>Select the permissions the role has for the child organizations. For each Console component, | ||
| <ul> | ||
| <li>Select <b>View</b> if you wish to assign read permissions for the component.</li> | ||
| <li>Select <b>Edit</b> if you wish to assign read, create, update and delete permissions for the component.</li> | ||
| </ul> | ||
| </td> | ||
| </tr> | ||
| </table> | ||
|
|
||
| !!! note | ||
|
|
||
| When choosing tenant and organization permissions, selecting **View** or **Edit** for a given Console component gives the role access to several scopes pertaining to it. For example, if you select `Applications` and assign the `View` permission, the role will be assigned the following scopes. | ||
|
|
||
| {: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} | ||
|
|
||
| 4. Click **Add** to save the role. | ||
|
|
||
| ### Assign users/groups to a role | ||
|
|
@@ -119,7 +163,7 @@ | |
|
|
||
| - Click **Update** to assign the user. | ||
|
|
||
|
|
||
|
Check failure on line 166 in en/includes/guides/admin-portal/manage-console-access.md
|
||
| - To assign a group: | ||
|
|
||
| - Go to the **Groups** tab. | ||
|
|
@@ -140,9 +184,9 @@ | |
|
|
||
| 3. Select the checkbox and confirm your action. | ||
|
|
||
|
|
||
|
Check failure on line 187 in en/includes/guides/admin-portal/manage-console-access.md
|
||
| ## Manage administrators | ||
|
|
||
| Users who are assigned to one or more Console roles created [above](#create-a-role), are listed under the **Administrators** tab in **Console Settings**. For instructions on managing administrators, refer to [manage administrators]({{base_path}}/guides/users/manage-administrators/). | ||
|
|
||
|
|
||
|
Check failure on line 192 in en/includes/guides/admin-portal/manage-console-access.md
|
||
Uh oh!
There was an error while loading. Please reload this page.