update: add org permissions and roles #532

Draft
wants to merge 3 commits into
base: main
64 changes: 45 additions & 19 deletions docs/platform/concepts/permissions.md
Expand Up @@ -12,17 +12,53 @@ Principals are
[organization users](/docs/platform/howto/manage-org-users),
[application users](/docs/platform/concepts/application-users),
and [groups](/docs/platform/howto/list-groups).
You can grant access to principals at the project level. You can

You can grant access to principals at the organization and project level.
You can
[add users to services](/docs/platform/howto/create_new_service_user).

To grant access to resources at the organization level, you can
make organization users [super admin](/docs/platform/howto/make-super-admin).
Limit the number of users with this role as it gives unrestricted access to
all organization resources including billing, admin, and all projects and services.
:::important
Permissions are not yet fully supported in the Aiven Console. They are intended for
use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes.
:::

## Organization roles and permissions

You can grant the following roles and permissions to principals at the organization level.
Roles and permissions at this level apply to the organization and all units, projects,
and services within it.

### Organization roles

| Console name | API name | Permissions |
| ------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin | `role:organization:admin` | <ul> <li> Full access to the organization. </li> <li> View and change billing information. </li> <li> Change the authentication policy. </li> <li> Invite, deactivate, and remove organization users. </li> <li> Create, edit, and delete groups. </li> <li> Create and delete application users and their tokens. </li> <li> Add and remove domains. </li> <li> Add, enable, disable, and remove identity providers. </li> </ul> |
| Organization member | `role:organization:member` | The default role assigned to all organization users. <br/> <br/> Non-managed users can: <ul> <li> Edit their profiles. </li> <li> Create organizations. </li> <li> Leave organizations. </li> <li> Add [allowed authentication methods](/docs/platform/howto/set-authentication-policies). </li> <li> Generate and revoke personal tokens, if allowed by the [authentication policy](/docs/platform/howto/set-authentication-policies). </li> <li> Enable and disable feature previews. </li> </ul> |

### Organization permissions

## Project roles
| Console name | API name | Allowed actions |
| ------------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Manage application users | `organization:app_users:write` | <ul> <li> Create, edit, and delete application users. </li> <li> Generate and revoke application tokens. </li> </ul> |
| View organization audit log | `organization:audit_log:read` | <ul> <li> View the audit log. </li> </ul> |
| View billing | `organization:billing:read` | <ul> <li> View all billing groups, billing addresses, and payment methods. </li> </ul> |
| Manage billing | `organization:billing:write` | <ul> <li> Create, edit, and delete billing groups, billing addresses, and payment methods. </li> </ul> |
| Manage domains | `organization:domains:write` | <ul> <li> Add and remove domains. </li> </ul> |
| Manage groups | `organization:groups:write` | <ul> <li> Add and remove organization and application users to/from groups. </li> </ul> |
| Manage IdPs | `organization:idps:write` | <ul> <li> Add edit, enable, disable, and remove identity providers. </li> </ul> |
| View organization networking | `organization:networking:read` | <ul> <li> View all organization virtual private clouds (VPCs). </li> </ul> |
| Manage organization networking | `organization:networking:write` | <ul> <li> Add, edit, and remove organization VPCs. </li> <li> Create and change VPC peering connections. </li> </ul> |
| View organization permissions | `organization:permissions:read` | <ul> <li> View all permissions. </li> </ul> |
| Manage organization permissions | `organization:permissions:write` | <ul> <li> Grant, edit, and remove organization permissions to/from groups and users. </li> </ul> |
| View projects | `organization:projects:read` | <ul> <li> List all projects. </li> <li> View all project tags. </li> </ul> No project or service access. |
| Manage projects | `organization:projects:write` | <ul> <li> Create and delete projects. </li> <li> Change the billing group the project is assigned to. </li> <li> Move a project to another organization or unit. </li> <li> Add and remove project tags. </li> </ul> No access to other project settings or services. |

You can grant the following roles for projects to principals.

## Project roles and permissions
You can grant the following roles and permissions to principals. Roles and permissions granted at
this level apply to the project and all services within it.

### Project roles

| Console name | API name | Permissions |
| ----------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
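Review bot: the introductory sentence "Roles and permissions at this level apply to the organization and all units, projects, and services within it." contradicts the `organization:projects:read` and `organization:projects:write` rows, which end with "No project or service access." and "No access to other project settings or services."; reword the intro so that organization-level permissions are described as scoped by their listed allowed actions and as not granting access inside projects or services by themselves. Three further points on this hunk. First, the least-privilege guidance that accompanied super admin ("Limit the number of users with this role as it gives unrestricted access...") should carry over to the `role:organization:admin` row, and the same caution belongs on `organization:permissions:write` (a holder who can "Grant, edit, and remove organization permissions to/from groups and users" can grant any other permission, including to themselves), on `organization:groups:write` (adding a user to a group that already holds permissions is indirectly a permission grant) and on `organization:app_users:write` ("Generate and revoke application tokens" lets the holder act as any application user). Second, `## Project roles` sits between the `### Organization permissions` heading and its table; if that line is a retained line rather than a deletion it should go, since `## Project roles and permissions` follows below. Third, the Manage IdPs row reads "Add edit, enable, disable, and remove"; it needs a comma after "Add".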
Expand All @@ -33,18 +69,7 @@ You can grant the following roles for projects to principals.
| Maintain services | `role:services:maintenance` | <ul> <li> Perform service maintenance updates. </li> <li> Change maintenance windows. </li> <li> Upgrade service versions. </li> </ul> |
| Recover services | `role:services:recover` | <ul> <li> Add and remove dynamic disk sizing and tiered storage. </li> <li> Change service plans. </li> <li> Fork services. </li> <li> Promote read replicas. </li> </ul> |

Project admin do not have access to organization settings such as billing unless
they are also a [super admin](/docs/platform/howto/make-super-admin).

## Project and service permissions

:::important
Permissions are not yet fully supported in the Aiven Console. They are intended for
use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes.
:::

You can grant the following permissions to principals. The actions listed for each
permission apply to the project and all services within it.
### Project permissions

| Console name | API name | Allowed actions |
| ---------------------------- | ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
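Review bot: removing "Project admin do not have access to organization settings such as billing unless they are also a super admin" drops the only statement that project-level roles do not reach organization settings; keep an updated version under `### Project roles`, for example "Project-level roles do not grant access to organization settings such as billing; that requires an organization role or permission such as `role:organization:admin` or `organization:billing:read`." (which also fixes "Project admin do" to "Project admins do not"). Deleting the `:::important` admonition here is fine as long as the copy moved to the top of the page is the one that remains.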
Expand All @@ -61,3 +86,4 @@ permission apply to the project and all services within it.
| View service logs | `service:logs:read` | <ul> <li> View logs for all services in the project. </li> </ul> **Service logs may contain sensitive information.** |
| View configuration secrets | `service:secrets:read` | <ul> <li> Read service configuration secrets such as keys. </li> </ul> |
| Manage service users | `service:users:write` | <ul> <li> Create and delete service users. </li> <li> View and update connection information for services. </li> </ul> |
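Review bot: the `service:secrets:read` row ("Read service configuration secrets such as keys") and the `service:users:write` row ("View and update connection information for services") both expose credentials but carry no caution, whereas the `service:logs:read` row bolds "Service logs may contain sensitive information."; add an equivalent bold note to both rows so readers grant them as sparingly as log access.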