Skip to content

Commit

Permalink
add org member back to table and remove notices
Browse files Browse the repository at this point in the history
  • Loading branch information
staceysalamon-aiven committed Dec 12, 2024
1 parent 56a9b26 commit 661f040
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 26 deletions.
24 changes: 4 additions & 20 deletions docs/platform/concepts/permissions.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,34 +17,18 @@ You can grant access to principals at the organization and project level.
You can
[add users to services](/docs/platform/howto/create_new_service_user).

:::important
Permissions are not yet fully supported in the Aiven Console. They are intended for
use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes.
:::

## Organization roles and permissions

By default all non-managed organization users can:

- Edit their profiles.
- Create organizations.
- Leave organizations.
- Add [allowed authentication methods](/docs/platform/howto/set-authentication-policies).
- Generate and revoke personal tokens, if allowed by the
[authentication policy](/docs/platform/howto/set-authentication-policies).
- Enable and disable feature previews.

[Managed users](/docs/platform/concepts/managed-users) have more restrictions.

You can grant the following roles and permissions to principals at the organization level.
Roles and permissions at this level apply to the organization and all units, projects,
and services within it.

### Organization roles

| Console name | API name | Permissions |
| ------------------- | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin | `role:organization:admin` | <ul> <li> Full access to the organization. </li> <li> View and change billing information. </li> <li> Change the authentication policy. </li> <li> Invite, deactivate, and remove organization users. </li> <li> Create, edit, and delete groups. </li> <li> Create and delete application users and their tokens. </li> <li> Add and remove domains. </li> <li> Add, enable, disable, and remove identity providers. </li> </ul> |
| Console name | API name | Permissions | | |
| ------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Organization member | None | This is the default role for all organization users. You cannot grant this role to users. All non-managed organization users can: <ul> <li> Edit their profiles. </li> <li> Create organizations. </li> <li> Leave organizations. </li> <li> Add [allowed authentication methods](/docs/platform/howto/set-authentication-policies). </li> <li> Generate and revoke personal tokens, if allowed by the [authentication policy](/docs/platform/howto/set-authentication-policies). </li> <li> Enable and disable feature previews. </li> </ul> [Managed users](/docs/platform/concepts/managed-users) have more restrictions. |
| Admin | `role:organization:admin` | <ul> <li> Full access to the organization. </li> <li> View and change billing information. </li> <li> Change the authentication policy. </li> <li> Invite, deactivate, and remove organization users. </li> <li> Create, edit, and delete groups. </li> <li> Create and delete application users and their tokens. </li> <li> Add and remove domains. </li> <li> Add, enable, disable, and remove identity providers. </li> </ul> |

### Organization permissions

Expand Down
2 changes: 1 addition & 1 deletion docs/platform/howto/make-super-admin.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ title: Super admin

import ConsoleLabel from "@site/src/components/ConsoleIcons"

The super admin role is a special role that has unrestricted access to an organization and all of is resources. This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa).
The super admin role is a special role that has unrestricted access to an organization and all of is resources. This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa) for super admin.

To make a user a super admin:

Expand Down
5 changes: 0 additions & 5 deletions docs/platform/howto/manage-permissions.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,6 @@ import {ConsoleIcon} from "@site/src/components/ConsoleIcons"

You can grant [organzation users](/docs/platform/howto/manage-org-users), [application users](/docs/platform/concepts/application-users), and [groups](/docs/platform/howto/manage-groups) access at the organization and project level through [roles and permissions](/docs/platform/concepts/permissions).

:::important
Permissions are not yet fully supported in the Aiven Console. They are intended for
use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes.
:::

:::important
When you remove permissions from a user or group, service credentials are not changed.
Users can still directly access services if they know the service credentials. To prevent
Expand Down

0 comments on commit 661f040

Please sign in to comment.