diff --git a/docs/platform/concepts/permissions.md b/docs/platform/concepts/permissions.md index 14cd351a..b59cc107 100644 --- a/docs/platform/concepts/permissions.md +++ b/docs/platform/concepts/permissions.md 
@@ -17,34 +17,18 @@ You can grant access to principals at the organization and project level. You can [add users to services](/docs/platform/howto/create_new_service_user). -:::important -Permissions are not yet fully supported in the Aiven Console. They are intended for -use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes. -::: - ## Organization roles and permissions -By default all non-managed organization users can: - -- Edit their profiles. -- Create organizations. -- Leave organizations. -- Add [allowed authentication methods](/docs/platform/howto/set-authentication-policies). -- Generate and revoke personal tokens, if allowed by the - [authentication policy](/docs/platform/howto/set-authentication-policies). -- Enable and disable feature previews. - -[Managed users](/docs/platform/concepts/managed-users) have more restrictions. - You can grant the following roles and permissions to principals at the organization level. Roles and permissions at this level apply to the organization and all units, projects, and services within it. 
### Organization roles -| Console name | API name | Permissions | -| ------------------- | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Admin | `role:organization:admin` | | +| Console name | API name | Allowed actions | +| ------------------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Organization member | None | This is the default role for all organization users. **You cannot grant this role to users.**

All non-managed organization users can:
[Managed users](/docs/platform/concepts/managed-users) have more restrictions. | +| Admin | `role:organization:admin` | | ### Organization permissions diff --git a/docs/platform/howto/make-super-admin.md b/docs/platform/howto/make-super-admin.md index 5c4960bd..b0ac1c20 100644 --- a/docs/platform/howto/make-super-admin.md +++ b/docs/platform/howto/make-super-admin.md @@ -4,7 +4,7 @@ title: Super admin import ConsoleLabel from "@site/src/components/ConsoleIcons" -The super admin role is a special role that has unrestricted access to an organization and all of is resources. This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa). +The super admin role is a special role that has unrestricted access to an organization and all of is resources. This role should be limited to as few users as possible for organization setup and emergency use. For daily administrative tasks, assign users the [organization admin role](/docs/platform/concepts/permissions) instead. Aiven also highly recommends enabling [two-factor authentication](/docs/platform/howto/user-2fa) for super admin. To make a user a super admin: diff --git a/docs/platform/howto/manage-permissions.md b/docs/platform/howto/manage-permissions.md index 341a4d7f..1a2999e4 100644 --- a/docs/platform/howto/manage-permissions.md +++ b/docs/platform/howto/manage-permissions.md 
@@ -7,11 +7,6 @@ import {ConsoleIcon} from "@site/src/components/ConsoleIcons" You can grant [organzation users](/docs/platform/howto/manage-org-users), [application users](/docs/platform/concepts/application-users), and [groups](/docs/platform/howto/manage-groups) access at the organization and project level through [roles and permissions](/docs/platform/concepts/permissions). -:::important -Permissions are not yet fully supported in the Aiven Console. They are intended for -use with the Aiven API, Aiven Provider for Terraform, and Aiven Operator for Kubernetes. -::: - :::important When you remove permissions from a user or group, service credentials are not changed. Users can still directly access services if they know the service credentials. To prevent
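Review bot: In docs/platform/concepts/permissions.md, the new `Organization member` row ends its lead sentence "All non-managed organization users can:" with no items after it in the visible hunk, while the removed section listed six (edit profiles, create organizations, leave organizations, add allowed authentication methods, generate and revoke personal tokens, enable and disable feature previews). Carry that list into the cell so the default access, token generation included, stays documented. Keep the cell on a single table row, for example with inline HTML list markup, because the blank line and line breaks shown inside the row would end the table in Markdown. The column header also changes from `Permissions` to `Allowed actions`; if other tables on this page keep the old header, rename them in the same change.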
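Review bot: In docs/platform/howto/make-super-admin.md, the rewritten paragraph still carries the typo "all of is resources" (should be "all of its resources"), and the added ending "for super admin" reads better as "for super admins". Both are on the one line this hunk already replaces, so fix them here.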
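Review bot: In docs/platform/howto/manage-permissions.md, the context line directly above the removed admonition spells the link text "organzation users"; correct it to "organization users" while this paragraph is being edited. The same Console-support note is removed from permissions.md in this patch, so check that no other page still carries the "not yet fully supported in the Aiven Console" wording, otherwise the docs will contradict each other.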