[DOC-11250] Document adding roles upon invite #18964

Open
wants to merge 7 commits into
base: main
2 changes: 1 addition & 1 deletion src/current/cockroachcloud/cloud-org-sso.md
Expand Up @@ -90,7 +90,7 @@ A user can view their current authentication method by clicking **My Account** i

No. With Basic SSO, only one authentication method can be active for each CockroachDB {{ site.data.products.cloud }} Console user. To view or update their active authentication method, a user can click **My Account** in the [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) .

#### Does this change to invite users?
#### Does this change how to invite users?

The [workflow for inviting team members]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization) to your CockroachDB {{ site.data.products.cloud }} organization remains the same.

6 changes: 0 additions & 6 deletions src/current/cockroachcloud/create-an-account.md
Expand Up @@ -72,12 +72,6 @@ We highly recommend enabling multi-factor authentication (MFA) with your SSO pro

## Change your account details

- [Change your account name](#change-your-account-name)
- [Change your email](#change-your-email)
- [Change your account password](#change-your-account-password)
- [Change your organization name](#change-your-organization-name)
- [Change your login method](#change-your-login-method)

### Change your account name

To change your account name:
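Review bot: Deleting the bulleted list leaves the `## Change your account details` heading with no body before the first `### Change your account name` subsection, so it reads as an empty section; if the list was removed because the site now renders an automatic table of contents, a one-sentence intro ("You can change the following details from the Console:") would keep the heading from looking orphaned. The `### Change your account name` heading is unchanged, so the anchor the deleted list pointed at still resolves.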
17 changes: 9 additions & 8 deletions src/current/cockroachcloud/managing-access.md
Expand Up @@ -32,26 +32,26 @@ An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administra

1. If you are a member of multiple organizations, navigate to the organization to which you want to invite a team member. You can navigate to the correct organization by using the drop-down box in the top-right corner.
1. On the **Access Management** page, under the *Members* tab, click **Invite**.
1. In the **Email Address** field, enter the email address of the team member you want to invite. By default, a user is assigned the [Organization member]({% link cockroachcloud/authorization.md %}#organization-member) role; this default role grants no access. After the user accepts the invitation, an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can grant them additional roles.
1. In the **Email Address** field, enter the email address of the team member you want to invite. By default, a user is assigned the [Organization member]({% link cockroachcloud/authorization.md %}#organization-member) role; this default role grants no access. After the user is invited, you will be able to [grant additional roles](#change-a-team-members-roles).
1. If required, you could invite multiple users at the same time by adding a row per email address using **+ Add Member**.

It is also possible to enable [autoprovisioning]({% link cockroachcloud/cloud-org-sso.md %}#autoprovisioning) for your organization, which removes the need to invite team members.

### Change a team member's role
<a id="change-a-team-members-role"></a>
### Change a team member's roles

1. On the **Access Management** page, locate the team member's details whose role you want to change. Note that the **Role** column lists current organization roles granted to each user. See: [Organization User Roles]({% link cockroachcloud/authorization.md %}#organization-user-roles)
1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current organization roles granted to each user. See: [Organization User Roles]({% link cockroachcloud/authorization.md %}#organization-user-roles)
1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**.
1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is either **Organization** or the name of a particular cluster. If the role is Cluster Administrator, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization.
1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is one of **Organization**, the name of a particular [folder]({% link cockroachcloud/folders.md %}), or the name of a particular cluster. If the role is Cluster Administrator, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization.

{{site.data.alerts.callout_info}}
When editing roles for a group in the **Groups** tab, the fields for that group's inherited roles are read-only, because inherited roles cannot be edited directly. Instead, you must either remove the role from the parent group from which it is inherited, or remove the member from the parent group.
{{site.data.alerts.end}}

{{site.data.alerts.callout_danger}}
An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can revoke that role from their own user, but cannot subsequently re-grant the administrator role to themselves.
An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can revoke the Org Administrator role from their own user, but cannot subsequently re-grant the administrator role to themselves.
{{site.data.alerts.end}}


### Remove a team member

1. On the **Access Management** page, locate the team member you want to remove.
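Review bot: The rewritten invite step replaces "After the user accepts the invitation, an Org Administrator can grant them additional roles" with "After the user is invited, you will be able to grant additional roles", which changes the stated point at which roles can be granted. If roles can now be assigned to a pending invitee before they accept (which the PR title suggests), say so explicitly and state when those grants take effect; if acceptance is still the precondition, keep the original wording so the doc does not imply access is granted before the identity is confirmed. In the same hunk, the roles step now lists a folder as a possible scope but only explains what Organization scope means for Cluster Administrator, Cluster Operator and Cluster Developer; add a parallel sentence describing what assigning one of those roles at folder scope covers. Keeping `<a id="change-a-team-members-role"></a>` under the renamed heading preserves the old anchor, which is the right call.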
Expand All @@ -66,7 +66,7 @@ An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administra

### Delete an email address

This is not currently available through the Console. To remove an email address from your account, [contact Support](https://support.cockroachlabs.com).
This is not currently available through the CockroachDB {{ site.data.products.cloud }} Console. To remove an email address from your account, [contact Support](https://support.cockroachlabs.com).

### Delete an organization

Expand Down Expand Up @@ -96,7 +96,7 @@ The access management model for service accounts is unified with the [user model
1. Confirm creation of the service account.

{{site.data.alerts.callout_info}}
Service accounts, like users, are given only the **Org Member** role by default upon creation. This role grants no access in the organization.
Service accounts, like users, are given only the **Org Member** role by default upon creation. This role grants no access in the organization. After it is created, you can grant additional roles to the service account.
{{site.data.alerts.end}}

### Edit roles on a service account
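Review bot: The sentence added to the callout, "After it is created, you can grant additional roles to the service account", does not link to the procedure, whereas the equivalent user sentence earlier in this PR links to `#change-a-team-members-roles`; link it to the `### Edit roles on a service account` section that follows for consistency.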
Expand All @@ -106,6 +106,7 @@ Service accounts, like users, are given only the **Org Member** role by default
1. A number of fine-grained roles can be assigned to a given service account. These are the same [roles that can be assigned to users]({% link cockroachcloud/authorization.md %}#organization-user-roles). Each role is represented by a row. Each row has a **scope**, which is either **Organization** or the name of a particular cluster. If the role is Cluster Administrator, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization.

The fields for a group's inherited roles are read-only, because inherited roles cannot be edited directly. Instead, you must either remove the role from the parent group from which it is inherited, or remove the member from the parent group.

### API access

Each service account can have one or more API keys. API keys are used to authenticate and authorize service accounts when using the API. All API keys created by the account are listed under **API Access**.
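Review bot: The service-account roles step still describes the scope as "either **Organization** or the name of a particular cluster", while the user-roles step changed in this same PR now adds "the name of a particular folder" as a scope; update this line to match (or state that folder scope does not apply to service accounts) so the two procedures do not disagree about which scopes exist.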