AccessControl: Document basic roles changes and provisioning V2 (#48910)
* AccessControl: Document basic roles simplifying * Add sample file for provisioning v2 * WIP * Update provisioning example from docs * Fix wrong permission in docs * Nits on about-rbas.md * Manage rbac roles * Nit. * Nit. * Rephrase * Comment * Add version to the role * Update role * Update role * Spell * Final touch on about-rbac * Add basic role UID mapping about-rbac * Team assignments * assign rbac roles * move for more info * enable rbac and provisioning * spell * plan rbac rollout strategy * Cover factory reset * remove builtin assignment permissions from docs * to -> from * Custom role actions scopes * spell * Update docs/sources/enterprise/access-control/about-rbac.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/about-rbac.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/assign-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/assign-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/assign-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/custom-role-actions-scopes.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update 
docs/sources/enterprise/access-control/custom-role-actions-scopes.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/enable-rbac-and-provisioning.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Remove factory as much as possible * Update docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md Co-authored-by: Christopher 
Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/plan-rbac-rollout-strategy.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Have -> Must Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Have -> Must Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Replace factory by hard reset * Replace LINK * Update docs/sources/enterprise/access-control/about-rbac.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Suggestion on example descriptions Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/enterprise/access-control/manage-rbac-roles.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Remove comment on permissions escalate * Prettier. * add a sentence to explain the type:escalate * add a sentence to explain the type:escalate * Rephrase * Remove TODOs as discussed with jguer Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Implement vardan's suggestion to have only one mapping: Co-authored-by: Vardan Torosyan <vardants@gmail.com> * Document that you cannot delete basic roles Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
@@ -1,76 +1,68 @@
|
||||
# ---
|
||||
# # config file version
|
||||
# apiVersion: 1
|
||||
# apiVersion: 2
|
||||
|
||||
# # list of default built-in role assignments that should be removed
|
||||
# removeDefaultAssignments:
|
||||
# # <string>, must be one of the Organization roles (`Viewer`, `Editor`, `Admin`) or `Grafana Admin`
|
||||
# - builtInRole: "Grafana Admin"
|
||||
# # <string>, must be one of the existing fixed roles
|
||||
# fixedRole: "fixed:permissions:admin"
|
||||
|
||||
# # list of default built-in role assignments that should be added back
|
||||
# addDefaultAssignments:
|
||||
# # <string>, must be one of the Organization roles (`Viewer`, `Editor`, `Admin`) or `Grafana Admin`
|
||||
# - builtInRole: "Admin"
|
||||
# # <string>, must be one of the existing fixed roles
|
||||
# fixedRole: "fixed:reporting:admin:read"
|
||||
|
||||
# # list of roles that should be deleted
|
||||
# deleteRoles:
|
||||
# # <string> name of the role you want to create. Required if no uid is set
|
||||
# - name: "custom:reports:editor"
|
||||
# # <string> uid of the role. Required if no name
|
||||
# uid: "customreportseditor1"
|
||||
# # <int> org id. will default to Grafana's default if not specified
|
||||
# orgId: 1
|
||||
# # <bool> force deletion revoking all grants of the role
|
||||
# force: true
|
||||
# - name: "custom:global:reports:reader"
|
||||
# uid: "customglobalreportsreader1"
|
||||
# # <bool> overwrite org id and removes a global role
|
||||
# global: true
|
||||
# force: true
|
||||
|
||||
# # list of roles to insert/update depending on what is available in the database
|
||||
# # <list> list of roles to insert/update/delete
|
||||
# roles:
|
||||
# # <string, required> name of the role you want to create. Required
|
||||
# - name: "custom:users:editor"
|
||||
# # <string, required> name of the role you want to create or update. Required.
|
||||
# - name: 'custom:users:writer'
|
||||
# # <string> uid of the role. Has to be unique for all orgs.
|
||||
# uid: customuserseditor1
|
||||
# uid: customuserswriter1
|
||||
# # <string> description of the role, informative purpose only.
|
||||
# description: "Role for our custom user editors"
|
||||
# # <int> version of the role, Grafana will update the role when increased
|
||||
# description: 'Create, read, write users'
|
||||
# # <int> version of the role, Grafana will update the role when increased.
|
||||
# version: 2
|
||||
# # <int> org id. will default to Grafana's default if not specified
|
||||
# orgId: 1
|
||||
# # <list> list of the permissions granted by this role
|
||||
# # <int> org id. Defaults to Grafana's default if not specified.
|
||||
# orgId: 1
|
||||
# # <list> list of the permissions granted by this role.
|
||||
# permissions:
|
||||
# # <string, required> action allowed
|
||||
# - action: "users:read"
|
||||
# #<string> scope it applies to
|
||||
# scope: "users:*"
|
||||
# - action: "users:write"
|
||||
# scope: "users:*"
|
||||
# - action: "users:create"
|
||||
# scope: "users:*"
|
||||
# # <list> list of builtIn roles the role should be assigned to
|
||||
# builtInRoles:
|
||||
# # <string, required> name of the builtin role you want to assign the role to
|
||||
# - name: "Editor"
|
||||
# # <int> org id. will default to the role org id
|
||||
# orgId: 1
|
||||
# - name: "custom:global:users:reader"
|
||||
# uid: "customglobalusersreader1"
|
||||
# description: "Global Role for custom user readers"
|
||||
# version: 1
|
||||
# # <bool> overwrite org id and creates a global role
|
||||
# # <string, required> action allowed.
|
||||
# - action: 'users:read'
|
||||
# #<string> scope it applies to.
|
||||
# scope: 'users:*'
|
||||
# - action: 'users:write'
|
||||
# scope: 'users:*'
|
||||
# - action: 'users:create'
|
||||
# - name: 'custom:global:users:reader'
|
||||
# # <bool> overwrite org id and creates a global role.
|
||||
# global: true
|
||||
# permissions:
|
||||
# - action: "users:read"
|
||||
# scope: "users:*"
|
||||
# builtInRoles:
|
||||
# - name: "Viewer"
|
||||
# orgId: 1
|
||||
# - name: "Editor"
|
||||
# # <bool> overwrite org id and assign role globally
|
||||
# # <string> state of the role. Defaults to 'present'. If 'absent', role will be deleted.
|
||||
# state: 'absent'
|
||||
# # <bool> force deletion revoking all grants of the role.
|
||||
# force: true
|
||||
# - uid: 'basic_editor'
|
||||
# version: 2
|
||||
# global: true
|
||||
# # <list> list of roles to copy permissions from.
|
||||
# from:
|
||||
# - uid: 'basic_editor'
|
||||
# global: true
|
||||
# - name: 'fixed:users:writer'
|
||||
# global: true
|
||||
# # <list> list of the permissions to add/remove on top of the copied ones.
|
||||
# permissions:
|
||||
# - action: 'users:read'
|
||||
# scope: 'users:*'
|
||||
# - action: 'users:write'
|
||||
# scope: 'users:*'
|
||||
# # <string> state of the permission. Defaults to 'present'. If 'absent', the permission will be removed.
|
||||
# state: absent
|
||||
|
||||
# # <list> list role assignments to teams to create or remove.
|
||||
# teams:
|
||||
# # <string, required> name of the team you want to assign roles to. Required.
|
||||
# - name: 'Users writers'
|
||||
# # <int> org id. Will default to Grafana's default if not specified.
|
||||
# orgId: 1
|
||||
# # <list> list of roles to assign to the team
|
||||
# roles:
|
||||
# # <string> uid of the role you want to assign to the team.
|
||||
# - uid: 'customuserswriter1'
|
||||
# # <int> org id. Will default to Grafana's default if not specified.
|
||||
# orgId: 1
|
||||
# # <string> name of the role you want to assign to the team.
|
||||
# - name: 'fixed:users:writer'
|
||||
# # <bool> overwrite org id to specify the role is global.
|
||||
# global: true
|
||||
# # <string> state of the assignment. Defaults to 'present'. If 'absent', the assignment will be revoked.
|
||||
# state: absent
|
||||
|
||||
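Review bot: The `- uid: 'basic_editor'` entry near the end of the `roles:` list redefines a basic role, but nothing in the sample says the result applies to every user who holds Editor; the entry copies `fixed:users:writer` through `from:` and then removes `users:write` with `state: absent`. Because the whole file is a commented-out template, an operator who uncomments it as-is would change Editor's user-management permissions with no prompt to review them, so I would add a comment above the entry such as `# # Example only: overrides the basic Editor role for everyone who holds it. Review the resulting permissions before enabling.` On style, `state` is quoted once (`'absent'`) and bare twice (`absent`), and `#<string> scope it applies to.` lacks the space after `#`. The old/new markers are lost on this page, so I am reading the single-quoted lines as the new side.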