Clarify group roles docs

2026-05-25 06:08:29 +00:00 · 2019-12-18 16:34:07 -07:00
parent 63ba7b1fd5
commit 176c33a332
2 changed files with 27 additions and 10 deletions
@@ -64,7 +64,7 @@ The steps to add custom roles differ depending on the version of Rancher.

 1.  From the **Global** view, select **Security > Roles** from the main menu.

-1.  Click **Add Cluster/Project Role**.
+1.  Click **Add Role**.

 1.  **Name** the role.

@@ -72,7 +72,7 @@ The steps to add custom roles differ depending on the version of Rancher.

    > **Note:** Locked roles cannot be assigned to users.

-1.  Assign the role a **Context**. Context determines the scope of role assigned to the user. The contexts are:
+1.  In the **Context** dropdown menu, choose the scope of the role assigned to the user. The contexts are:

    - **All:** The user can use their assigned role regardless of context. This role is valid for assignment when adding/managing members to clusters or projects.

@@ -95,7 +95,7 @@ The steps to add custom roles differ depending on the version of Rancher.

 ## Creating a Custom Global Role that Copies Rules from an Existing Role

-_Available as of v2.3.4_
+_Available as of v2.4_

 If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role in which all of the rules from another role, such as the administrator role, are copied into a new role. This allows you to only configure the variations between the existing role and the new role.

@@ -112,7 +112,7 @@ To create a custom global role based on an existing role,

 ## Creating a Custom Global Role that Does Not Copy Rules from Another Role

-_Available as of v2.3.4_
+_Available as of v2.4_

 Custom global roles don't have to be based on existing roles. To create a custom global role by choosing the specific Kubernetes resource operations that should be allowed for the role, follow these steps:

@@ -125,7 +125,7 @@ Custom global roles don't have to be based on existing roles. To create a custom

 ## Deleting a Custom Global Role

-_Available as of v2.3.4_
+_Available as of v2.4_

 When deleting a custom global role, all global role bindings with this custom role are deleted.

@@ -141,7 +141,7 @@ To delete a custom global role,

 ## Assigning a Custom Global Role to a Group

-_Available as of v2.3.4_
+_Available as of v2.4_

 If you have a group of individuals that need the same level of access in Rancher, it can save time to create a custom global role. When the role is assigned to a group, the users in the group have the appropriate level of access the first time they sign into Rancher.

@@ -16,6 +16,8 @@ You cannot update or delete the built-in Global Permissions.
 This section covers the following topics:

 - [Global permission assignment](#global-permission-assignment)
+  - [Global permissions for new local users](#global-permissions-for-new-local-users)
+  - [Global permissions for users with external authentication](#global-permissions-for-users-with-external-authentication)
 - [Custom global permissions](#custom-global-permissions)
  - [Custom global permissions reference](#custom-global-permissions-reference)
  - [Configuring default global permissions for new users](#configuring-default-global-permissions)
@@ -24,10 +26,25 @@ This section covers the following topics:

 # Global Permission Assignment

-Assignment of global permissions to a user depends on their authentication source: external or local.
+Global permissions for local users are assigned differently than users who log in to Rancher using external authentication.

- **External Authentication:** When a user logs into Rancher using an external authentication provider for the first time, they are automatically assigned the `Standard User` global permission.
- **Local Authentication:** When you create a new local user, you assign them a global permission as you complete the **Add User** form.
+### Global Permissions for New Local Users
+
+When you create a new local user, you assign them a global permission as you complete the **Add User** form.
+
+To see the default permissions for new users, go to the **Global** view and click **Security > Roles.** On the **Global** tab, there is a column named **New User Default.** When adding a new local user, the user receives all  default global permissions that are marked as checked in this column. You can [change the default global permissions to meet your needs.](#configuring-default-global-permissions)
+
+### Global Permissions for Users with External Authentication
+
+When a user logs into Rancher using an external authentication provider for the first time, they are automatically assigned the `Standard User` global permission by default. 
+
+When a user logs into Rancher using an external authentication provider for the first time, they are automatically assigned the  **New User Default** global permissions. By default, Rancher assigns the **Standard User** permission for new users.
+
+To see the default permissions for new users, go to the **Global** view and click **Security > Roles.** On the **Global** tab, there is a column named **New User Default.** When adding a new local user, the user receives all default global permissions that are marked as checked in this column, and you can [change them to meet your needs.](#configuring-default-global-permissions)
+
+Permissions can be assigned to an individual user with [these steps.](#configuring-global-permissions-for-existing-individual-users)
+
+As of Rancher v2.4, you can [assign a role to everyone in the group at the same time](#configuring-global-permissions-for-groups) if the external authentication provider supports groups.

 # Custom Global Permissions

@@ -112,7 +129,7 @@ To configure permission for a user,

 ### Configuring Global Permissions for Groups

-_Available as of v2.3.4_
+_Available as of v2.4_

 If you have a group of individuals that need the same level of access in Rancher, in can save time to assign permissions to the entire group at once, so that the users in the group have the appropriate level of access the first time they sign into Rancher.