Clean up the Cloud Console roles topic #19758
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Screenshot showing how the table renders. Note that it currently requires horizontal scrolling on browser windows smaller than fullscreen 1920x1080 which may not be acceptable. 
|
jhlodin
changed the title
jhlodin
force-pushed
the
jl/doc-12238
branch
2 times, most recently
from
7cb8e59 to
e86347f
Compare
jaiayu
reviewed
Jun 17, 2025
| | `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` | | ||
| | `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` | | ||
|
|
||
| {% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %} |
There was a problem hiding this comment.
@biplav-crl can you review these roles and permissions and ensure they are correct?
There was a problem hiding this comment.
We need to add which roles can do cluster upgrade/downgrade. Additionally, add PCR whenever we add documentation for PCR. Mention about Terraform for Cluster Creator/Admin. Also bring in details for ccloud. I see network auth, but calling our create private clusters, egress perimeter control would be a good idea. Also, linking these operation to relevant documentation pages will add value.
I was unable to review the pages and have just reviewed the table. Apart from above feedback comments, rest LGTM.
There was a problem hiding this comment.
We must ideally create a similar table for Cloud Console API's. Categories might be similar but listing our APIs instead of permission might be a good idea.
jaiayu
reviewed
Jun 17, 2025
src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md
Outdated
Show resolved
Hide resolved
jaiayu
reviewed
Jun 17, 2025
src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md
Outdated
Show resolved
Hide resolved
jaiayu
reviewed
Jun 17, 2025
mikeCRL
approved these changes
Jun 17, 2025
src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md
Outdated
Show resolved
Hide resolved
src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md
Outdated
Show resolved
Hide resolved
src/current/_includes/cockroachcloud/cluster-operator-prereq.md
Outdated
Show resolved
Hide resolved
jaiayu
reviewed
Jun 17, 2025
| @@ -1,3 +1,3 @@ | |||
| {{site.data.alerts.callout_info}} | |||
| Only [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) and [Cluster Administrators]({% link cockroachcloud/authorization.md %}#cluster-administrator) can create SQL users and issue credentials. | |||
| Only [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) and [Cluster Admins]({% link cockroachcloud/authorization.md %}#cluster-admin) can create SQL users using the {{site.data.products.cloud}} Console or API. These SQL users default to the `Admin` role. For granular provisioning of SQL user privileges, refer to documentation on [using the cluster's SQL interface]({% link cockroachcloud/managing-access.md %}?filters=client#create-a-sql-user). | |||
There was a problem hiding this comment.
@biplav-crl can you confirm if org admins can create SQL users? I don't think you can via console.
There was a problem hiding this comment.
The Organization Admin cannot create the SQL users.
jaiayu
reviewed
Jun 17, 2025
| @@ -31,13 +31,13 @@ All users assigned the Developer role in a CockroachDB Cloud organization will n | |||
|
|
|||
| See [Role Options](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/alter-user#{% if site.current_cloud_version == "v22.1" %}parameters{% else %}role-options{% endif %}) for more information on these roles. | |||
|
|
|||
| The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-administrator) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role. | |||
| The users assigned the [Organization Admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role. | |||
There was a problem hiding this comment.
I would have to read the complete page to comment effectively on this. Based on what is here this does not look right. Can you please deploy these changes for me to review?
|
I have reviewed the table and left my comments above. For any remaining changes, will have to look at a deployed version. Thx. |
@biplav-crl Deploy preview can be found here - https://deploy-preview-19758--cockroachdb-docs.netlify.app/docs/cockroachcloud/authorization |
rmloveland
approved these changes
Jun 18, 2025
There was a problem hiding this comment.
LGTM from the narrow POV of the terminology change to:
- Cloud users are "assigned" "permissions"
- SQL users are "granted" "privileges"
I think this is a huge improvement in clarity!
@jhlodin is there any chance you'd PR a new 'Controlled Vocabulary' section in our Style Guide and add this terminology there?
| @@ -7,9 +7,9 @@ docs_area: reference.security | |||
|
|
|||
| Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). | |||
|
|
|||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
There was a problem hiding this comment.
doubled sentence here (and I think in the other versions of vXX.Y/security-reference/authorization.md
| @@ -7,9 +7,9 @@ docs_area: reference.security | |||
|
|
|||
| Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). | |||
|
|
|||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
There was a problem hiding this comment.
doubled sentence i think (eyes crossing from close reading thru this PR so double check me on this 🩻 )
| @@ -7,9 +7,9 @@ docs_area: reference.security | |||
|
|
|||
| Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). | |||
|
|
|||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| @@ -7,9 +7,9 @@ docs_area: reference.security | |||
|
|
|||
| Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). | |||
|
|
|||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| @@ -7,9 +7,9 @@ docs_area: reference.security | |||
|
|
|||
| Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). | |||
|
|
|||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| @@ -7,9 +7,9 @@ docs_area: reference.security | |||
|
|
|||
| Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). | |||
|
|
|||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
| This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. | |||
|
Convo with Ayushi:
|
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
GRANTand related SQL statements