From d93a0438838add7f6cb8ea63cfe302cb078b49bd Mon Sep 17 00:00:00 2001 From: Joe Lodin Date: Wed, 11 Jun 2025 17:20:13 -0400 Subject: [PATCH 1/9] Add table describing cloud console roles --- .../org-roles/cloud-roles-table.md | 23 +++++++++++++++++++ src/current/cockroachcloud/authorization.md | 4 +++- src/current/cockroachcloud/managing-access.md | 8 ++++++- 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md diff --git a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md new file mode 100644 index 00000000000..61b0c7cc0ec --- /dev/null +++ b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md 
@@ -0,0 +1,23 @@ +The following table describes the high level permissions granted to each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles that grant different permissions are granted the highest level privileges given by their assigned roles. + +| **Role name** | **User management** | **Billing management** | **Cluster management** | **Database management** | **Monitoring & observability** | **Security & access** | **Backup & restore** | **Folder management** | **Other permissions** | +|---|---|---|---|---|---|---|---|---|---| +| `Organization Member` | None | None | None | None | None | None | None | None | None | +| `Cluster Admin` | Manage SQL users, manage service accounts, grant user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is granted with organization scope | Access DB console, configure maintenance windows | +| `Cluster Creator` | None | None | Create cluster (grants `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is granted with organization scope | None | None, unless role is granted with organization scope | None | +| `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details | +| `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None | +| `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | +| `Organization Admin` | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | 
None | None | Manage email alerts (maintenance/issues) | +| `Folder Admin` | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None | +| `Folder Mover` | None | None | Move cluster between folders | None | None | None | None | None | None | + +Some roles can be assigned to users at specific levels of scope to provide more granular permission control: + +| **Scope level** | **Description** | **Applicable roles** | +|---|---|---| +| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Admin`, `Cluster Creator`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` | +| `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` | +| `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` | + +{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions granted, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %} \ No newline at end of file diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index 4e27753b9da..63351f8920c 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md 
@@ -45,7 +45,9 @@ When a user or service account is first added to an organization, they are grant To learn more, refer to [Manage organization users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users). -The following CockroachDB {{ site.data.products.cloud }} organization roles can be granted: +{% include_cached cockroachcloud/org-roles/cloud-roles-table.md %} + +The following sections describe available CockroachDB {{ site.data.products.cloud }} roles in more detail: ### Organization Member diff --git a/src/current/cockroachcloud/managing-access.md b/src/current/cockroachcloud/managing-access.md index 30bdc7f40e5..95a0a7e0b30 100644 --- a/src/current/cockroachcloud/managing-access.md +++ b/src/current/cockroachcloud/managing-access.md 
@@ -40,7 +40,13 @@ It is also possible to enable [autoprovisioning]({% link cockroachcloud/cloud-or ### Change a team member's roles -1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current organization roles granted to each user. See: [Organization User Roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) +In the CockroachDB {{ site.data.products.cloud }} Console, users must be assigned **roles** that allow them to perform actions. + +{% include_cached cockroachcloud/org-roles/cloud-roles-table.md %} + +To edit a user's role, perform the following steps: + +1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current organization roles granted to each user. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. 1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is one of **Organization**, the name of a particular [folder]({% link cockroachcloud/folders.md %}), or the name of a particular cluster. If the role is Cluster Administrator, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. From 9009cec57657f4e28b60e0a700bf340bf2ccac18 Mon Sep 17 00:00:00 2001 From: Joe Lodin Date: Thu, 12 Jun 2025 15:50:28 -0400 Subject: [PATCH 2/9] Edit cloud access management page for consistent language --- .../org-roles/cloud-roles-table.md | 8 ++--- .../cockroachcloud/org-roles/folder-admin.md | 2 +- .../cockroachcloud/org-roles/folder-mover.md | 2 +- src/current/cockroachcloud/authorization.md | 35 +++++++++---------- 4 files changed, 22 insertions(+), 25 deletions(-) 
diff --git a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md index 61b0c7cc0ec..f6542eb74b1 100644 --- a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md +++ b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md 
@@ -3,12 +3,12 @@ The following table describes the high level permissions granted to each Cockroa | **Role name** | **User management** | **Billing management** | **Cluster management** | **Database management** | **Monitoring & observability** | **Security & access** | **Backup & restore** | **Folder management** | **Other permissions** | |---|---|---|---|---|---|---|---|---|---| | `Organization Member` | None | None | None | None | None | None | None | None | None | +| `Organization Admin` | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) | +| `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None | +| `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | | `Cluster Admin` | Manage SQL users, manage service accounts, grant user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is granted with organization scope | Access DB console, configure maintenance windows | | `Cluster Creator` | None | None | Create cluster (grants `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is granted with organization scope | None | None, unless role is granted with organization scope | None | | `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details | -| `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None | -| `Cluster Operator` | None | None | Scale nodes, upgrade 
CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | -| `Organization Admin` | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) | | `Folder Admin` | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None | | `Folder Mover` | None | None | Move cluster between folders | None | None | None | None | None | None | @@ -17,7 +17,7 @@ Some roles can be assigned to users at specific levels of scope to provide more | **Scope level** | **Description** | **Applicable roles** | |---|---|---| | `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Admin`, `Cluster Creator`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` | -| `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` | | `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` | +| `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` | {% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions granted, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %} \ No newline at end of file diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md index 6b9374f2062..0d96e3939a0 100644 
--- a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md @@ -1,4 +1,4 @@ - A {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} can create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders. + The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role is granted permissions to create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders. A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator){% endif %} role can grant themselves, another user, or a service account the Folder Admin role. diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md index e8582829a86..b47705e0485 100644 
--- a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md @@ -1,4 +1,4 @@ - A {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} can rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). + The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role is granted permission to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). {{site.data.alerts.callout_info}} A cluster cannot be renamed. 
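Review bot: in the folder-mover.md hunk, the rewrite leaves a subject mismatch: "The **Folder Mover** role is granted permission to ... where they have the role" (a role does not have a role). Suggest "The **Folder Mover** role grants permission to rename or move descendant folders and to move clusters within the folder hierarchy where it is granted." Two pre-existing problems on this same line are worth fixing while it is touched: the closing parenthesis sits after `{% endif %}`, so on authorization.md the text renders as "[Cluster Operator](#cluster-operator))" with a stray ")", and the two Liquid branches name different roles ("Cluster Creator or Cluster Operator" versus "Cluster Administrator or Cluster Operator"), which should agree.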
diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index 63351f8920c..0fa76d67696 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md 
@@ -21,21 +21,18 @@ In CockroachDB {{ site.data.products.cloud }}, an organization corresponds to an CockroachDB {{ site.data.products.cloud }} has a hierarchical authorization model, where roles can be assigned at different scopes: -1. Organization: Each CockroachDB {{ site.data.products.cloud }} organization has a set of [roles](#organization-user-roles) defined on it, which allow users to perform administrative tasks relating to the management of clusters, organization users, SQL users, and billing. -1. Folder: [roles](#organization-user-roles) can be assigned on folders. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources. +1. Organization: A CockroachDB {{ site.data.products.cloud }} organization assigns privileges based on [roles](#organization-user-roles) assigned to a {{ site.data.products.cloud }} Console user account, which allow these accounts to perform administrative tasks relating to the management of clusters, Console user management, SQL user management, and billing. +1. Folder: {{ site.data.products.cloud }} Console [roles](#organization-user-roles) can be assigned to a folder containing a group of clusters. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources. {{site.data.alerts.callout_success}} - Organizing clusters using folders is available in [Preview]({% link v23.1/cockroachdb-feature-availability.md %}#feature-availability-phases). To learn more, refer to [Organize {{ site.data.products.db }} Clusters Using Folders]({% link cockroachcloud/folders.md %}). + Organizing clusters using folders is available in [Preview]({% link {{site.current_cloud_version}}/cockroachdb-feature-availability.md %}#feature-availability-phases). To learn more, refer to [Organize {{ site.data.products.db }} Clusters Using Folders]({% link cockroachcloud/folders.md %}). {{site.data.alerts.end}} -1. 
Cluster: Each CockroachDB cluster defines its own set of [SQL users]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#create-and-manage-users) and [roles]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#roles) which manage permission to execute SQL statements on the cluster. +1. Cluster: Each CockroachDB cluster defines its own set of [SQL users]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#create-and-manage-users) and [roles]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#roles) which manage permission to execute SQL statements on the cluster. The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function. -For the main pages covering users and roles at the SQL level within a specific database cluster, refer to: - -- [Overview of Cluster Users/Roles and Privilege Grants in CockroachDB]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) -- [Managing Cluster User Authorization]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) +SQL users are assigned a separate set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) ## Organization user roles 
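Review bot: in the @@ -21,21 hunk of authorization.md, the added sentence "SQL users are assigned a separate set of roles and privileges ... independent of the Console roles" sits directly after the unchanged "The levels within the hierarchy intersect, because administering SQL-level users ... is an organization-level function", and the two read as contradictory. State the boundary precisely: SQL privileges and Console roles are separate privilege sets, while creating SQL users and issuing their credentials is a Console-level action (which is what makes Cluster Admin a privileged role). Also in the added lines: the new final sentence has no terminating period, "descendent resources" should be "descendant resources" (folder-admin.md uses "descendant"), and the Organization bullet would read more simply as "Organization: roles assigned to a Console user account at the organization scope allow that account to ..." rather than "assigns privileges based on roles assigned to ... which allow these accounts".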
@@ -51,27 +48,27 @@ The following sections describe available CockroachDB {{ site.data.products.clou ### Organization Member -This default role is granted to all organization users when they are invited or provisioned. It grants no permissions to perform cluster or organization actions. +The **Organization Member** role is assigned by default to all organization users when they are invited or provisioned. This role grants no additional permissions. -### Org Administrator +### Organization Admin -Org Administrators can: +The **Organization Admin** role grants the following permissions: - [Invite users to join that organization]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). - [Create service accounts]({% link cockroachcloud/managing-access.md %}#create-a-service-account). - Grant and revoke roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). -Org Administrators automatically receive [email alerts]({% link cockroachcloud/alerts-page.md %}) about planned cluster maintenance and when CockroachDB {{ site.data.products.cloud }} detects that a cluster is overloaded or experiencing issues. In addition, Org Administrators can subscribe other members to the email alerts, and can configure how alerts work for the organization. +Organization Admins automatically receive [email alerts]({% link cockroachcloud/alerts-page.md %}) about planned cluster maintenance and when CockroachDB {{ site.data.products.cloud }} detects that a cluster is overloaded or experiencing issues. In addition, Organization Admins can subscribe other members to the email alerts, and configure how alerts work for the organization. -This role can be granted only at the scope of the organization. +This role can be assigned only at the organization scope. 
### Billing Coordinator -Users with this role in an organization can [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview). +The **Billing Coordinator** role is granted permissions to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview). ### Cluster Operator -Cluster Operators can perform a variety of cluster functions: +The **Cluster Operator** role is granted permissions that are dependent on whether it is assigned to a user or a service account. - *Users* with this role can perform the following *console operations*: @@ -113,7 +110,7 @@ This role can be granted at the scope of the organization, on an individual clus ### Cluster Administrator -Cluster Administrators can perform all of the [Cluster Operator actions](#cluster-operator), as well as: +The **Cluster Administrator** role is granted all of the [Cluster Operator actions](#cluster-operator) permissions, as well as the following: - [Provision SQL users for a cluster using the console]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). - [Create Service Accounts]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role). 
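Review bot: in the @@ -51,27 hunk, renaming the heading `### Org Administrator` to `### Organization Admin` changes the generated anchor from `#org-administrator` to `#organization-admin`, and the inbound links in folder-admin.md, cockroachcloud-ask-admin.md and first-org-user-roles.md are only updated in patch 3, so this commit on its own leaves broken links; either move the link updates into this commit or squash the two. External links to the old anchor also break unless a redirect or alias is kept. Smaller: "The **Billing Coordinator** role is granted permissions to [manage billing for that organization]" lost the antecedent of "that" when "Users with this role in an organization" was dropped; write "for the organization".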
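Review bot: in the @@ -113,7 hunk, "granted all of the [Cluster Operator actions](#cluster-operator) permissions" stacks two nouns; "granted all of the [Cluster Operator](#cluster-operator) permissions, as well as the following:" reads cleanly. The unchanged context line below it links "Create Service Accounts" to `managing-access.md#change-a-team-members-role`, which is the wrong section and the wrong anchor (the heading in patch 1 is "Change a team member's roles", so its anchor would end in `-roles`); the Organization Admin list in the previous hunk already uses `#create-a-service-account`, so use that here.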
@@ -127,13 +124,13 @@ This role can be granted at the scope of the organization, on an individual clus ### Cluster Creator -Cluster Creators can create clusters in an organization. A cluster's creator is automatically granted the [Cluster Administrator](#cluster-administrator) role for that cluster upon creation. +The **Cluster Creator** role is granted permission to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Administrator](#cluster-administrator) role for that cluster upon creation. This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. ### Cluster Developer -Users with this role can view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Administrator to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. +The **Cluster Developer** role is granted permission to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Administrator to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. 
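Review bot: in the @@ -127,13 hunk, the Cluster Developer rewrite pairs "The **Cluster Developer** role" with "allowing them ... they will still need", so the pronouns no longer have a referent; either keep "Users with this role can ..." as before, or write "allowing users with the role to export ...". The Cluster Creator sentence has the same shape but is fine because "A cluster's creator" takes over as subject. "descendent folders" appears twice in the unchanged context of this hunk and should be "descendant".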
@@ -151,7 +148,7 @@ This role can be granted at the scope of the organization, on an individual clus Service accounts authenticate with API keys to the CockroachDB {{ site.data.products.cloud }} API, rather than to the CockroachDB {{ site.data.products.cloud }} Console UI. -Service accounts operate under a unified authorization model with organization users, and can be assigned all of the same [organization roles](#organization-user-roles) as users, but note that some actions are available in the console but not the API, or vice versa (For example, in the [Cluster Operator Role](#cluster-operator)). +Service accounts operate under a unified authorization model with organization users, and can be assigned all of the same [roles](#organization-user-roles) as users, but note that some actions are available in the console but not the API, or vice versa (For example, in the [Cluster Operator Role](#cluster-operator)). Refer to [Manage Service Accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). From 283a283a066692b9f8106e893d233d54449de3f8 Mon Sep 17 00:00:00 2001 
From: Joe Lodin Date: Thu, 12 Jun 2025 15:54:01 -0400 Subject: [PATCH 3/9] Correct wrong role names --- .../backups/cloud-api-get-put.md | 2 +- .../cockroachcloud/cluster-operator-prereq.md | 2 +- .../cockroachcloud-ask-admin.md | 2 +- .../cockroachcloud/first-org-user-roles.md | 6 ++-- .../cockroachcloud/org-roles/folder-admin.md | 4 +-- .../cockroachcloud/org-roles/folder-mover.md | 4 +-- src/current/advisories/c20230118.md | 4 +-- src/current/cockroachcloud/alerts-page.md | 4 +-- src/current/cockroachcloud/authorization.md | 16 +++++----- src/current/cockroachcloud/aws-privatelink.md | 2 +- src/current/cockroachcloud/ccloud-faq.md | 10 +++---- .../change-plan-between-basic-and-standard.md | 2 +- .../cockroachcloud/client-certs-advanced.md | 6 ++-- src/current/cockroachcloud/cloud-api.md | 30 +++++++++---------- .../cockroachcloud/cloud-org-audit-logs.md | 2 +- src/current/cockroachcloud/cloud-org-sso.md | 6 ++-- .../cockroachcloud/configure-cloud-org-sso.md | 20 ++++++------- .../configure-scim-provisioning.md | 12 ++++---- .../connect-to-a-basic-cluster.md | 4 +-- .../connect-to-an-advanced-cluster.md | 2 +- .../cockroachcloud/connect-to-your-cluster.md | 4 +-- .../cockroachcloud/create-a-basic-cluster.md | 2 +- .../cockroachcloud/create-an-account.md | 4 +-- .../create-an-advanced-cluster.md | 2 +- .../cockroachcloud/create-your-cluster.md | 2 +- .../egress-perimeter-controls.md | 4 +-- .../cockroachcloud/export-logs-advanced.md | 4 +-- src/current/cockroachcloud/export-logs.md | 4 +-- .../cockroachcloud/export-metrics-advanced.md | 2 +- src/current/cockroachcloud/folders.md | 18 +++++------ src/current/cockroachcloud/free-trial.md | 2 +- src/current/cockroachcloud/labels.md | 2 +- .../managed-backups-advanced.md | 2 +- src/current/cockroachcloud/managing-access.md | 10 +++---- src/current/cockroachcloud/migrations-page.md | 2 +- ...rganization-audit-logs-in-cloud-console.md | 2 +- .../cockroachcloud/plan-your-cluster-basic.md | 2 +- 
.../cockroachcloud/production-checklist.md | 2 +- src/current/cockroachcloud/quickstart.md | 4 +-- src/current/cockroachcloud/sql-shell.md | 4 +-- src/current/cockroachcloud/upgrade-policy.md | 12 ++++---- src/current/releases/cloud.md | 28 ++++++++--------- src/current/v24.1/wal-failover.md | 2 +- src/current/v24.3/wal-failover.md | 2 +- src/current/v25.1/wal-failover.md | 2 +- src/current/v25.2/wal-failover.md | 2 +- src/current/v25.3/wal-failover.md | 2 +- 47 files changed, 134 insertions(+), 134 deletions(-) diff --git a/src/current/_includes/cockroachcloud/backups/cloud-api-get-put.md b/src/current/_includes/cockroachcloud/backups/cloud-api-get-put.md index 98883bd71c9..40decb95e59 100644 --- a/src/current/_includes/cockroachcloud/backups/cloud-api-get-put.md +++ b/src/current/_includes/cockroachcloud/backups/cloud-api-get-put.md @@ -1,7 +1,7 @@ You can use the [CockroachDB Cloud API]({% link cockroachcloud/cloud-api.md %}) to [view](#get-information-on-backup-settings) and [modify](#modify-backup-settings-on-a-cluster) managed backup settings. {{site.data.alerts.callout_info}} -The [service account]({% link cockroachcloud/authorization.md %}#service-accounts) associated with the secret key must have the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role. +The [service account]({% link cockroachcloud/authorization.md %}#service-accounts) associated with the secret key must have the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role. {{site.data.alerts.end}} ### Get information on backup settings diff --git a/src/current/_includes/cockroachcloud/cluster-operator-prereq.md b/src/current/_includes/cockroachcloud/cluster-operator-prereq.md index eb667985816..11d722ae806 100644 --- a/src/current/_includes/cockroachcloud/cluster-operator-prereq.md +++ b/src/current/_includes/cockroachcloud/cluster-operator-prereq.md 
@@ -1 +1 @@ -Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role on a pre-existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster. \ No newline at end of file +Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role on a pre-existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster. \ No newline at end of file diff --git a/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md b/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md index 8a36e786ff7..8ed100b1769 100644 --- a/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md +++ b/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md @@ -1,3 +1,3 @@ {{site.data.alerts.callout_info}} -Only [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) and [Cluster Administrators]({% link cockroachcloud/authorization.md %}#cluster-administrator) can create SQL users and issue credentials. +Only [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) and [Cluster Admins]({% link cockroachcloud/authorization.md %}#cluster-admin) can create SQL users and issue credentials. {{site.data.alerts.end}} diff --git a/src/current/_includes/cockroachcloud/first-org-user-roles.md b/src/current/_includes/cockroachcloud/first-org-user-roles.md index fda9558c8e6..f5a480a6964 100644 --- a/src/current/_includes/cockroachcloud/first-org-user-roles.md +++ b/src/current/_includes/cockroachcloud/first-org-user-roles.md 
@@ -1,10 +1,10 @@ {{site.data.alerts.callout_info}} The user who creates a new organization is assigned the following [roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) at the organization scope: -- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) +- [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) - [Billing Coordinator]({% link cockroachcloud/authorization.md %}#billing-coordinator) -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) - [Folder Administrator]({% link cockroachcloud/authorization.md %}#folder-admin) -Any of these roles may subsequently be removed by a user with both the Org Administrator role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles. +Any of these roles may subsequently be removed by a user with both the Organization Admin role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles. {{site.data.alerts.end}} diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md index 0d96e3939a0..f658f84bf25 100644 --- a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md 
@@ -1,5 +1,5 @@ The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role is granted permissions to create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders. - A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator){% endif %} role can grant themselves, another user, or a service account the Folder Admin role. + A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can grant themselves, another user, or a service account the Folder Admin role. - To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Administrator](#cluster-administrator) or [Cluster Creator](#cluster-creator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Administrator role is required on the cluster directly or by inheritance. 
+ To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Admin](#cluster-admin) or [Cluster Creator](#cluster-creator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Admin role is required on the cluster directly or by inheritance. diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md index b47705e0485..40dddcbc523 100644 --- a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md 
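Review bot: The unchanged first line of the folder-admin.md hunk says the role can `create, rename, and move, or delete folders`; the stray `and` before `move` should go (`create, rename, move, or delete folders`), and this is the moment to fix it since the file is already being touched. The `+` lines themselves are consistent: both Liquid branches now say Cluster Admin, and the `#cluster-admin` anchors match the renamed heading in authorization.md.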
@@ -1,7 +1,7 @@ - The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role is granted permission to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). + The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role is granted permission to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). {{site.data.alerts.callout_info}} A cluster cannot be renamed. 
{{site.data.alerts.end}} - A user with the {% if page.name == 'authorization.md' %}[Org Administrator](#org-administrator) or [Folder Admin](#folder-admin){% else %}[Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role. + A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role. diff --git a/src/current/advisories/c20230118.md b/src/current/advisories/c20230118.md index 55533cb46f9..6db6f6f13c7 100644 --- a/src/current/advisories/c20230118.md +++ b/src/current/advisories/c20230118.md 
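Review bot: The two Liquid branches in the first `+` line of the folder-mover.md hunk name different roles: the `authorization.md` branch says `[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator)` while the `else` branch says `Cluster Admin ... or Cluster Operator`. The sentence is about roles that allow connecting to the cluster, and the authorization.md hunk later in this patch says a Cluster Creator only receives Cluster Admin on clusters they create, so the first branch should also read `[Cluster Admin](#cluster-admin)`. The same line has a parenthesis problem: the closing `)` of the last link sits after `{% endif %}`, but the `if` branch already closes its link, so authorization.md renders `#cluster-operator))`; move the `)` inside the `else` branch (`...#cluster-operator){% endif %}.`).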
@@ -31,13 +31,13 @@ All users assigned the Developer role in a CockroachDB Cloud organization will n See [Role Options](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/alter-user#{% if site.current_cloud_version == "v22.1" %}parameters{% else %}role-options{% endif %}) for more information on these roles. -The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-administrator) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role. +The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role. ## Mitigation A fix has been automatically applied to all CockroachDB Cloud organizations. With this change, the risk related to this issue, of the possibility of accessing data from any cluster in a cloud organization by users that have been assigned the Developer role, has been removed. This change follows the least privilege principle by ensuring that users with the lower-privilege Developer role only have the underlying SQL permissions applicable to their role level. 
-It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-administrator) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration. +It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration. Admins should also ensure that when users access a cluster’s DB Console directly from the CockroachDB Cloud’s [Tools page](https://www.cockroachlabs.com/docs/cockroachcloud/tools-page#access-the-db-console), they authenticate with specific SQL users that have been assigned only the required SQL privileges within the cluster. See [Authorization (Self-Hosted)](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/authorization.html) and [Authorization in CockroachDB](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization) for more information. 
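Review bot: This advisories/c20230118.md hunk only changes the anchor fragment from `#org-administrator` to `#organization-admin` on two absolute `https://www.cockroachlabs.com/docs/...` links. Because the advisory is a published, dated document that readers may have bookmarked from the original notification, and because the heading rename these anchor updates depend on retires the old fragment, consider keeping the old anchors alive (an explicit `<a id="org-administrator"></a>` under the renamed heading, or whatever anchor-alias mechanism this site uses) so existing links do not silently land at the top of the page. Updating the visible link text `org admin role` to the new role name is optional for a historical advisory.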
diff --git a/src/current/cockroachcloud/alerts-page.md b/src/current/cockroachcloud/alerts-page.md index 96eb84afbf3..3c727074fec 100644 --- a/src/current/cockroachcloud/alerts-page.md +++ b/src/current/cockroachcloud/alerts-page.md 
@@ -9,14 +9,14 @@ The **Alerts** page allows you to enable email alerts, send test alerts, and vie {{site.data.alerts.callout_info}} -The **Alerts** page is applicable for CockroachDB {{ site.data.products.advanced }} clusters in your CockroachDB {{ site.data.products.cloud }} organization. For CockroachDB {{ site.data.products.standard }} and {{ site.data.products.basic }} clusters in your organization, all [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) automatically receive email alerts when your cluster reaches 50%, 75%, and 100% of your [resource limits]({% link {{site.current_cloud_version}}/architecture/glossary.md %}#resource-limits). +The **Alerts** page is applicable for CockroachDB {{ site.data.products.advanced }} clusters in your CockroachDB {{ site.data.products.cloud }} organization. For CockroachDB {{ site.data.products.standard }} and {{ site.data.products.basic }} clusters in your organization, all [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) automatically receive email alerts when your cluster reaches 50%, 75%, and 100% of your [resource limits]({% link {{site.current_cloud_version}}/architecture/glossary.md %}#resource-limits). {{site.data.alerts.end}} ## Automatic alerts ### Cluster Maintenance -[Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) receive email alerts when: +[Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) receive email alerts when: - A cluster is scheduled for an automatic [patch version upgrade]({% link cockroachcloud/upgrade-policy.md %}#patch-version-upgrades) and again after the upgrade is complete. - When a cluster is scheduled for [maintenance]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) that could temporarily impact the cluster's performance. 
diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index 0fa76d67696..6fca49bf5db 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md @@ -36,7 +36,7 @@ SQL users are assigned a separate set of roles and privileges that are specific ## Organization user roles -When a user or service account is first added to an organization, they are granted the default role, **Org Member**, which grants no permission and only indicates membership in the organization. Org or Cluster Administrators may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider. +When a user or service account is first added to an organization, they are granted the default role, **Org Member**, which grants no permission and only indicates membership in the organization. Org or Cluster Admins may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider. {% include_cached cockroachcloud/first-org-user-roles.md %} 
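Review bot: The `+` line in the authorization.md @@ -36 hunk still calls the default role **Org Member** and says `Org or Cluster Admins may edit the roles`, while the rest of the patch standardizes on the long form Organization Admin. Either spell both out here (`Organization Member`, `Organization Admins or Cluster Admins`) or, if `Org Member` is the canonical product name, leave it but still expand `Org or Cluster Admins`, since this is the page that introduces the role names and should not use two spellings. The same `Org Member` wording reappears in the ccloud-faq.md hunk later in this patch and should be aligned in the same pass.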
@@ -100,7 +100,7 @@ The **Cluster Operator** role is granted permissions that are dependent on wheth - [View and configure a cluster's Egress Rules]({% link cockroachcloud/egress-perimeter-controls.md %}). - [Configure the export of metrics to DataDog or Amazon CloudWatch]({% link cockroachcloud/export-metrics.md %}). -This role can be considered a more restricted alternative to [Cluster Administrator](#cluster-administrator), as it grants all of the permissions of that role, except that it does **not** allow users to: +This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role, except that it does **not** allow users to: - Manage cluster-scoped roles on organization users. - Manage SQL users from the cloud console. 
@@ -108,15 +108,15 @@ This role can be considered a more restricted alternative to [Cluster Administra This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. -### Cluster Administrator +### Cluster Admin -The **Cluster Administrator** role is granted all of the [Cluster Operator actions](#cluster-operator) permissions, as well as the following: +The **Cluster Admin** role is granted all of the [Cluster Operator actions](#cluster-operator) permissions, as well as the following: - [Provision SQL users for a cluster using the console]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). - [Create Service Accounts]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role). -- Edit cluster-scope role assignments (specifically, the Cluster Administrator, Cluster Operator, and Cluster Developer roles) on [users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role), and [service accounts]({% link cockroachcloud/managing-access.md %}#edit-roles-on-a-service-account). +- Edit cluster-scope role assignments (specifically, the Cluster Admin, Cluster Operator, and Cluster Developer roles) on [users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role), and [service accounts]({% link cockroachcloud/managing-access.md %}#edit-roles-on-a-service-account). - [Edit or delete a cluster]({% link cockroachcloud/cluster-management.md %}). -- Cluster Administrators for the whole organization (rather than scoped to a single cluster) can [create new clusters]({% link cockroachcloud/create-your-cluster.md %}). +- Cluster Admins for the whole organization (rather than scoped to a single cluster) can [create new clusters]({% link cockroachcloud/create-your-cluster.md %}). - Access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console). 
- Configure a cluster's [maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). 
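Review bot: Renaming the heading `### Cluster Administrator` to `### Cluster Admin` changes the generated anchor, and every other file in this patch is updated to `#cluster-admin` to match, so this is the hunk to verify with a repo-wide grep for `#cluster-administrator` and `#org-administrator` before merging; a missed include renders as a dead fragment rather than failing the build. One unchanged bullet in this hunk also looks wrong and is worth a follow-up: `[Create Service Accounts](...#change-a-team-members-role)` points at the team-member role section rather than a service-account section.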
@@ -124,13 +124,13 @@ This role can be granted at the scope of the organization, on an individual clus ### Cluster Creator -The **Cluster Creator** role is granted permission to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Administrator](#cluster-administrator) role for that cluster upon creation. +The **Cluster Creator** role is granted permission to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Admin](#cluster-admin) role for that cluster upon creation. This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. ### Cluster Developer -The **Cluster Developer** role is granted permission to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Administrator to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. +The **Cluster Developer** role is granted permission to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. 
diff --git a/src/current/cockroachcloud/aws-privatelink.md b/src/current/cockroachcloud/aws-privatelink.md index f1aebd57aa3..6c3d86f7138 100644 --- a/src/current/cockroachcloud/aws-privatelink.md +++ b/src/current/cockroachcloud/aws-privatelink.md @@ -67,7 +67,7 @@ Optionally, you can restrict the AWS accounts that can connect to your cluster p Your service account must have one of the following roles on the cluster, either directly or by inheritance: -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) to add or remove private endpoint trusted owners. The Cluster Administrator role includes all of the capabilities of the Cluster Operator role. +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) to add or remove private endpoint trusted owners. The Cluster Admin role includes all of the capabilities of the Cluster Operator role. - [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) to list or get details about private endpoint trusted owners. ### Add a private endpoint trusted owner diff --git a/src/current/cockroachcloud/ccloud-faq.md b/src/current/cockroachcloud/ccloud-faq.md index b17c95c12ce..4ad3c31843a 100644 --- a/src/current/cockroachcloud/ccloud-faq.md +++ b/src/current/cockroachcloud/ccloud-faq.md 
@@ -15,15 +15,15 @@ Cluster Developer is the minimum access role that can be assigned to a cluster u ### What roles are assigned to the user that creates a CockroachDB {{ site.data.products.cloud }} organization and thus becomes the first and only user in that organization? -The user who creates a new organization is assigned a combination of Org Administrator, Billing Coordinator, and Cluster Admin at the organization scope. Any of these roles may subsequently be removed, although another user must have the Org Adminstrator role, and the Cluster Admin role at the organization scope, before either of those can be removed. This is to ensure that at least one user has each of these roles. +The user who creates a new organization is assigned a combination of Organization Admin, Billing Coordinator, and Cluster Admin at the organization scope. Any of these roles may subsequently be removed, although another user must have the Org Adminstrator role, and the Cluster Admin role at the organization scope, before either of those can be removed. This is to ensure that at least one user has each of these roles. ### Is it possible to assign more than one role to a user in a CockroachDB {{ site.data.products.cloud }} organization? -Yes, it is possible, and often necessary, to assign more than one role to a user. The default minimum access role Org Member is always assigned to every user as long as they’re a part of the CockroachDB {{ site.data.products.cloud }} organization. Beyond that, every other assigned role is additive to the overall entitlements of a user. For example, the initial user is automatically assigned the Org Member, Org Administrator, Cluster Administrator, and Billing Coordinator roles at organization scope when they create the CockroachDB {{ site.data.products.cloud }} organization. +Yes, it is possible, and often necessary, to assign more than one role to a user. 
The default minimum access role Org Member is always assigned to every user as long as they’re a part of the CockroachDB {{ site.data.products.cloud }} organization. Beyond that, every other assigned role is additive to the overall entitlements of a user. For example, the initial user is automatically assigned the Org Member, Organization Admin, Cluster Admin, and Billing Coordinator roles at organization scope when they create the CockroachDB {{ site.data.products.cloud }} organization. ### Can we follow the least privilege principle by using the roles available in the CockroachDB {{ site.data.products.cloud }} authorization model? -Yes, the roles available in the CockroachDB {{ site.data.products.cloud }} authorization model allow Org Administrators to grant only those entitlements to users that are required for their intended workflows. +Yes, the roles available in the CockroachDB {{ site.data.products.cloud }} authorization model allow Organization Admins to grant only those entitlements to users that are required for their intended workflows. Cluster level roles like Cluster Admin, Cluster Operator and Cluster Developer allow users to perform pertinent actions for one or more clusters, while providing differentiation between admin and non-admin entitlements. 
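Review bot: The first `+` line of the ccloud-faq.md @@ -15 hunk still contains `Org Adminstrator` in its second sentence (`another user must have the Org Adminstrator role`), which is both the old name and a typo; since this patch renames every occurrence, it should become `Organization Admin`. The answer also no longer matches the first-org-user-roles.md include changed earlier in the patch: the include lists four roles (it adds Folder Admin) and says removal requires a user holding both Organization Admin and Cluster Admin, while this FAQ lists three roles and phrases the constraint differently. Consider replacing the FAQ paragraph with `{% include_cached cockroachcloud/first-org-user-roles.md %}` or aligning the wording. The `Org Member` in the following paragraph has the same short/long-form inconsistency noted on authorization.md.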
@@ -41,7 +41,7 @@ When all role assignments have been removed for a user, they still implicitly ha ### Which roles grant the ability to add, remove, and manage members in a CockroachDB {{ site.data.products.cloud }} organization? -Users with the Org Administrator role are allowed to manage users and roles at both the organization and the cluster scopes. Users with the Cluster Admin role are only allowed to manage role assignments at the cluster scope. +Users with the Organization Admin role are allowed to manage users and roles at both the organization and the cluster scopes. Users with the Cluster Admin role are only allowed to manage role assignments at the cluster scope. ### What is the Cluster Creator role useful for when there’s a Cluster Admin role as well? @@ -70,4 +70,4 @@ Refer to: ### How can we track and audit role-assignment actions in a CockroachDB {{ site.data.products.cloud }} organization? -Any user with the Org Administrator role can access [Cloud Organization audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) to track when users are added and removed in the CockroachDB {{ site.data.products.cloud }} organization, and whenever any role assignment changes are performed for those users. +Any user with the Organization Admin role can access [Cloud Organization audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) to track when users are added and removed in the CockroachDB {{ site.data.products.cloud }} organization, and whenever any role assignment changes are performed for those users. diff --git a/src/current/cockroachcloud/change-plan-between-basic-and-standard.md b/src/current/cockroachcloud/change-plan-between-basic-and-standard.md index 59afe964f38..64415602abf 100644 --- a/src/current/cockroachcloud/change-plan-between-basic-and-standard.md +++ b/src/current/cockroachcloud/change-plan-between-basic-and-standard.md 
@@ -14,7 +14,7 @@ To use the CockroachDB Cloud API to change your cluster's plan, refer to [Use th ## Before you begin -You'll need the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role on the running {{ site.data.products.standard }} or {{ site.data.products.basic }} cluster in order to change the cluster's [plan]({% link cockroachcloud/index.md %}#plans). +You'll need the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role on the running {{ site.data.products.standard }} or {{ site.data.products.basic }} cluster in order to change the cluster's [plan]({% link cockroachcloud/index.md %}#plans). For changing plans from {{ site.data.products.standard }} to {{ site.data.products.basic }}, you must disable {{ site.data.products.standard }}-only features before starting the plan change. diff --git a/src/current/cockroachcloud/client-certs-advanced.md b/src/current/cockroachcloud/client-certs-advanced.md index 24360e769df..99686a863c5 100644 --- a/src/current/cockroachcloud/client-certs-advanced.md +++ b/src/current/cockroachcloud/client-certs-advanced.md 
@@ -163,7 +163,7 @@ Add a CA certificate to your cluster's trust store for client authentication. Cl Refer to [Transport Layer Security (TLS) and Public Key Infrastructure (PKI): The CockroachDB certificate Trust Store]({% link {{site.current_cloud_version}}/security-reference/transport-layer-security.md %}#the-cockroachdb-certificate-trust-store) {{site.data.alerts.callout_success}} -The [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) Organization role is required to manage the CA certificate for a CockroachDB {{ site.data.products.advanced }} cluster. +The [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) Organization role is required to manage the CA certificate for a CockroachDB {{ site.data.products.advanced }} cluster. {{site.data.alerts.end}}
@@ -243,7 +243,7 @@ Clients must be provisioned with client certificates signed by the cluster's CA This section shows how to replace the CA certificate used by your cluster for certificate-based client authentication. To roll out a new CA certificate gradually instead of following this procedure directly, CockroachDB supports the ability to include multiple CA certificates for a cluster by concatenating them in PEM format. This allows clients to connect as long as the client certificate is signed by either the old CA certificate or the new one. PEM format requires a blank line in between certificates. {{site.data.alerts.callout_success}} -The [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) Organization role is required to manage the CA certificate for a CockroachDB {{ site.data.products.advanced }} cluster. +The [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) Organization role is required to manage the CA certificate for a CockroachDB {{ site.data.products.advanced }} cluster. {{site.data.alerts.end}}
@@ -322,7 +322,7 @@ After this operation is performed, clients can no longer authenticate with certi {{site.data.alerts.end}} {{site.data.alerts.callout_success}} -The [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) Organization role is required to manage the CA certificate for a CockroachDB {{ site.data.products.advanced }} cluster. +The [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) Organization role is required to manage the CA certificate for a CockroachDB {{ site.data.products.advanced }} cluster. {{site.data.alerts.end}}
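Review bot: In all three client-certs-advanced.md hunks (@@ -163, @@ -243, @@ -322) the `+` line now reads `... or [Organization Admin](...) Organization role is required`, so `Organization` appears twice in a row once the role name is spelled out; drop the trailing `Organization` (`... or [Organization Admin](...) role is required`). The callout is byte-identical in the three hunks; pulling it into an `_includes` file would have made this rename a one-line change and prevents the copies from drifting.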
diff --git a/src/current/cockroachcloud/cloud-api.md b/src/current/cockroachcloud/cloud-api.md index c79418f337c..c41153076ec 100644 --- a/src/current/cockroachcloud/cloud-api.md +++ b/src/current/cockroachcloud/cloud-api.md @@ -89,7 +89,7 @@ Get started by creating a new CockroachDB [Basic](#create-a-basic-cluster), [Sta To create a cluster, send a `POST` request to the `/v1/clusters` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}}
@@ -184,7 +184,7 @@ For details about returned fields, refer to the [response example and schema](ht To create a cluster, send a `POST` request to the `/v1/clusters` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}}
@@ -286,7 +286,7 @@ For details about returned fields, refer to the [response example and schema](ht To create a cluster, send a `POST` request to the `/v1/clusters` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}}
@@ -396,7 +396,7 @@ For details about returned fields, refer to the [response example and schema](ht To retrieve detailed information about a specific cluster, make a `GET` request to the `/v1/clusters/{cluster_id}` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} @@ -423,7 +423,7 @@ For details about returned fields, refer to the [response example and schema](ht To retrieve information about a cluster's nodes, including the node status, make a `GET` request to the `/v1/clusters/{cluster_id}/nodes` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} @@ -478,7 +478,7 @@ The `spend_limit` field, which was deprecated in Serverless, is not supported on {{site.data.alerts.end}} {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}}
@@ -537,7 +537,7 @@ You can decrease the provisioned capacity only three times within a 7-day period {{site.data.alerts.end}} {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}}
@@ -653,7 +653,7 @@ To change a cluster's plan between CockroachDB {{ site.data.products.advanced }} To delete a cluster, send a `DELETE` request to the `/v1/clusters/{cluster_id}` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} Deleting a cluster will permanently delete the cluster and all the data within the cluster. @@ -686,7 +686,7 @@ If the `DELETE` request was successful the client will not receive a response pa To export audit logs for activities and events related to your Cloud organization, send a `GET` request to the `/v1/auditlogevents` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} @@ -731,7 +731,7 @@ Where: To list all active clusters within an organization, send a `GET` request to the `/v1/clusters` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} 
@@ -772,7 +772,7 @@ If the request was successful, the client will receive a list of all clusters wi To list the [available regions]({% link cockroachcloud/regions.md %}) for creating new clusters, send a `GET` request to the `/v1/clusters/available-regions?provider={cloud_provider}` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} @@ -806,7 +806,7 @@ Where: To list the SQL users in a cluster, send a `GET` request to the `/v1/clusters/{cluster_id}/sql-users` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Developer [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} @@ -852,7 +852,7 @@ Where: To create a SQL user, send a `POST` request to the `/v1/clusters/{cluster_id}/sql-users` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {{site.data.alerts.callout_danger}} 
@@ -897,7 +897,7 @@ Ensure that you store the password securely, as it cannot be retrieved later. If To delete a SQL user, send a `DELETE` request to the `/v1/clusters/{cluster_id}/sql-users/{sql_username}` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} @@ -933,7 +933,7 @@ Deleting a SQL user cannot be undone. To change a SQL user's password send a `PUT` request to the `/v1/clusters/{cluster_id}/sql-users/{sql_username}/password` endpoint. {{site.data.alerts.callout_success}} -The service account associated with the secret key must have the Cluster Administrator or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). +The service account associated with the secret key must have the Cluster Admin or Cluster Creator [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). {{site.data.alerts.end}} {% include_cached copy-clipboard.html %} diff --git a/src/current/cockroachcloud/cloud-org-audit-logs.md b/src/current/cockroachcloud/cloud-org-audit-logs.md index e0eca321154..004f7e7b5f1 100644 --- a/src/current/cockroachcloud/cloud-org-audit-logs.md +++ b/src/current/cockroachcloud/cloud-org-audit-logs.md 
@@ -6,7 +6,7 @@ docs_area: manage cloud: true --- -CockroachDB {{ site.data.products.cloud }} captures audit logs when many types of events occur, such as when a cluster is created or when a user is added to or removed from an organization. Any user in an organization with a [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) assigned the [Org Administrator role]({% link cockroachcloud/authorization.md %}#org-administrator) can export these audit logs using the [`auditlogevents` endpoint]({% link cockroachcloud/cloud-api.md %}#cloud-audit-logs) of the [Cloud API]({% link cockroachcloud/cloud-api.md %}). +CockroachDB {{ site.data.products.cloud }} captures audit logs when many types of events occur, such as when a cluster is created or when a user is added to or removed from an organization. Any user in an organization with a [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) assigned the [Organization Admin role]({% link cockroachcloud/authorization.md %}#organization-admin) can export these audit logs using the [`auditlogevents` endpoint]({% link cockroachcloud/cloud-api.md %}#cloud-audit-logs) of the [Cloud API]({% link cockroachcloud/cloud-api.md %}). This page provides some examples of exporting CockroachDB {{ site.data.products.cloud }} organization audit logs. For details about each parameter and its defaults, refer to the API specification for the [`auditlogevents` endpoint]({% link cockroachcloud/cloud-api.md %}#cloud-audit-logs). diff --git a/src/current/cockroachcloud/cloud-org-sso.md b/src/current/cockroachcloud/cloud-org-sso.md index fce790e1dae..893ae2ae99c 100644 --- a/src/current/cockroachcloud/cloud-org-sso.md +++ b/src/current/cockroachcloud/cloud-org-sso.md 
@@ -44,7 +44,7 @@ If your organization includes members whose identity you don't manage, such as p ### Autoprovisioning -Autoprovisioning is a self-service mechanism that removes the need for a new user to be [invited by an Org Admin]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). When it is enabled, the first time a user successfully authentications using that method, CockroachDB {{ site.data.products.cloud }} organization account is automatically created for them. Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Org Administrator** role]({% link cockroachcloud/authorization.md %}#org-administrator). +Autoprovisioning is a self-service mechanism that removes the need for a new user to be [invited by an Org Admin]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). When it is enabled, the first time a user successfully authentications using that method, CockroachDB {{ site.data.products.cloud }} organization account is automatically created for them. Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). Autoprovisioning is disabled by default, but can be enabled per SSO authentication method. 
@@ -104,7 +104,7 @@ If Cloud Organization SSO is enabled, then deprovisioning a user at the level of To remove a user's access to CockroachDB {{ site.data.products.cloud }} manually (such as when a user changes teams but does not leave the organization entirely), you can [remove their CockroachDB {{ site.data.products.cloud }} user identity from your {{ site.data.products.db}} organization]({% link cockroachcloud/managing-access.md %}#remove-a-team-member). -#### Can Org Administrators require a particular authentication method for their CockroachDB {{ site.data.products.cloud }} organization? +#### Can Organization Admins require a particular authentication method for their CockroachDB {{ site.data.products.cloud }} organization? Yes. When Cloud Organization SSO is enabled for your CockroachDB {{ site.data.products.cloud }} organization, only the [authentication methods you have enabled]({% link cockroachcloud/configure-cloud-org-sso.md %}#enable-or-disable-an-authentication-method) are displayed to your users. 
@@ -117,7 +117,7 @@ After SAML is configured, your users can sign in to the CockroachDB {{ site.data #### What default role is assigned to users when autoprovisioning is enabled in a CockroachDB {{ site.data.products.cloud }} organization? -Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Org Administrator** role]({% link cockroachcloud/authorization.md %}#org-administrator). +Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). ## What's next? - [Configure Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}) diff --git a/src/current/cockroachcloud/configure-cloud-org-sso.md b/src/current/cockroachcloud/configure-cloud-org-sso.md index 692c4c89648..87814e304ad 100644 --- a/src/current/cockroachcloud/configure-cloud-org-sso.md +++ b/src/current/cockroachcloud/configure-cloud-org-sso.md 
@@ -44,7 +44,7 @@ Before you enable Cloud Organization SSO, notify your members about what to expe - Which authentication methods they can use and whether they have autoprovisioning enabled. - Some members may need to be re-added to your organization: - All members of your CockroachDB {{ site.data.products.cloud }} organization who were using [Basic SSO]({% link cockroachcloud/cloud-org-sso.md %}#basic-sso) rather than an email and password must sign in again to regain access to your organization. After signing in, members retain the same access they had before the migration. - - Members who are also members of other organizations must be re-added to your organization. If they sign in using an authentication method with [autoprovisioning](#autoprovisioning) enabled, they are automatically added upon successful sign-in. Otherwise, they must be re-invited or [provisioned using SCIM]({% link cockroachcloud/configure-scim-provisioning.md %}). If a re-invited member previously had the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role, it must be granted to them again. + - Members who are also members of other organizations must be re-added to your organization. If they sign in using an authentication method with [autoprovisioning](#autoprovisioning) enabled, they are automatically added upon successful sign-in. Otherwise, they must be re-invited or [provisioned using SCIM]({% link cockroachcloud/configure-scim-provisioning.md %}). If a re-invited member previously had the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role, it must be granted to them again. During enablement of the feature, a list of affected members is shown, and those members are also notified individually. 
@@ -60,13 +60,13 @@ If your migration fails with the error: `Cloud Organization SSO cannot be enable For your migration to succeed, you must ensure that at least one admin belongs to no other CockroachDB {{ site.data.products.cloud }} organization than the one to be migrated. If all admins belong to multiple organizations, the migration will fail with the generic error `Cloud Organization SSO cannot be enabled`. -If all of your administrators belong to multiple organizations, you can create a temporary user in your SSO provider or directly in CockroachDB {{ site.data.products.cloud }}. Grant the [**Org Administrator** role]({% link cockroachcloud/authorization.md %}#org-administrator) to the temporary user, and use this temporary admin to enable Cloud Organization SSO. After migration, you should delete this temporary user or revoke the **Org Administrator** role. +If all of your administrators belong to multiple organizations, you can create a temporary user in your SSO provider or directly in CockroachDB {{ site.data.products.cloud }}. Grant the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin) to the temporary user, and use this temporary admin to enable Cloud Organization SSO. After migration, you should delete this temporary user or revoke the **Organization Admin** role. ## Enable Cloud Organization SSO To enable Cloud Organization SSO: -1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as an user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. +1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as an user with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role. 1. Go to **Organization** > **Authentication**. 1. Next to **Enable Authentication**, click **Enable**. 1. In the dialog, configure the custom URL your members will use to sign in. 
This value must be unique across CockroachDB {{ site.data.products.cloud }}. For more details, refer to [Update the custom URL](#update-the-custom-url). @@ -108,7 +108,7 @@ When you enable or disable an authentication method, a notification is displayed To enable or disable an authentication method: -1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. +1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as user with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role. 1. Go to **Organization** > **Authentication**. 1. To configure an authentication method, click its name. 1. To enable or disable the authentication method, toggle **Enable**. @@ -131,7 +131,7 @@ The following sections describe the advanced settings you can configure for an S By default, members can access your CockroachDB {{ site.data.products.cloud }} organization from any email domain. To restrict access to a specific list of email domains: -1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. +1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role. 1. Go to **Organization** > **Authentication**. 1. To configure an authentication method, click its name. 1. At the top of the page, click **Edit**. 
@@ -140,9 +140,9 @@ By default, members can access your CockroachDB {{ site.data.products.cloud }} o ### Autoprovisioning -Autoprovisioning allows members to sign up for an account without waiting for an invitation. By default, autoprovisioning is disabled, and a member must exist in the SSO provider and must be [invited by a user with the **Org Administrator** role]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization) before they can create an account. When autoprovisioning is enabled, no invitation is required. +Autoprovisioning allows members to sign up for an account without waiting for an invitation. By default, autoprovisioning is disabled, and a member must exist in the SSO provider and must be [invited by a user with the **Organization Admin** role]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization) before they can create an account. When autoprovisioning is enabled, no invitation is required. -Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Org Administrator** role]({% link cockroachcloud/authorization.md %}#org-administrator). +Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). If a member's identity is removed from the SSO provider, they can no longer log in to CockroachDB {{ site.data.products.cloud }}, but their account is not automatically deprovisioned. 
If you require automatic deprovisioning or other centralized account automation features, refer to [SCIM Provisioning]({% link cockroachcloud/configure-scim-provisioning.md %}). @@ -150,7 +150,7 @@ Cockroach Labs does not recommend enabling both autoprovisioning and SCIM provis To enable autoprovisioning for an SSO authentication method: -1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. +1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role. 1. Go to **Organization** > **Authentication**. 1. Click the name of an authentication method. 1. Click **Advanced Settings**. 
@@ -189,7 +189,7 @@ These instructions work for Okta. If you use a different IdP, refer to its docum 1. Assign at least one Okta identity to the application, such as the identity you already use to sign in to CockroachDB {{ site.data.products.cloud }}. Click **Assignments**, then click **Assign to People**. Find the identity, click **Assign**, then click **Save and go back**. Click **Done** to close the assignment dialog. 1. Click the **Sign-On** tab. Find the link for **OpenID Provider Metadata**. Right-click and copy the URL. This is your issuer URL, which you will provide to CockroachDB {{ site.data.products.cloud }}. 1. Keep this tab open so that you can copy the Client ID and Client Secret to CockroachDB {{ site.data.products.cloud }}. -1. In a separate browser, log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. +1. In a separate browser, log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role. 1. Go to **Organization** > **Authentication**. 1. Next to **Authentication Methods**, click **Add**. 1. Set **Configuration** to **OIDC (OpenID Connect)** and provide a name for the connection. This name will appear on your custom sign-in page. 
@@ -235,7 +235,7 @@ To configure a custom SAML authentication method, you need the following informa These instructions work for Okta. If you use a different IdP, refer to its documentation for configuring SAML. -1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. +1. Log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role. 1. Go to **Organization** > **Authentication**. 1. Next to **Authentication Methods**, click **Add**. 1. Set **Configuration** to **SAML**. diff --git a/src/current/cockroachcloud/configure-scim-provisioning.md b/src/current/cockroachcloud/configure-scim-provisioning.md index a971bbe9e31..3048156ed3e 100644 --- a/src/current/cockroachcloud/configure-scim-provisioning.md +++ b/src/current/cockroachcloud/configure-scim-provisioning.md 
@@ -16,7 +16,7 @@ This section describes how SCIM provisioning works if you use Okta. Depending on If your IdP is Okta, then it may be helpful to read Okta's [article about SCIM](https://developer.okta.com/docs/concepts/scim/), as well as [Configure provisioning for an app integration ](https://help.okta.com/en-us/Content/Topics/Provisioning/lcm/lcm-provision-application.htm) in the Okta documentation. Otherwise, refer to your IdP's documentation about configuring SCIM. -To configure SCIM provisioning, an IAM admin creates a SCIM app integration in your IdP and configures it to authenticate to CockroachDB {{ site.data.products.cloud }} using a CockroachDB {{ site.data.products.cloud }} service account with the [**Org Administrator**]({% link cockroachcloud/authorization.md %}#org-administrator) role. +To configure SCIM provisioning, an IAM admin creates a SCIM app integration in your IdP and configures it to authenticate to CockroachDB {{ site.data.products.cloud }} using a CockroachDB {{ site.data.products.cloud }} service account with the [**Organization Admin**]({% link cockroachcloud/authorization.md %}#organization-admin) role. From then on, the app integration works as follows. 
@@ -62,10 +62,10 @@ To learn more about Group Push, refer to [Automate Group Management](#automate-g ## Requirements -1. As a user with the [**Org Administrator**]({% link cockroachcloud/authorization.md %}#org-administrator) role: +1. As a user with the [**Organization Admin**]({% link cockroachcloud/authorization.md %}#organization-admin) role: 1. [Enable Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}#enable-cloud-organization-sso). - 1. [Create a service account]({% link cockroachcloud/managing-access.md %}#create-a-service-account) with the [**Org Administrator** role]({% link cockroachcloud/authorization.md %}#org-administrator) and make a note of its API token. This is the bearer token the IdP will use to authenticate to the CockroachDB {{ site.data.products.cloud }} API. + 1. [Create a service account]({% link cockroachcloud/managing-access.md %}#create-a-service-account) with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin) and make a note of its API token. This is the bearer token the IdP will use to authenticate to the CockroachDB {{ site.data.products.cloud }} API. 1. If your IdP is Okta, SCIM provisioning can be enabled only on a [custom SAML authentication method]({% link cockroachcloud/configure-cloud-org-sso.md %}#saml). This requirement is imposed by Okta, and is not part of the SCIM or SAML protocols. 
@@ -76,7 +76,7 @@ Individual IdPs may impose different requirements, and the exact steps and requi The exact steps and requirements for enabling SCIM provisioning depend upon your IdP. At a minimum, you must provide your IdP two pieces of information: - The endpoint to the CockroachDB {{ site.data.products.cloud }} SCIM API, `https://cockroachlabs.cloud/api/scim/v2`. -- The API token of a CockroachDB {{ site.data.products.cloud }} service account with the [**Org Administrator**]({% link cockroachcloud/authorization.md %}#org-administrator) role. +- The API token of a CockroachDB {{ site.data.products.cloud }} service account with the [**Organization Admin**]({% link cockroachcloud/authorization.md %}#organization-admin) role. Depending on your setup, you can configure SCIM either via the Okta Integration Network (OIN) for a standardized app or manually for a custom SAML app integration. 
@@ -91,7 +91,7 @@ Depending on your setup, you can configure SCIM either via the Okta Integration 1. Click **Next** > Click **Done**. 1. Go to **Provisioning** Tab and click **Configure API Integration**. 1. Check **Enable API integration**. -1. Provide API authentication token: the API token for a CockroachDB {{ site.data.products.cloud }} service account with the Org Administrator role. +1. Provide API authentication token: the API token for a CockroachDB {{ site.data.products.cloud }} service account with the Organization Admin role. 1. **Test API Credentials** > Click **Save**. 1. Click **To App**. This tab controls assignment of Okta identities to CockroachDB {{ site.data.products.cloud }}. To allow provisioning and deprovisioning of users, ensure that **Create Users** and **Deactivate Users** are selected, and make any other desired changes. 1. Optionally, click **To Okta**. This tab allows you to import a CockroachDB {{ site.data.products.cloud }} organization's existing users into Okta. This helps to maintain an updated list of IAM users when an organization creates IAM users in a variety of ways. Refer to Okta's documentation about mapping individual fields. Make any desired changes. @@ -106,7 +106,7 @@ Depending on your setup, you can configure SCIM either via the Okta Integration 1. In the integration's settings page, click **Provisioning** again, then click **Edit**. 1. Click **Integrations**. This tab controls the app integration's authentication to the CockroachDB {{ site.data.products.cloud }} API. Set: -
  • SCIM connector base URL: https://cockroachlabs.cloud/api/scim/v2
  • API authentication token: the API token for a CockroachDB {{ site.data.products.cloud }} service account with the Org Administrator role
  • Unique identifier field for users: userName
  • Authentication Mode: HTTP Header
+
  • SCIM connector base URL: https://cockroachlabs.cloud/api/scim/v2
  • API authentication token: the API token for a CockroachDB {{ site.data.products.cloud }} service account with the Organization Admin role
  • Unique identifier field for users: userName
  • Authentication Mode: HTTP Header
1. Click **Test Connector Configuration**. 1. Click **Save**. diff --git a/src/current/cockroachcloud/connect-to-a-basic-cluster.md b/src/current/cockroachcloud/connect-to-a-basic-cluster.md index d817965ed3a..bd6efc33399 100644 --- a/src/current/cockroachcloud/connect-to-a-basic-cluster.md +++ b/src/current/cockroachcloud/connect-to-a-basic-cluster.md @@ -58,7 +58,7 @@ Removing or adding an authorized network on your CockroachDB {{ site.data.produc {% include cockroachcloud/postgresql-special-characters.md %} {{site.data.alerts.callout_info}} -If you forget your SQL user's password, an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. +If you forget your SQL user's password, an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. {{site.data.alerts.end}} For connection examples and code snippets in your language, see the following: @@ -83,7 +83,7 @@ For connection examples and code snippets in your language, see the following: `{port}` | The port at which the CockroachDB node is listening. `{database}` | The name of the (existing) database. - Additionally, you will need the SQL user's [password]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). If you forget your SQL user's password, an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. + Additionally, you will need the SQL user's [password]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). If you forget your SQL user's password, an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or a Cluster Admin on the cluster can change the password on the **SQL Users** page.
diff --git a/src/current/cockroachcloud/connect-to-an-advanced-cluster.md b/src/current/cockroachcloud/connect-to-an-advanced-cluster.md index 3ee938e8994..14bd11ad054 100644 --- a/src/current/cockroachcloud/connect-to-an-advanced-cluster.md +++ b/src/current/cockroachcloud/connect-to-an-advanced-cluster.md @@ -135,7 +135,7 @@ To establish an AWS PrivateLink connection, refer to [Managing AWS PrivateLink f 1. Select the **SQL User**. If you have only one SQL user, it is automatically selected. {{site.data.alerts.callout_info}} - If you forget your SQL user's password, an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. + If you forget your SQL user's password, an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. {{site.data.alerts.end}} 1. Select the **Database**. If you have only one database, it is automatically selected. diff --git a/src/current/cockroachcloud/connect-to-your-cluster.md b/src/current/cockroachcloud/connect-to-your-cluster.md index 199eea7b4bc..cb806cbfe5a 100644 --- a/src/current/cockroachcloud/connect-to-your-cluster.md +++ b/src/current/cockroachcloud/connect-to-your-cluster.md 
@@ -135,7 +135,7 @@ To establish an AWS PrivateLink connection, refer to [Managing AWS PrivateLink f {% include cockroachcloud/postgresql-special-characters.md %} {{site.data.alerts.callout_info}} -If you forget your SQL user's password, an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. +If you forget your SQL user's password, an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. {{site.data.alerts.end}} 1. In the top right corner of the CockroachDB {{ site.data.products.cloud }} Console, click **Connect**. @@ -164,7 +164,7 @@ If you forget your SQL user's password, an [Org Administrator]({% link cockroach `{port}` | The port at which the CockroachDB node is listening. `{database}` | The name of the (existing) database. - Additionally, you will need the SQL user's [password]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). If you forget your SQL user's password, an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) or a Cluster Admin on the cluster can change the password on the **SQL Users** page. + Additionally, you will need the SQL user's [password]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). If you forget your SQL user's password, an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or a Cluster Admin on the cluster can change the password on the **SQL Users** page.
diff --git a/src/current/cockroachcloud/create-a-basic-cluster.md b/src/current/cockroachcloud/create-a-basic-cluster.md index eec9b6a9287..e9fca9fe069 100644 --- a/src/current/cockroachcloud/create-a-basic-cluster.md +++ b/src/current/cockroachcloud/create-a-basic-cluster.md @@ -8,7 +8,7 @@ cloud: true {% include cockroachcloud/filter-tabs/create-cluster-cloud.md %} -This page guides you through the process of creating a cluster using CockroachDB {{ site.data.products.basic }}. Note that only [CockroachDB {{ site.data.products.cloud }} Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) or users with Cluster Creator / Cluster Admin roles assigned at organization scope can create clusters. If you are a Developer and need to create a cluster, contact your CockroachDB {{ site.data.products.cloud }} Administrator. +This page guides you through the process of creating a cluster using CockroachDB {{ site.data.products.basic }}. Note that only [CockroachDB {{ site.data.products.cloud }} Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) or users with Cluster Creator / Cluster Admin roles assigned at organization scope can create clusters. If you are a Developer and need to create a cluster, contact your CockroachDB {{ site.data.products.cloud }} Administrator. New CockroachDB {{ site.data.products.basic }} clusters always use the latest stable version of CockroachDB, and are automatically [upgraded]({% link cockroachcloud/upgrade-cockroach-version.md %}) to new patch versions, as well as new major versions, to maintain uninterrupted support and SLA guarantees. For more details, refer to [CockroachDB Cloud Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). diff --git a/src/current/cockroachcloud/create-an-account.md b/src/current/cockroachcloud/create-an-account.md index a126ccd65b2..e973974af3a 100644 --- a/src/current/cockroachcloud/create-an-account.md 
+++ b/src/current/cockroachcloud/create-an-account.md @@ -8,7 +8,7 @@ docs_area: deploy Before you [create a CockroachDB {{ site.data.products.cloud }} cluster]({% link cockroachcloud/create-your-cluster.md %}), you must first create a CockroachDB {{ site.data.products.cloud }} account. You can register for CockroachDB {{ site.data.products.cloud }} using a GitHub, Google, or Microsoft account or an email address and password. {{site.data.alerts.callout_info}} -If your organization uses [Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso), you may be able to sign in without registering or waiting to be invited. Check with an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator). If you sign in using a URL other than [https://cockroachlabs.cloud](https://cockroachlabs.cloud), Cloud Organization SSO is enabled for your organization. +If your organization uses [Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso), you may be able to sign in without registering or waiting to be invited. Check with an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin). If you sign in using a URL other than [https://cockroachlabs.cloud](https://cockroachlabs.cloud), Cloud Organization SSO is enabled for your organization. {{site.data.alerts.end}} ## Choose an authentication method @@ -110,7 +110,7 @@ Changing your account password will _not_ change your [SQL user]({% link cockroa ### Change your organization name -If you are an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator), you can change your organization name: +If you are an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin), you can change your organization name: 1. Navigate to the **Settings** page. 
diff --git a/src/current/cockroachcloud/create-an-advanced-cluster.md b/src/current/cockroachcloud/create-an-advanced-cluster.md index 3888f886790..56048e1f497 100644 --- a/src/current/cockroachcloud/create-an-advanced-cluster.md +++ b/src/current/cockroachcloud/create-an-advanced-cluster.md @@ -9,7 +9,7 @@ docs_area: deploy This page guides you through the process of creating a CockroachDB {{ site.data.products.advanced }} cluster using the [Cloud Console](https://cockroachlabs.cloud). To use the Cloud API instead, refer to [Create an Advanced cluster]({% link cockroachcloud/cloud-api.md %}#create-an-advanced-cluster) in the API documentation. -Only [CockroachDB {{ site.data.products.cloud }} Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) or users with Cluster Creator / Cluster Admin roles assigned at organization scope can create clusters. If you need permission to create a cluster, contact an CockroachDB {{ site.data.products.cloud }} Org Administrator. +Only [CockroachDB {{ site.data.products.cloud }} Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) or users with Cluster Creator / Cluster Admin roles assigned at organization scope can create clusters. If you need permission to create a cluster, contact an CockroachDB {{ site.data.products.cloud }} Organization Admin. ## Step 1. Start the cluster creation process diff --git a/src/current/cockroachcloud/create-your-cluster.md b/src/current/cockroachcloud/create-your-cluster.md index c4d506f5821..56d807b667c 100644 --- a/src/current/cockroachcloud/create-your-cluster.md +++ b/src/current/cockroachcloud/create-your-cluster.md 
@@ -13,7 +13,7 @@ CockroachDB Standard, our new, enterprise-ready plan, is currently in [Preview]( This page guides you through the process of creating a CockroachDB {{ site.data.products.standard }} cluster using the [Cloud Console](https://cockroachlabs.cloud). To use the Cloud API instead, refer to [Create a Standard cluster]({% link cockroachcloud/cloud-api.md %}#create-a-standard-cluster) in the API documentation. -If you need permission to create a cluster, contact an CockroachDB {{ site.data.products.cloud }} Org Administrator. +If you need permission to create a cluster, contact an CockroachDB {{ site.data.products.cloud }} Organization Admin. {{site.data.alerts.callout_success}} To create and connect to a 30-day free CockroachDB {{ site.data.products.standard }} cluster and run your first query, refer to the [Quickstart]({% link cockroachcloud/quickstart-trial-cluster.md %}). diff --git a/src/current/cockroachcloud/egress-perimeter-controls.md b/src/current/cockroachcloud/egress-perimeter-controls.md index bc2393bb616..0ed964c47f4 100644 --- a/src/current/cockroachcloud/egress-perimeter-controls.md +++ b/src/current/cockroachcloud/egress-perimeter-controls.md 
@@ -24,7 +24,7 @@ CockroachDB {{ site.data.products.advanced }} clusters access external resources By default, clusters can access external resources via the internet without restriction, and even [private clusters]({% link cockroachcloud/private-clusters.md %}) can access their private network. This potentially leaves a cluster open to a *data exfiltration* scenario, wherein an attacker, often a [malicious insider](https://www.cisa.gov/defining-insider-threats), steals data by sending backups, changefeeds, data, or logs to a source that they control. -Operators of CockroachDB {{ site.data.products.advanced }} clusters can mitigate against this risk by using Egress Perimeter Controls, which enable Cluster Administrators to restrict egress to a list of specified external destinations. This adds a strong layer of protection against malicious or accidental data exfiltration. Along with other measures such as [Private Clusters]({% link cockroachcloud/private-clusters.md %}), Egress Perimeter Controls are an important component in an overall strategy for maximizing network security. +Operators of CockroachDB {{ site.data.products.advanced }} clusters can mitigate against this risk by using Egress Perimeter Controls, which enable Cluster Admins to restrict egress to a list of specified external destinations. This adds a strong layer of protection against malicious or accidental data exfiltration. Along with other measures such as [Private Clusters]({% link cockroachcloud/private-clusters.md %}), Egress Perimeter Controls are an important component in an overall strategy for maximizing network security. Further reading: [review how CockroachDB products differs in advanced security features]({% link {{site.current_cloud_version}}/security-reference/security-overview.md %}). 
@@ -40,7 +40,7 @@ Regardless of user-specific Egress Perimeter Control policy, egress is always pe Egress Perimeter Controls are not supported for CockroachDB {{ site.data.products.advanced }} on Azure. -- You need a service account with the [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) role on clusters in your organization. You can provision service accounts and API keys in CockroachDB Cloud Console. Refer to [Service Accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). +- You need a service account with the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role on clusters in your organization. You can provision service accounts and API keys in CockroachDB Cloud Console. Refer to [Service Accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). {{site.data.alerts.callout_danger}} The operations described in this page require an API key with very broad permissions, such as the potential to modify a cluster's configuration to add malicious egress rules that could allow the type of attack that Egress Perimeter Controls are meant to prevent. Do not allow this key to be copied or transmitted in any form, including by capturing an image of your computer screen. diff --git a/src/current/cockroachcloud/export-logs-advanced.md b/src/current/cockroachcloud/export-logs-advanced.md index 933f9895cfa..02a17e9e756 100644 --- a/src/current/cockroachcloud/export-logs-advanced.md +++ b/src/current/cockroachcloud/export-logs-advanced.md 
@@ -21,8 +21,8 @@ https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/logexport Access to the `logexport` endpoint requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) assigned one of the following [roles]({% link cockroachcloud/managing-access.md %}#edit-roles-on-a-service-account): -- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) +- [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) - [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) The following methods are available for use with the `logexport` endpoint: diff --git a/src/current/cockroachcloud/export-logs.md b/src/current/cockroachcloud/export-logs.md index 894429af987..6aab93e67ba 100644 --- a/src/current/cockroachcloud/export-logs.md +++ b/src/current/cockroachcloud/export-logs.md 
@@ -21,8 +21,8 @@ https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/logexport Access to the `logexport` endpoint requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) assigned one of the following [roles]({% link cockroachcloud/managing-access.md %}#edit-roles-on-a-service-account): -- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) +- [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) - [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) The following methods are available for use with the `logexport` endpoint: diff --git a/src/current/cockroachcloud/export-metrics-advanced.md b/src/current/cockroachcloud/export-metrics-advanced.md index aecc354af2e..38c5faf1535 100644 --- a/src/current/cockroachcloud/export-metrics-advanced.md +++ b/src/current/cockroachcloud/export-metrics-advanced.md 
@@ -27,7 +27,7 @@ Datadog | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_ Prometheus | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/metricexport/prometheus` Azure Monitor | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/metricexport/azuremonitor` -Access to the `metricexport` endpoints requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) with the appropriate permissions (`admin` privilege, Cluster Administrator role, or Cluster Operator role). +Access to the `metricexport` endpoints requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) with the appropriate permissions (`admin` privilege, Cluster Admin role, or Cluster Operator role). The following methods are available for use with the `metricexport` endpoints, and require the listed service account permissions: diff --git a/src/current/cockroachcloud/folders.md b/src/current/cockroachcloud/folders.md index 8d2673e197a..487e7734608 100644 --- a/src/current/cockroachcloud/folders.md +++ b/src/current/cockroachcloud/folders.md 
@@ -55,20 +55,20 @@ Operations that violate these restrictions result in an error. ### Folders and role assignment -A role granted on a folder is inherited on its descendant folders and clusters. All existing organizational roles, such as [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator), can be granted at the folder scope. +A role granted on a folder is inherited on its descendant folders and clusters. All existing organizational roles, such as [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator), can be granted at the folder scope. A role granted directly on a cluster is unchanged if the cluster is moved into or out of a folder. The following roles, when granted at the organization level, allow reading of the entire folder hierarchy: -- Org Administrator -- Cluster Administrator +- Organization Admin +- Cluster Admin - Cluster Operator - Cluster Developer The following roles allow creation of clusters at the level of the hierarchy where they are granted: -- Cluster Administrator +- Cluster Admin - Cluster Creator The following additional roles explicitly allow management of folders and their contents: @@ -86,7 +86,7 @@ Your user account must have the following roles to manage access to folders: - [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) {{site.data.alerts.callout_success}} -An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can grant themselves, another user, or a service account the Folder Admin role. +An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can grant themselves, another user, or a service account the Folder Admin role. {{site.data.alerts.end}} ## Grant the `FOLDER_ADMIN` or `FOLDER_MOVER` role 
@@ -126,7 +126,7 @@ Your service account must have the following roles on the organization, the fold 1. Set **Scope** to the folder you just created. The role is granted on all of the folder's descendants. 1. Set **Role** to **Folder Admin** or **Folder Mover**. - To access a folder's clusters, a user or service account must also have the **Cluster Administrator**, **Cluster Creator**, or **Cluster Operator** role on the folder. The role may be granted by inheritance or directly on a cluster. + To access a folder's clusters, a user or service account must also have the **Cluster Admin**, **Cluster Creator**, or **Cluster Operator** role on the folder. The role may be granted by inheritance or directly on a cluster. 1. Click **Confirm**. 
@@ -134,9 +134,9 @@ Your service account must have the following roles on the organization, the fold Your service account must have one of the following roles to read a folder's contents: -- [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator). +- [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin). - [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) or [Folder Mover]({% link cockroachcloud/authorization.md %}#folder-mover). -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator), [Cluster Developer]({%link cockroachcloud/authorization.md %}#cluster-developer), [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator), or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator). +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin), [Cluster Developer]({%link cockroachcloud/authorization.md %}#cluster-developer), [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator), or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator). 1. To list the clusters and folders at the level of the organization, go to **Clusters**. 1. To list the clusters and folders in a folder, click the folder name. 
@@ -146,7 +146,7 @@ Your service account must have one of the following roles to read a folder's con Your service account must have the following roles on the organization or the folder: -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator) +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator) 1. Go to the **Clusters** page. The folders and clusters at the root of the organization are shown. 1. Browse to the folder where you want to create the cluster. diff --git a/src/current/cockroachcloud/free-trial.md b/src/current/cockroachcloud/free-trial.md index 074c7e34d8e..85d7f293796 100644 --- a/src/current/cockroachcloud/free-trial.md +++ b/src/current/cockroachcloud/free-trial.md @@ -35,7 +35,7 @@ A payment method must be added to the account to be elegible for this benefit, t ## Free trial notifications -During your free trial, you will receive email notifications from Cockroach Labs with information about the status of your trial. These emails are sent to Org Administrators and Billing Coordinators. +During your free trial, you will receive email notifications from Cockroach Labs with information about the status of your trial. These emails are sent to Organization Admins and Billing Coordinators. An email is sent when: diff --git a/src/current/cockroachcloud/labels.md b/src/current/cockroachcloud/labels.md index 4c00095c446..106eb04f7ce 100644 --- a/src/current/cockroachcloud/labels.md +++ b/src/current/cockroachcloud/labels.md 
@@ -43,7 +43,7 @@ The labels applied to a resource must meet the following requirements: You can apply labels to your cluster or folder through the [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud/) or using the CockroachDB Cloud API (refer to the schema for creating a [cluster](https://www.cockroachlabs.com/docs/api/cloud/v1#post-/api/v1/clusters) or [folder](https://www.cockroachlabs.com/docs/api/cloud/v1#post-/api/v1/folders)) or [Terraform provider](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs). -Adding or deleting labels on a cluster requires the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-administrator) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role. +Adding or deleting labels on a cluster requires the [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) role. 1. Navigate to the cluster on the [**Clusters** page]({% link cockroachcloud/cluster-management.md %}#view-clusters-page) and click the menu button in the **Action** column. Alternatively, navigate to the [**Overview** page]({% link cockroachcloud/cluster-management.md %}#view-cluster-overview) for the cluster and click **Actions** in the top right corner. 1. In the dropdown menu, select **Edit cluster labels** to open the **Edit labels** window. diff --git a/src/current/cockroachcloud/managed-backups-advanced.md b/src/current/cockroachcloud/managed-backups-advanced.md index 7c90a3a9f3d..4a0d2d477b1 100644 --- a/src/current/cockroachcloud/managed-backups-advanced.md +++ b/src/current/cockroachcloud/managed-backups-advanced.md 
@@ -130,7 +130,7 @@ For each incomplete backup, the following details display: ### Restore data -Users with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator), [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator), or [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) roles can perform the following from the Console: +Users with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin), [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator), or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) roles can perform the following from the Console: - [Restore a cluster](#restore-an-advanced-cluster) - [Restore a database](#restore-a-database) diff --git a/src/current/cockroachcloud/managing-access.md b/src/current/cockroachcloud/managing-access.md index 95a0a7e0b30..2790e804a34 100644 --- a/src/current/cockroachcloud/managing-access.md +++ b/src/current/cockroachcloud/managing-access.md @@ -28,7 +28,7 @@ The settings and information about the organization are found on the **Informati ## Manage an organization's users ### Invite team members to an organization -An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can invite team members to CockroachDB {{ site.data.products.cloud }}. To invite team members: +An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can invite team members to CockroachDB {{ site.data.products.cloud }}. To invite team members: 1. If you are a member of multiple organizations, navigate to the organization to which you want to invite a team member. You can navigate to the correct organization by using the drop-down box in the top-right corner. 1. On the **Access Management** page, under the *Members* tab, click **Invite**. 
@@ -48,14 +48,14 @@ To edit a user's role, perform the following steps: 1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current organization roles granted to each user. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. -1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is one of **Organization**, the name of a particular [folder]({% link cockroachcloud/folders.md %}), or the name of a particular cluster. If the role is Cluster Administrator, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. +1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is one of **Organization**, the name of a particular [folder]({% link cockroachcloud/folders.md %}), or the name of a particular cluster. If the role is Cluster Admin, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. {{site.data.alerts.callout_info}} When editing roles for a group in the **Groups** tab, the fields for that group's inherited roles are read-only, because inherited roles cannot be edited directly. Instead, you must either remove the role from the parent group from which it is inherited, or remove the member from the parent group. {{site.data.alerts.end}} {{site.data.alerts.callout_danger}} -An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can revoke the Org Administrator role from their own user, but cannot subsequently re-grant the administrator role to themselves. 
+An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can revoke the Organization Admin role from their own user, but cannot subsequently re-grant the administrator role to themselves. {{site.data.alerts.end}} ### Remove a team member @@ -109,7 +109,7 @@ Service accounts, like users, are given only the **Org Member** role by default 1. On the **Access Management** page, select the **Service Accounts** tab. 1. In the row for the target service account, click, click the three-dots **Action** button and select **Edit Roles**. -1. A number of fine-grained roles can be assigned to a given service account. These are the same [roles that can be assigned to users]({% link cockroachcloud/authorization.md %}#organization-user-roles). Each role is represented by a row. Each row has a **scope**, which is either **Organization** or the name of a particular cluster. If the role is Cluster Administrator, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. +1. A number of fine-grained roles can be assigned to a given service account. These are the same [roles that can be assigned to users]({% link cockroachcloud/authorization.md %}#organization-user-roles). Each role is represented by a row. Each row has a **scope**, which is either **Organization** or the name of a particular cluster. If the role is Cluster Admin, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. The fields for a group's inherited roles are read-only, because inherited roles cannot be edited directly. Instead, you must either remove the role from the parent group from which it is inherited, or remove the member from the parent group. @@ -241,7 +241,7 @@ To list all the users in your cluster, use the [`SHOW USERS`]({% link {{site.cur
{{site.data.alerts.callout_info}} -Only users with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator), or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-administrator) can change a user's password. If you do not have the required permissions, ask a user with one of the required roles to change the password. +Only users with the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin), or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) can change a user's password. If you do not have the required permissions, ask a user with one of the required roles to change the password. {{site.data.alerts.end}} To change a user's password: diff --git a/src/current/cockroachcloud/migrations-page.md b/src/current/cockroachcloud/migrations-page.md index 603d156ac8a..7c7f78ce50d 100644 --- a/src/current/cockroachcloud/migrations-page.md +++ b/src/current/cockroachcloud/migrations-page.md @@ -24,7 +24,7 @@ To view this page, select a cluster from the [**Clusters** page]({% link cockroa To access the **Migrations** page, as user must have either of the following roles: -- [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) +- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) - [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) ## Convert a schema diff --git a/src/current/cockroachcloud/organization-audit-logs-in-cloud-console.md b/src/current/cockroachcloud/organization-audit-logs-in-cloud-console.md index 159b22edab8..49eaa2fd76b 100644 --- a/src/current/cockroachcloud/organization-audit-logs-in-cloud-console.md +++ b/src/current/cockroachcloud/organization-audit-logs-in-cloud-console.md 
@@ -12,7 +12,7 @@ CockroachDB {{ site.data.products.cloud }} captures audit logs when many types o To access the **Audit Logs** page: -1. Navigate to the [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud/) and log in as a user with the [Organization Admin role]({% link cockroachcloud/authorization.md %}#org-administrator). +1. Navigate to the [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud/) and log in as a user with the [Organization Admin role]({% link cockroachcloud/authorization.md %}#organization-admin). 1. In the top navigation bar, open the **Organization** menu and select **Audit Logs**. ## Filter audit logs diff --git a/src/current/cockroachcloud/plan-your-cluster-basic.md b/src/current/cockroachcloud/plan-your-cluster-basic.md index 01c948e1d2a..aedb0347593 100644 --- a/src/current/cockroachcloud/plan-your-cluster-basic.md +++ b/src/current/cockroachcloud/plan-your-cluster-basic.md @@ -48,7 +48,7 @@ Your cluster's [configured capacity]({% link cockroachcloud/create-a-basic-clust Cockroach Labs recommends setting your resource limits to about 30% higher than your expected usage to prevent cluster disruption. To learn about tuning your workload to reduce costs, refer to [Understand your Resource Usage]({% link cockroachcloud/resource-usage.md %}). -Each [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) will receive email alerts when a cluster reaches 50%, 75%, and 100% of its [resource limits](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/architecture/glossary#resource-limits). +Each [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) will receive email alerts when a cluster reaches 50%, 75%, and 100% of its [resource limits](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/architecture/glossary#resource-limits). ## Multi-region clusters 
diff --git a/src/current/cockroachcloud/production-checklist.md b/src/current/cockroachcloud/production-checklist.md index 15f1459a6f9..269f41675fb 100644 --- a/src/current/cockroachcloud/production-checklist.md +++ b/src/current/cockroachcloud/production-checklist.md @@ -132,7 +132,7 @@ Since upgrading a cluster can have a significant impact on your workload, make s ### Patch upgrades -For CockroachDB {{ site.data.products.advanced }} clusters, [Organization Admins]({% link cockroachcloud/authorization.md %}#org-administrator) can [set a weekly 6-hour maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) during which available maintenance and patch upgrades will be applied. Patch upgrades can also be [deferred for 60 days]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). If no maintenance window is configured, CockroachDB {{ site.data.products.advanced }} clusters will be automatically upgraded to the latest supported patch version as soon as it becomes available. +For CockroachDB {{ site.data.products.advanced }} clusters, [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) can [set a weekly 6-hour maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) during which available maintenance and patch upgrades will be applied. Patch upgrades can also be [deferred for 60 days]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). If no maintenance window is configured, CockroachDB {{ site.data.products.advanced }} clusters will be automatically upgraded to the latest supported patch version as soon as it becomes available. For more information, refer to [Patch version upgrades]({% link cockroachcloud/upgrade-policy.md %}#patch-version-upgrades). diff --git a/src/current/cockroachcloud/quickstart.md b/src/current/cockroachcloud/quickstart.md index 0d8dd9f3799..7cc8d755b86 100644 
--- a/src/current/cockroachcloud/quickstart.md +++ b/src/current/cockroachcloud/quickstart.md @@ -33,7 +33,7 @@ Once you create a SQL user, the **Connect to cluster** dialog will show informat 1. Copy the `JDBC_DATABASE_URL` environment variable command provided and save it in a secure location. {{site.data.alerts.callout_info}} - The connection string is pre-populated with your username, password, cluster name, and other details. Your password, in particular, will be provided *only* once. Save it in a secure place (Cockroach Labs recommends a password manager) to connect to your cluster in the future. If you forget your password, a Cluster Administrator can reset it. Refer to: [Managing SQL users on a cluster]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) + The connection string is pre-populated with your username, password, cluster name, and other details. Your password, in particular, will be provided *only* once. Save it in a secure place (Cockroach Labs recommends a password manager) to connect to your cluster in the future. If you forget your password, a Cluster Admin can reset it. Refer to: [Managing SQL users on a cluster]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) {{site.data.alerts.end}} ## Configure the connection environment variable 
@@ -115,7 +115,7 @@ Once you create a SQL user, the **Connect to cluster** dialog will show informat 1. Open the **General connection string** section, then copy the connection string provided and save it in a secure location. {{site.data.alerts.callout_info}} - The connection string is pre-populated with your username, password, cluster name, and other details. Your password, in particular, will be provided *only* once. Save it in a secure place (Cockroach Labs recommends a password manager) to connect to your cluster in the future. If you forget your password, a Cluster Administrator can reset it. Refer to: [Managing SQL users on a cluster]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) + The connection string is pre-populated with your username, password, cluster name, and other details. Your password, in particular, will be provided *only* once. Save it in a secure place (Cockroach Labs recommends a password manager) to connect to your cluster in the future. If you forget your password, a Cluster Admin can reset it. Refer to: [Managing SQL users on a cluster]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) {{site.data.alerts.end}} ## Configure the connection environment variable diff --git a/src/current/cockroachcloud/sql-shell.md b/src/current/cockroachcloud/sql-shell.md index fdb588ea4b8..05270c1aa93 100644 --- a/src/current/cockroachcloud/sql-shell.md +++ b/src/current/cockroachcloud/sql-shell.md 
@@ -19,11 +19,11 @@ To use this feature, select a cluster from the [**Clusters** page](cluster-manag - All statements in the SQL Shell are executed within a transaction, so you cannot use the [SET CLUSTER SETTING]({% link {{ site.current_cloud_version }}/set-cluster-setting.md %}) statement to configure cluster settings. - The SQL Shell does not yet support sessions. - The SQL Shell is not available for CockroachDB {{ site.data.products.advanced }} clusters with [additional security add-ons configured]({% link cockroachcloud/managing-access.md %}). -- The SQL Shell is available to CockroachDB {{ site.data.products.cloud }} users with the [Cluster Administrator role]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features). +- The SQL Shell is available to CockroachDB {{ site.data.products.cloud }} users with the [Cluster Admin role]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features). ## Overview -Above the SQL Shell input field, you will see the active user and cluster details in the format `{user name} @ {cluster-name}:{active-database}`. Note that the user displayed is the **Team member** currently logged into the {{ site.data.products.cloud }} Console, not the active SQL user, which is `root`. Team members without the [Cluster Administrator role]({% link cockroachcloud/managing-access.md %}) needed to access the {{ site.data.products.cloud }} Console SQL Shell can still access CockroachDB's [command line SQL shell]({% link {{site.current_cloud_version}}/cockroach-sql.md %}). +Above the SQL Shell input field, you will see the active user and cluster details in the format `{user name} @ {cluster-name}:{active-database}`. Note that the user displayed is the **Team member** currently logged into the {{ site.data.products.cloud }} Console, not the active SQL user, which is `root`. 
Team members without the [Cluster Admin role]({% link cockroachcloud/managing-access.md %}) needed to access the {{ site.data.products.cloud }} Console SQL Shell can still access CockroachDB's [command line SQL shell]({% link {{site.current_cloud_version}}/cockroach-sql.md %}). You can change the active database in the dropdown menu above the input field. If you create a new database in the SQL Shell, you will have to reload the page to refresh the database dropdown menu. Reloading the page will also clear your activity. diff --git a/src/current/cockroachcloud/upgrade-policy.md b/src/current/cockroachcloud/upgrade-policy.md index 4191ca1c4b6..55c339d4199 100644 --- a/src/current/cockroachcloud/upgrade-policy.md +++ b/src/current/cockroachcloud/upgrade-policy.md 
@@ -23,7 +23,7 @@ All CockroachDB {{ site.data.products.basic }} clusters, and CockroachDB {{ site - If you [disable automatic major-version upgrades for CockroachDB {{ site.data.products.standard }}]({% link cockroachcloud/cluster-management.md %}#manage-cluster-upgrades), you are responsible for upgrading the cluster before its version reaches its EOS date to maintain uninterrupted support and SLA guarantees. Clusters that have not upgraded for one year may be upgraded automatically. - You are responsible for upgrading a CockroachDB {{ site.data.products.advanced }} cluster before its current version reaches its EOS date to maintain uninterrupted support and SLA guarantees. -When a CockroachDB {{ site.data.products.advanced }} cluster is nearing its EOS date, you will be reminded to upgrade the cluster at least 30 days before the EOS date to avoid losing support. {% capture who_can_upgrade %}A user with the Cluster Administrator or Cluster Operator [role]({% link cockroachcloud/authorization.md %}) can [upgrade a cluster]({% link cockroachcloud/upgrade-cockroach-version.md %}) directly from the CockroachDB Cloud Console. An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can grant these roles.{% endcapture %}{{ who_can_upgrade }} +When a CockroachDB {{ site.data.products.advanced }} cluster is nearing its EOS date, you will be reminded to upgrade the cluster at least 30 days before the EOS date to avoid losing support. {% capture who_can_upgrade %}A user with the Cluster Admin or Cluster Operator [role]({% link cockroachcloud/authorization.md %}) can [upgrade a cluster]({% link cockroachcloud/upgrade-cockroach-version.md %}) directly from the CockroachDB Cloud Console. 
An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can grant these roles.{% endcapture %}{{ who_can_upgrade }} {{site.data.alerts.callout_info}} This page describes the support of CockroachDB versions on CockroachDB Cloud, which is not affected by LTS or End of Support timelines specified for CockroachDB Self-Hosted. 
@@ -56,7 +56,7 @@ v23.1 | Regular | 12 months | 2023-05-15 | 2024-05-15 Patch version [releases]({% link releases/index.md %}), or "maintenance" releases, contain stable, backward-compatible improvements to major versions of CockroachDB. -For CockroachDB {{ site.data.products.advanced }} clusters, [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) can [set a weekly 6-hour maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) during which available maintenance and patch upgrades will be applied. During the window, your cluster may experience node restarts, reduced performance, and, for single-node clusters, downtime. Upgrades may not always be completed by the end of the window, and maintenance that is critical for security or stability may occur outside the window. Patch upgrades can also be [deferred for 60 days]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). If no maintenance window is configured, CockroachDB {{ site.data.products.advanced }} clusters will be automatically upgraded to the latest supported patch version as soon as it becomes available. +For CockroachDB {{ site.data.products.advanced }} clusters, [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) can [set a weekly 6-hour maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) during which available maintenance and patch upgrades will be applied. During the window, your cluster may experience node restarts, reduced performance, and, for single-node clusters, downtime. Upgrades may not always be completed by the end of the window, and maintenance that is critical for security or stability may occur outside the window. Patch upgrades can also be [deferred for 60 days]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). 
If no maintenance window is configured, CockroachDB {{ site.data.products.advanced }} clusters will be automatically upgraded to the latest supported patch version as soon as it becomes available. CockroachDB {{ site.data.products.basic }} and {{ site.data.products.standard }} clusters receive automatic upgrades to the latest supported patch version of their current major version. 
@@ -66,9 +66,9 @@ Single-node clusters will experience some downtime while the node is restarted d ## CockroachDB {{ site.data.products.advanced }} patch upgrades and maintenance windows -CockroachDB {{ site.data.products.advanced }} clusters are automatically upgraded to the latest patch version release of the cluster’s current CockroachDB major version, but a major-version upgrade must be initiated by an Org Administrator. +CockroachDB {{ site.data.products.advanced }} clusters are automatically upgraded to the latest patch version release of the cluster’s current CockroachDB major version, but a major-version upgrade must be initiated by an Organization Admin. -A [Cluster Administrator]({% link cockroachcloud/authorization.md %}#cluster-administrator) can [set a weekly 6-hour maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) for a CockroachDB {{ site.data.products.advanced }} cluster. During the maintenance window, patch upgrades may be applied, and the cluster may experience restarts, degraded performance, and, for single-node clusters, downtime. Upgrades may not always be completed by the end of the window, and maintenance that is critical for security or stability may occur outside of the window. A patch upgrade can be [deferred for 60 days]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). If no maintenance window is configured, a CockroachDB {{ site.data.products.advanced }} cluster will be upgraded automatically to the latest supported patch version soon after it becomes available. +A [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) can [set a weekly 6-hour maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) for a CockroachDB {{ site.data.products.advanced }} cluster. 
During the maintenance window, patch upgrades may be applied, and the cluster may experience restarts, degraded performance, and, for single-node clusters, downtime. Upgrades may not always be completed by the end of the window, and maintenance that is critical for security or stability may occur outside of the window. A patch upgrade can be [deferred for 60 days]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). If no maintenance window is configured, a CockroachDB {{ site.data.products.advanced }} cluster will be upgraded automatically to the latest supported patch version soon after it becomes available. ### CockroachDB {{ site.data.products.standard }} and {{ site.data.products.basic }} automatic patch upgrades 
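Review bot: The second changed paragraph of the `@@ -66,9` hunk says a Cluster Admin sets the weekly maintenance window, while the `@@ -56,7` hunk directly above and the production-checklist.md hunk earlier in this patch say Organization Admins do. All three sentences are being rewritten here, so this is the moment to make them agree on which role can set a maintenance window (the role definitions in authorization.md should settle it), otherwise the new role names get attached to contradictory claims. Also, `Organization Admin` in the first changed paragraph is left unlinked; suggest `[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin)` to match the other hunks in this file.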
@@ -86,7 +86,7 @@ Major version upgrades are: - Automatic by default for {{ site.data.products.standard }}. - Customer-initiated on CockroachDB {{ site.data.products.advanced }}. -On CockroachDB {{ site.data.products.standard }} with manual upgrades, and on CockroachDB {{ site.data.products.advanced }}, a major-version upgrade can be initiated by an [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator). Major versions labeled Regular releases are required upgrades, and Innovation releases are optional. When a new major version is available, you can [start an upgrade]({% link cockroachcloud/upgrade-cockroach-version.md %}) from the CockroachDB {{ site.data.products.cloud }} Console. The cluster will be upgraded to the latest patch release within that major version. +On CockroachDB {{ site.data.products.standard }} with manual upgrades, and on CockroachDB {{ site.data.products.advanced }}, a major-version upgrade can be initiated by an [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin). Major versions labeled Regular releases are required upgrades, and Innovation releases are optional. When a new major version is available, you can [start an upgrade]({% link cockroachcloud/upgrade-cockroach-version.md %}) from the CockroachDB {{ site.data.products.cloud }} Console. The cluster will be upgraded to the latest patch release within that major version. ### Innovation releases 
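Review bot: The `@@ -86,7` hunk states that a major-version upgrade is initiated by an Organization Admin, but the `who_can_upgrade` capture in the `@@ -23,7` hunk of the same file says a user with the Cluster Admin or Cluster Operator role can upgrade a cluster and an Organization Admin only grants those roles. One of the two statements is wrong or incomplete; suggest resolving this before the rename lands, and then aligning the `@@ -129,7` hunk ("An Organization Admin can upgrade your cluster") with whichever wording wins, since the three sentences currently describe different privilege boundaries for the same action.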
@@ -129,7 +129,7 @@ As CockroachDB releases new major versions, older versions reach their End of Su Clusters running unsupported CockroachDB versions are not eligible for our [availability SLA](https://www.cockroachlabs.com/cloud-terms-and-conditions/). Further downgrades in support may occur as per the [CockroachDB Release Support Policy]({% link releases/release-support-policy.md %}). -If you are running a CockroachDB version nearing EOS, you will be reminded at least one month before that version’s EOS that your clusters must be upgraded by the EOS date to avoid losing support. An Org Administrator can [upgrade your cluster]({% link cockroachcloud/upgrade-cockroach-version.md %}) directly from the CockroachDB {{ site.data.products.cloud }} Console. +If you are running a CockroachDB version nearing EOS, you will be reminded at least one month before that version’s EOS that your clusters must be upgraded by the EOS date to avoid losing support. An Organization Admin can [upgrade your cluster]({% link cockroachcloud/upgrade-cockroach-version.md %}) directly from the CockroachDB {{ site.data.products.cloud }} Console. ## Additional information diff --git a/src/current/releases/cloud.md b/src/current/releases/cloud.md index ee622124bd1..1912cd7cd6b 100644 --- a/src/current/releases/cloud.md +++ b/src/current/releases/cloud.md @@ -84,7 +84,7 @@ The new official [Cockroach Labs Okta app integration]({% link cockroachcloud/co

General updates

-- [CockroachDB v24.3.0-beta.2]({% link releases/v24.3.md %}#v24-3-0-beta-2) is available to CockroachDB {{ site.data.products.advanced }} clusters as a Pre-Production Preview release for testing and experimentation. An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can upgrade your CockroachDB {{ site.data.products.advanced }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. To learn more, refer to [Upgrade a cluster in CockroachDB {{ site.data.products.cloud }}]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). +- [CockroachDB v24.3.0-beta.2]({% link releases/v24.3.md %}#v24-3-0-beta-2) is available to CockroachDB {{ site.data.products.advanced }} clusters as a Pre-Production Preview release for testing and experimentation. An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can upgrade your CockroachDB {{ site.data.products.advanced }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. To learn more, refer to [Upgrade a cluster in CockroachDB {{ site.data.products.cloud }}]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). ## October 22, 2024 @@ -218,7 +218,7 @@ In addition, this release includes the following features:

Security updates

- [Folders]({% link cockroachcloud/folders.md %}) are now available in [preview](https://www.cockroachlabs.com/docs/stable/cockroachdb-feature-availability). -- The initial [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) is now automatically assigned the [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) role. +- The initial [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) is now automatically assigned the [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) role. - A [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) can now view all users and service accounts. ## April 18, 2024 @@ -246,7 +246,7 @@ In addition, this release includes the following features:

General updates

-- [CockroachDB v24.1.0-beta.1](https://www.cockroachlabs.com/docs/releases/v24.1#v24-1-0-beta-1) is available to CockroachDB {{ site.data.products.dedicated }} clusters as a Pre-Production Preview release for testing and experimentation. An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can upgrade your CockroachDB {{ site.data.products.dedicated }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. To learn more, refer to [Upgrade to v24.1 Pre-Production Preview]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). +- [CockroachDB v24.1.0-beta.1](https://www.cockroachlabs.com/docs/releases/v24.1#v24-1-0-beta-1) is available to CockroachDB {{ site.data.products.dedicated }} clusters as a Pre-Production Preview release for testing and experimentation. An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can upgrade your CockroachDB {{ site.data.products.dedicated }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. To learn more, refer to [Upgrade to v24.1 Pre-Production Preview]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). ## April 9, 2024 @@ -259,7 +259,7 @@ In addition, this release includes the following features:

Security updates

- All CockroachDB {{ site.data.products.cloud }} organizations have been migrated to use [fine-grained roles]({% link cockroachcloud/authorization.md %}#organization-user-roles). The following deprecated legacy roles have been removed: - - Org Administrator (Legacy) + - Organization Admin (Legacy) - Org Developer (Legacy) ## March 19, 2024 @@ -308,13 +308,13 @@ In addition, this release includes the following features:

General updates

-- [CockroachDB v23.2.0-rc.1](https://www.cockroachlabs.com/docs/releases/v23.2#v23-2-0-rc-1) is available to CockroachDB {{ site.data.products.dedicated }} clusters as a Pre-Production Preview release for testing and experimentation. An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can upgrade your CockroachDB {{ site.data.products.dedicated }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. For clusters previously upgraded to the v23.2.0-beta.3 Pre-Production Preview release, v23.2.0-rc.1 will be applied automatically as a patch upgrade unless you choose to manually upgrade. To learn more, refer to [Upgrade to v23.2 Pre-Production Preview]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). +- [CockroachDB v23.2.0-rc.1](https://www.cockroachlabs.com/docs/releases/v23.2#v23-2-0-rc-1) is available to CockroachDB {{ site.data.products.dedicated }} clusters as a Pre-Production Preview release for testing and experimentation. An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can upgrade your CockroachDB {{ site.data.products.dedicated }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. For clusters previously upgraded to the v23.2.0-beta.3 Pre-Production Preview release, v23.2.0-rc.1 will be applied automatically as a patch upgrade unless you choose to manually upgrade. To learn more, refer to [Upgrade to v23.2 Pre-Production Preview]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). ## December 19, 2023

General updates

-- [CockroachDB v23.2.0-beta.3](https://www.cockroachlabs.com/docs/releases/v23.2#v23-2-0-beta-3) is available to CockroachDB {{ site.data.products.dedicated }} clusters as a Pre-Production Preview release for testing and experimentation. An [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) can upgrade your CockroachDB {{ site.data.products.dedicated }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. To learn more, refer to [Upgrade to v23.2 Pre-Production Preview]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). +- [CockroachDB v23.2.0-beta.3](https://www.cockroachlabs.com/docs/releases/v23.2#v23-2-0-beta-3) is available to CockroachDB {{ site.data.products.dedicated }} clusters as a Pre-Production Preview release for testing and experimentation. An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can upgrade your CockroachDB {{ site.data.products.dedicated }} cluster from the CockroachDB {{ site.data.products.cloud }} Console. To learn more, refer to [Upgrade to v23.2 Pre-Production Preview]({% link cockroachcloud/upgrade-cockroach-version.md %}) and the [CockroachDB {{ site.data.products.cloud }} Upgrade Policy]({% link cockroachcloud/upgrade-policy.md %}). ## December 14, 2023 @@ -366,7 +366,7 @@ In addition, this release includes the following features:

General changes

-- The {{ site.data.products.cloud }} Console's [SQL Shell]({% link cockroachcloud/sql-shell.md %}) is now available in [preview](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability) to all CockroachDB {{ site.data.products.cloud }} users with the [Cluster Administrator role]({% link cockroachcloud/managing-access.md %}). +- The {{ site.data.products.cloud }} Console's [SQL Shell]({% link cockroachcloud/sql-shell.md %}) is now available in [preview](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability) to all CockroachDB {{ site.data.products.cloud }} users with the [Cluster Admin role]({% link cockroachcloud/managing-access.md %}). ## September 22, 2023 @@ -482,7 +482,7 @@ In addition, this release includes the following features: - Cluster Operator - Billing Coordinator - - Org Administrator + - Organization Admin To enroll your organization in the new authorization model, contact your Cockroach Labs account team. 
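Review bot: The `@@ -482,7` hunk rewrites the role list inside a dated September 2023 release-notes entry. Release notes are a historical record of what shipped under which name; a reader checking what the product called the role at that time would no longer find it. Suggest leaving role names in dated entries as they were (or adding a short "now called Organization Admin" aside) and limiting the rename to the current documentation pages in this patch. The same consideration applies to the other releases/cloud.md hunks above.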
@@ -569,7 +569,7 @@ For an in-depth explanation of CockroachDB {{ site.data.products.serverless }} p - CockroachDB {{ site.data.products.cloud }} is transitioning to a new [authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) that offers fine-grained access-control (FGAC), meaning that users can be given access to exactly the actions and resources required to perform their tasks. Changes include [cluster-level roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) and consistent access management across users and service accounts. This feature is in [limited access](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability), and you can enroll your organization by contacting your account team. For more information, see [Managing Access (Authorization) in CockroachDB Cloud]({% link cockroachcloud/managing-access.md %}). -- You can now use client certificates to authenticate to CockroachDB {{ site.data.products.dedicated }} clusters. First, a [cluster administrator]({% link cockroachcloud/authorization.md %}#organization-user-roles) needs to upload a CA certificate for the cluster using the [Cloud API]({% link cockroachcloud/cloud-api.md %}) or [Terraform provider]({% link cockroachcloud/provision-a-cluster-with-terraform.md %}). After that, individual users can be assigned client certificates signed by the uploaded CA certificate, which they can then use to connect to the cluster. This feature is in [limited access](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability), and you can enroll your organization by contacting your account team. +- You can now use client certificates to authenticate to CockroachDB {{ site.data.products.dedicated }} clusters. 
First, a [Cluster Admin]({% link cockroachcloud/authorization.md %}#organization-user-roles) needs to upload a CA certificate for the cluster using the [Cloud API]({% link cockroachcloud/cloud-api.md %}) or [Terraform provider]({% link cockroachcloud/provision-a-cluster-with-terraform.md %}). After that, individual users can be assigned client certificates signed by the uploaded CA certificate, which they can then use to connect to the cluster. This feature is in [limited access](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/cockroachdb-feature-availability), and you can enroll your organization by contacting your account team.

Bug fixes

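Review bot: In the `@@ -569,7` hunk the renamed `[Cluster Admin]` link still targets `#organization-user-roles`, the overview of all roles, whereas the upgrade-policy.md hunk at `@@ -66,9` points at the role's own `#cluster-admin` anchor (the `### Cluster Admin` heading is visible in the authorization.md hunk of PATCH 4/9). Since the line is being rewritten, suggest `[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)`. Uploading the cluster CA certificate that client certificates are signed against is a privileged operation, so the note should lead straight to the definition of the exact role that is allowed to do it.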
@@ -601,7 +601,7 @@ For an in-depth explanation of CockroachDB {{ site.data.products.serverless }} p

Security updates

-- [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) of organizations that have [enabled Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %}) can now reset the passwords of other users in their organization who authenticate using passwords rather than an SSO authentication method. +- [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) of organizations that have [enabled Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %}) can now reset the passwords of other users in their organization who authenticate using passwords rather than an SSO authentication method.

Bug fixes

@@ -619,7 +619,7 @@ For an in-depth explanation of CockroachDB {{ site.data.products.serverless }} p

Security updates

-- The [**Migrations** page]({% link cockroachcloud/migrations-page.md %}) is now limited to [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator). +- The [**Migrations** page]({% link cockroachcloud/migrations-page.md %}) is now limited to [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin). ## February 9, 2023 @@ -1142,7 +1142,7 @@ New CockroachDB {{ site.data.products.cloud }} clusters will now run CockroachDB - You can now [restore databases and tables]({% link cockroachcloud/managed-backups.md %}) from backups of CockroachDB {{ site.data.products.cloud }} clusters. This feature is only available to clusters running the paid version of CockroachDB {{ site.data.products.cloud }}. - [reCAPTCHA](https://www.google.com/recaptcha/about/) has been added to the sign up process for new users signing up with an email and password. Some users may need to complete an image challenge. -- An email will now be sent to [Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) when a [30-day free trial of CockroachDB {{ site.data.products.cloud }}]({% link cockroachcloud/quickstart-trial-cluster.md %}) is nearing its end and once it has expired. +- An email will now be sent to [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) when a [30-day free trial of CockroachDB {{ site.data.products.cloud }}]({% link cockroachcloud/quickstart-trial-cluster.md %}) is nearing its end and once it has expired. ## January 22, 2021 @@ -1200,8 +1200,8 @@ At this time, you cannot use the Console to scale up a single-node cluster or sc

General changes

- Updated the layout of the Sign up page. -- [CockroachDB {{ site.data.products.cloud }} Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) can now [update their {{ site.data.products.cloud }} organization's name](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/architecture/glossary#organization). -- [CockroachDB {{ site.data.products.cloud }} Org Administrators]({% link cockroachcloud/authorization.md %}#org-administrator) can now [delete their {{ site.data.products.cloud }} Organization](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/architecture/glossary#organization). +- [CockroachDB {{ site.data.products.cloud }} Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) can now [update their {{ site.data.products.cloud }} organization's name](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/architecture/glossary#organization). +- [CockroachDB {{ site.data.products.cloud }} Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) can now [delete their {{ site.data.products.cloud }} Organization](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/architecture/glossary#organization). ## April 6, 2020 diff --git a/src/current/v24.1/wal-failover.md b/src/current/v24.1/wal-failover.md index cdddb702361..b4c260020f8 100644 --- a/src/current/v24.1/wal-failover.md +++ b/src/current/v24.1/wal-failover.md @@ -400,7 +400,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. ### 4. What is the best practice `storage.max_sync_duration`? 
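Review bot: In the v24.1/wal-failover.md hunk, "cluster administrator" describes whoever operates an on-premise, self-hosted cluster (the sentence is explicitly about on-premise deployments, which have no CockroachDB Cloud Console roles), so replacing it with the Console role name `Cluster Admin` changes the meaning rather than the spelling. Suggest dropping this hunk and the identical ones for v24.3, v25.1, v25.2 and v25.3 that follow, keeping the lowercase "DBA or cluster administrator".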
diff --git a/src/current/v24.3/wal-failover.md b/src/current/v24.3/wal-failover.md index e372250ac41..f7c096638d9 100644 --- a/src/current/v24.3/wal-failover.md +++ b/src/current/v24.3/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. ### 4. What is the best practice `storage.max_sync_duration`? diff --git a/src/current/v25.1/wal-failover.md b/src/current/v25.1/wal-failover.md index 956d3d341b0..f5b395138df 100644 --- a/src/current/v25.1/wal-failover.md +++ b/src/current/v25.1/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. ### 4. What is the best practice `storage.max_sync_duration`? diff --git a/src/current/v25.2/wal-failover.md b/src/current/v25.2/wal-failover.md index 524feaf8a31..8144d034673 100644 --- a/src/current/v25.2/wal-failover.md +++ b/src/current/v25.2/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. ### 4. What is the best practice `storage.max_sync_duration`? 
diff --git a/src/current/v25.3/wal-failover.md b/src/current/v25.3/wal-failover.md index 3d5b550150a..8fb98cec6f4 100644 --- a/src/current/v25.3/wal-failover.md +++ b/src/current/v25.3/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. ### 4. What is the best practice `storage.max_sync_duration`? From b812c5f4fd22a16b88fbdcd6fd70bba074b09057 Mon Sep 17 00:00:00 2001 From: Joe Lodin Date: Fri, 13 Jun 2025 14:55:30 -0400 Subject: [PATCH 4/9] Correct wording --- src/current/cockroachcloud/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index 6fca49bf5db..52c543ab127 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md @@ -110,7 +110,7 @@ This role can be granted at the scope of the organization, on an individual clus ### Cluster Admin -The **Cluster Admin** role is granted all of the [Cluster Operator actions](#cluster-operator) permissions, as well as the following: +The **Cluster Admin** role is granted all of the [Cluster Operator](#cluster-operator) permissions, as well as the following: - [Provision SQL users for a cluster using the console]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). - [Create Service Accounts]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role). From 1f4ce2a8dac5f228dfba01e6429eeb3d64c47861 Mon Sep 17 00:00:00 2001 
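Review bot: the wal-failover.md hunks (v24.1, v24.3, v25.1, v25.2 and v25.3) replace the generic job title "cluster administrator" with "Cluster Admin", which is the name of a CockroachDB Cloud Console role; the sentence being edited is about on-premise (self-hosted) deployments, where no Console role applies, so the capitalized role name reads as a reference to a role those operators do not have. Suggest leaving "the DBA or cluster administrator" as it was in these self-hosted pages, or, if the goal is to avoid "administrator", rephrase to "the DBA or whoever operates the cluster".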
From: Joe Lodin Date: Fri, 13 Jun 2025 14:56:47 -0400 Subject: [PATCH 5/9] Clean up passive verbiage --- .../_includes/cockroachcloud/org-roles/folder-admin.md | 2 +- .../_includes/cockroachcloud/org-roles/folder-mover.md | 2 +- src/current/cockroachcloud/authorization.md | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md index f658f84bf25..b235508fb72 100644 --- a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md 
@@ -1,4 +1,4 @@ - The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role is granted permissions to create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders. + The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role grants permissions to create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders. A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can grant themselves, another user, or a service account the Folder Admin role. diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md index 40dddcbc523..cd611885ed0 100644 --- a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md 
@@ -1,4 +1,4 @@ - The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role is granted permission to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). + The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role grants permissions to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). {{site.data.alerts.callout_info}} A cluster cannot be renamed. diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index 52c543ab127..b1f87528bb7 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md 
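Review bot: the rewritten Folder Mover sentence has a subject/verb mismatch: "role grants permissions to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role" makes the role the subject of "can move", and "they" no longer has an antecedent once "is granted" becomes "grants". Suggest "role grants permissions to rename or move descendant folders and to move clusters within the folder hierarchy where the user holds the role."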
@@ -64,11 +64,11 @@ This role can be assigned only at the organization scope. ### Billing Coordinator -The **Billing Coordinator** role is granted permissions to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview). +The **Billing Coordinator** role grants permissions to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview). ### Cluster Operator -The **Cluster Operator** role is granted permissions that are dependent on whether it is assigned to a user or a service account. +The **Cluster Operator** role grants permissions that are dependent on whether it is assigned to a user or a service account. - *Users* with this role can perform the following *console operations*: @@ -110,7 +110,7 @@ This role can be granted at the scope of the organization, on an individual clus ### Cluster Admin -The **Cluster Admin** role is granted all of the [Cluster Operator](#cluster-operator) permissions, as well as the following: +The **Cluster Admin** role grants all of the [Cluster Operator](#cluster-operator) permissions, as well as the following: - [Provision SQL users for a cluster using the console]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). - [Create Service Accounts]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role). 
@@ -124,13 +124,13 @@ This role can be granted at the scope of the organization, on an individual clus ### Cluster Creator -The **Cluster Creator** role is granted permission to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Admin](#cluster-admin) role for that cluster upon creation. +The **Cluster Creator** role grants permissions to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Admin](#cluster-admin) role for that cluster upon creation. This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. ### Cluster Developer -The **Cluster Developer** role is granted permission to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. +The **Cluster Developer** role grants permissions to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. From 9bacbc9385a3e18450425b3885d0c566b6543ded Mon Sep 17 00:00:00 2001 
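Review bot: "descendent folders" in the Cluster Creator and Cluster Developer scope sentences (unchanged context in this hunk) is a variant spelling that conflicts with "descendant folders" in folder-admin.md earlier in this same commit; since these paragraphs are being touched, suggest normalizing to "descendant" here too. In the same hunk, "allowing them to [export a connection string ...]" has no plural antecedent now that "The **Cluster Developer** role" is the subject; "allowing users to" would read cleanly.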
From: Joe Lodin Date: Fri, 13 Jun 2025 15:47:13 -0400 Subject: [PATCH 6/9] Remove usage of grant and privileges for Console roles, clarify wording --- .../cockroachcloud/org-roles/folder-admin.md | 4 +- .../cockroachcloud/org-roles/folder-mover.md | 4 +- src/current/cockroachcloud/authorization.md | 38 ++++++++++--------- .../v23.1/security-reference/authorization.md | 4 +- .../v23.2/security-reference/authorization.md | 4 +- .../v24.1/security-reference/authorization.md | 4 +- .../v24.2/security-reference/authorization.md | 4 +- .../v24.3/security-reference/authorization.md | 4 +- .../v25.1/security-reference/authorization.md | 4 +- .../v25.2/security-reference/authorization.md | 4 +- .../v25.3/security-reference/authorization.md | 4 +- 11 files changed, 40 insertions(+), 38 deletions(-) diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md index b235508fb72..792ebf6e42d 100644 --- a/src/current/_includes/cockroachcloud/org-roles/folder-admin.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-admin.md 
@@ -1,5 +1,5 @@ - The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role grants permissions to create, rename, and move, or delete folders where they are granted the role, and they can also manage access to these folders. They can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders. + The {% if page.name == 'authorization.md' %}**Folder Admin**{% else %}[**Folder Admin**]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role allows users to create, rename, move, delete, and manage access to folders where they are assigned the role. Users can also [edit folder labels]({% link cockroachcloud/labels.md %}). This role can be assigned at the level of the organization or on a specific folder. If assigned at the level of the organization, the role allows users to view all users and service accounts in the organization. If assigned to a specific folder, the role is inherited by descendant folders. - A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can grant themselves, another user, or a service account the Folder Admin role. + A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin){% endif %} role can assign themselves, another user, or a service account the Folder Admin role. 
To create or manage clusters in a folder, a Folder Admin also needs the {% if page.name == 'authorization.md' %}[Cluster Admin](#cluster-admin) or [Cluster Creator](#cluster-creator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator){% endif %} role on that folder directly or by inheritance. To delete a cluster, the Cluster Admin role is required on the cluster directly or by inheritance. diff --git a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md index cd611885ed0..440589eb18f 100644 --- a/src/current/_includes/cockroachcloud/org-roles/folder-mover.md +++ b/src/current/_includes/cockroachcloud/org-roles/folder-mover.md 
@@ -1,7 +1,7 @@ - The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role grants permissions to rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). + The {% if page.name == 'authorization.md' %}**Folder Mover**{% else %}[**Folder Mover**]({% link cockroachcloud/authorization.md %}#folder-mover){% endif %} role allows users to rename or move descendant folders, and move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as {% if page.name == 'authorization.md' %}[Cluster Creator](#cluster-creator) or [Cluster Operator](#cluster-operator){% else %}[Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator{% endif %}). {{site.data.alerts.callout_info}} A cluster cannot be renamed. 
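Review bot: the Folder Mover sentence keeps two pre-existing defects that this rewrite was the natural place to fix. First, the closing parenthesis of the last link sits after `{% endif %}`, so in the `authorization.md` branch the rendered text ends with `[Cluster Operator](#cluster-operator))`, a stray `)`; move it inside the `{% else %}` branch, e.g. `[Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator){% endif %}.` so both branches close correctly. Second, the two branches name different example roles (`Cluster Creator` when rendered on authorization.md, `Cluster Admin` elsewhere), so readers see a different example depending on which page renders the include; pick one pair for both branches.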
{{site.data.alerts.end}} - A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role. + A user with the {% if page.name == 'authorization.md' %}[Organization Admin](#organization-admin) or [Folder Admin](#folder-admin){% else %}[Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) or [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin){% endif %} role can assign another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to assign themselves the Folder Mover role. diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index b1f87528bb7..3d0db3e55ad 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md 
@@ -21,22 +21,24 @@ In CockroachDB {{ site.data.products.cloud }}, an organization corresponds to an CockroachDB {{ site.data.products.cloud }} has a hierarchical authorization model, where roles can be assigned at different scopes: -1. Organization: A CockroachDB {{ site.data.products.cloud }} organization assigns privileges based on [roles](#organization-user-roles) assigned to a {{ site.data.products.cloud }} Console user account, which allow these accounts to perform administrative tasks relating to the management of clusters, Console user management, SQL user management, and billing. -1. Folder: {{ site.data.products.cloud }} Console [roles](#organization-user-roles) can be assigned to a folder containing a group of clusters. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendent resources. +1. Organization: A CockroachDB {{ site.data.products.cloud }} organization assigns permissions based on [roles](#organization-user-roles) assigned to a {{ site.data.products.cloud }} Console user account, which allow these accounts to perform administrative tasks relating to the management of clusters, Console user management, SQL user management, and billing. +1. Folder: {{ site.data.products.cloud }} Console [roles](#organization-user-roles) can be assigned to a folder containing a group of clusters. Role inheritance is transitive; a role applied with the organization or folder scope is inherited by descendent resources. {{site.data.alerts.callout_success}} Organizing clusters using folders is available in [Preview]({% link {{site.current_cloud_version}}/cockroachdb-feature-availability.md %}#feature-availability-phases). To learn more, refer to [Organize {{ site.data.products.db }} Clusters Using Folders]({% link cockroachcloud/folders.md %}). {{site.data.alerts.end}} -1. 
Cluster: Each CockroachDB cluster defines its own set of [SQL users]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#create-and-manage-users) and [roles]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#roles) which manage permission to execute SQL statements on the cluster. +1. Cluster: Each CockroachDB cluster defines its own set of [SQL users]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#create-and-manage-users) and SQL user [roles]({% link {{ site.current_cloud_version }}/security-reference/authorization.md %}#roles) which manage permission to execute SQL statements on the cluster. The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function. -SQL users are assigned a separate set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) +{{site.data.alerts.callout_info}} +SQL users are assigned a distinct set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. 
For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) +{{site.data.alerts.end}} ## Organization user roles -When a user or service account is first added to an organization, they are granted the default role, **Org Member**, which grants no permission and only indicates membership in the organization. Org or Cluster Admins may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider. +When a user or service account is first added to an organization, they are granted the default Console role, **Organization Member**, which adds no permissions and only indicates membership in the organization. Users with the Organization or Cluster Admin role may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} Console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider. {% include_cached cockroachcloud/first-org-user-roles.md %} @@ -44,7 +46,7 @@ To learn more, refer to [Manage organization users]({% link cockroachcloud/manag {% include_cached cockroachcloud/org-roles/cloud-roles-table.md %} -The following sections describe available CockroachDB {{ site.data.products.cloud }} roles in more detail: +The following sections describe the available CockroachDB {{ site.data.products.cloud }} Console roles in more detail: ### Organization Member 
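Review bot: the new callout carries over the missing terminal period on "...refer to the main [Authorization in CockroachDB documentation]({% link ... %})"; add the period while moving the sentence. Also, "a role applied with the organization or folder scope" is phrasing this page uses nowhere else; the role sections below in this same patch say "assigned at the scope of the organization", so "a role assigned at the organization or folder scope is inherited by ..." would keep the terminology uniform.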
@@ -52,11 +54,11 @@ The **Organization Member** role is assigned by default to all organization user ### Organization Admin -The **Organization Admin** role grants the following permissions: +The **Organization Admin** role allows users to perform the following actions: - [Invite users to join that organization]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). - [Create service accounts]({% link cockroachcloud/managing-access.md %}#create-a-service-account). -- Grant and revoke roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). +- Grant and revoke {{ site.data.products.cloud }} Console roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). Organization Admins automatically receive [email alerts]({% link cockroachcloud/alerts-page.md %}) about planned cluster maintenance and when CockroachDB {{ site.data.products.cloud }} detects that a cluster is overloaded or experiencing issues. In addition, Organization Admins can subscribe other members to the email alerts, and configure how alerts work for the organization. 
@@ -64,11 +66,11 @@ This role can be assigned only at the organization scope. ### Billing Coordinator -The **Billing Coordinator** role grants permissions to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview). +The **Billing Coordinator** role allows users to [manage billing for that organization]({% link cockroachcloud/billing-management.md %}) through the CockroachDB {{ site.data.products.cloud }} console billing page at [`https://cockroachlabs.cloud/billing/overview`](https://cockroachlabs.cloud/billing/overview). ### Cluster Operator -The **Cluster Operator** role grants permissions that are dependent on whether it is assigned to a user or a service account. +The **Cluster Operator** role allows actions that are dependent on whether it is assigned to a user or a service account. - *Users* with this role can perform the following *console operations*: 
@@ -100,17 +102,17 @@ The **Cluster Operator** role grants permissions that are dependent on whether i - [View and configure a cluster's Egress Rules]({% link cockroachcloud/egress-perimeter-controls.md %}). - [Configure the export of metrics to DataDog or Amazon CloudWatch]({% link cockroachcloud/export-metrics.md %}). -This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role, except that it does **not** allow users to: +This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role but does **not** allow users to: - Manage cluster-scoped roles on organization users. - Manage SQL users from the cloud console. - Create or delete a cluster. -This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. +This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, the role is inherited on the folder's clusters, descendent folders, and their descendants. ### Cluster Admin -The **Cluster Admin** role grants all of the [Cluster Operator](#cluster-operator) permissions, as well as the following: +The **Cluster Admin** role allows users to perform all [Cluster Operator](#cluster-operator) actions, as well as the following: - [Provision SQL users for a cluster using the console]({% link cockroachcloud/managing-access.md %}#create-a-sql-user). - [Create Service Accounts]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role). 
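Review bot: the sentence "as it grants all of the permissions of that role but does **not** allow users to" still describes a Console role in terms of granting permissions, which is the wording this commit ("Remove usage of grant and privileges for Console roles") sets out to remove; suggest "as it allows all of the actions of that role but does **not** allow users to". In the same hunk, "Manage SQL users from the cloud console" keeps a lowercase "console", and the @@ -64 hunk above keeps "console billing page", while the overview hunk changes "console's" to "Console's"; capitalize consistently across the page.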
@@ -120,19 +122,19 @@ The **Cluster Admin** role grants all of the [Cluster Operator](#cluster-operato - Access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console). - Configure a cluster's [maintenance window]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window). -This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. +This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. ### Cluster Creator -The **Cluster Creator** role grants permissions to create clusters in an organization. A cluster's creator is automatically granted the [Cluster Admin](#cluster-admin) role for that cluster upon creation. +The **Cluster Creator** role allows users to create clusters in an organization. A cluster's creator is automatically assigned the [Cluster Admin](#cluster-admin) role for that cluster upon creation. -This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. +This role can be assigned at the scope of the organization or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. 
### Cluster Developer -The **Cluster Developer** role grants permissions to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. +The **Cluster Developer** role allows users view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster. -This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. +This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants. ### Folder Admin diff --git a/src/current/v23.1/security-reference/authorization.md b/src/current/v23.1/security-reference/authorization.md index 72090c3094a..c9d3915a94b 100644 --- a/src/current/v23.1/security-reference/authorization.md +++ b/src/current/v23.1/security-reference/authorization.md 
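Review bot: "The **Cluster Developer** role allows users view cluster details" is missing "to": it should read "allows users to view cluster details and access the [DB Console](...)".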
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v23.2/security-reference/authorization.md b/src/current/v23.2/security-reference/authorization.md index 72090c3094a..c9d3915a94b 100644 --- a/src/current/v23.2/security-reference/authorization.md +++ b/src/current/v23.2/security-reference/authorization.md 
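Review bot: the + line in the v23.1 security-reference/authorization.md hunk repeats "This page describes authorization of SQL users on particular [CockroachDB database clusters](...)." twice in a row, which looks like a paste error made while inserting "Console". Drop the duplicate so the line reads "This page describes authorization of SQL users on particular [CockroachDB database clusters](...). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations." The identical duplication appears in the v23.2, v24.1 and v24.2 hunks that follow, and the commit's file list shows the same 4-line change for v24.3 through v25.3, so every per-version copy needs the same fix.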
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v24.1/security-reference/authorization.md b/src/current/v24.1/security-reference/authorization.md index 4f1d3d68db5..68e3a526158 100644 --- a/src/current/v24.1/security-reference/authorization.md +++ b/src/current/v24.1/security-reference/authorization.md 
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v24.2/security-reference/authorization.md b/src/current/v24.2/security-reference/authorization.md index 4f1d3d68db5..68e3a526158 100644 --- a/src/current/v24.2/security-reference/authorization.md +++ b/src/current/v24.2/security-reference/authorization.md 
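Review bot: the v24.1 `+` line also doubles the opening sentence ("This page describes authorization of SQL users on particular ... #cluster). This page describes authorization of SQL users on particular ... #cluster)."). Keep one copy followed by "This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users ...", matching the v25.3 hunk.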
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v24.3/security-reference/authorization.md b/src/current/v24.3/security-reference/authorization.md index 4f1d3d68db5..68e3a526158 100644 --- a/src/current/v24.3/security-reference/authorization.md +++ b/src/current/v24.3/security-reference/authorization.md 
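Review bot: duplicated sentence in the v24.2 `+` line as well; the paragraph should open with a single "This page describes authorization of SQL users on particular [CockroachDB database clusters](...)." before the "This is distinct from ..." sentence, as the v25.3 version of the same change does.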
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v25.1/security-reference/authorization.md b/src/current/v25.1/security-reference/authorization.md index 4f1d3d68db5..68e3a526158 100644 --- a/src/current/v25.1/security-reference/authorization.md +++ b/src/current/v25.1/security-reference/authorization.md 
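Review bot: the v24.3 `+` line repeats "This page describes authorization of SQL users on particular [CockroachDB database clusters](...)." twice; delete the second occurrence so this file matches the v25.3 hunk below.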
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v25.2/security-reference/authorization.md b/src/current/v25.2/security-reference/authorization.md index 4f1d3d68db5..68e3a526158 100644 --- a/src/current/v25.2/security-reference/authorization.md +++ b/src/current/v25.2/security-reference/authorization.md 
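Review bot: the v25.1 `+` line carries the same duplicated opening sentence as the older version files in this patch; trim it to one "This page describes authorization of SQL users on particular ... clusters." followed by the "This is distinct from ..." sentence.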
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models diff --git a/src/current/v25.3/security-reference/authorization.md b/src/current/v25.3/security-reference/authorization.md index 4f1d3d68db5..ceb08f21540 100644 --- a/src/current/v25.3/security-reference/authorization.md +++ b/src/current/v25.3/security-reference/authorization.md 
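Review bot: the v25.2 `+` line still doubles "This page describes authorization of SQL users on particular [CockroachDB database clusters](...)."; remove the repeat. Every versioned copy of this paragraph except v25.3 has the duplication, so it looks like a copy-paste of one bad edit rather than seven independent ones.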
@@ -7,9 +7,9 @@ docs_area: reference.security Authorization, generally, is the control over **who** (users/roles) can perform **which actions** (e.g read, write, update, delete, grant, etc.) to **which resources or targets** (databases, functions, tables, clusters, schemas, rows, users, jobs, etc.). -This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} users on CockroachDB {{ site.data.products.cloud }} organizations. +This page describes authorization of SQL users on particular [CockroachDB database clusters]({% link {{ page.version.version }}/architecture/glossary.md %}#cluster). This is distinct from authorization of CockroachDB {{ site.data.products.cloud }} Console users on CockroachDB {{ site.data.products.cloud }} organizations. -Learn more: [Overview of the CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) +Learn more about the [CockroachDB {{ site.data.products.cloud }} authorization model]({% link cockroachcloud/authorization.md %}#overview-of-the-cockroachdb-cloud-authorization-model) ## Authorization models From 85867fcaeacf5c518d4bc960979ef027c380cd95 Mon Sep 17 00:00:00 2001 
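Review bot: this v25.3 hunk is the one correct form of the change (the "This page describes authorization of SQL users ..." sentence appears once, followed by "This is distinct from ..."); the earlier versioned copies of the same hunk in this patch repeat that sentence. Apply this paragraph text to the other version files so all of them are identical.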
From: Joe Lodin Date: Mon, 16 Jun 2025 13:31:06 -0400 Subject: [PATCH 7/9] Finish disassociating 'grant' and 'privilege' from console roles --- .../org-roles/cloud-roles-table.md | 10 +++---- src/current/advisories/c20230118.md | 4 +-- src/current/cockroachcloud/authorization.md | 12 ++++---- src/current/cockroachcloud/ccloud-faq.md | 20 ++++++------- src/current/cockroachcloud/cloud-org-sso.md | 4 +-- .../cockroachcloud/configure-cloud-org-sso.md | 6 ++-- .../configure-scim-provisioning.md | 10 +++---- src/current/cockroachcloud/databases-page.md | 2 +- src/current/cockroachcloud/folders.md | 30 +++++++++---------- src/current/cockroachcloud/managing-access.md | 10 +++---- src/current/cockroachcloud/migrations-page.md | 2 +- src/current/cockroachcloud/upgrade-policy.md | 2 +- src/current/releases/cloud.md | 4 +-- src/current/v24.1/wal-failover.md | 2 +- src/current/v24.3/wal-failover.md | 2 +- src/current/v25.1/wal-failover.md | 2 +- src/current/v25.2/wal-failover.md | 2 +- src/current/v25.3/wal-failover.md | 2 +- 18 files changed, 63 insertions(+), 63 deletions(-) diff --git a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md index f6542eb74b1..0f13a949bd9 100644 --- a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md +++ b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md 
@@ -1,13 +1,13 @@ -The following table describes the high level permissions granted to each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles that grant different permissions are granted the highest level privileges given by their assigned roles. +The following table describes the high level permissions given by each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles is given all permissions in each area across all assigned roles. | **Role name** | **User management** | **Billing management** | **Cluster management** | **Database management** | **Monitoring & observability** | **Security & access** | **Backup & restore** | **Folder management** | **Other permissions** | |---|---|---|---|---|---|---|---|---|---| | `Organization Member` | None | None | None | None | None | None | None | None | None | -| `Organization Admin` | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) | +| `Organization Admin` | Manage users and service accounts, assign and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) | | `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None | | `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | -| `Cluster Admin` | Manage SQL users, manage service accounts, grant user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is granted with 
organization scope | Access DB console, configure maintenance windows | -| `Cluster Creator` | None | None | Create cluster (grants `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is granted with organization scope | None | None, unless role is granted with organization scope | None | +| `Cluster Admin` | Manage SQL users, manage service accounts, assign user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is assigned with organization scope | Access DB console, configure maintenance windows | +| `Cluster Creator` | None | None | Create cluster (assigns `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is assigned with organization scope | None | None, unless role is assigned with organization scope | None | | `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details | | `Folder Admin` | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None | | `Folder Mover` | None | None | Move cluster between folders | None | None | None | None | None | None | 
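Review bot: two wording inconsistencies survive in this hunk while the lines are being touched: the `+` intro line reads "high level permissions" (should be "high-level permissions"), and the `Cluster Operator` row says "Manage Databases" where the `Cluster Admin` row says "Manage databases". Also worth confirming the `Cluster Creator` row: its **Security & access** cell reads "None, unless role is assigned with organization scope", the same text as the **Folder management** cell, which looks like a copy-paste; if the role truly gains security permissions at organization scope, say which, otherwise make it "None".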
@@ -20,4 +20,4 @@ Some roles can be assigned to users at specific levels of scope to provide more | `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` | | `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` | -{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions granted, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %} \ No newline at end of file +{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %} \ No newline at end of file diff --git a/src/current/advisories/c20230118.md b/src/current/advisories/c20230118.md index 6db6f6f13c7..46f658a1b30 100644 --- a/src/current/advisories/c20230118.md +++ b/src/current/advisories/c20230118.md 
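Review bot: both sides of the last line carry "\ No newline at end of file"; since the include is being edited anyway, add the trailing newline so downstream diffs of this file stop flagging it. The scope table in the context lines also lists a `Folder` scope next to `Organization` and `Cluster`; the FAQ hunks later in this patch still describe only two scopes, so the two pages should be reconciled.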
@@ -31,13 +31,13 @@ All users assigned the Developer role in a CockroachDB Cloud organization will n See [Role Options](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/alter-user#{% if site.current_cloud_version == "v22.1" %}parameters{% else %}role-options{% endif %}) for more information on these roles. -The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role. +The users assigned the [Organization Admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role. ## Mitigation A fix has been automatically applied to all CockroachDB Cloud organizations. With this change, the risk related to this issue, of the possibility of accessing data from any cluster in a cloud organization by users that have been assigned the Developer role, has been removed. This change follows the least privilege principle by ensuring that users with the lower-privilege Developer role only have the underlying SQL permissions applicable to their role level. 
-It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration. +It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and assign the [Organization Admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration. Admins should also ensure that when users access a cluster’s DB Console directly from the CockroachDB Cloud’s [Tools page](https://www.cockroachlabs.com/docs/cockroachcloud/tools-page#access-the-db-console), they authenticate with specific SQL users that have been assigned only the required SQL privileges within the cluster. See [Authorization (Self-Hosted)](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/authorization.html) and [Authorization in CockroachDB](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization) for more information. 
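Review bot: the `+` line still says "whereby a user is granted exactly the minimum set of permissions" while the commit's stated goal is to disassociate "grant" from Console roles; if that generic least-privilege phrasing is intentionally kept, fine, but if not, "is given exactly the minimum set of permissions" matches the rest of the patch. Note also that this edits a published advisory (c20230118): changing "org admin role" to "Organization Admin role" is a terminology update, but make sure the link anchors (`#organization-admin`, `#org-developer-legacy`) still resolve against the current authorization page after the renames in this series.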
diff --git a/src/current/cockroachcloud/authorization.md b/src/current/cockroachcloud/authorization.md index 3d0db3e55ad..66dde9c088a 100644 --- a/src/current/cockroachcloud/authorization.md +++ b/src/current/cockroachcloud/authorization.md 
@@ -33,12 +33,12 @@ CockroachDB {{ site.data.products.cloud }} has a hierarchical authorization mode The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function. {{site.data.alerts.callout_info}} -SQL users are assigned a distinct set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) -{{site.data.alerts.end}} +SQL users are granted a distinct set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and permissions described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %}) +{{site.data.alerts.end}}. The [GRANT]({% link {{site.current_cloud_version}}/grant.md %}) SQL statement cannot be used to assign {{ site.data.products.cloud }} Console roles and permissions. ## Organization user roles -When a user or service account is first added to an organization, they are granted the default Console role, **Organization Member**, which adds no permissions and only indicates membership in the organization. 
Users with the Organization or Cluster Admin role may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} Console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider. +When a user or service account is first added to an organization, they are assigned the default Console role, **Organization Member**, which adds no permissions and only indicates membership in the organization. Users with the Organization or Cluster Admin role may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} Console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider. {% include_cached cockroachcloud/first-org-user-roles.md %} @@ -50,7 +50,7 @@ The following sections describe the available CockroachDB {{ site.data.products. ### Organization Member -The **Organization Member** role is assigned by default to all organization users when they are invited or provisioned. This role grants no additional permissions. +The **Organization Member** role is assigned by default to all organization users when they are invited or provisioned. This role gives no additional permissions. ### Organization Admin 
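Review bot: the callout in the `@@ -33,12` hunk is broken by the new sentence's placement. The first `+` line ends with the link and no period, and the second `+` line is `{{site.data.alerts.end}}. The [GRANT](...) SQL statement cannot be used to assign ... Console roles and permissions.`, so a stray period renders right after the callout and the GRANT sentence falls outside it. Move the period to the end of the first line, put the GRANT sentence on its own line before `{{site.data.alerts.end}}` (or as a separate paragraph after it), and leave the end tag alone on its line. Since that sentence is the one that tells readers SQL `GRANT` cannot confer Console permissions, it should render where readers of the callout will see it.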
@@ -58,7 +58,7 @@ The **Organization Admin** role allows users to perform the following actions: - [Invite users to join that organization]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). - [Create service accounts]({% link cockroachcloud/managing-access.md %}#create-a-service-account). -- Grant and revoke {{ site.data.products.cloud }} Console roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). +- Assign and revoke {{ site.data.products.cloud }} Console roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts). Organization Admins automatically receive [email alerts]({% link cockroachcloud/alerts-page.md %}) about planned cluster maintenance and when CockroachDB {{ site.data.products.cloud }} detects that a cluster is overloaded or experiencing issues. In addition, Organization Admins can subscribe other members to the email alerts, and configure how alerts work for the organization. @@ -102,7 +102,7 @@ The **Cluster Operator** role allows actions that are dependent on whether it is - [View and configure a cluster's Egress Rules]({% link cockroachcloud/egress-perimeter-controls.md %}). - [Configure the export of metrics to DataDog or Amazon CloudWatch]({% link cockroachcloud/export-metrics.md %}). -This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role but does **not** allow users to: +This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it gives all of the permissions of that role but does **not** allow users to: - Manage cluster-scoped roles on organization users. - Manage SQL users from the cloud console. 
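Review bot: in the `@@ -102,7` hunk the rewritten sentence is self-contradictory: "it gives all of the permissions of that role but does **not** allow users to:" followed by a list of things it does not permit. "gives most of the permissions of that role, but does **not** allow users to:" states the restriction correctly. The `@@ -58,7` change ("Assign and revoke ... Console roles") is consistent with the rest of the patch.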
diff --git a/src/current/cockroachcloud/ccloud-faq.md b/src/current/cockroachcloud/ccloud-faq.md index 4ad3c31843a..fa31edc423e 100644 --- a/src/current/cockroachcloud/ccloud-faq.md +++ b/src/current/cockroachcloud/ccloud-faq.md 
@@ -7,23 +7,23 @@ docs_area: manage ### What role is assigned to new CockroachDB {{ site.data.products.cloud }} members? What entitlements are included? -Org Member is the default and only role assignable to new users as they are added to a CockroachDB {{ site.data.products.cloud }} organization. This role has most minimum entitlements across all the available roles, including the ability to view the list of available clusters and high-level organization information like ID, Name, Label etc. +Organization Member is the default and only role assignable to new users as they are added to a CockroachDB {{ site.data.products.cloud }} organization. This role has most minimum entitlements across all the available roles, including the ability to view the list of available clusters and high-level organization information like ID, Name, Label etc. -### What is the minimum access role that can be granted on a cluster? +### What is the minimum access role that can be assigned on a cluster? Cluster Developer is the minimum access role that can be assigned to a cluster user on a cluster. Cluster Developers can view the details of the target cluster and access DB Console for monitoring. ### What roles are assigned to the user that creates a CockroachDB {{ site.data.products.cloud }} organization and thus becomes the first and only user in that organization? -The user who creates a new organization is assigned a combination of Organization Admin, Billing Coordinator, and Cluster Admin at the organization scope. Any of these roles may subsequently be removed, although another user must have the Org Adminstrator role, and the Cluster Admin role at the organization scope, before either of those can be removed. This is to ensure that at least one user has each of these roles. +The user who creates a new organization is assigned a combination of Organization Admin, Billing Coordinator, and Cluster Admin at the organization scope. 
Any of these roles may subsequently be removed, although another user must have the Organization Admin role, and the Cluster Admin role at the organization scope, before either of those can be removed. This is to ensure that at least one user has each of these roles. ### Is it possible to assign more than one role to a user in a CockroachDB {{ site.data.products.cloud }} organization? -Yes, it is possible, and often necessary, to assign more than one role to a user. The default minimum access role Org Member is always assigned to every user as long as they’re a part of the CockroachDB {{ site.data.products.cloud }} organization. Beyond that, every other assigned role is additive to the overall entitlements of a user. For example, the initial user is automatically assigned the Org Member, Organization Admin, Cluster Admin, and Billing Coordinator roles at organization scope when they create the CockroachDB {{ site.data.products.cloud }} organization. +Yes, it is possible, and often necessary, to assign more than one role to a user. The default minimum access role Organization Member is always assigned to every user as long as they’re a part of the CockroachDB {{ site.data.products.cloud }} organization. Beyond that, every other assigned role is additive to the overall entitlements of a user. For example, the initial user is automatically assigned the Organization Member, Organization Admin, Cluster Admin, and Billing Coordinator roles at organization scope when they create the CockroachDB {{ site.data.products.cloud }} organization. ### Can we follow the least privilege principle by using the roles available in the CockroachDB {{ site.data.products.cloud }} authorization model? -Yes, the roles available in the CockroachDB {{ site.data.products.cloud }} authorization model allow Organization Admins to grant only those entitlements to users that are required for their intended workflows. 
+Yes, the roles available in the CockroachDB {{ site.data.products.cloud }} authorization model allow Organization Admins to assign only those entitlements to users that are required for their intended workflows. Cluster level roles like Cluster Admin, Cluster Operator and Cluster Developer allow users to perform pertinent actions for one or more clusters, while providing differentiation between admin and non-admin entitlements. 
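Review bot: the first `+` line in this hunk renames "Org Member" but keeps "This role has most minimum entitlements across all the available roles", which does not parse; "This role has the fewest entitlements of all the available roles" is what is meant, and "ID, Name, Label etc." wants a comma before "etc.". The fix of "Org Adminstrator" to "Organization Admin" in the third `+` line is good.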
@@ -33,13 +33,13 @@ Yes, service accounts and human users utilize the same authorization model. ### Can I assign a cluster-level role to a few users such that they have the relevant entitlements on all clusters in the CockroachDB {{ site.data.products.cloud }} organization? -Yes, an admin could assign a cluster level role like Cluster Admin, Cluster Operator or Cluster Developer on the entire CockroachDB DB Cloud organization or on one or more specific clusters. There are two scopes in the authorization model - organization and clusters, with organization being the parent, and clusters being the children in the hierarchy. So if an admin assigns cluster level roles at the organization scope, they are automatically applicable on all clusters in the CockroachDB DB Cloud organization. Such access should be granted only to users who need to work with all clusters. +Yes, an admin could assign a cluster level role like Cluster Admin, Cluster Operator or Cluster Developer on the entire CockroachDB DB Cloud organization or on one or more specific clusters. There are two scopes in the authorization model - organization and clusters, with organization being the parent, and clusters being the children in the hierarchy. So if an admin assigns cluster level roles at the organization scope, they are automatically applicable on all clusters in the CockroachDB DB Cloud organization. Such access should be given only to users who need to work with all clusters. ### If an admin removes all role assignments for a particular user, is that user automatically removed from the CockroachDB {{ site.data.products.cloud }} organization? -When all role assignments have been removed for a user, they still implicitly have the Org Member role which is granted to each newly-added CockroachDB {{ site.data.products.cloud }} member, and the member is not automatically removed from the organization. 
Refer to: [Remove a team member]({% link cockroachcloud/managing-access.md %}#remove-a-team-member) +When all role assignments have been removed for a user, they still implicitly have the Organization Member role which is given to each newly-added CockroachDB {{ site.data.products.cloud }} member, and the member is not automatically removed from the organization. Refer to: [Remove a team member]({% link cockroachcloud/managing-access.md %}#remove-a-team-member) -### Which roles grant the ability to add, remove, and manage members in a CockroachDB {{ site.data.products.cloud }} organization? +### Which roles allow the user to add, remove, and manage members in a CockroachDB {{ site.data.products.cloud }} organization? Users with the Organization Admin role are allowed to manage users and roles at both the organization and the cluster scopes. Users with the Cluster Admin role are only allowed to manage role assignments at the cluster scope. 
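Review bot: the first `+` line in this hunk still contains "CockroachDB DB Cloud organization" twice (stray "DB"); elsewhere on the page the product is written as "CockroachDB {{ site.data.products.cloud }}", so use the variable here too. The same line asserts "There are two scopes in the authorization model - organization and clusters", but the roles table include updated earlier in this patch lists a third `Folder` scope; update this answer (and "cluster level" to "cluster-level") so the FAQ does not contradict the table.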
@@ -47,9 +47,9 @@ Users with the Organization Admin role are allowed to manage users and roles at A user with the Cluster Creator role can create new clusters in the CockroachDB {{ site.data.products.cloud }} organization, so this role can be assigned only at the organization scope. -After the cluster is created, its creator is automatically granted the Cluster Admin role on that cluster. If that user already had the Cluster Admin role at the organization scope, this cluster-specific grant appears to have no effect. +After the cluster is created, its creator is automatically assigned the Cluster Admin role on that cluster. If that user already had the Cluster Admin role at the organization scope, this cluster-specific role assignment appears to have no effect. -This overlap allows admins to give users from different projects or teams access to create and fully manage their own clusters without the ability to manage clusters owned by other projects or teams. For example, two different users from different teams could each be granted the Cluster Creator role so that they can fully manage clusters they own but not clusters owned by anyone else. +This overlap allows admins to give users from different projects or teams access to create and fully manage their own clusters without the ability to manage clusters owned by other projects or teams. For example, two different users from different teams could each be assigned the Cluster Creator role so that they can fully manage clusters they own but not clusters owned by anyone else. ### Are SQL roles part of the CockroachDB {{ site.data.products.cloud }} authorization model? diff --git a/src/current/cockroachcloud/cloud-org-sso.md b/src/current/cockroachcloud/cloud-org-sso.md index 893ae2ae99c..186b8524fa1 100644 --- a/src/current/cockroachcloud/cloud-org-sso.md +++ b/src/current/cockroachcloud/cloud-org-sso.md 
@@ -44,7 +44,7 @@ If your organization includes members whose identity you don't manage, such as p ### Autoprovisioning -Autoprovisioning is a self-service mechanism that removes the need for a new user to be [invited by an Org Admin]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). When it is enabled, the first time a user successfully authentications using that method, CockroachDB {{ site.data.products.cloud }} organization account is automatically created for them. Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). +Autoprovisioning is a self-service mechanism that removes the need for a new user to be [invited by an Organization Admin]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization). When it is enabled, the first time a user successfully authentications using that method, CockroachDB {{ site.data.products.cloud }} organization account is automatically created for them. Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which adds no permissions to perform cluster or organization actions. Additional roles can be assigned by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). Autoprovisioning is disabled by default, but can be enabled per SSO authentication method. 
@@ -117,7 +117,7 @@ After SAML is configured, your users can sign in to the CockroachDB {{ site.data #### What default role is assigned to users when autoprovisioning is enabled in a CockroachDB {{ site.data.products.cloud }} organization? -Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). +Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which adds no permissions to perform cluster or organization actions. Additional roles can be assigned by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). ## What's next? - [Configure Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}) diff --git a/src/current/cockroachcloud/configure-cloud-org-sso.md b/src/current/cockroachcloud/configure-cloud-org-sso.md index 87814e304ad..819a977bb27 100644 --- a/src/current/cockroachcloud/configure-cloud-org-sso.md +++ b/src/current/cockroachcloud/configure-cloud-org-sso.md 
@@ -44,7 +44,7 @@ Before you enable Cloud Organization SSO, notify your members about what to expe - Which authentication methods they can use and whether they have autoprovisioning enabled. - Some members may need to be re-added to your organization: - All members of your CockroachDB {{ site.data.products.cloud }} organization who were using [Basic SSO]({% link cockroachcloud/cloud-org-sso.md %}#basic-sso) rather than an email and password must sign in again to regain access to your organization. After signing in, members retain the same access they had before the migration. - - Members who are also members of other organizations must be re-added to your organization. If they sign in using an authentication method with [autoprovisioning](#autoprovisioning) enabled, they are automatically added upon successful sign-in. Otherwise, they must be re-invited or [provisioned using SCIM]({% link cockroachcloud/configure-scim-provisioning.md %}). If a re-invited member previously had the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role, it must be granted to them again. + - Members who are also members of other organizations must be re-added to your organization. If they sign in using an authentication method with [autoprovisioning](#autoprovisioning) enabled, they are automatically added upon successful sign-in. Otherwise, they must be re-invited or [provisioned using SCIM]({% link cockroachcloud/configure-scim-provisioning.md %}). If a re-invited member previously had the [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) role, it must be assigned to them again. During enablement of the feature, a list of affected members is shown, and those members are also notified individually. 
@@ -60,7 +60,7 @@ If your migration fails with the error: `Cloud Organization SSO cannot be enable For your migration to succeed, you must ensure that at least one admin belongs to no other CockroachDB {{ site.data.products.cloud }} organization than the one to be migrated. If all admins belong to multiple organizations, the migration will fail with the generic error `Cloud Organization SSO cannot be enabled`. -If all of your administrators belong to multiple organizations, you can create a temporary user in your SSO provider or directly in CockroachDB {{ site.data.products.cloud }}. Grant the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin) to the temporary user, and use this temporary admin to enable Cloud Organization SSO. After migration, you should delete this temporary user or revoke the **Organization Admin** role. +If all of your administrators belong to multiple organizations, you can create a temporary user in your SSO provider or directly in CockroachDB {{ site.data.products.cloud }}. Assign the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin) to the temporary user, and use this temporary admin to enable Cloud Organization SSO. After migration, you should delete this temporary user or revoke the **Organization Admin** role. ## Enable Cloud Organization SSO 
@@ -142,7 +142,7 @@ By default, members can access your CockroachDB {{ site.data.products.cloud }} o Autoprovisioning allows members to sign up for an account without waiting for an invitation. By default, autoprovisioning is disabled, and a member must exist in the SSO provider and must be [invited by a user with the **Organization Admin** role]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization) before they can create an account. When autoprovisioning is enabled, no invitation is required. -Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). +Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which adds no permissions to perform cluster or organization actions. Additional roles can be assigned by a user with the [**Organization Admin** role]({% link cockroachcloud/authorization.md %}#organization-admin). If a member's identity is removed from the SSO provider, they can no longer log in to CockroachDB {{ site.data.products.cloud }}, but their account is not automatically deprovisioned. If you require automatic deprovisioning or other centralized account automation features, refer to [SCIM Provisioning]({% link cockroachcloud/configure-scim-provisioning.md %}). diff --git a/src/current/cockroachcloud/configure-scim-provisioning.md b/src/current/cockroachcloud/configure-scim-provisioning.md index 3048156ed3e..7b63b113ce2 100644 --- a/src/current/cockroachcloud/configure-scim-provisioning.md +++ b/src/current/cockroachcloud/configure-scim-provisioning.md 
@@ -53,7 +53,7 @@ Depending on what it supports, your IdP may provide a mechanism to sync IAM grou 1. You can configure the SCIM app integration to selectively synchronize details about an IAM group to CockroachDB {{ site.data.products.cloud }}, including the group's name and membership list. In Okta, this group is said to be _pushed_. 1. Within CockroachDB {{ site.data.products.cloud }}, you can assign roles to a pushed group, and those roles are automatically assigned to the individual group members with provisioned accounts in CockroachDB {{ site.data.products.cloud }}. 1. A user account is only ever automatically provisioned in CockroachDB {{ site.data.products.cloud }} based on assignments in the SCIM app integration. - - If a group is pushed but not assigned to the SCIM app in Okta, roles can be granted to the group in CockroachDB {{ site.data.products.cloud }}, and group members who are already provisioned in CockroachDB {{ site.data.products.cloud }} or who are assigned to the app integration in the future, automatically receive those roles. + - If a group is pushed but not assigned to the SCIM app in Okta, roles can be assigned to the group in CockroachDB {{ site.data.products.cloud }}, and group members who are already provisioned in CockroachDB {{ site.data.products.cloud }} or who are assigned to the app integration in the future, automatically receive those roles. - If a group is assigned to the SCIM app in Okta but is not pushed, the group does not appear in CockroachDB {{ site.data.products.cloud }}, but user accounts are automatically provisioned for its members. 1. When details about a pushed IAM group change, such as the group's name or membership, these changes are automatically reflected in CockroachDB {{ site.data.products.cloud }}, unless group push is subsequently disabled for the group. 
@@ -202,10 +202,10 @@ To view details about a group: ### Manage a group's roles -Within CockroachDB {{ site.data.products.cloud }}, you can grant [roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) to a pushed group, and those roles are automatically granted to the group's members who have accounts in CockroachDB {{ site.data.products.cloud }}. +Within CockroachDB {{ site.data.products.cloud }}, you can assign {{ site.data.products.cloud }} Console [roles]({% link cockroachcloud/authorization.md %}#organization-user-roles) to a pushed group, and those roles are automatically assigned to the group's members who have accounts in CockroachDB {{ site.data.products.cloud }}. -- When you push a group whose members already exist in CockroachDB {{ site.data.products.cloud }} and assign roles to the group, those members are granted the group's roles, in addition to roles explicitly granted to them. -- When the group's membership changes in your IdP, those changes are synchronized with the group in CockroachDB {{ site.data.products.cloud }}. If a CockroachDB {{ site.data.products.cloud }} account is added to or removed from the group in your IdP, they gain or lose roles granted to the group in CockroachDB {{ site.data.products.cloud }}. +- When you push a group whose members already exist in CockroachDB {{ site.data.products.cloud }} and assign roles to the group, those members are assigned the group's roles, in addition to roles explicitly assigned to them. +- When the group's membership changes in your IdP, those changes are synchronized with the group in CockroachDB {{ site.data.products.cloud }}. If a CockroachDB {{ site.data.products.cloud }} account is added to or removed from the group in your IdP, they gain or lose roles assigned to the group in CockroachDB {{ site.data.products.cloud }}. 
This section shows how to view and manage a group's roles in the CockroachDB {{ site.data.products.cloud }} Console or using the [Cloud API]({% link cockroachcloud/cloud-api.md %}). @@ -218,7 +218,7 @@ This section shows how to view and manage a group's roles in the CockroachDB {{ 1. In CockroachDB {{ site.data.products.cloud }} Console, click **Access Management > Groups**. 1. In a group's row, click the three-dots **Action** button, then click **Edit Roles**. -1. The group's granted roles are shown. Add or remove roles, then click **Confirm**. +1. The group's assigned roles are shown. Add or remove roles, then click **Confirm**. {{site.data.alerts.callout_info}} The fields for inherited roles are read-only, because inherited roles cannot be edited directly. Instead, you must either remove the role from the parent group from which it is inherited, or remove the child group from the parent group. diff --git a/src/current/cockroachcloud/databases-page.md b/src/current/cockroachcloud/databases-page.md index 97e83f0093f..824471c5510 100644 --- a/src/current/cockroachcloud/databases-page.md +++ b/src/current/cockroachcloud/databases-page.md @@ -11,7 +11,7 @@ The **Databases** page of the CockroachDB {{ site.data.products.cloud }} Console - The databases configured. - The tables in each database and the indexes on each table. -- The grants assigned to each role and user. +- The grants assigned to each role and SQL user. - [Index recommendations](#index-recommendations). To view this information, select a cluster from the [**Clusters** page]({% link cockroachcloud/cluster-management.md %}#view-clusters-page), and click **Databases** in the **Data** section of the left side navigation menu. This will give you access to the following: diff --git a/src/current/cockroachcloud/folders.md b/src/current/cockroachcloud/folders.md index 487e7734608..b0c0344ecd1 100644 --- a/src/current/cockroachcloud/folders.md +++ b/src/current/cockroachcloud/folders.md 
@@ -55,18 +55,18 @@ Operations that violate these restrictions result in an error. ### Folders and role assignment -A role granted on a folder is inherited on its descendant folders and clusters. All existing organizational roles, such as [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator), can be granted at the folder scope. +A role assigned to a folder is inherited on its descendant folders and clusters. All existing organizational roles, such as [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) or [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator), can be assigned at the folder scope. -A role granted directly on a cluster is unchanged if the cluster is moved into or out of a folder. +A role assigned directly on a cluster is unchanged if the cluster is moved into or out of a folder. -The following roles, when granted at the organization level, allow reading of the entire folder hierarchy: +The following roles, when assigned at the organization scope, allow reading of the entire folder hierarchy: - Organization Admin - Cluster Admin - Cluster Operator - Cluster Developer -The following roles allow creation of clusters at the level of the hierarchy where they are granted: +The following roles allow creation of clusters at the level of the hierarchy where they are assigned: - Cluster Admin - Cluster Creator 
@@ -86,22 +86,22 @@ Your user account must have the following roles to manage access to folders: - [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) {{site.data.alerts.callout_success}} -An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can grant themselves, another user, or a service account the Folder Admin role. +An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can assign themselves, another user, or a service account the Folder Admin role. {{site.data.alerts.end}} -## Grant the `FOLDER_ADMIN` or `FOLDER_MOVER` role +## Assign the `FOLDER_ADMIN` or `FOLDER_MOVER` role -Folders inherit roles granted higher in the hierarchy, and folders at the root level inherit roles granted at the organization scope. To create a folder, a team member must have the `FOLDER_ADMIN` role on its parent folder. To create a folder at the root level, a team member must have the `FOLDER_ADMIN` role at the level of the organization. +Folders inherit roles assigned higher in the hierarchy, and folders at the root level inherit roles assigned at the organization scope. To create a folder, a team member must have the `FOLDER_ADMIN` role on its parent folder. To create a folder at the root level, a team member must have the `FOLDER_ADMIN` role at the level of the organization. {{site.data.alerts.callout_success}} To create clusters in a folder, the member must also have the `CLUSTER_ADMIN` or `CLUSTER_CREATOR` role on that folder or by inheritance. {{site.data.alerts.end}} -To grant the `FOLDER_ADMIN` role: +To assign the `FOLDER_ADMIN` role: 1. On the **Access Management** page, locate the team member's details whose role you want to change. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. -1. Set **Scope** to **Organization** or to a folder in the hierarchy. The role is granted on all of the folder's descendants. +1. 
Set **Scope** to **Organization** or to a folder in the hierarchy. The role is assigned on all of the folder's descendants. 1. Set **Role** to **Folder Admin** or **Folder Mover**. 1. Click **Confirm**. @@ -123,10 +123,10 @@ Your service account must have the following roles on the organization, the fold 1. To manage access to a folder, go to **Organization** > **Access Management**. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. -1. Set **Scope** to the folder you just created. The role is granted on all of the folder's descendants. +1. Set **Scope** to the folder you just created. The role is assigned on all of the folder's descendants. 1. Set **Role** to **Folder Admin** or **Folder Mover**. - To access a folder's clusters, a user or service account must also have the **Cluster Admin**, **Cluster Creator**, or **Cluster Operator** role on the folder. The role may be granted by inheritance or directly on a cluster. + To access a folder's clusters, a user or service account must also have the **Cluster Admin**, **Cluster Creator**, or **Cluster Operator** role on the folder. The role may be assigned by inheritance or directly on a cluster. 1. Click **Confirm**. 
@@ -155,11 +155,11 @@ Your service account must have the following roles on the organization or the fo If you do not have permission to create folders at this location, you will see only **Create cluster**. {{site.data.alerts.end}} 1. Configure the cluster as desired, then click **Create Cluster**. -1. To grant others roles directly on the newly-created cluster: +1. To assign others roles directly on the newly-created cluster: 1. Go to **Organization** > **Access Management**. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. 1. Set **Scope** to the folder you just created. - 1. Set **Role** to the role you want to grant. + 1. Set **Role** to the role you want to assign. 1. Click **Confirm**. ## Move a cluster into or out of a folder @@ -171,7 +171,7 @@ Your service account must have permission to move clusters at both the source an Folder Movers can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as Cluster Creator or Cluster Operator. {{site.data.alerts.callout_info}} -When you move a cluster into or out of a folder, users or service accounts who had access to the previous location through inheritance may lose access. Roles granted directly on a cluster do not change when the cluster is moved. +When you move a cluster into or out of a folder, users or service accounts who had access to the previous location through inheritance may lose access. Roles assigned directly on a cluster do not change when the cluster is moved. {{site.data.alerts.end}} To move a cluster from the organization level into a folder, or to move it from one folder to another: 
@@ -198,7 +198,7 @@ Your service account must have permission to move folders at both the source and - [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) or [Folder Mover]({% link cockroachcloud/authorization.md %}#folder-mover) {{site.data.alerts.callout_info}} -When you move a folder, users or service accounts who had access to the previous location through inheritance may lose access to its descendant folders and clusters. Roles granted directly on a folder or a cluster do not change when the folder or cluster is moved. +When you move a folder, users or service accounts who had access to the previous location through inheritance may lose access to its descendant folders and clusters. Roles assigned directly on a folder or a cluster do not change when the folder or cluster is moved. {{site.data.alerts.end}} To move a folder and its contents into another folder: diff --git a/src/current/cockroachcloud/managing-access.md b/src/current/cockroachcloud/managing-access.md index 2790e804a34..cef6d410a0c 100644 --- a/src/current/cockroachcloud/managing-access.md +++ b/src/current/cockroachcloud/managing-access.md 
@@ -8,7 +8,7 @@ docs_area: manage This page details procedures for managing CockroachDB {{ site.data.products.cloud }} access to CockroachDB {{ site.data.products.cloud }}. Before proceeding, it is recommended to review the concepts related to the two levels of CockroachDB {{ site.data.products.cloud }} access management model (the organization level and the SQL level in a cluster), which are detailed in [CockroachDB {{ site.data.products.cloud }} Access Management Overview and FAQ]({% link cockroachcloud/authorization.md %}). -Access management tasks for the organization level are performed in the CockroachDB {{ site.data.products.cloud }} console **Access Management** page, found at `https://cockroachlabs.cloud/access`. This page allows organization administrators to invite users to the CockroachDB {{ site.data.products.cloud }} organization, create service accounts, and manage the access roles granted to both. Users with Cluster Admin role on a cluster can also manage the access role grants on that cluster. Roles can be granted at different scopes (levels) of the resource hierarchy. +Access management tasks for the organization level are performed in the CockroachDB {{ site.data.products.cloud }} console **Access Management** page, found at `https://cockroachlabs.cloud/access`. This page allows organization administrators to invite users to the CockroachDB {{ site.data.products.cloud }} organization, create service accounts, and manage the access roles assigned to both. Users with Cluster Admin role on a cluster can also manage the access role assignments on that cluster. Roles can be assigned at different scopes (levels) of the resource hierarchy. Access management tasks for SQL level in a cluster are a bit distributed. 
SQL users on particular clusters can be created in the console's 'SQL user' page for a specific cluster, found at `https://cockroachlabs.cloud/cluster//users`, or with the `ccloud` command line utility's [`cluster user create`]({% link cockroachcloud/ccloud-get-started.md %}#create-a-sql-user-using-ccloud-cluster-user-create) command, or with a SQL client. However, the SQL roles that govern permissions in the cluster for SQL users must be managed with a SQL client. Furthermore, SQL users created with the console or with `ccloud` utility are granted the `admin` SQL role on the cluster by default; this makes it important from a security perspective to immediately modify this user if needed, revoking the `admin` role and replacing it with a SQL role with privileges required for its task, according to the [principle of least privilege](https://wikipedia.org/wiki/Principle_of_least_privilege). 
@@ -32,7 +32,7 @@ An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization- 1. If you are a member of multiple organizations, navigate to the organization to which you want to invite a team member. You can navigate to the correct organization by using the drop-down box in the top-right corner. 1. On the **Access Management** page, under the *Members* tab, click **Invite**. -1. In the **Email Address** field, enter the email address of the team member you want to invite. By default, a user is assigned the [Organization member]({% link cockroachcloud/authorization.md %}#organization-member) role; this default role grants no access. After the user is invited, you will be able to [grant additional roles](#change-a-team-members-roles). +1. In the **Email Address** field, enter the email address of the team member you want to invite. By default, a user is assigned the [Organization member]({% link cockroachcloud/authorization.md %}#organization-member) role; this default role adds no permissions. After the user is invited, you will be able to [assign additional roles](#change-a-team-members-roles). 1. If required, you could invite multiple users at the same time by adding a row per email address using **+ Add Member**. It is also possible to enable [autoprovisioning]({% link cockroachcloud/cloud-org-sso.md %}#autoprovisioning) for your organization, which removes the need to invite team members. 
@@ -46,7 +46,7 @@ In the CockroachDB {{ site.data.products.cloud }} Console, users must be assigne To edit a user's role, perform the following steps: -1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current organization roles granted to each user. +1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current roles assigned to each user. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. 1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is one of **Organization**, the name of a particular [folder]({% link cockroachcloud/folders.md %}), or the name of a particular cluster. If the role is Cluster Admin, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. @@ -55,7 +55,7 @@ To edit a user's role, perform the following steps: {{site.data.alerts.end}} {{site.data.alerts.callout_danger}} -An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can revoke the Organization Admin role from their own user, but cannot subsequently re-grant the administrator role to themselves. +An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can revoke the Organization Admin role from their own user, but cannot subsequently re-assign the administrator role to themselves. {{site.data.alerts.end}} ### Remove a team member 
@@ -102,7 +102,7 @@ The access management model for service accounts is unified with the [user model 1. Confirm creation of the service account. {{site.data.alerts.callout_info}} -Service accounts, like users, are given only the **Org Member** role by default upon creation. This role grants no access in the organization. After it is created, you can grant additional roles to the service account. +Service accounts, like users, are given only the **Organization Member** role by default upon creation. This role assigns no access in the organization. After it is created, you can assign additional roles to the service account. {{site.data.alerts.end}} ### Edit roles on a service account diff --git a/src/current/cockroachcloud/migrations-page.md b/src/current/cockroachcloud/migrations-page.md index 7c7f78ce50d..68f89cb68cb 100644 --- a/src/current/cockroachcloud/migrations-page.md +++ b/src/current/cockroachcloud/migrations-page.md @@ -20,7 +20,7 @@ The **Migrations** page on the CockroachDB {{ site.data.products.cloud }} Consol To view this page, select a cluster from the [**Clusters** page]({% link cockroachcloud/cluster-management.md %}#view-clusters-page), and click **Migration** in the **Data** section of the left side navigation. -## Required privileges +## Required permissions To access the **Migrations** page, as user must have either of the following roles: diff --git a/src/current/cockroachcloud/upgrade-policy.md b/src/current/cockroachcloud/upgrade-policy.md index 55c339d4199..947a40473c4 100644 --- a/src/current/cockroachcloud/upgrade-policy.md +++ b/src/current/cockroachcloud/upgrade-policy.md 
@@ -23,7 +23,7 @@ All CockroachDB {{ site.data.products.basic }} clusters, and CockroachDB {{ site - If you [disable automatic major-version upgrades for CockroachDB {{ site.data.products.standard }}]({% link cockroachcloud/cluster-management.md %}#manage-cluster-upgrades), you are responsible for upgrading the cluster before its version reaches its EOS date to maintain uninterrupted support and SLA guarantees. Clusters that have not upgraded for one year may be upgraded automatically. - You are responsible for upgrading a CockroachDB {{ site.data.products.advanced }} cluster before its current version reaches its EOS date to maintain uninterrupted support and SLA guarantees. -When a CockroachDB {{ site.data.products.advanced }} cluster is nearing its EOS date, you will be reminded to upgrade the cluster at least 30 days before the EOS date to avoid losing support. {% capture who_can_upgrade %}A user with the Cluster Admin or Cluster Operator [role]({% link cockroachcloud/authorization.md %}) can [upgrade a cluster]({% link cockroachcloud/upgrade-cockroach-version.md %}) directly from the CockroachDB Cloud Console. An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can grant these roles.{% endcapture %}{{ who_can_upgrade }} +When a CockroachDB {{ site.data.products.advanced }} cluster is nearing its EOS date, you will be reminded to upgrade the cluster at least 30 days before the EOS date to avoid losing support. {% capture who_can_upgrade %}A user with the Cluster Admin or Cluster Operator [role]({% link cockroachcloud/authorization.md %}) can [upgrade a cluster]({% link cockroachcloud/upgrade-cockroach-version.md %}) directly from the CockroachDB Cloud Console. 
An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin) can assign these roles.{% endcapture %}{{ who_can_upgrade }} {{site.data.alerts.callout_info}} This page describes the support of CockroachDB versions on CockroachDB Cloud, which is not affected by LTS or End of Support timelines specified for CockroachDB Self-Hosted. diff --git a/src/current/releases/cloud.md b/src/current/releases/cloud.md index 1912cd7cd6b..11843a2ec89 100644 --- a/src/current/releases/cloud.md +++ b/src/current/releases/cloud.md @@ -259,7 +259,7 @@ In addition, this release includes the following features:

Security updates

- All CockroachDB {{ site.data.products.cloud }} organizations have been migrated to use [fine-grained roles]({% link cockroachcloud/authorization.md %}#organization-user-roles). The following deprecated legacy roles have been removed: - - Organization Admin (Legacy) + - Org Administrator (Legacy) - Org Developer (Legacy) ## March 19, 2024 @@ -482,7 +482,7 @@ In addition, this release includes the following features: - Cluster Operator - Billing Coordinator - - Organization Admin + - Org Administrator To enroll your organization in the new authorization model, contact your Cockroach Labs account team. diff --git a/src/current/v24.1/wal-failover.md b/src/current/v24.1/wal-failover.md index b4c260020f8..cdddb702361 100644 --- a/src/current/v24.1/wal-failover.md +++ b/src/current/v24.1/wal-failover.md @@ -400,7 +400,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. ### 4. What is the best practice `storage.max_sync_duration`? diff --git a/src/current/v24.3/wal-failover.md b/src/current/v24.3/wal-failover.md index f7c096638d9..e372250ac41 100644 --- a/src/current/v24.3/wal-failover.md +++ b/src/current/v24.3/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. ### 4. What is the best practice `storage.max_sync_duration`? 
diff --git a/src/current/v25.1/wal-failover.md b/src/current/v25.1/wal-failover.md index f5b395138df..956d3d341b0 100644 --- a/src/current/v25.1/wal-failover.md +++ b/src/current/v25.1/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. ### 4. What is the best practice `storage.max_sync_duration`? diff --git a/src/current/v25.2/wal-failover.md b/src/current/v25.2/wal-failover.md index 8144d034673..524feaf8a31 100644 --- a/src/current/v25.2/wal-failover.md +++ b/src/current/v25.2/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. ### 4. What is the best practice `storage.max_sync_duration`? diff --git a/src/current/v25.3/wal-failover.md b/src/current/v25.3/wal-failover.md index 8fb98cec6f4..3d5b550150a 100644 --- a/src/current/v25.3/wal-failover.md +++ b/src/current/v25.3/wal-failover.md @@ -398,7 +398,7 @@ The side disk should have the following properties: WAL failover should be enabled for any cloud deployments on AWS, GCP, or Azure. -It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or Cluster Admin. +It's also a good practice in on-premise deployments; however, it is at the discretion of the DBA or cluster administrator. ### 4. What is the best practice `storage.max_sync_duration`? 
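Review bot: In the managing-access.md hunk at `@@ -102,7 +102,7 @@`, "This role assigns no access in the organization" reads awkwardly; the grant-to-assign rename fits roles, not access. Suggest keeping "This role grants no access in the organization." and applying "assign" only to the following sentence ("you can assign additional roles to the service account").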
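Review bot: Renaming the heading "Required privileges" to "Required permissions" in the migrations-page.md hunk (`@@ -20,7 +20,7 @@`) changes the generated anchor from `#required-privileges` to `#required-permissions`, so any inbound links to the old anchor need updating in the same PR. While this block is being touched, the unchanged context line below the heading has a typo: "as user must have either of the following roles" should read "a user must have one of the following roles".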
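Review bot: The `@@ -482,7 +482,7 @@` hunk in releases/cloud.md renames "Organization Admin" to "Org Administrator" in the list of new fine-grained roles, but everywhere else in this PR the fine-grained role is named `Organization Admin` (cloud-roles-table.md and the `#organization-admin` anchors), while "Org Administrator" is the legacy role name that the `@@ -259,7 +259,7 @@` hunk above marks as removed. Unless that release note originally used "Org Administrator" for the new role, the rename appears to have hit the wrong entry; please confirm against the original release note before merging.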
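Review bot: The one-line "Cluster Admin" to "cluster administrator" change is applied identically to wal-failover.md in v24.1, v24.3, v25.1, v25.2 and v25.3, which is the right thing to do for a self-hosted page where the Cloud role name does not apply. Style point, since the line is already being edited: "on-premise deployments" should be "on-premises deployments".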
From efbaf0d550fe77297f7a94f82d5940540c0ea624 Mon Sep 17 00:00:00 2001 From: Joe Lodin Date: Tue, 17 Jun 2025 11:01:55 -0400 Subject: [PATCH 8/9] Ayushi feedback --- .../cockroachcloud/org-roles/cloud-roles-table.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md index 0f13a949bd9..61a85be79cb 100644 --- a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md +++ b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md 
@@ -3,21 +3,21 @@ The following table describes the high level permissions given by each Cockroach | **Role name** | **User management** | **Billing management** | **Cluster management** | **Database management** | **Monitoring & observability** | **Security & access** | **Backup & restore** | **Folder management** | **Other permissions** | |---|---|---|---|---|---|---|---|---|---| | `Organization Member` | None | None | None | None | None | None | None | None | None | -| `Organization Admin` | Manage users and service accounts, assign and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) | +| `Organization Admin` | Manage users and service accounts, assign and revoke roles | None | None | None | None | None | None | None | Manage [enterprise (self-hosted) licenses]({% link {{ site.current_cloud_version }}/licensing-faqs.md %}#obtain-a-license), manage email alerts | | `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None | | `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | | `Cluster Admin` | Manage SQL users, manage service accounts, assign user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is assigned with organization scope | Access DB console, configure maintenance windows | | `Cluster Creator` | None | None | Create cluster (assigns `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is assigned with organization scope | None | None, unless role is assigned with organization scope | None 
| | `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details | -| `Folder Admin` | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None | +| `Folder Admin` | Apply roles at the folder scope | None | None | None | None | None | None | Create / delete / manage folders | None | | `Folder Mover` | None | None | Move cluster between folders | None | None | None | None | None | None | Some roles can be assigned to users at specific levels of scope to provide more granular permission control: | **Scope level** | **Description** | **Applicable roles** | |---|---|---| -| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Admin`, `Cluster Creator`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` | -| `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` | -| `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` | +| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` | +| `Folder` | Applies to clusters within a specific folder. 
Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Folder Admin`, `Folder Mover` | +| `Cluster` | Applies to a specific cluster | `Cluster Operator`, `Cluster Admin`, `Cluster Developer` | {% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %} \ No newline at end of file From 53b29cd82b6266f713f4666b069f78bfc8cefeb1 Mon Sep 17 00:00:00 2001 From: Joe Lodin Date: Tue, 17 Jun 2025 15:23:46 -0400 Subject: [PATCH 9/9] Mike feedback --- .../_includes/cockroachcloud/cluster-operator-prereq.md | 2 +- .../_includes/cockroachcloud/cockroachcloud-ask-admin.md | 2 +- .../_includes/cockroachcloud/org-roles/cloud-roles-table.md | 2 +- src/current/cockroachcloud/folders.md | 2 +- src/current/cockroachcloud/managing-access.md | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/current/_includes/cockroachcloud/cluster-operator-prereq.md b/src/current/_includes/cockroachcloud/cluster-operator-prereq.md index 11d722ae806..2c757d2bcf8 100644 --- a/src/current/_includes/cockroachcloud/cluster-operator-prereq.md +++ b/src/current/_includes/cockroachcloud/cluster-operator-prereq.md 
@@ -1 +1 @@ -Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role on a pre-existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster. \ No newline at end of file +Either the [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) or [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) role on an existing cluster, or the [Cluster Creator](authorization.html#cluster-creator) role in order to create a new cluster. \ No newline at end of file diff --git a/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md b/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md index 8ed100b1769..389c8dee223 100644 --- a/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md +++ b/src/current/_includes/cockroachcloud/cockroachcloud-ask-admin.md @@ -1,3 +1,3 @@ {{site.data.alerts.callout_info}} -Only [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) and [Cluster Admins]({% link cockroachcloud/authorization.md %}#cluster-admin) can create SQL users and issue credentials. +Only [Organization Admins]({% link cockroachcloud/authorization.md %}#organization-admin) and [Cluster Admins]({% link cockroachcloud/authorization.md %}#cluster-admin) can create SQL users using the {{site.data.products.cloud}} Console or API. These SQL users default to the `Admin` role. For granular provisioning of SQL user privileges, refer to documentation on [using the cluster's SQL interface]({% link cockroachcloud/managing-access.md %}?filters=client#create-a-sql-user). {{site.data.alerts.end}} diff --git a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md index 61a85be79cb..eb9b15beeb8 100644 
--- a/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md +++ b/src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md 
@@ -5,7 +5,7 @@ The following table describes the high level permissions given by each Cockroach | `Organization Member` | None | None | None | None | None | None | None | None | None | | `Organization Admin` | Manage users and service accounts, assign and revoke roles | None | None | None | None | None | None | None | Manage [enterprise (self-hosted) licenses]({% link {{ site.current_cloud_version }}/licensing-faqs.md %}#obtain-a-license), manage email alerts | | `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None | -| `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | +| `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts | | `Cluster Admin` | Manage SQL users, manage service accounts, assign user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is assigned with organization scope | Access DB console, configure maintenance windows | | `Cluster Creator` | None | None | Create cluster (assigns `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is assigned with organization scope | None | None, unless role is assigned with organization scope | None | | `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details | 
diff --git a/src/current/cockroachcloud/folders.md b/src/current/cockroachcloud/folders.md index b0c0344ecd1..419547d2c51 100644 --- a/src/current/cockroachcloud/folders.md +++ b/src/current/cockroachcloud/folders.md @@ -99,7 +99,7 @@ To create clusters in a folder, the member must also have the `CLUSTER_ADMIN` or To assign the `FOLDER_ADMIN` role: -1. On the **Access Management** page, locate the team member's details whose role you want to change. +1. On the **Access Management** page, locate the team member whose role you want to change. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. 1. Set **Scope** to **Organization** or to a folder in the hierarchy. The role is assigned on all of the folder's descendants. 1. Set **Role** to **Folder Admin** or **Folder Mover**. diff --git a/src/current/cockroachcloud/managing-access.md b/src/current/cockroachcloud/managing-access.md index cef6d410a0c..c956710b9b2 100644 --- a/src/current/cockroachcloud/managing-access.md +++ b/src/current/cockroachcloud/managing-access.md 
@@ -46,7 +46,7 @@ In the CockroachDB {{ site.data.products.cloud }} Console, users must be assigne To edit a user's role, perform the following steps: -1. On the **Access Management** page, locate the team member's details whose role you want to change. The **Role** column lists current roles assigned to each user. +1. On the **Access Management** page, locate the team member whose role you want to change. The **Role** column lists current roles assigned to each user. 1. In the row for the target member, click the three-dots **Action** button and select **Edit Roles**. 1. A number of fine-grained roles can be assigned to a given user. Each role is represented by a row. Each row has a **scope**, which is one of **Organization**, the name of a particular [folder]({% link cockroachcloud/folders.md %}), or the name of a particular cluster. If the role is Cluster Admin, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters in the organization. @@ -66,7 +66,7 @@ An [Organization Admin]({% link cockroachcloud/authorization.md %}#organization- ### Revoke a pending invite -1. On the **Access Management** page, locate the team member's details whose pending invite you want to revoke. +1. On the **Access Management** page, locate the team member whose pending invite you want to revoke. 1. In the **Action** column, click the three dots to view the allowed actions. 1. Click **Revoke Invite**.
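Review bot: In the PATCH 8/9 cloud-roles-table.md hunk (`@@ -3,21 +3,21 @@`), the `Organization Admin` row now nests a Liquid output tag inside a link tag (`{% link {{ site.current_cloud_version }}/licensing-faqs.md %}`); variables inside `{% link %}` only resolve on Jekyll 4.x, so please verify the include builds rather than emitting the raw tag. The scope-table change that adds `Cluster Operator` and `Cluster Developer` to the `Organization` and `Folder` scopes agrees with the managing-access.md text in PATCH 9/9 ("If the role is Cluster Admin, Cluster Operator, or Cluster Developer, assigning it at the organization scope means that it applies to all clusters"). Minor: the include still ends with "\ No newline at end of file"; add the trailing newline.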
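Review bot: In the cluster-operator-prereq.md hunk (`@@ -1 +1 @@`), the third link still uses a bare relative URL (`[Cluster Creator](authorization.html#cluster-creator)`) while the first two use `{% link cockroachcloud/authorization.md %}`; because this file is an include rendered from pages at different paths, the relative link can resolve to the wrong location. Suggest `[Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator)` so all three links are built the same way.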
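Review bot: In the cockroachcloud-ask-admin.md hunk (`@@ -1,3 +1,3 @@`), the new sentence "These SQL users default to the `Admin` role" is the least-privilege caveat readers need and deserves to be stated more directly: a SQL user created through the Console or API receives the cluster's admin role, so anyone who needs a narrower set of privileges should create the user through the SQL interface (the linked section) instead. Also confirm the capitalization of the role name: the built-in CockroachDB SQL role is `admin`.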
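Review bot: In the folders.md hunk (`@@ -99,7 +99,7 @@`), the unchanged context lines refer to roles by their API constants (`CLUSTER_ADMIN`, `FOLDER_ADMIN`) while the steps below and the new roles table use the Console display names (**Folder Admin**, **Folder Mover**, Cluster Admin). Since this PR is standardizing role naming, consider stating once that `FOLDER_ADMIN` is the API name of the Folder Admin role, so the two forms are not read as different roles.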