## What are you changing in this pull request and why?

In this PR:
- Update the self-service Team Plan permissions page.
- Updated the permissions table
- Removed the snippet and integrated the table into the page. Snippet was only used on this page. It would probably be better to have just a single page with the table and link out to it for search optimization.
- Update sidebar to present the Enterprise page first.
- Generic links point to the enterprise page now. Targeted links remain the same.

## Checklist
- [ ] I have reviewed the [Content style guide](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/content-style-guide.md) so my content adheres to these guidelines.
- [ ] The topic I'm writing about is for specific dbt version(s) and I have versioned it according to the [version a whole page](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#adding-a-new-version) and/or [version a block of content](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#versioning-blocks-of-content) guidelines.
- [ ] I have added checklist item(s) to this list for anything that needs to happen before this PR is merged, such as "needs technical review" or "change base branch."

<!-- PRE-RELEASE VERSION OF dbt (if so, uncomment):
- [ ] Add a note to the prerelease version [Migration Guide](https://github.com/dbt-labs/docs.getdbt.com/tree/current/website/docs/docs/dbt-versions/core-upgrade)
-->

<!-- ADDING OR REMOVING PAGES (if so, uncomment):
- [ ] Add/remove page in `website/sidebars.js`
- [ ] Provide a unique filename for new pages
- [ ] Add an entry for deleted pages in `website/vercel.json`
- [ ] Run link testing locally with `npm run build` to update the links that point to deleted pages
-->

---------

Co-authored-by: Mirna Wong <[email protected]>
1 parent
58f17d0
commit cc6ee3d
Showing 9 changed files with 6,238 additions and 3,943 deletions.
86 changes: 64 additions & 22 deletions
website/docs/docs/cloud/manage-access/self-service-permissions.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,42 +1,84 @@ | ||
--- | ||
title: "Self-service permissions" | ||
description: "Learn how dbt Cloud administrators can use self-service permissions to control access in a dbt Cloud account." | ||
title: "Self-service Team account permissions" | ||
description: "Learn how dbt Cloud administrators can use self-service permissions to control access in a dbt Cloud Team account." | ||
sidebar_label: "Team permissions" | ||
id: "self-service-permissions" | ||
--- | ||
|
||
import Permissions from '/snippets/_self-service-permissions-table.md'; | ||
Self-service Team accounts are a quick and easy way to get dbt Cloud up and running for a small team. For teams looking to scale and access advanced features like SSO, group management, and support for larger user bases, upgrading to an [Enterprise](/docs/cloud/manage-access/enterprise-permissions) account unlocks these capabilities. | ||
|
||
If you're interested in upgrading, contact [dbt Labs today](https://www.getdbt.com/contact) | ||
|
||
<Permissions features={'/snippets/_self-service-permissions-table.md'}/> | ||
## Groups and permissions | ||
|
||
## Read-Only vs. Developer License Types | ||
Groups determine a user's permission and there are three groups are available for Team plan dbt Cloud accounts: Owner, Member, and Everyone. The first Owner user is the person who created the dbt Cloud account. | ||
|
||
Users configured with Read-Only license types will experience a restricted set of permissions in dbt Cloud. If a user is associated with a _Member_ permission set and a Read-Only seat license, then they will only have access to what a Read-Only seat allows. See [Seats and Users](/docs/cloud/manage-access/seats-and-users) for more information on the impact of licenses on these permissions. | ||
New users are added to the Member and Everyone groups when they onboard but this can be changed when the invitation is created. These groups only affect users with a [Developer license](#licenses) assigned. | ||
|
||
## Owner and Member Groups in dbt Cloud Enterprise | ||
The group access permissions are as follows: | ||
|
||
By default, new users are added to the Member and Owner groups when they onboard to a new dbt Cloud account. Member and Owner groups are included with every new dbt Cloud account because they provide access for administrators to add users and groups, and to apply permission sets. | ||
- **Owner** — Full access to account features. | ||
- **Member** — Robust access to the account with restrictions on features that can alter billing or security. | ||
- **Everyone** — A catch-all group for all users in the account. This group does not have any permission assignments beyond the user's profile. Users must be assigned to either the Member or Owner group to work in dbt Cloud. | ||
|
||
You will need owner and member groups to help with account onboarding, but these groups can create confusion when initially setting up SSO and RBAC for dbt Cloud Enterprise accounts as described in the [Enterprise Permissions](enterprise-permissions) guide. Owner and Member groups are **account level** groups, so their permissions override any project-level permissions you wish to apply. | ||
## Licenses | ||
|
||
After onboarding administrative users and configuring RBAC/SSO groups, we recommend the following steps for onboarding users to a dbt Cloud Enterprise account. | ||
You assign licenses to every user onboarded into dbt Cloud. You only assign Developer-licensed users to the Owner and Member groups. The groups have no impact on Read-only or IT licensed users. | ||
|
||
There are three license types: | ||
|
||
### Prerequisites | ||
- **Developer** — The default license. Developer licenses don't restrict access to any features, so users with this license should be assigned to either the Owner or Member group. You're allotted up to 8 developer licenses per account. | ||
- **Read-Only** — Read-only access to your project, including environments dbt Explorer. Doesn't have access to account settings at all. Functions the same regardless of group assignments. You're allotted up to 5 read-only licenses per account. | ||
- **IT** — Partial access to the account settings including users, integrations, billing, and API settings. Cannot create or edit connects or access the project at all. Functions the same regardless of group assignments. You're allocated 1 seat per account. | ||
|
||
You need to create an Account Admins group before removing any other groups. | ||
See [Seats and Users](/docs/cloud/manage-access/seats-and-users) for more information on the impact of licenses on these permissions. | ||
|
||
1. Create an Account Admins group. | ||
2. Assign at least one user to the Account Admins group. The assigned user can manage future group, SSO mapping, and user or group assignment. | ||
## Table of groups, licenses, and permissions | ||
|
||
### Remove the Owner and Member groups | ||
Key: | ||
|
||
Follow these steps for both Owner and Member groups: | ||
* (W)rite — Create new or modify existing. Includes `send`, `create`, `delete`, `allocate`, `modify`, and `read`. | ||
* (R)ead — Can view but can not create or change any fields. | ||
* No value — No access to the feature. | ||
|
||
Permissions: | ||
|
||
* [Account-level permissions](#account-permissions-for-account-roles) — Permissions related to management of the dbt Cloud account. For example, billing and account settings. | ||
* [Project-level permissions](#project-permissions-for-account-roles) — Permissions related to the projects in dbt Cloud. For example, Explorer and the IDE. | ||
|
||
The following tables outline the access that users have if they are assigned a Developer license and the Owner or Member group, Read-only license, or IT license. | ||
|
||
#### Account permissions for account roles | ||
|
||
| Account-level permission| Owner | Member | Read-only license| IT license | | ||
|:------------------------|:-----:|:------:|:----------------:|:------------:| | ||
| Account settings | W | W | | W | | ||
| Billing | W | | | W | | ||
| Invitations | W | W | | W | | ||
| Licenses | W | R | | W | | ||
| Users | W | R | | W | | ||
| Project (create) | W | W | | W | | ||
| Connections | W | W | | W | | ||
| Service tokens | W | | | W | | ||
| Webhooks | W | W | | | | ||
|
||
#### Project permissions for account roles | ||
|
||
|Project-level permission | Owner | Member | Read-only | IT license | | ||
|:------------------------|:-----:|:-------:|:---------:|:----------:| | ||
| Adapters | W | W | R | | | ||
| Connections | W | W | R | | | ||
| Credentials | W | W | R | | | ||
| Custom env. variables | W | W | R | | | ||
| Develop (IDE or dbt Cloud CLI)| W | W | | | | ||
| Environments | W | W | R | | | ||
| Jobs | W | W | R | | | ||
| dbt Explorer | W | W | R | | | ||
| Permissions | W | R | | | | ||
| Profile | W | W | R | | | ||
| Projects | W | W | R | | | ||
| Repositories | W | W | R | | | ||
| Runs | W | W | R | | | ||
| Semantic Layer Config | W | W | R | | | ||
|
||
1. Log into dbt Cloud. | ||
2. Click the gear icon at the top right and select **Account settings**. | ||
3. Select **Groups** then select **OWNER** or **MEMBER**** group. | ||
4. Click **Edit**. | ||
5. At the bottom of the Group page, click **Delete**. | ||
|
||
The Account Admin can add additional SSO mapping groups, permission sets, and users as needed. |
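Review bot: The IT license bullet in the Licenses section says the license "Cannot create or edit connects or access the project at all", but the account permissions table gives the IT license W on both Connections and Project (create). In a permissions reference the prose and the table have to agree, so please confirm the actual behaviour and correct whichever one is off, and spell out "connections" while you are there. Smaller wording fixes in the same hunk: "there are three groups are available" has a doubled verb, "including environments dbt Explorer" is missing "and", the "contact dbt Labs today" sentence has no closing period, and "Read-Only" / "Read-only" plus the column headers "Read-only license" / "Read-only" should use one form across the page.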