From efd05f56bef549d814895cc94796846748201b24 Mon Sep 17 00:00:00 2001
From: Matt Shaver <60105315+matthewshaver@users.noreply.github.com>
Date: Thu, 17 Oct 2024 11:52:20 -0400
Subject: [PATCH 1/6] Updating licenses, access, and RBAC
---
.../best-practices/how-we-mesh/mesh-5-faqs.md | 2 +-
.../docs/cloud/about-cloud/architecture.md | 2 +-
.../docs/cloud/manage-access/about-access.md | 2 +-
.../manage-access/cloud-seats-and-users.md | 2 +-
.../manage-access/enterprise-permissions.md | 18 +--
.../manage-access/environment-permissions.md | 2 +-
.../manage-access/licenses-and-groups.md | 145 ------------------
.../set-up-sso-google-workspace.md | 2 +-
.../cloud/manage-access/set-up-sso-okta.md | 2 +-
.../docs/dbt-cloud-apis/service-tokens.md | 90 +++--------
website/docs/docs/deploy/webhooks.md | 2 +-
11 files changed, 36 insertions(+), 233 deletions(-)
delete mode 100644 website/docs/docs/cloud/manage-access/licenses-and-groups.md
diff --git a/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md b/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
index 1ae49928ae5..9f12f7d2c20 100644
--- a/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
+++ b/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
@@ -215,7 +215,7 @@ There’s model-level access within dbt, role-based access for users and groups
First things first: access to underlying data is always defined and enforced by the underlying data platform (for example, BigQuery, Databricks, Redshift, Snowflake, Starburst, etc.) This access is managed by executing “DCL statements” (namely `grant`). dbt makes it easy to [configure `grants` on models](/reference/resource-configs/grants), which provision data access for other roles/users/groups in the data warehouse. However, dbt does _not_ automatically define or coordinate those grants unless they are configured explicitly. Refer to your organization's system for managing data warehouse permissions.
-[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/enterprise-permissions#how-to-set-up-rbac-groups-in-dbt-cloud) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
+[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/about-user-access#role-based-access-control-) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
[Model access](/docs/collaborate/govern/model-access) defines where models can be referenced. It also informs the discoverability of those projects within dbt Explorer. Model `access` is defined in code, just like any other model configuration (`materialized`, `tags`, etc).
diff --git a/website/docs/docs/cloud/about-cloud/architecture.md b/website/docs/docs/cloud/about-cloud/architecture.md
index 52614f0cbcd..ecf67b83a96 100644
--- a/website/docs/docs/cloud/about-cloud/architecture.md
+++ b/website/docs/docs/cloud/about-cloud/architecture.md
@@ -48,7 +48,7 @@ The git repo information is stored on dbt Cloud servers to make it accessible du
### Authentication services
-The default settings of dbt Cloud enable local users with credentials stored in dbt Cloud. Still, integrations with various authentication services are offered as an alternative, including [single sign-on services](/docs/cloud/manage-access/sso-overview). Access to features can be granted/restricted by role using [RBAC](/docs/cloud/manage-access/enterprise-permissions).
+The default settings of dbt Cloud enable local users with credentials stored in dbt Cloud. Still, integrations with various authentication services are offered as an alternative, including [single sign-on services](/docs/cloud/manage-access/sso-overview). Access to features can be granted/restricted by role using [RBAC](/docs/cloud/manage-access/about-user-access#role-based-access-control-).
SSO features are essential because they reduce the number of credentials a user must maintain. Users sign in once and the authentication token is shared among integrated services (such as dbt Cloud). The token expires and must be refreshed at predetermined intervals, requiring the user to go through the authentication process again. If the user is disabled in the SSO provider service, their access to dbt Cloud is disabled, and they cannot override this with local auth credentials.
diff --git a/website/docs/docs/cloud/manage-access/about-access.md b/website/docs/docs/cloud/manage-access/about-access.md
index 6b02d9eb17b..b970b0d5763 100644
--- a/website/docs/docs/cloud/manage-access/about-access.md
+++ b/website/docs/docs/cloud/manage-access/about-access.md
@@ -89,7 +89,7 @@ There are three license types in dbt Cloud:
- **Developer** — User can be granted _any_ permissions.
- **Read-Only** — User has read-only permissions applied to all dbt Cloud resources regardless of the role-based permissions that the user is assigned.
-- **IT** — User has [Security Admin](/docs/cloud/manage-access/enterprise-permissions#security-admin) and [Billing Admin](/docs/cloud/manage-access/enterprise-permissions#billing-admin) permissions applied, regardless of the group permissions assigned.
+- **IT** — User has Security Admin and Billing Admin [permissions](/docs/cloud/manage-access/enterprise-permissions) applied, regardless of the group permissions assigned.
Developer licenses will make up a majority of the users in your environment and have the highest impact on billing, so it's important to monitor how many you have at any given time.
diff --git a/website/docs/docs/cloud/manage-access/cloud-seats-and-users.md b/website/docs/docs/cloud/manage-access/cloud-seats-and-users.md
index da19f30ab4c..66d821b90d0 100644
--- a/website/docs/docs/cloud/manage-access/cloud-seats-and-users.md
+++ b/website/docs/docs/cloud/manage-access/cloud-seats-and-users.md
@@ -55,7 +55,7 @@ If you're on an Enterprise plan and have the correct [permissions](/docs/cloud/m
- To add a user, go to **Account Settings** and select **Users**.
- Click the [**Invite Users**](/docs/cloud/manage-access/invite-users) button.
- - For fine-grained permission configuration, refer to [Role based access control](/docs/cloud/manage-access/enterprise-permissions).
+ - For fine-grained permission configuration, refer to [Role based access control](/docs/cloud/manage-access/about-user-access#role-based-access-control-).
diff --git a/website/docs/docs/cloud/manage-access/enterprise-permissions.md b/website/docs/docs/cloud/manage-access/enterprise-permissions.md
index a1f6d795c23..3677c3cc876 100644
--- a/website/docs/docs/cloud/manage-access/enterprise-permissions.md
+++ b/website/docs/docs/cloud/manage-access/enterprise-permissions.md
@@ -22,22 +22,14 @@ The following roles and permission sets are available for assignment in dbt Clou
:::tip Licenses or Permission sets
-The user's [license](/docs/cloud/manage-access/seats-and-users) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
+The user's [license](/docs/cloud/manage-access/about-access) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
:::
-## How to set up RBAC Groups in dbt Cloud
+## Additional resources
-Role-Based Access Control (RBAC) is helpful for automatically assigning permissions to dbt admins based on their SSO provider group associations. RBAC does not apply to [model groups](/docs/collaborate/govern/model-access#groups).
+- [Grant users access](/docs/cloud/manage-access/about-user-access#grant-access)
+- [Role-based access control](/docs/cloud/manage-access/about-user-access#role-based-access-control-)
+- [Environment-level permissions](/docs/cloud/manage-access/environment-permissions)
-1. Click the gear icon to the top right and select **Account Settings**. Click **Groups & Licenses**
-
-
-
-2. Select an existing group or create a new group to add RBAC. Name the group (this can be any name you like, but it's recommended to keep it consistent with the SSO groups). If you have configured SSO with SAML 2.0, you may have to use the GroupID instead of the name of the group.
-3. Configure the SSO provider groups you want to add RBAC by clicking **Add** in the **SSO** section. These fields are case-sensitive and must match the source group formatting.
-4. Configure the permissions for users within those groups by clicking **Add** in the **Access** section of the window.
-
-
-5. When you've completed your configurations, click **Save**. Users will begin to populate the group automatically once they have signed in to dbt Cloud with their SSO credentials.
diff --git a/website/docs/docs/cloud/manage-access/environment-permissions.md b/website/docs/docs/cloud/manage-access/environment-permissions.md
index 44cf2dc9a64..b99da64609c 100644
--- a/website/docs/docs/cloud/manage-access/environment-permissions.md
+++ b/website/docs/docs/cloud/manage-access/environment-permissions.md
@@ -77,4 +77,4 @@ If the user has the same roles across projects, you can apply environment access
## Related docs
--[Environment-level permissions setup](/docs/cloud/manage-access/environment-permissions-setup)
+- [Environment-level permissions setup](/docs/cloud/manage-access/environment-permissions-setup)
diff --git a/website/docs/docs/cloud/manage-access/licenses-and-groups.md b/website/docs/docs/cloud/manage-access/licenses-and-groups.md
deleted file mode 100644
index b91af80f9b3..00000000000
--- a/website/docs/docs/cloud/manage-access/licenses-and-groups.md
+++ /dev/null
@@ -1,145 +0,0 @@
----
-title: "Licenses and groups"
-id: "licenses-and-groups"
----
-
-## Overview
-
-dbt Cloud administrators can use dbt Cloud's permissioning model to control
-user-level access in a dbt Cloud account. This access control comes in two flavors:
-License-based and Role-based.
-
-- **License-based Access Controls:** User are configured with account-wide
- license types. These licenses control the specific parts of the dbt Cloud application
- that a given user can access.
-- **Role-based Access Control (RBAC):** Users are assigned to _groups_ that have
- specific permissions on specific projects or the entire account. A user may be
- a member of multiple groups, and those groups may have permissions on multiple
- projects.
-
-## License-based access control
-
-Each user on an account is assigned a license type when the user is first
-invited to a given account. This license type may change over time, but a
-user can only have one type of license at any given time.
-
-A user's license type controls the features in dbt Cloud that the user is able
-to access. dbt Cloud's three license types are:
- - **Read-Only**
- - **Developer**
- - **IT**
-
-For more information on these license types, see [Seats & Users](/docs/cloud/manage-access/seats-and-users).
-At a high-level, Developers may be granted _any_ permissions, whereas Read-Only
-users will have read-only permissions applied to all dbt Cloud resources
-regardless of the role-based permissions that the user is assigned. IT users will have Security Admin and Billing Admin permissions applied regardless of the role-based permissions that the user is assigned.
-
-## Role-based access control
-
-:::info dbt Cloud Enterprise
-
-Role-based access control is a feature of the dbt Cloud Enterprise plan
-
-:::
-
-Role-based access control allows for fine-grained permissioning in the dbt Cloud
-application. With role-based access control, users can be assigned varying
-permissions to different projects within a dbt Cloud account. For teams on the
-Enterprise tier, role-based permissions can be generated dynamically from
-configurations in an [Identity Provider](sso-overview).
-
-Role-based permissions are applied to _groups_ and pertain to _projects_. The
-assignable permissions themselves are granted via _permission sets_.
-
-
-### Groups
-
-A group is a collection of users. Users may belong to multiple groups. Members
-of a group inherit any permissions applied to the group itself.
-
-Users can be added to a dbt Cloud group based on their group memberships in the
-configured [Identity Provider](sso-overview) for the account. In this way, dbt
-Cloud administrators can manage access to dbt Cloud resources via identity
-management software like Microsoft Entra ID (formerly Azure AD), Okta, or GSuite. See _SSO Mappings_ below for
-more information.
-
-You can view the groups in your account or create new groups from the **Team > Groups**
-page in your Account Settings.
-
-
-
-
-### SSO Mappings
-
-SSO Mappings connect Identity Provider (IdP) group membership to dbt Cloud group
-membership. When a user logs into dbt Cloud via a supported identity provider,
-their IdP group memberships are synced with dbt Cloud. Upon logging in
-successfully, the user's group memberships (and therefore, permissions) are
-adjusted accordingly within dbt Cloud automatically.
-
-:::tip Creating SSO Mappings
-
-While dbt Cloud supports mapping multiple IdP groups to a single dbt Cloud
-group, we recommend using a 1:1 mapping to make administration as simple as
-possible. Consider using the same name for your dbt Cloud groups and your IdP
-groups.
-
-:::
-
-
-### Permission Sets
-
-Permission sets are predefined collections of granular permissions. Permission
-sets combine low-level permission grants into high-level roles that can be
-assigned to groups. Some examples of existing permission sets are:
- - Account Admin
- - Git Admin
- - Job Admin
- - Job Viewer
- - ...and more
-
-For a full list of enterprise permission sets, see [Enterprise Permissions](/docs/cloud/manage-access/enterprise-permissions).
-These permission sets are available for assignment to groups and control the ability
-for users in these groups to take specific actions in the dbt Cloud application.
-
-In the following example, the _dbt Cloud Owners_ group is configured with the
-**Account Admin** permission set on _All Projects_ and the **Job Admin** permission
-set on the _Internal Analytics_ project.
-
-
-
-
-### Manual assignment
-
-dbt Cloud administrators can manually assign users to groups independently of
-IdP attributes. If a dbt Cloud group is configured _without_ any
-SSO Mappings, then the group will be _unmanaged_ and dbt Cloud will not adjust
-group membership automatically when users log into dbt Cloud via an identity
-provider. This behavior may be desirable for teams that have connected an identity
-provider, but have not yet configured SSO Mappings between dbt Cloud and the
-IdP.
-
-If an SSO Mapping is added to an _unmanaged_ group, then it will become
-_managed_, and dbt Cloud may add or remove users to the group automatically at
-sign-in time based on the user's IdP-provided group membership information.
-
-
-## FAQs
-- **When are IdP group memberships updated for SSO Mapped groups?** Group memberships
- are updated every time a user logs into dbt Cloud via a supported SSO provider. If
- you've changed group memberships in your identity provider or dbt Cloud, ask your
- users to log back into dbt Cloud for these group memberships to be synchronized.
-
-- **Can I set up SSO without RBAC?** Yes, see the documentation on
- [Manual Assignment](#manual-assignment) above for more information on using
- SSO without RBAC.
-
-- **Can I configure a user's License Type based on IdP Attributes?** Yes, see
- the docs on [managing license types](/docs/cloud/manage-access/seats-and-users#managing-license-types)
- for more information.
diff --git a/website/docs/docs/cloud/manage-access/set-up-sso-google-workspace.md b/website/docs/docs/cloud/manage-access/set-up-sso-google-workspace.md
index e4ff998015c..2b2575efc57 100644
--- a/website/docs/docs/cloud/manage-access/set-up-sso-google-workspace.md
+++ b/website/docs/docs/cloud/manage-access/set-up-sso-google-workspace.md
@@ -117,7 +117,7 @@ If the verification information looks appropriate, then you have completed the c
## Setting up RBAC
Now you have completed setting up SSO with GSuite, the next steps will be to set up
-[RBAC groups](/docs/cloud/manage-access/enterprise-permissions) to complete your access control configuration.
+[RBAC groups](/docs/cloud/manage-access/about-user-access#role-based-access-control-) to complete your access control configuration.
## Troubleshooting
diff --git a/website/docs/docs/cloud/manage-access/set-up-sso-okta.md b/website/docs/docs/cloud/manage-access/set-up-sso-okta.md
index 53986513ce2..fda32f118ef 100644
--- a/website/docs/docs/cloud/manage-access/set-up-sso-okta.md
+++ b/website/docs/docs/cloud/manage-access/set-up-sso-okta.md
@@ -190,4 +190,4 @@ configured in the steps above.
## Setting up RBAC
Now you have completed setting up SSO with Okta, the next steps will be to set up
-[RBAC groups](/docs/cloud/manage-access/enterprise-permissions) to complete your access control configuration.
+[RBAC groups](/docs/cloud/manage-access/about-user-access#role-based-access-control-) to complete your access control configuration.
diff --git a/website/docs/docs/dbt-cloud-apis/service-tokens.md b/website/docs/docs/dbt-cloud-apis/service-tokens.md
index fe8ace5fa34..f0c3167537f 100644
--- a/website/docs/docs/dbt-cloud-apis/service-tokens.md
+++ b/website/docs/docs/dbt-cloud-apis/service-tokens.md
@@ -38,78 +38,34 @@ You can assign service account tokens to any permission set available in dbt Clo
The following permissions can be assigned to a service account token on a Team plan.
-**Account Admin**
-Account Admin service tokens have full `read + write` access to an account, so please use them with caution. A Team plan refers to this permission set as an "Owner role." For more on these permissions, see [Account Admin](/docs/cloud/manage-access/enterprise-permissions#account-admin).
-
-**Metadata Only**
-Metadata-only service tokens authorize requests to the Discovery API.
-
-**Semantic Layer Only**
-Semantic Layer-only service tokens authorize requests to the Semantic Layer APIs.
-
-**Job Admin**
-Job admin service tokens can authorize requests for viewing, editing, and creating environments, triggering runs, and viewing historical runs.
-
-**Job Runner**
-Job runner service tokens can authorize requests for triggering runs and viewing historical runs.
-
-**Member**
-Member service tokens can authorize requests for viewing and editing resources, triggering runs, and inviting members to the account. Tokens assigned the Member permission set will have the same permissions as a Member user. For more information about Member users, see "[Self-service Team plan permissions](/docs/cloud/manage-access/self-service-permissions)".
-
-**Read-only**
-Read-only service tokens can authorize requests for viewing a read-only dashboard, viewing generated documentation, and viewing source freshness reports. This token can access and retrieve account-level information endpoints on the [Admin API](/docs/dbt-cloud-apis/admin-cloud-api) and authorize requests to the [Discovery API](/docs/dbt-cloud-apis/discovery-api).
+- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution. A Team plan refers to this permission set as an "Owner role." For more information, see the [Account permissions page](/docs/cloud/manage-access/enterprise-permissions).
+- Metadata Only — Metadata-only service tokens authorize requests to the Discovery API.
+- Semantic Layer Only — Semantic Layer-only service tokens authorize requests to the Semantic Layer APIs.
+- Job Admin
+- Job Runner
+- Member — Member service tokens can authorize requests for viewing and editing resources, triggering runs, and inviting members to the account. Tokens assigned the Member permission set will have the same permissions as a Member user. For more information about Member users, see "[Self-service Team plan permissions](/docs/cloud/manage-access/self-service-permissions)".
+- Read-only — Read-only service tokens can authorize requests for viewing a read-only dashboard, viewing generated documentation, and viewing source freshness reports. This token can access and retrieve account-level information endpoints on the [Admin API](/docs/dbt-cloud-apis/admin-cloud-api) and authorize requests to the [Discovery API](/docs/dbt-cloud-apis/discovery-api).
### Enterprise plans using service account tokens
The following permissions can be assigned to a service account token on an Enterprise plan. For more details about these permissions, see "[Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions)."
-**Account Admin**
-Account Admin service tokens have full `read + write` access to an account, so please use them with caution. For more on these permissions, see [Account Admin](/docs/cloud/manage-access/enterprise-permissions#account-admin).
-
-**Security Admin**
-Security Admin service tokens have certain account-level permissions. For more on these permissions, see [Security Admin](/docs/cloud/manage-access/enterprise-permissions#security-admin).
-
-**Billing Admin**
-Billing Admin service tokens have certain account-level permissions. For more on these permissions, see [Billing Admin](/docs/cloud/manage-access/enterprise-permissions#billing-admin).
-
-**Manage marketplace apps**
-Used only for service tokens assigned to marketplace apps (for example, the [Snowflake Native app](/docs/cloud-integrations/snowflake-native-app)).
-
-**Metadata Only**
-Metadata-only service tokens authorize requests to the Discovery API.
-
-**Semantic Layer Only**
-Semantic Layer-only service tokens authorize requests to the Semantic Layer APIs.
-
-**Job Admin**
-Job Admin service tokens can authorize requests for viewing, editing, and creating environments, triggering runs, and viewing historical runs. For more on these permissions, see [Job Admin](/docs/cloud/manage-access/enterprise-permissions#job-admin).
-
-**Account Viewer**
-Account Viewer service tokens have read-only access to dbt Cloud accounts. For more on these permissions, see [Account Viewer](/docs/cloud/manage-access/enterprise-permissions#account-viewer) on the Enterprise Permissions page.
-
-**Admin**
-Admin service tokens have unrestricted access to projects in dbt Cloud accounts. You have the option to grant that permission all projects in the account or grant the permission only on specific projects. For more on these permissions, see [Admin Service](/docs/cloud/manage-access/enterprise-permissions#admin-service) on the Enterprise Permissions page.
-
-**Git Admin**
-Git admin service tokens have all the permissions listed in [Git admin](/docs/cloud/manage-access/enterprise-permissions#git-admin) on the Enterprise Permissions page.
-
-**Database Admin**
-Database admin service tokens have all the permissions listed in [Database admin](/docs/cloud/manage-access/enterprise-permissions#database-admin) on the Enterprise Permissions page.
-
-**Team Admin**
-Team admin service tokens have all the permissions listed in [Team admin](/docs/cloud/manage-access/enterprise-permissions#team-admin) on the Enterprise Permissions page.
-
-**Job Viewer**
-Job viewer admin service tokens have all the permissions listed in [Job viewer](/docs/cloud/manage-access/enterprise-permissions#job-viewer) on the Enterprise Permissions page.
-
-**Developer**
-Developer service tokens have all the permissions listed in [Developer](/docs/cloud/manage-access/enterprise-permissions#developer) on the Enterprise Permissions page.
-
-**Analyst**
-Analyst admin service tokens have all the permissions listed in [Analyst](/docs/cloud/manage-access/enterprise-permissions#analyst) on the Enterprise Permissions page.
-
-**Stakeholder**
-Stakeholder service tokens have all the permissions listed in [Stakeholder](/docs/cloud/manage-access/enterprise-permissions#stakeholder) on the Enterprise Permissions page.
+- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution.
+- Security Admin
+- Billing Admin
+- Manage marketplace apps — Used only for service tokens assigned to marketplace apps (for example, the [Snowflake Native app](/docs/cloud-integrations/snowflake-native-app)).
+- Metadata Only — Metadata-only service tokens authorize requests to the Discovery API.
+- Semantic Layer Only — Semantic Layer-only service tokens authorize requests to the Semantic Layer APIs.
+- Job Admin
+- Account Viewer
+- Admin — Admin service tokens have unrestricted access to projects in dbt Cloud accounts. You have the option to grant that permission all projects in the account or grant the permission only on specific projects.
+- Git Admin
+- Database Admin
+- Team Admin
+- Job Viewer
+- Developer
+- Analyst
+- Stakeholder
## Service token update
diff --git a/website/docs/docs/deploy/webhooks.md b/website/docs/docs/deploy/webhooks.md
index dfb8b7c7406..ffea38b5b84 100644
--- a/website/docs/docs/deploy/webhooks.md
+++ b/website/docs/docs/deploy/webhooks.md
@@ -29,7 +29,7 @@ You can also check out the free [dbt Fundamentals course](https://learn.getdbt.c
## Prerequisites
- You have a dbt Cloud account that is on the [Team or Enterprise plan](https://www.getdbt.com/pricing/).
- For `write` access to webhooks:
- - **Enterprise plan accounts** — Permission sets are the same for both API service tokens and the dbt Cloud UI. You, or the API service token, must have the [Account Admin](/docs/cloud/manage-access/enterprise-permissions#account-admin), [Admin](/docs/cloud/manage-access/enterprise-permissions#admin), or [Developer](/docs/cloud/manage-access/enterprise-permissions#developer) permission set.
+ - **Enterprise plan accounts** — Permission sets are the same for both API service tokens and the dbt Cloud UI. You, or the API service token, must have the Account Admin, Admin, or Developer [permission set](/docs/cloud/manage-access/enterprise-permissions).
- **Team plan accounts** — For the dbt Cloud UI, you need to have a [Developer license](/docs/cloud/manage-access/self-service-permissions). For API service tokens, you must assign the service token to have the [Account Admin or Member](/docs/dbt-cloud-apis/service-tokens#team-plans-using-service-account-tokens) permission set.
- You have a multi-tenant or an AWS single-tenant deployment model in dbt Cloud. For more information, refer to [Tenancy](/docs/cloud/about-cloud/tenancy).
- Your destination system supports [Authorization headers](#troubleshooting).
From 3a0e98882a02116d011124e4291209ea6b33b217 Mon Sep 17 00:00:00 2001
From: Matt Shaver <60105315+matthewshaver@users.noreply.github.com>
Date: Thu, 17 Oct 2024 11:59:20 -0400
Subject: [PATCH 2/6] Update
website/docs/docs/cloud/manage-access/enterprise-permissions.md
---
website/docs/docs/cloud/manage-access/enterprise-permissions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/docs/cloud/manage-access/enterprise-permissions.md b/website/docs/docs/cloud/manage-access/enterprise-permissions.md
index 3677c3cc876..5a56900d529 100644
--- a/website/docs/docs/cloud/manage-access/enterprise-permissions.md
+++ b/website/docs/docs/cloud/manage-access/enterprise-permissions.md
@@ -22,7 +22,7 @@ The following roles and permission sets are available for assignment in dbt Clou
:::tip Licenses or Permission sets
-The user's [license](/docs/cloud/manage-access/about-access) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
+The user's [license](/docs/cloud/manage-access/about-user-access) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
:::
From 143b7c6454daeb7cbfbaafe1850166c4aadf5c06 Mon Sep 17 00:00:00 2001
From: Matt Shaver <60105315+matthewshaver@users.noreply.github.com>
Date: Thu, 17 Oct 2024 13:24:12 -0400
Subject: [PATCH 3/6] Rearrange content
---
.../docs/dbt-cloud-apis/service-tokens.md | 36 +++++++++----------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/website/docs/docs/dbt-cloud-apis/service-tokens.md b/website/docs/docs/dbt-cloud-apis/service-tokens.md
index f0c3167537f..968e524088b 100644
--- a/website/docs/docs/dbt-cloud-apis/service-tokens.md
+++ b/website/docs/docs/dbt-cloud-apis/service-tokens.md
@@ -36,36 +36,36 @@ You can assign service account tokens to any permission set available in dbt Clo
### Team plans using service account tokens
-The following permissions can be assigned to a service account token on a Team plan.
+The following permissions can be assigned to a service account token on a Team plan. See the [Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions) article for more information about what these roles are able to do.
-- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution. A Team plan refers to this permission set as an "Owner role." For more information, see the [Account permissions page](/docs/cloud/manage-access/enterprise-permissions).
-- Metadata Only — Metadata-only service tokens authorize requests to the Discovery API.
-- Semantic Layer Only — Semantic Layer-only service tokens authorize requests to the Semantic Layer APIs.
-- Job Admin
+- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution. A Team plan refers to this permission set as an "Owner role."
+- Job Admin
- Job Runner
-- Member — Member service tokens can authorize requests for viewing and editing resources, triggering runs, and inviting members to the account. Tokens assigned the Member permission set will have the same permissions as a Member user. For more information about Member users, see "[Self-service Team plan permissions](/docs/cloud/manage-access/self-service-permissions)".
-- Read-only — Read-only service tokens can authorize requests for viewing a read-only dashboard, viewing generated documentation, and viewing source freshness reports. This token can access and retrieve account-level information endpoints on the [Admin API](/docs/dbt-cloud-apis/admin-cloud-api) and authorize requests to the [Discovery API](/docs/dbt-cloud-apis/discovery-api).
+- Metadata Only
+- Member
+- Read-only
+- Semantic Layer Only
### Enterprise plans using service account tokens
The following permissions can be assigned to a service account token on an Enterprise plan. For more details about these permissions, see "[Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions)."
- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution.
-- Security Admin
-- Billing Admin
-- Manage marketplace apps — Used only for service tokens assigned to marketplace apps (for example, the [Snowflake Native app](/docs/cloud-integrations/snowflake-native-app)).
-- Metadata Only — Metadata-only service tokens authorize requests to the Discovery API.
-- Semantic Layer Only — Semantic Layer-only service tokens authorize requests to the Semantic Layer APIs.
-- Job Admin
- Account Viewer
-- Admin — Admin service tokens have unrestricted access to projects in dbt Cloud accounts. You have the option to grant that permission all projects in the account or grant the permission only on specific projects.
-- Git Admin
+- Admin
+- Analyst
+- Billing Admin
- Database Admin
-- Team Admin
-- Job Viewer
- Developer
-- Analyst
+- Git Admin
+- Job Admin
+- Job Viewer
+- Manage marketplace apps
+- Metadata Only
+- Semantic Layer Only
+- Security Admin
- Stakeholder
+- Team Admin
## Service token update
From 62012f23be9058b23633d7ccb826f4a6a742e0b4 Mon Sep 17 00:00:00 2001
From: "Leona B. Campbell" <3880403+runleonarun@users.noreply.github.com>
Date: Thu, 17 Oct 2024 15:38:34 -0700
Subject: [PATCH 4/6] Update
website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
---
website/docs/best-practices/how-we-mesh/mesh-5-faqs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md b/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
index 9f12f7d2c20..3f270983924 100644
--- a/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
+++ b/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
@@ -215,7 +215,7 @@ There’s model-level access within dbt, role-based access for users and groups
First things first: access to underlying data is always defined and enforced by the underlying data platform (for example, BigQuery, Databricks, Redshift, Snowflake, Starburst, etc.) This access is managed by executing “DCL statements” (namely `grant`). dbt makes it easy to [configure `grants` on models](/reference/resource-configs/grants), which provision data access for other roles/users/groups in the data warehouse. However, dbt does _not_ automatically define or coordinate those grants unless they are configured explicitly. Refer to your organization's system for managing data warehouse permissions.
-[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/about-user-access#role-based-access-control-) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
+[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/about-access#role-based-access-control-) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
[Model access](/docs/collaborate/govern/model-access) defines where models can be referenced. It also informs the discoverability of those projects within dbt Explorer. Model `access` is defined in code, just like any other model configuration (`materialized`, `tags`, etc).
From 8c801545635e8acca2884c1a31559aa9ddfbeae3 Mon Sep 17 00:00:00 2001
From: Matt Shaver <60105315+matthewshaver@users.noreply.github.com>
Date: Thu, 17 Oct 2024 18:41:22 -0400
Subject: [PATCH 5/6] Update
website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
---
website/docs/best-practices/how-we-mesh/mesh-5-faqs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md b/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
index 3f270983924..9f12f7d2c20 100644
--- a/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
+++ b/website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
@@ -215,7 +215,7 @@ There’s model-level access within dbt, role-based access for users and groups
First things first: access to underlying data is always defined and enforced by the underlying data platform (for example, BigQuery, Databricks, Redshift, Snowflake, Starburst, etc.) This access is managed by executing “DCL statements” (namely `grant`). dbt makes it easy to [configure `grants` on models](/reference/resource-configs/grants), which provision data access for other roles/users/groups in the data warehouse. However, dbt does _not_ automatically define or coordinate those grants unless they are configured explicitly. Refer to your organization's system for managing data warehouse permissions.
-[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/about-access#role-based-access-control-) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
+[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/about-user-access#role-based-access-control-) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
[Model access](/docs/collaborate/govern/model-access) defines where models can be referenced. It also informs the discoverability of those projects within dbt Explorer. Model `access` is defined in code, just like any other model configuration (`materialized`, `tags`, etc).
From 3607feb00a3f0a7f9b5756129944a826215936cf Mon Sep 17 00:00:00 2001
From: Matt Shaver <60105315+matthewshaver@users.noreply.github.com>
Date: Fri, 18 Oct 2024 10:19:58 -0400
Subject: [PATCH 6/6] Apply suggestions from code review
Co-authored-by: Leona B. Campbell <3880403+runleonarun@users.noreply.github.com>
---
website/docs/docs/dbt-cloud-apis/service-tokens.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/website/docs/docs/dbt-cloud-apis/service-tokens.md b/website/docs/docs/dbt-cloud-apis/service-tokens.md
index 968e524088b..93a89922456 100644
--- a/website/docs/docs/dbt-cloud-apis/service-tokens.md
+++ b/website/docs/docs/dbt-cloud-apis/service-tokens.md
@@ -36,7 +36,7 @@ You can assign service account tokens to any permission set available in dbt Clo
### Team plans using service account tokens
-The following permissions can be assigned to a service account token on a Team plan. See the [Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions) article for more information about what these roles are able to do.
+The following permissions can be assigned to a service account token on a Team plan. Refer to [Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions) for more information about these roles.
- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution. A Team plan refers to this permission set as an "Owner role."
- Job Admin
@@ -48,7 +48,7 @@ The following permissions can be assigned to a service account token on a Team p
### Enterprise plans using service account tokens
-The following permissions can be assigned to a service account token on an Enterprise plan. For more details about these permissions, see "[Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions)."
+Refer to [Enterprise permissions](/docs/cloud/manage-access/enterprise-permissions) for more information about these roles.
- Account Admin — Account Admin service tokens have full `read + write` access to an account, so please use them with caution.
- Account Viewer