diff --git a/docs/docs-content/clusters/cluster-management/cluster-tag-filter/_category_.json b/docs/deprecated/clusters/cluster-management/cluster-tag-filter/_category_.json
similarity index 100%
rename from docs/docs-content/clusters/cluster-management/cluster-tag-filter/_category_.json
rename to docs/deprecated/clusters/cluster-management/cluster-tag-filter/_category_.json
diff --git a/docs/docs-content/clusters/cluster-management/cluster-tag-filter/cluster-tag-filter.md b/docs/deprecated/clusters/cluster-management/cluster-tag-filter/cluster-tag-filter.md
similarity index 64%
rename from docs/docs-content/clusters/cluster-management/cluster-tag-filter/cluster-tag-filter.md
rename to docs/deprecated/clusters/cluster-management/cluster-tag-filter/cluster-tag-filter.md
index 24e76bee08..414b2444f5 100644
--- a/docs/docs-content/clusters/cluster-management/cluster-tag-filter/cluster-tag-filter.md
+++ b/docs/deprecated/clusters/cluster-management/cluster-tag-filter/cluster-tag-filter.md
@@ -17,16 +17,13 @@ To get started with an attribute access control through tags, check out the
## Resources
- [Cluster Resource Filter](create-add-filter.md)
+
- [Create Resource Filter](create-add-filter.md#create-resource-filter)
- [Add Resource Role](create-add-filter.md#add-resource-role)
-- [Palette Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md)
-
-- [Palette Global Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md#palette-global-resource-roles)
-
-- [Palette Custom Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md#palette-custom-resource-roles)
+- [Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md)
-- [Create Custom Role](../../../user-management/new-user.md#create-custom-role)
+- [Create Custom Role](../../../user-management/palette-rbac/create-custom-role.md)
-- [Create New User in Palette](../../../user-management/new-user.md#create-a-new-user)
+- [Create New User in Palette](../../../user-management/users-and-teams/create-user.md)
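Review bot: the two rewritten bullets now resolve under docs/deprecated/ rather than docs/docs-content/ (`../../../` from docs/deprecated/clusters/cluster-management/cluster-tag-filter/ lands in docs/deprecated/), but this diff only adds palette-rbac/palette-rbac.md and user-management.md to the deprecated tree, not palette-rbac/create-custom-role.md or users-and-teams/create-user.md; confirm those targets exist there or point the links back at docs-content. Also, the blank line inserted after the "Cluster Resource Filter" bullet makes that single item loose while the rest of the list stays tight; drop it for consistency.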
diff --git a/docs/docs-content/clusters/cluster-management/cluster-tag-filter/create-add-filter.md b/docs/deprecated/clusters/cluster-management/cluster-tag-filter/create-add-filter.md
similarity index 89%
rename from docs/docs-content/clusters/cluster-management/cluster-tag-filter/create-add-filter.md
rename to docs/deprecated/clusters/cluster-management/cluster-tag-filter/create-add-filter.md
index 4f4624b7a5..d5ebdc7072 100644
--- a/docs/docs-content/clusters/cluster-management/cluster-tag-filter/create-add-filter.md
+++ b/docs/deprecated/clusters/cluster-management/cluster-tag-filter/create-add-filter.md
@@ -62,17 +62,18 @@ the following steps to review the filter is available for use.
You can assign the created resource filter and roles to a user or team to enforce access restrictions. There are two
types of roles that can be assigned:
-- [Palette Global Roles](../../..//user-management/palette-rbac/resource-scope-roles-permissions.md#palette-global-resource-roles)
- are a set of roles that are available in Palette by default.
+- [Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md) are a set of roles that
+ are available in Palette by default.
-- [Custom Resource Roles](../../..//user-management/palette-rbac/resource-scope-roles-permissions.md#palette-custom-resource-roles)
- can be created according to your requirements from the available set of permissions and operations.
+- [Custom Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md) can be created
+ according to your requirements from the available set of permissions and operations.
### Prerequisites
- A [Palette account](https://console.spectrocloud.com) with Tenant scope privileges.
-- A Palette [user](../../../user-management/new-user.md#create-a-new-user) or team to assign the resource privileges.
+- A Palette [user](../../../user-management/users-and-teams/create-user.md#user-creation) or team to assign the resource
+ privileges.
### Assign Resource Roles and Filter
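Review bot: after this change both bullets link to the same target, `resource-scope-roles-permissions.md` with no anchor, so the "Custom Resource Roles" entry no longer lands on the custom-roles section it used to reference (`#palette-custom-resource-roles`); keep a section anchor on the second link, or point it at the create-custom-role page that the cluster-tag-filter.md hunk links to. The same deprecated-tree question applies to the `users-and-teams/create-user.md#user-creation` link in the prerequisites: nothing in this diff adds that file under docs/deprecated/.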
diff --git a/docs/docs-content/user-management/new-user.md b/docs/deprecated/user-management/new-user.md
similarity index 100%
rename from docs/docs-content/user-management/new-user.md
rename to docs/deprecated/user-management/new-user.md
diff --git a/docs/deprecated/user-management/palette-rbac/palette-rbac.md b/docs/deprecated/user-management/palette-rbac/palette-rbac.md
new file mode 100644
index 0000000000..651ce0caf8
--- /dev/null
+++ b/docs/deprecated/user-management/palette-rbac/palette-rbac.md
@@ -0,0 +1,242 @@
+---
+sidebar_label: "Roles"
+title: "Roles"
+description: "Palette User Access control using RBAC"
+icon: ""
+hide_table_of_contents: false
+tags: ["user-management", "rbac"]
+---
+
+RBAC stands for Role-Based Access Control. RBAC allows a single user to have different types of access control based on
+the resource being accessed. RBAC is the scenario that allows the Tenant Admin to grant full and unrestricted access to
+some parts of the system and withhold it for some others.
+
+Palette enforces a very well-structured RBAC design on how to grant granular access to resources and their operations
+within our management console. We maintain precise Roles and Resource Access Control List. Role-based access control
+primarily focuses on assigning permissions to roles instead of individual users and then assigning these roles to users.
+Multiple roles can be assigned to a user, which defines the permitted actions on the resource. This module lists and
+enumerates all the roles available within the Palette console within specific scopes.
+
+Palette enables:
+
+- A role can have multiple permissions. We encourage custom role creation, coupling the wide range of Palette
+ permissions.
+
+- Multiple roles can be assigned to a single user, defining the permitted actions on a Palette resource.
+
+## Palette RBAC Model
+
+The Palette RBAC Model, is based on the following three components:
+
+- Scopes
+- Permissions
+- Roles
+
+### Scopes
+
+A Scope defines the resources on which the role has coverage. The scope will be either `Tenant` or `Project`. For
+example, a role within the scope project can operate within the projects. The combination of user and roles indicates
+the totality of the accessibility available to that user. Scopes are structured in a parent-child relationship. Each
+level of hierarchy makes the Scope more specific. The roles are assigned at any of these levels of Scope. The level you
+select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.
+![palette-rbac-scope.webp](/palette-rbac-scope.webp)
+
+The following are the major properties of Palette driven Scopes:
+
+- Scopes control the visibility of the resource.
+
+- Resource created in the higher scope will be visible in the lower scope as read-only. The cluster profiles created by
+ a tenant will be available to all the projects created by that tenant.
+
+- Resource Isolation: Resources within the same scope will be restricted to the respective scope entity.
+
+ - Cluster Profile created in project-1 will not be available in project-2 of the same tenant
+
+- Resource with the same name can co-exist across scopes and will be distinguished with scope prefix (icon)
+ - A profile with the same name can be created in tenant and project scope. The resource will have the scope
+ information, which helps to distinguish them.
+
+Palette resources can be allocated to roles under **Three Scopes**:
+
+- **System** (The system admin internal to Palette)
+
+- **Tenant**
+
+- **Project**
+
+![A diagram of Palette's RBAC model](/user-management_palette-rback_palette-rbac-model.webp)
+
+### Permissions
+
+Permissions determine the type of operations allowed on a resource. Permissions can be defined in the following format:
+
+`resourceKey.operation`
+
+Examples:
+
+- `cluster.create`
+- `cluster.edit`
+- `cluster.delete`
+
+Each permission has a defined scope. The role creation is based on scope, type and permissions.
+
+#### Palette Permissions
+
+Palette has a wide range of permissions and these permissions can be combined in any combination as per the user
+requirements to create a role. If the Palette built-in roles does not meet the specific needs of your organization,
+custom roles can be created using different combination of these permissions. Just like built-in roles, you can assign
+custom roles to users or teams within a specific scope (Tenant or Project). Refer to the available set of permissions in
+the [Permissions](permissions.md) page.
+
+### Roles
+
+A Role is a collection of permissions. When a role is assigned to a user, it means all the permissions the role contains
+are assigned to that user. The Role will have a **Scope**. The Type signifies the creator's scope and the Scope
+signifies the role visibility. The permissions will be restricted to the permission's scope list based on the role's
+scope. The ProfileEditor will be visible under Tenant, but neither the Tenant nor the Project admins are allowed to
+modify the Project Scopes.
+
+## Access Modes
+
+- Tenant
+- Project
+
+### Tenant
+
+Tenant is an isolated workspace within the Palette. `Users` and `Teams` with specific `Roles` can be associated with the
+Tenant(s) you create. Palette provides a [wide set of permissions](tenant-scope-roles-permissions.md) under the scope of
+a Tenant. Everyone is a user and there should be at least one user with Tenant Admin privilege to control the product
+operations.
+
+### Project
+
+The Global Project Scope holds a group of resources, in a logical grouping, to a specific project. The project acts as a
+namespace for resource management. Users and Teams with specific roles can be associated with the project, cluster, or
+cluster profile you create. Users are members of a tenant who are assigned
+[project scope roles](./project-scope-roles-permissions.md) that control their access within the platform.
+
+## Default Palette Roles
+
+Palette RBAC has several built-in roles that can be assigned to users and teams. Role assignments are the way you
+control access to Palette resources.
+
+### Tenant Scope Default Roles
+
+Global Tenant roles are scoped at the tenant level. Palette has several built-in tenant roles that can be assigned to
+users and teams. Refer to [Tenant Scope Roles](./tenant-scope-roles-permissions.md) for a detailed list of all the roles
+available in Palette.
+
+### Project Scope Default Roles
+
+The Project scope roles can be assigned to users and teams at the project scope. Palette has several built-in project
+scoped roles that can be assigned to users and teams. Refer to
+[Project Scope Roles](./project-scope-roles-permissions.md) for a detailed list of all the roles available Pallete.
+
+## Assign Palette Specific Roles to Users
+
+The Default (built-in) roles of Palette can be directly assigned to a user. The roles needs to be assigned based on who
+needs the access. The roles can be assigned to Users or Teams. The appropriate role needs to be selected from the list
+of several built-in roles. If the built-in roles are not meeting the specific needs of your organization, you can
+[create your own custom roles](./create-custom-role.md).
+
+1. Login to Palette console as `Tenant Admin`.
+
+2. Select **Users and Teams** from the left **Main Menu** to list the created users.
+
+3. From the list of users **select the user** to be assigned with role to open the role addition wizard.
+
+4. Make the choice of role category from the top tabs:
+
+ - Project Role
+ - Tenant Role
+ - Workspace Role
+
+5. Once the choice of category is made Click on **+ New Role**.
+
+6. In the **Add Roles to User-name** wizard, select the project name from the drop down and select the roles from the
+ list.
+
+7. Confirm to complete the wizard.
+
+8. The role user association can be edited and deleted from the **left Main Menu**.
+
+### Assign Custom Roles to Users
+
+1. Login to Palette console as `Tenant Admin`.
+
+2. Select **Users and Teams** from the left ribbon menu to list the [created users](../user-management.md).
+
+3. From the list of users **select the user** to be assigned with role to open the role addition wizard.
+
+4. Make the choice of role category from the top tabs:
+
+ - Project Role
+ - Tenant Role
+ - Workspace Role
+
+5. Once the choice of category is to br made by clicking on **+ New Role**.
+
+6. In the **Add Roles to User-name** wizard, select the project name from the drop down and select the roles from the
+ list.
+
+7. Confirm to complete the wizard.
+
+8. The role user association can be edited and deleted from the `kebab menu`.
+
+## Example Scenario:
+
+Palette has a number of permissions that you can potentially include in your custom role. Here is an example scenario
+enumerating the minimum permissions required for a user to **Create a Cluster** in Palette platform.
+
+#### 1. Decide the actions, scopes and permissions required by the user to Create a Cluster.
+
+The role creation is done from the `Tenant Admin` console. For the above scenario, two roles needs to be created under
+`Project` and `Tenant` scope and attached to the user.
+
+#### 2. Identify the Permissions required under `Project Scope`:
+
+- Add the minimum `Project` management permissions
+
+ - project.list
+ - project.get
+
+- Add the minimum permissions required for `Cloud Account` creation
+
+ - cloudaccount.create
+ - cloudaccount.get
+ - cloudaccount.list
+
+- Add the `ClusterProfile` permissions
+
+ - clusterProfile.create
+ - clusterProfile.delete
+ - clusterProfile.get
+ - clusterProfile.list
+ - clusterProfile.publish
+ - clusterProfile.update
+
+- Add the `Cluster` permissions (for creating and listing the cluster)
+
+ - cluster.create
+ - cluster.list
+ - cluster.get
+
+- Add the `Location` permission.
+
+ - location.list
+
+- Add the `Cloud Configuration` permissions for node pool management
+ - cloudconfig.create
+
+#### 3. Identify the Permissions required under `Tenant Scope`:
+
+To attach the Packs and Integrations from Palette public repository, add the `Registry Permissions`. The minimum
+permission required in this scenario is:
+
+- packRegistry.get
+
+#### 4. Attach Roles to the User and Create the Cluster
+
+- Once both the roles are created with the above scopes, attach them to the user.
+
+- Login to Palette console using the user credentials to create the cluster profile and the cluster.
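Review bot: the Example Scenario presents step 2 as the "minimum permissions required for a user to Create a Cluster", yet the `ClusterProfile` block includes `clusterProfile.delete`, which creating a profile and a cluster does not need; for a least-privilege example, drop it or state why it is included. Two wording fixes in the same file: step 5 under "Assign Custom Roles to Users" reads "Once the choice of category is to br made by clicking on **+ New Role**" and should match the parallel step above it ("Once the choice of category is made, click on **+ New Role**"), and "available Pallete" under "Project Scope Default Roles" should be "available in Palette".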
diff --git a/docs/docs-content/user-management/project-association.md b/docs/deprecated/user-management/project-association.md
similarity index 94%
rename from docs/docs-content/user-management/project-association.md
rename to docs/deprecated/user-management/project-association.md
index 1fd2df7e44..c9fa640f7d 100644
--- a/docs/docs-content/user-management/project-association.md
+++ b/docs/deprecated/user-management/project-association.md
@@ -27,8 +27,8 @@ To associate a user or team with a project, use the following steps.
- Tenant Admin access.
-- An available project. Check out the [Create a Project](../tenant-settings/projects/create-manage-projects.md) guide to
- learn how to create a project.
+- An available project. Check out the [Create a Project](../../tenant-settings/projects/create-manage-projects.md) guide
+ to learn how to create a project.
- A user or a team.
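Review bot: the added `../../` on the Create a Project link climbs from docs/deprecated/user-management/ to docs/, so the path now resolves to docs/tenant-settings/projects/create-manage-projects.md, whereas the other hunks in this diff place tenant-settings under docs/docs-content/ (for example `../../../tenant-settings/filters.md` from docs/docs-content/clusters/public-cloud/aws/architecture.md); confirm the link resolves from the file's new location.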
diff --git a/docs/deprecated/user-management/user-management.md b/docs/deprecated/user-management/user-management.md
new file mode 100644
index 0000000000..f4c173fd23
--- /dev/null
+++ b/docs/deprecated/user-management/user-management.md
@@ -0,0 +1,72 @@
+---
+sidebar_label: "User & Role Management"
+title: "User Management"
+description:
+ "Learn how to manage users and roles in Palette. Palette has a rich RBAC system that allows you to manage user access
+ to resources."
+hide_table_of_contents: false
+sidebar_custom_props:
+ icon: "roles"
+tags: ["user-management"]
+---
+
+This section touches upon the initial login aspects for Tenant Admins and non-admin users and the RBAC setup within
+Palette.
+
+## User Login
+
+For a Tenant admin, the password shall be set upon the initial login. The Tenant admin can add non-admin users. For all
+users, login can be made available using the following options:
+
+- Using Palette credentials on the login page.
+- SSO using Identity Providers that use SAML 2.0:
+ - Azure Active Directory
+ - Okta
+ - Keycloak
+ - OneLogin
+ - Microsoft ADFS
+ - Others
+
+## RBAC
+
+Palette allows the users that have been added to be allowed or restricted access to resources based on the roles set by
+the tenant admin. This Role-Based Access Control is explained in detail on the RBAC
+[page](palette-rbac/palette-rbac.md#permissions).
+
+## Roles and Permissions
+
+The Tenant admin can allow or restrict access of resources to users which can differ as per the scenario. A user can
+have complete access to a specific project but can be restricted access to other projects in which there is no
+involvement. An intermediate stage is also possible where read-only access can be provided in some projects. The Roles
+and Permissions sections on the [RBAC](./palette-rbac/palette-rbac.md) page provide more details on this.
+
+To add a user to a project:
+
+1. Sign in as a Tenant admin and navigate to the **Users and Teams** section of the Tenant settings Menu.
+
+1. Click on the user that you want to enable access to.
+
+1. In the **Role** editor that opens to the side, find the **Project Roles** section and click **Add Role**.
+
+1. Select the required **Project** from the dropdown menu and enable the **Roles** as needed.
+
+## Multi-Organization Support for Users
+
+Palette is incorporating multi-organization support for its users. With this feature, we provide our users with the
+flexibility of having a unique email address ID across multiple organizations. Hence, the users can maintain SSO
+credentials across multiple organizations/tenants.
+
+The key benefits of this feature are:
+
+- The use of a single email address ID across multiple organizations.
+- Within an organization, maintain a unique email ID.
+- In the case of password-based authentication, the same password is applicable across multiple organizations. The
+ change of password, made under a particular organization, is applied across other organizations to maintain a single
+ password across all organizations.
+- The password policy stays independent of organizations/tenants. Each tenant retains individual password policy.
+- For SSO-based authentication, for each organization/tenant, the individual identity provider client application can be
+ configured. Hence, allowing the configuration of a single SSO with multiple identity providers across multiple
+ tenants/organizations mapping each client app to a tenant.
+- However, for self-sign-up, the unique email address ID is enforced across tenants to avoid conflicts.
+- In the Palette console, the users can switch between the organizations/tenants using the Organization drop down menu
+ of the login page.
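Review bot: the multi-organization bullets say one password is shared across all tenants and that a change made in one tenant propagates to the others, while the following bullet says each tenant keeps its own password policy; state which policy a changed password must satisfy (presumably every tenant the user belongs to), since otherwise a change accepted in one tenant could violate another's policy and admins cannot reason about it from this text. Minor: "Palette is incorporating multi-organization support" reads as a roadmap statement; if the feature has shipped, use the present tense.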
diff --git a/docs/docs-content/clusters/cluster-management/cluster-management.md b/docs/docs-content/clusters/cluster-management/cluster-management.md
index c3e1dc28e8..efb9702247 100644
--- a/docs/docs-content/clusters/cluster-management/cluster-management.md
+++ b/docs/docs-content/clusters/cluster-management/cluster-management.md
@@ -79,10 +79,10 @@ The following sections describe these capabilities in detail:
displays the location on the UI Map. For private cloud clusters the user can set the location through the Palette UI.
The user can monitor the location details of all the clusters running under a specific scope.
-- [Palette Access Control](cluster-tag-filter/cluster-tag-filter.md) - Palette provides the ability to manage user and
- role access privileges through tags. This feature helps you reduce the overhead in managing user and role access to
- clusters by assigning tags. Tags can be used to group clusters, allowing you to apply access controls to the tag
- rather than to each cluster, user, or role. This reduces the overhead of managing access controls for individual users
- and clusters.
+- [Palette Access Control](../../user-management/palette-rbac/implement-abac.md) - Palette provides the ability to
+ manage user and role access privileges through tags. This feature helps you reduce the overhead in managing user and
+ role access to clusters by assigning tags. Tags can be used to group clusters, allowing you to apply access controls
+ to the tag rather than to each cluster, user, or role. This reduces the overhead of managing access controls for
+ individual users and clusters.
- [Image Swap](image-swap.md) - Learn how to use image swap capabilities with Palette.
diff --git a/docs/docs-content/clusters/cluster-management/cluster-rbac.md b/docs/docs-content/clusters/cluster-management/cluster-rbac.md
index 826f16f8f6..9c41b29c77 100644
--- a/docs/docs-content/clusters/cluster-management/cluster-rbac.md
+++ b/docs/docs-content/clusters/cluster-management/cluster-rbac.md
@@ -99,11 +99,9 @@ Use the steps below to create a RoleBinding or ClusterRoleBinding for your host
## Palette Roles and Kubernetes Roles
-Palette offers a set of
-[default roles](../../user-management/palette-rbac/palette-rbac.md#assign-palette-specific-roles-to-users) you can
-assign to your users. The Palette roles are only in scope at the platform level. This means you can manage the
-permissions for users' actions in Palette, such as creating or deleting clusters, creating projects, creating users, and
-more.
+Palette offers a set of [default roles](../../user-management/palette-rbac/palette-rbac.md) you can assign to your
+users. The Palette roles are only in scope at the platform level. This means you can manage the permissions for users'
+actions in Palette, such as creating or deleting clusters, creating projects, creating users, and more.
The Kubernetes roles are used to control the actions users are allowed to do inside the cluster. For example, a user in
Palette could have the _Cluster Profile Viewer_ role, which grants them the ability to view cluster profiles for a
diff --git a/docs/docs-content/clusters/public-cloud/aws/architecture.md b/docs/docs-content/clusters/public-cloud/aws/architecture.md
index b199317acc..8281a784ab 100644
--- a/docs/docs-content/clusters/public-cloud/aws/architecture.md
+++ b/docs/docs-content/clusters/public-cloud/aws/architecture.md
@@ -99,8 +99,8 @@ spot price falls in the specified range.
You can assign tags to clusters deployed to AWS. Tags can help you with user access control management and more
granularly restrict access to various Palette resources, including clusters. Check out the
-[Resource Filters](../../cluster-management/cluster-tag-filter/create-add-filter.md) documentation page to learn more
-about using tags to restrict resource access.
+[Resource Filters](../../../tenant-settings/filters.md) documentation page to learn more about using tags to restrict
+resource access.
The custom tags you create are assigned to the clusters during the creation process. Tags follow the key-value-pair
format: `department: finance`. In addition to the custom tags provided by you, Palette-provisioned AWS resources will
diff --git a/docs/docs-content/clusters/public-cloud/azure/architecture.md b/docs/docs-content/clusters/public-cloud/azure/architecture.md
index e2604c76a3..24d1e415d0 100644
--- a/docs/docs-content/clusters/public-cloud/azure/architecture.md
+++ b/docs/docs-content/clusters/public-cloud/azure/architecture.md
@@ -149,8 +149,8 @@ To learn more about the upgrade channels, refer to the
You can assign tags to clusters deployed to Azure. Tags can help you with user access control management and more
granularly restrict access to various Palette resources, including clusters. Check out the
-[Resource Filters](../../cluster-management/cluster-tag-filter/create-add-filter.md) documentation page to learn more
-about using tags to restrict resource access.
+[Resource Filters](../../../tenant-settings/filters.md) documentation page to learn more about using tags to restrict
+resource access.
The custom tags you create are assigned to the clusters during the creation process. Tags follow the key-value pair
format: `department:finance`.
diff --git a/docs/docs-content/integrations/community_packs.md b/docs/docs-content/integrations/community_packs.md
index 889cbc1171..ed4261bc8c 100644
--- a/docs/docs-content/integrations/community_packs.md
+++ b/docs/docs-content/integrations/community_packs.md
@@ -44,7 +44,7 @@ Registry. If your environment does not include the registry, contact our
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Roles and Permissions](../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Roles and Permissions](../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
documentation for more information.
- Ensure that the community registry is available in your Palette [environment](#supported-environments).
diff --git a/docs/docs-content/integrations/verified_packs.md b/docs/docs-content/integrations/verified_packs.md
index 0047773c35..6409301d0d 100644
--- a/docs/docs-content/integrations/verified_packs.md
+++ b/docs/docs-content/integrations/verified_packs.md
@@ -35,7 +35,7 @@ Palette paid subscriptions cover access to our Support team and product updates.
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Roles and Permissions](../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Roles and Permissions](../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
documentation for more information.
## Use Verified Packs
diff --git a/docs/docs-content/introduction/dashboard.md b/docs/docs-content/introduction/dashboard.md
index 2c9011ae8c..f5fc167829 100644
--- a/docs/docs-content/introduction/dashboard.md
+++ b/docs/docs-content/introduction/dashboard.md
@@ -75,10 +75,9 @@ described in the list below.
5. [Cluster groups](../clusters/cluster-groups/cluster-groups.md) are a collection of one or more host clusters that
together form a computing platform for deploying virtual clusters.
-6. Tenant admins can assign [Roles and Permissions](../user-management/user-management.md#rbac).
+6. Tenant admins can assign [Roles and Permissions](../user-management/palette-rbac/palette-rbac.md).
-7. Tenant admins can create
- [Users and Teams](../user-management/user-management.md#multi-organization-support-for-users).
+7. Tenant admins can create [Users and Teams](../user-management/users-and-teams/users-and-teams.md).
8. [Audit logs](../audit-logs/audit-logs.md) in the **Tenant Admin** dashboard allow tracking user interaction with
application resources for all projects and users. For admin users, the **Audit Log** button is visible for each
diff --git a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-helm-addon.md b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-helm-addon.md
index 4593f40381..4a1a029111 100644
--- a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-helm-addon.md
+++ b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-helm-addon.md
@@ -13,7 +13,7 @@ Use the following steps to create a cluster profile by adding layers using Helm
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Roles and Permissions](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Roles and Permissions](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
documentation for more information.
## Add Helm Chart to Add-on Profile
diff --git a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-manifest-addon.md b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-manifest-addon.md
index 6a4709936d..f608769a25 100644
--- a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-manifest-addon.md
+++ b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-manifest-addon.md
@@ -13,7 +13,7 @@ create a cluster profile by adding layers using manifests.
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Roles and Permissions](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Roles and Permissions](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
documentation for more information.
## Add Manifest to Add-on Profile
diff --git a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-pack-addon.md b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-pack-addon.md
index d3ff01ecf2..5b13d60a0d 100644
--- a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-pack-addon.md
+++ b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-addon-profile/create-pack-addon.md
@@ -12,7 +12,7 @@ Use the following steps to create a cluster profile by adding one or more layers
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Roles and Permissions](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Roles and Permissions](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
documentation for more information.
## Add Pack to Add-on Profile
diff --git a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-full-profile.md b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-full-profile.md
index a7be11b8dd..2305719d36 100644
--- a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-full-profile.md
+++ b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-full-profile.md
@@ -13,7 +13,7 @@ and Storage. Next, add layers using add-on profiles to expand the functionality
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a cluster profile. Refer to the
- [Roles and Permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Roles and Permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
documentation for more information.
## Create Full Profile
diff --git a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md
index e432a06689..2516ffc220 100644
--- a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md
+++ b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/create-infrastructure-profile.md
@@ -13,7 +13,7 @@ packs.
## Prerequisites
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
reference for more information about roles and permissions.
## Create Infrastructure Profile
diff --git a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/duplicate-pack-in-profile.md b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/duplicate-pack-in-profile.md
index 119dd560a5..a3dcb70c58 100644
--- a/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/duplicate-pack-in-profile.md
+++ b/docs/docs-content/profiles/cluster-profiles/create-cluster-profiles/duplicate-pack-in-profile.md
@@ -28,7 +28,7 @@ could arise if the original pack has Kubernetes resources with the same names as
- Your Palette account role must have the `clusterProfile.create` permission to create a profile. Refer to the
- [Cluster Profile Permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Cluster Profile Permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
page for more information about roles and permissions.
@@ -36,7 +36,7 @@ could arise if the original pack has Kubernetes resources with the same names as
- Your Palette account role must have the `clusterProfile.Create` and `clusterProfile.Publish` permissions to create and
publish a profile. Refer to the
- [Cluster Profile Permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Cluster Profile Permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
page for more information about roles and permissions.
- A Palette API key. Refer to the [Create API Key](../../../user-management/authentication/api-key/create-api-key.md)
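Review bot: the unchanged context line at the top of this hunk spells the permissions `clusterProfile.Create` and `clusterProfile.Publish` with capital letters, while the first hunk of this same file and every other page in the diff use the lowercase `clusterProfile.create` form; since the line is being touched anyway, normalize both identifiers to the spelling used by the roles reference page they link to, so readers copying a permission name into a custom role get the one that matches.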
diff --git a/docs/docs-content/profiles/cluster-profiles/delete-cluster-profile.md b/docs/docs-content/profiles/cluster-profiles/delete-cluster-profile.md
index 2bba6eb05d..4dba972e41 100644
--- a/docs/docs-content/profiles/cluster-profiles/delete-cluster-profile.md
+++ b/docs/docs-content/profiles/cluster-profiles/delete-cluster-profile.md
@@ -22,7 +22,7 @@ before deleting the profile.
- An existing cluster profile.
- Your Palette account role must have the `clusterProfile.delete` permission to delete a profile. Refer to the
- [Cluster Profile permissions](../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin).
+ [Cluster Profile permissions](../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile).
## Delete Profile
diff --git a/docs/docs-content/profiles/cluster-profiles/export-import-cluster-profile.md b/docs/docs-content/profiles/cluster-profiles/export-import-cluster-profile.md
index addab04453..ba55f533d1 100644
--- a/docs/docs-content/profiles/cluster-profiles/export-import-cluster-profile.md
+++ b/docs/docs-content/profiles/cluster-profiles/export-import-cluster-profile.md
@@ -18,7 +18,7 @@ add-ons and integrations.
- Your Palette account role must have the `clusterProfile.get` permission to export a cluster profile and
`clusterProfile.create` to import a cluster profile. Refer to the
- [Cluster Profile permissions](../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin).
+ [Cluster Profile permissions](../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile).
- [Macros](../../registries-and-packs/pack-constraints.md#pack-macros) used in the profile you want to export must be
available in the target environment _before_ you import the profile.
diff --git a/docs/docs-content/profiles/cluster-profiles/modify-cluster-profiles/update-cluster-profile.md b/docs/docs-content/profiles/cluster-profiles/modify-cluster-profiles/update-cluster-profile.md
index e3668335d4..5857efa703 100644
--- a/docs/docs-content/profiles/cluster-profiles/modify-cluster-profiles/update-cluster-profile.md
+++ b/docs/docs-content/profiles/cluster-profiles/modify-cluster-profiles/update-cluster-profile.md
@@ -27,7 +27,7 @@ profiles, check out [Version a Cluster Profile](version-cluster-profile.md).
- A cluster profile created in Palette.
- Your Palette account role must have the `clusterProfile.update` permission to update a profile. Refer to the
- [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile-admin)
+ [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
reference for more information about roles and permissions.
## Modify Basic Profile Information
@@ -62,6 +62,16 @@ To learn how to apply the changes, review [Apply Profile Updates to Clusters](#a
## Update a Profile Layer
+### Prerequisites
+
+- A cluster profile created in Palette.
+
+- Your Palette account role must have the `clusterProfile.update` permission to update a profile. Refer to the
+ [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
+ reference for more information about roles and permissions.
+
+### Update Layer
+
1. Log in to [Palette](https://console.spectrocloud.com).
2. From the left **Main Menu**, click on **Profiles** and select the profile you want to update. Palette displays the
@@ -112,6 +122,101 @@ To learn how to apply the changes, review [Apply Profile Updates to Clusters](#a
To learn how to apply the changes, review [Apply Profile Updates to Clusters](#apply-profile-updates-to-clusters).
+# <<<<<<< HEAD
+
+## Accept Updates to a Cluster Profile
+
+Palette will automatically display the **Update** button when a new version of a pack is available. For example, if you
+have the Container Network Interface (CNI) Calico pack version 3.28.0 in your profile, and a new version becomes
+available, for example, version 3.28.2, Palette will automatically display the **Update** button when you visit the
+cluster profile's details page. If you click on the **Update** button, Palette will display the new versions available
+for each pack in the profile.
+
+Review the following steps to accept incoming pack updates to a cluster profile.
+
+### Prerequisites
+
+- A cluster profile created in Palette.
+
+- There are updates available for at least one pack in the profile.
+
+- Your Palette account role must have the `clusterProfile.update` permission to update a profile. Refer to the
+ [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
+ reference for more information about roles and permissions.
+
+### Review Update Changes
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. From the left **Main Menu**, select **Profiles**.
+
+3. Select the profile you want to update to access the profile details page.
+
+4. Palette displays profile details and the profile stack. If there are pending updates, Palette displays a green
+ **Update** button in the top right-hand corner of the page. Click on the **Update** button to view the changes
+ summary modal.
+
+5. If the changes can be applied without any issues, then Palette will display the **Apply Changes** button.
+
+ ![A view of the cluster profile update widget displaying a new version of Calico is available.](/profiles_cluster-profiles_modify-cluster-profiles_new-version-notifcation.webp)
+
+ Otherwise, you will be presented with the **Review changes in Editor** button, which allows you to review the changes
+ before applying them.
+
+ :::tip
+
+ If a pack row has an information icon, hover over the icon to learn more about the changes.
+
+ :::
+
+ ![A view of the cluster profile update widget displaying a new packs versions but changes that require the user's input.](/profiles_cluster-profiles_modify-cluster-profiles_new-version-notifcation-changes-required.webp)
+
+6. Click on the **Apply Changes** button to apply the updates to the profile. If there are changes that require your
+ attention, click on the **Review changes in Editor** button to start the review process.
+
+7. The differential editor will display the changes between the current YAML configuration and new incoming YAML
+ changes. The left side of the editor displays the current configuration. The right side displays the new pack
+ version's incoming changes. Review the changes and apply them as needed. Use the three buttons at the bottom to
+ navigate through the changes.
+
+ - **Prev**: Click to navigate to the previous change.
+ - **Next**: Click to navigate to the next change.
+ - **Keep**: Click to apply the current change.
+ - **Revert**: Click to revert the accepted change. This button will only appear after you have clicked the **Keep**
+ button.
+
+ The differential editor will display the changes by highlighting the differences between the configurations. The
+ color-coded highlights indicate the following:
+
+ - _Yellow highlight_ indicates text that is not present in the new configuration. These may be lines you have added
+ in the current configuration or lines that have been removed because they are no longer valid in the new
+ configuration. If you need them, use the **Keep** button to transfer the lines to the new pack version. Otherwise,
+ click on **Next** to proceed.
+
+ - _Blue highlight_ indicates additions in the new configuration that are not present in the pack version you are
+ using.
+
+ ![Screenshot that shows Palette's pack diff user interface with yellow highlight at left and blue highlight at right](/profiles_cluster-profiles_modify-cluster-incoming-updates.webp)
+
+8. Repeat step 7 until you have reviewed all the changes for each pack layer. You can select a different pack layer from
+ the left-hand side of the editor. Once a pack layer is reviewed, a gray checkmark will appear next to the pack name.
+
+9. Click on the **Apply Changes** button to apply the updates to the profile.
+
+### Validate
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. From the left **Main Menu**, select **Profiles**.
+
+3. Click the profile you updated to access the profile details page.
+
+4. Check that the updated layer displays the new pack versions.
+
+5. Click on the pack layer and review its configuration to ensure the changes are applied.
+
+> > > > > > > 38a1cc420 (docs: DOC-1479 DOC-1481 DOC-462 User Management Refactor (#4712))
+
## Update the Pack Version
Packs typically contain changes between versions, such as the addition or removal of parameters and policies. The
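Review bot: this hunk commits unresolved merge-conflict residue: the added `# <<<<<<< HEAD` line renders as a level-1 heading and the `> > > > > > > 38a1cc420 (docs: DOC-1479 DOC-1481 DOC-462 User Management Refactor (#4712))` line renders as a deeply nested blockquote, and because the `=======` separator is absent, the two sides of the conflict were concatenated rather than resolved. Delete both marker lines and confirm that the new "Accept Updates to a Cluster Profile" section was meant to coexist with "Update the Pack Version". Two smaller points in the same section: the Validate procedure tells the reader to log in "as a tenant admin" although the Prerequisites above it only require `clusterProfile.update`, so a project-scoped user should be able to validate without elevated access and the step should say so; and the alt text "displaying a new packs versions but changes that require the user's input" needs rewording ("displaying new pack versions with changes that require the user's input").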
@@ -129,6 +234,22 @@ Ensure you follow these practices when updating to a new pack version.
:::
+# <<<<<<< HEAD
+
+### Prerequisites
+
+- A cluster profile created in Palette.
+
+- There are updates available for at least one pack in the profile.
+
+- Your Palette account role must have the `clusterProfile.update` permission to update a profile. Refer to the
+ [Cluster Profile permissions](../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
+ reference for more information about roles and permissions.
+
+### Update Pack Version
+
+> > > > > > > 38a1cc420 (docs: DOC-1479 DOC-1481 DOC-462 User Management Refactor (#4712))
+
1. Log in to [Palette](https://console.spectrocloud.com).
2. From the left **Main Menu**, select **Profiles**.
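Review bot: same conflict residue as the previous hunk: the added `# <<<<<<< HEAD` and `> > > > > > > 38a1cc420 (...)` lines wrap the new Prerequisites subsection and must be removed; with them gone, check that the "### Update Pack Version" heading is immediately followed by the numbered steps so the list is not separated from its heading by a stray blockquote.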
diff --git a/docs/docs-content/tenant-settings/api-key-management.md b/docs/docs-content/tenant-settings/api-key-management.md
index 7dd8908afa..6ecf18d296 100644
--- a/docs/docs-content/tenant-settings/api-key-management.md
+++ b/docs/docs-content/tenant-settings/api-key-management.md
@@ -4,7 +4,7 @@ title: "API Key Management"
description: "Learn how to set a login banner for your Palette tenant."
icon: ""
hide_table_of_contents: false
-sidebar_position: 20
+sidebar_position: 25
tags: ["tenant-administration", "authentication", "api-key"]
---
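Review bot: the front matter in this hunk's context still carries `description: "Learn how to set a login banner for your Palette tenant."` on the API Key Management page, which is wrong for the page and is what search engines and the sidebar tooltip will show; since the hunk already edits the front matter to bump `sidebar_position` to 25, fix the description in the same change (for example "Learn how to manage API keys for your Palette tenant.").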
diff --git a/docs/docs-content/tenant-settings/filters.md b/docs/docs-content/tenant-settings/filters.md
new file mode 100644
index 0000000000..1051b9e7da
--- /dev/null
+++ b/docs/docs-content/tenant-settings/filters.md
@@ -0,0 +1,67 @@
+---
+sidebar_label: "Add a Resource Filter"
+title: "Add a Resource Filter"
+description: "Learn how to add a resource filter to your Palette tenant."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["tenant-administration", "filter"]
+---
+
+Resource filters are used to limit the visibility of resources or actions to a
+[Resource role](../user-management/palette-rbac/resource-scope-roles-permissions.md). A filter is a collection of
+expressions that together define the scope that Resource roles can access.
+
+Use the following steps to add a filter to your Palette tenant.
+
+## Prerequisites
+
+- You must have tenant administrator permissions to add a filter to your Palette tenant.
+
+## Add a Filter
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Next, click on **Platform Settings** from the **Tenant Settings Menu**.
+
+4. Click on **Filters** to open the **Filters** page.
+
+5. Click on **New Resource Filter** to add a new filter.
+
+6. Provide a name for the filter in the **Name** field.
+
+7. Next, select the Palette resource type you want to apply the filter to. For example, **Tag**.
+
+8. Next, define the query for the filter. You can chose between **is** and **is not**. Complete the expression by
+ providing a value for the query.
+
+ ![A view of the Add Resource Filter wizard with two tag expressions - tag is not equal to the value sensitive, and the tag is equal to the value claims.](/tenant-settings_filters_add-resource-filter-wizard.webp)
+
+9. If you want to add more expressions to the filter, click on **Add condition**.
+
+10. Select a **Conjunction**. You can choose between **and** and **or**.
+
+11. Repeat steps 7-10 to add more expressions to the filter.
+
+12. Click on **Confirm** to save the filter.
+
+## Validate
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Next, click on **Platform Settings** from the **Tenant Settings Menu**.
+
+4. Click on **Filters** to open the **Filters** page.
+
+5. Verify that the filter you added is listed in the **Filters** page.
+
+6. To validate the impact of the filter, assign the filter to a Resource role. For more information, refer to the
+ [Resource Roles and Permissions](../user-management/palette-rbac/resource-scope-roles-permissions.md) page.
+
+## Resources
+
+- [Resource Roles ](../user-management/palette-rbac/resource-scope-roles-permissions.md)
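Review bot: two copy issues and one documentation gap in the new filters.md. Step 8 has "You can chose between **is** and **is not**" (should be "choose"), and the Resources entry `[Resource Roles ](...)` has a trailing space inside the link text that renders as an underlined space. More importantly, the page defines a filter as the scope a Resource role can access but never says how an **is not** expression treats resources that carry no tag at all, nor how mixed **and**/**or** conjunctions are grouped when steps 9-11 are repeated; the screenshot example (tag is not `sensitive`, and tag is `claims`) is exactly the case where that matters, because an exclusion-based expression can widen the role's scope to every untagged resource. Add a sentence stating the actual semantics, or recommend building filters from **is** expressions so the scope is an explicit allow list.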
diff --git a/docs/docs-content/tenant-settings/projects/create-manage-projects.md b/docs/docs-content/tenant-settings/projects/create-manage-projects.md
index 3d4e1fd8e6..294de34082 100644
--- a/docs/docs-content/tenant-settings/projects/create-manage-projects.md
+++ b/docs/docs-content/tenant-settings/projects/create-manage-projects.md
@@ -9,7 +9,7 @@ tags: ["projects"]
Tenant administrators can create and manage projects in Palette. A tenant administrator automatically has access to all
projects within the tenant. You can associate users and teams with a project. Check out the
-[Project Association](../../user-management/project-association.md) page to learn more.
+[Assign a Role](../../user-management/palette-rbac/assign-a-role.md) page to learn more.
## Create a Project
diff --git a/docs/docs-content/tenant-settings/tenant-settings.md b/docs/docs-content/tenant-settings/tenant-settings.md
index a895c0e285..7441867937 100644
--- a/docs/docs-content/tenant-settings/tenant-settings.md
+++ b/docs/docs-content/tenant-settings/tenant-settings.md
@@ -34,6 +34,8 @@ Use the following resources to become familiar with the available tenant setting
- [Add Tenant-Level Registry](add-registry.md)
+- [Add a Filter](./filters.md)
+
- [API Key Management](api-key-management.md)
- [Default Resource Limits](./palette-resource-limits.md)
diff --git a/docs/docs-content/user-management/authentication/authentication.md b/docs/docs-content/user-management/authentication/authentication.md
index bf0ba40b69..c3cc150e8f 100644
--- a/docs/docs-content/user-management/authentication/authentication.md
+++ b/docs/docs-content/user-management/authentication/authentication.md
@@ -53,3 +53,5 @@ To learn more about the authorization token, refer to the [Authorization Token](
- [API Key](api-key/api-key.md)
- [UI Authentication](authentication.md)
+
+- [Switch Tenant](switch-tenant.md)
diff --git a/docs/docs-content/user-management/authentication/switch-tenant.md b/docs/docs-content/user-management/authentication/switch-tenant.md
new file mode 100644
index 0000000000..c76bf161bd
--- /dev/null
+++ b/docs/docs-content/user-management/authentication/switch-tenant.md
@@ -0,0 +1,51 @@
+---
+sidebar_label: "Switch Tenant"
+title: "Switch Tenant"
+description: "Learn how to switch between tenants in Palette"
+hide_table_of_contents: false
+sidebar_position: 30
+tags: ["user-management", "users", "tenants"]
+---
+
+You can switch between tenants in Palette to access resources and manage configurations in different tenants without
+having to log in again. This feature is available to self-hosted Palette, VerteX, and Palette SaaS.
+
+## Prerequisites
+
+- You must have a user account in the tenant you want to switch to.
+
+- At least two tenants must be available in the Palette instance. System administrators for self-hosted Palette or
+ VerteX instances can create multiple tenants. Refer to the Palette
+ [Tenant Management](../../enterprise-version/system-management/tenant-management.md) or the Vertex
+ [Tenant Management](../../vertex/system-management/tenant-management.md) page for guidance on how to create tenants.
+ Users of Palette SaaS, contact our support team at [support@spectrocloud.com](mailto:support@spectrocloud.com) for
+ additional tenants.
+
+## Switch Tenant
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. Click on the **drop-down Menu** at the top of the page.
+
+3. Select **Switch Tenant**.
+
+4. Select the tenant you want to switch to from the list of available tenants.
+
+ ![A view of the tenant switch menu](/user-management_authentication_switch-tenant_tenant-selection.webp)
+
+You are now switched to the selected tenant and can access its resources and configurations. Keep in mind that your
+access is limited to the permissions assigned to your user account in the tenant.
+
+## Validate
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. Click on the **drop-down Menu** at the top of the page.
+
+3. Select **Switch Tenant**.
+
+4. Select the tenant you want to switch to from the list of available tenants.
+
+5. Click on the **drop-down Menu** at the top of the page.
+
+6. Verify the expected tenant name is displayed at the bottom of the option list.
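Review bot: the Prerequisites paragraph spells the product "Vertex" in the second link while the intro sentence uses "VerteX"; pick one. The sentence "Users of Palette SaaS, contact our support team at ... for additional tenants." is a dangling vocative and reads better as "If you use Palette SaaS, contact our support team ... to request additional tenants." The Validate section also repeats steps 1-4 of the Switch Tenant procedure verbatim before adding the two verification steps; the usual pattern on these pages is to start Validate from the state the procedure leaves you in, so steps 1-4 can be dropped and the section reduced to opening the drop-down menu and confirming the tenant name.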
diff --git a/docs/docs-content/user-management/authentication/ui-autentication.md b/docs/docs-content/user-management/authentication/ui-autentication.md
index 2ff381a0b9..4348712775 100644
--- a/docs/docs-content/user-management/authentication/ui-autentication.md
+++ b/docs/docs-content/user-management/authentication/ui-autentication.md
@@ -4,7 +4,7 @@ title: "User Authentication"
description: "Learn about User Interface authentication method in Palette."
icon: ""
hide_table_of_contents: false
-sidebar_position: 10
+sidebar_position: 20
tags: ["user-management", "authentication", "user-interface"]
---
@@ -18,29 +18,25 @@ identity provider, such as GitHub or Google.
## Account Sign Up
-You can sign up for a Palette SaaS account by visiting [Palette](https://console.spectrocloud.com) or an Enterprise
-Palette account under your organization by using your organization's custom Palette URL.
-
-When you create an account, you can create a username and password or create the account through a third-party identity
-provider, GitHub, Google, or other OIDC providers that are enabled for your organization. For Palette SaaS, GitHub and
-Google are automatically enabled for SSO integration.
+To sign up for a Palette account, ask you Palette tenant administrator to send you an invitation email. Check out the
+[Create and Manage a User](../users-and-teams/create-user.md) guide for more information.
## Sign In Flow
-Starting with Palette 3.2, the user sign-in flow can be different depending on how you created your Palette account. If
-you created your user with a username and password, then you may be prompted to select the organization you wish to log
-in to. If you are a member of a single organization, then you will not be prompted for an organization selection.
-
-If you created an account through SSO and are a member of different organizations, then you must first select the
-organization name you wish to log in to. Click on the **Sign in to your organization** button for the option to specify
-the organization name. If you need help remembering the organization name, click on the **Forgot your organization
-name?** button and provide your email address to receive an email containing your organization name and its login URL.
+If you created your user with a username and password, then you may be prompted to select the tenant you wish to log in
+to. If you are a member of a single tenant, then you will not be prompted for a tenant selection.
-
+If you created an account through SSO and are a member of different tenant, then you must first select the tenant name
+you wish to log in to. Click on the **Sign in to your tenant** button for the option to specify the tenant name.
:::info
-If you are a Palette Enterprise user, use the custom Palette URL for an optimized login experience and avoid specifying
-the organization name. Ask your Palette system administrator for the custom Palette URL.
+If you are a self-hosted Palette user, use the custom Palette URL for an optimized login experience and avoid specifying
+the tenant name. Ask your Palette system administrator for the custom Palette URL.
:::
+
+## Switch Tenant
+
+If you are a member of multiple tenants, you can switch between tenants in Palette without logging out. Check out the
+[Switch Tenant](./switch-tenant.md) guide for more information.
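Review bot: two typos in the added text: "ask you Palette tenant administrator" should be "ask your", and "a member of different tenant" should be "a member of different tenants". Beyond wording, this hunk deletes the paragraph describing the **Forgot your organization name?** recovery flow (email containing the organization name and login URL) and the statement that GitHub and Google SSO are enabled by default for Palette SaaS, without replacing either; if those flows still exist under the new "tenant" terminology, keep them with the terminology updated, and if they were removed from the product, say so in the PR description so the deletion is traceable.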
diff --git a/docs/docs-content/user-management/palette-rbac/assign-a-role.md b/docs/docs-content/user-management/palette-rbac/assign-a-role.md
new file mode 100644
index 0000000000..5a0df5b242
--- /dev/null
+++ b/docs/docs-content/user-management/palette-rbac/assign-a-role.md
@@ -0,0 +1,198 @@
+---
+sidebar_label: "Create and Manage a Role Assignment"
+title: "Create and Manage a Role Assignment"
+description: "Learn how to assign a role to a user or team in Palette"
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["user-management", "users", "teams", "roles"]
+---
+
+Assigning a role to a user or team in Palette is critical in managing user access and permissions. By assigning roles,
+you can control users' access to various resources and actions in Palette. Users and teams can have multiple roles
+assigned to them, each with different permissions and access levels. We recommend assigning roles at the team level to
+reduce the complexity of managing user access.
+
+This guide explains how to assign a role to a user or team in Palette.
+
+## Assign a Role to a User
+
+Use the following steps to assign a role to a user.
+
+### Prerequisites
+
+- Tenant admin access to Palette with the permissions `user.update` and `role.list`.
+
+- An available user. Check out the [Create a User](../users-and-teams/create-user.md) guide to learn how to create a
+ user.
+
+- If you want to assign a custom role to a user, you must have the role created. Check out the
+ [Create and Manage a Custom Role](./create-custom-role.md) guide to learn how to create a custom role.
+
+### Assign User Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Users** tab.
+
+5. Click on the row of the user to display its overview page.
+
+6. Select the tab of the role you want to assign to the user. For example, click on **Project Roles** to assign a
+ built-in project role or a custom project role you created.
+
+ ![A view of the role assignment menu for a user](/user-management_palette-rback_assign-a-role_user-role-assign.webp)
+
+7. Click on the **New Role** button.
+
+8. Depending on the role you want to assign, you may have to select projects, workspaces, filters, or other resources
+ associated with the role. Provide a selection for each resource required by the role.
+
+9. Check the box next to the role you want to assign to the user. The built-in roles are listed first, followed by
+ custom roles.
+
+10. Click **Confirm** to assign the roles to the user.
+
+11. Repeat steps 7 to 10 to assign additional roles to the user.
+
+### Validate
+
+1. Have the user log in to [Palette](https://console.spectrocloud.com). If a self-hosted Palette instance is used, have
+ the user log in to Palette using the instance URL.
+
+2. The user can now access the resources and perform the actions associated with the assigned roles in the projects you
+ assigned them to.
+
+If the user is unable to access a project or a resource, review the projects and roles assigned to the user.
+
+## Assign a Role to a Team
+
+Use the following steps to assign a role to a team.
+
+### Prerequisites
+
+- Tenant admin access to Palette with the permissions `team.update` and `role.list`.
+
+- An available team. Check out the [Create a Team](../users-and-teams/create-a-team.md) guide to learn how to create a
+ team.
+
+- If you want to assign a custom role to a user, you must have the role created. Check out the
+ [Create and Manage a Custom Role](./create-custom-role.md) guide to learn how to create a custom role.
+
+### Assign Team Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Team** tab.
+
+5. Click on the row of the team to display its overview page.
+
+6. Select the tab of the role you want to assign to the team. For example, click on **Project Roles** to assign a
+ built-in project role or a custom project role you created.
+
+ ![A view of the role assignment menu for a team](/user-management_palette-rback_assign-a-role_team-role-assign.webp)
+
+7. Click on the **New Role** button.
+
+8. Depending on the role you want to assign, you may have to select projects, workspaces, filters, or other resources
+ associated with the role. Provide a selection for each resource required by the role.
+
+9. Check the box next to the role you want to assign to the team. The built-in roles are listed first, followed by
+ custom roles.
+
+10. Click **Confirm** to assign the roles to the team.
+
+11. Repeat steps 7 to 10 to assign additional roles to the team.
+
+### Validate
+
+1. Have a member of the team log in to [Palette](https://console.spectrocloud.com). If a self-hosted Palette instance is
+ used, have the team member log in to Palette using the instance URL.
+
+2. The team member can now access the resources and perform the actions associated with the assigned roles in the
+ projects you assigned them to.
+
+If the team member is unable to access a project or a resource, review the projects and roles assigned to the team.
+Also, ensure the user is a member of the team to inherit the access permissions assigned to the team.
+
+## Remove a Role From a User
+
+Use the following steps to remove a role from a user.
+
+### Prerequisites
+
+- Tenant admin access to Palette with the permissions `user.update` and `role.list`.
+
+- An available user. Check out the [Create a User](../users-and-teams/create-user.md) guide to learn how to create a
+ user.
+
+### Remove User Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Users** tab.
+
+5. Click on the row of the user to display its overview page.
+
+6. Select the tab of the role you want to remove from the user. For example, click on **Project Roles** to unassign a
+ built-in project role or a custom project role you created.
+
+7. Identify the role you want to remove from the user and click on **three-dot Menu** next to the role.
+
+8. Click on **Remove**.
+
+### Validate
+
+1. Have the user log in to [Palette](https://console.spectrocloud.com). If a self-hosted Palette instance is used, have
+ the user log in to Palette using the instance URL.
+
+2. Verify that the user can no longer access the resources and perform the actions associated with the removed role in
+ the projects you assigned them to.
+
+## Remove a Role From a Team
+
+Use the following steps to remove a role from a team.
+
+### Prerequisites
+
+- Tenant admin access to Palette with the permissions `team.update` and `role.list`.
+
+- An available team. Check out the [Create a Team](../users-and-teams/create-a-team.md) guide to learn how to create a
+ team.
+
+### Remove Team Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Team** tab.
+
+5. Click on the row of the team to display its overview page.
+
+6. Select the tab of the role you want to remove from the team. For example, click on **Project Roles** to unassign a
+ built-in project role or a custom project role you created.
+
+7. Identify the role you want to remove from the team and click on **three-dot Menu** next to the role.
+
+8. Click on **Remove**.
+
+### Validate
+
+1. Have a member of the team log in to [Palette](https://console.spectrocloud.com). If a self-hosted Palette instance is
+ used, have the team member log in to Palette using the instance URL.
+
+2. Verify that the team member can no longer access the resources and perform the actions associated with the removed
+ role in the projects you assigned them to.
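Review bot: the Prerequisites for "Assign a Role to a Team" say "If you want to assign a custom role to a user" (copied from the user section) and should say "to a team". In both Remove procedures, step 7 reads "click on **three-dot Menu** next to the role" and is missing the article ("click on the **three-dot Menu**"). The Prerequisites also list `user.update`/`team.update` plus `role.list` as the required permissions while step 1 says to log in "as a tenant admin"; if those two permissions are sufficient, the step should not imply full tenant admin is needed, which matters on a page whose intro recommends reducing access complexity.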
diff --git a/docs/docs-content/user-management/palette-rbac/create-custom-role.md b/docs/docs-content/user-management/palette-rbac/create-custom-role.md
new file mode 100644
index 0000000000..bd8e30fb9a
--- /dev/null
+++ b/docs/docs-content/user-management/palette-rbac/create-custom-role.md
@@ -0,0 +1,218 @@
+---
+sidebar_label: "Create and Manage a Custom Role"
+title: "Create and Manage a Custom Role"
+description: "Learn how to create and manage a custom role in Palette."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 5
+tags: ["user-management", "role", "rbac"]
+---
+
+For each role type in Palette, you can create a custom role with specific permissions. This allows you to create roles
+that are tailored to your organization's needs.
+
+:::tip
+
+Palette provides several built-in roles that you can use to assign permissions to users. To learn more about the
+built-in roles in Palette, refer to the following pages:
+
+- [Project Roles](./project-scope-roles-permissions.md)
+- [Resource Roles](./resource-scope-roles-permissions.md)
+- [Tenant Roles](./tenant-scope-roles-permissions.md)
+
+:::
+
+The following sections provide instructions on how to create a custom role for each of the role types in Palette.
+
+## Project Roles
+
+To create a custom project role in Palette, use the following steps.
+
+### Prerequisites
+
+- You need tenant admin permissions to create a custom Project role.
+
+### Create a Custom Project Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the **Project Roles** tab.
+
+4. Click on the **Create Project Role** button at the top right corner of the page.
+
+5. Provide a name for the custom role in the **Role Name** field.
+
+6. Select the permissions you want to assign to the custom role.
+
+7. Click on the **Save** button.
+
+### Validate
+
+To validate that the custom Project role is created successfully, follow these steps:
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the **Project Roles** tab.
+
+4. Verify that the custom role is listed in the **Project Roles** tab.
+
+5. Assign the custom Project role to a user or group to validate that the permissions are applied correctly.
+
+## Resource Roles
+
+To create a custom resource role in Palette, use the following steps.
+
+### Prerequisites
+
+- You need Tenant admin permissions to create a custom Resource role.
+
+### Create a Custom Resource Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the **Resource Roles** tab.
+
+4. Click on the **Create Resource Role** button at the top right corner of the page.
+
+5. Provide a name for the custom role in the **Role Name** field.
+
+6. Select the permissions you want to assign to the custom role.
+
+7. Click on the **Save** button.
+
+### Validate
+
+To validate that the custom Resource role is created successfully, follow these steps:
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the **Project Roles** tab.
+
+4. Verify that the custom role is listed in the **Project Roles** tab.
+
+5. Assign the custom Resource role to a user or group to validate that the permissions are applied correctly.
+
+## Tenant Roles
+
+To create a custom tenant role in Palette, use the following steps.
+
+### Prerequisites
+
+- You need Tenant admin permissions to create a custom Tenant role.
+
+### Create a Custom Tenant Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the **Tenant Roles** tab.
+
+4. Click on the **Create Tenant Role** button at the top right corner of the page.
+
+5. Provide a name for the custom role in the **Role Name** field.
+
+6. Select the permissions you want to assign to the custom role.
+
+7. Click on the **Save** button.
+
+### Validate
+
+To validate that the custom Tenant role is created successfully, follow these steps:
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the **Project Roles** tab.
+
+4. Verify that the custom role is listed in the **Project Roles** tab.
+
+5. Assign the custom Tenant role to a user or group to validate that the permissions are applied correctly.
+
+## Custom Role Edit
+
+To edit a custom role in Palette, use the following steps.
+
+### Prerequisites
+
+- You need a Tenant admin role with the `role.update` permission to edit a custom role.
+
+### Edit a Custom Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the tab that corresponds to the role type you want to edit. For example, if you want to edit a custom
+ Project role, navigate to the **Project Roles** tab.
+
+4. Locate the custom role you want to edit and click on the row to expose the details drawer.
+
+5. Click on the **Actions** button and select **Edit Role**.
+
+6. Make the necessary changes to the custom role.
+
+7. Click on the **Save Changes** button at the bottom of the page.
+
+### Validate
+
+To validate that the custom role is edited successfully, follow these steps.
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the tab that corresponds to the role type from which you edited the role.
+
+4. Verify that the custom role is listed in the roles list.
+
+5. Assign the custom role to a user or group to validate that the permissions are applied correctly.
+
+6. Log in as a user with the custom role assigned and verify that the permissions are applied correctly.
+
+## Custom Role Deletion
+
+To delete a custom role in Palette, use the following steps.
+
+### Prerequisites
+
+- You need a Tenant admin role with the `role.delete` permission to delete a custom role.
+
+### Delete a Custom Role
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the tab that corresponds to the role type you want to delete. For example, if you want to delete a custom
+ Project role, navigate to the **Project Roles** tab.
+
+4. Locate the custom role you want to delete and click on the row to expose the details drawer.
+
+5. Click on the **Actions** button and select **Delete Role**.
+
+6. Confirm the deletion by clicking on the **OK** button in the confirmation dialog.
+
+### Validate
+
+To validate that the custom role is deleted successfully, follow these steps.
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Roles**.
+
+3. Navigate to the tab that corresponds to the role type from which you deleted the role.
+
+4. Verify that the custom role is no longer listed in the roles list.
+
+5. Review the permissions assigned to the users or groups that had the custom role assigned to ensure that the
+ permissions are removed.
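Review bot: the Validate procedures for the Resource Roles and Tenant Roles sections check the wrong tab, so as written they would never find the role. Under "Resource Roles" > "Validate", steps 3 and 4 read "Navigate to the **Project Roles** tab" and "Verify that the custom role is listed in the **Project Roles** tab", and the Tenant Roles validate section repeats the same two lines; a custom Resource role is created under the **Resource Roles** tab and a custom Tenant role under the **Tenant Roles** tab, so each Validate should name its own tab, e.g. `3. Navigate to the **Resource Roles** tab.` / `4. Verify that the custom role is listed in the **Resource Roles** tab.` Two consistency points: the Edit and Delete prerequisites name the exact permission (`role.update`, `role.delete`) while the three create sections only say "tenant admin permissions"; naming `role.create` there would match the create/update/delete/get/list operations the `role` resource key carries in palette-rbac.md. And the validate steps say "assign the custom ... role to a user or group" while the rest of this PR says "user or team"; Palette has teams, not groups, so use "user or team" throughout.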
diff --git a/docs/docs-content/user-management/palette-rbac/implement-abac.md b/docs/docs-content/user-management/palette-rbac/implement-abac.md
new file mode 100644
index 0000000000..668d01da11
--- /dev/null
+++ b/docs/docs-content/user-management/palette-rbac/implement-abac.md
@@ -0,0 +1,111 @@
+---
+sidebar_label: "ABAC in Palette"
+title: "Attribute-Based Access Control in Palette"
+description: "Learn how to implement Attribute-Based Access Control (ABAC) in Palette."
+hide_table_of_contents: false
+sidebar_position: 60
+tags: ["user-management", "users", "teams", "roles"]
+---
+
+Attribute-Based Access Control (ABAC) is a security model that uses attributes to determine access to resources. In
+Palette, ABAC is implemented using [Resource roles](./resource-scope-roles-permissions.md) and
+[Resource filters](../../tenant-settings/filters.md).
+
+The Resource role defines the permissions a user has on resources, and the Resource filters define the scope of the
+resources the user can access. When a Resource role is assigned to a user or team, it must be paired with a Resource
+filter to control access based on a tag value.
+
+This guide will teach you how to implement ABAC in Palette.
+
+:::info
+
+ABAC in Palette can be achieved with a handful of resources. You can identify the Palette components eligible for ABAC
+on the [Permissions](./permissions.md#operations) page. Review the components table and all components that have a
+checkmark in the Resource Role Scope column.
+
+:::
+
+## Prerequisites
+
+- Tenant admin access to Palette with the permissions `user.update`, `role.list`, `team.update`, and `filter.list`.
+
+- A user or team available. Check out the [Create and Manage a User](../users-and-teams/create-user.md) or
+ [Create and Manage a Team](../users-and-teams/create-a-team.md) guide to learn how to create a user or team.
+
+## Implement ABAC
+
+To implement ABAC in Palette, use the following steps.
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. From the **Tenant Settings Menu** page, expand the **Platform** section and click on **Filters**.
+
+4. Create a filter by clicking on the **New Resource Filter** button. The resource filter creation page will open.
+ Refer to the [Add a Resource Filter](../../tenant-settings/filters.md) for detailed steps on creating a filter.
+
+5. After creating the filter, navigate to the left **Main Menu** and click on **Roles**.
+
+6. Click on the **Resource Roles** tab.
+
+7. Click on **Create Resource Role**. Provide the role a name and select the desired permissions. You can find detailed
+ steps for how to create a Resource role in the
+ [Create and Manage a Custom Role](./create-custom-role.md#create-a-custom-resource-role) guide.
+
+
+
+ What permissions do I select?
+
+ The permissions you select depend on the use case you want to regulate. For example, if you are going to control what cluster profiles a user can view and use,
+ you would select the **Cluster permissions** resource type and check the
+ boxes for the `clusterprofile.get` and `clusterprofile.list` permissions. This would allow the user to view and list
+ cluster profiles when creating a cluster.
+
+ The next important step is to ensure all cluster profiles match the
+ conditions defined in the resource filter you created in step 4. This ensures that the user can only view and use cluster
+ profiles that match the filter conditions. For example, if you created a filter that only allows users to view
+ cluster profiles with the tag `development`, the user would only be able to view and use cluster profiles with that
+ tag.
+
+ You could build on this example use case by adding the **Cluster permissions** resource type and selecting the `cluster.get` and `cluster.list` permissions.
+ This would allow the user to use only clusters that match the resource filter condition.
+ The tenant admin or user with permission to create clusters would need to ensure that all clusters created have the `development` tag.
+
+ To learn more about the resource types and permissions available in Palette, refer to the
+ [Permissions](./permissions.md) page.
+
+
+
+8. After creating the Resource role, navigate to the left **Main Menu** and click on **Users & Teams**.
+
+9. Select the tab of the resource you want to assign with the Resource role, either a user or a team.
+
+10. Click on the row of the user or team to display its overview page.
+
+11. Click on the **Resource Roles** tab.
+
+12. Click on the **New Resource Role** button.
+
+13. Select the projects you want the Resource to have access to.
+
+14. Assign the Resource filter you created in step 4.
+
+15. Select the Resource role you created in step 7.
+
+16. Click **Confirm** to assign the Resource role to the user or team.
+
+The user or team can now interact with the Palette components that match the conditions defined in the Resource filter
+and the permissions defined in the Resource role.
+
+## Validate
+
+1. Log in to [Palette](https://console.spectrocloud.com).
+
+2. Create a resource that matches the conditions defined in the Resource filter. For example, if you created a filter
+ that only allows users to view cluster profiles with the tag `development`, create a cluster profile with that tag.
+
+3. Have the user or team log in to [Palette](https://console.spectrocloud.com).
+
+4. Verify the user or team can only view and interact with resources that match the conditions defined in the Resource
+ filter and the permissions defined in the Resource role.
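Review bot: the Prerequisites permission list does not cover what the procedure does. Steps 4 and 7 create a Resource filter and a Resource role, but the listed permissions are only `user.update`, `role.list`, `team.update`, and `filter.list`, none of which is a create permission; either add the create permissions (at least `role.create`, which the `role` resource key supports) or state that the full Tenant Admin role is required. In the "What permissions do I select?" block the cluster profile example says to "select the **Cluster permissions** resource type and check the boxes for the `clusterprofile.get` and `clusterprofile.list` permissions", and the following paragraph then says to add "the **Cluster permissions** resource type" again for `cluster.get` and `cluster.list`; the first reference should be the cluster profile resource type, otherwise the reader is sent to the wrong permission group. The title line "What permissions do I select?" is also bare text here with nothing marking it as a heading or collapsible section; confirm it renders as intended. Minor wording: step 4 "Refer to the [Add a Resource Filter](...) for detailed steps" is missing "guide", steps 9 and 13 say "the resource you want to assign" and "the projects you want the Resource to have access to" where "user or team" is meant, and the :::info sentence "Review the components table and all components that have a checkmark in the Resource Role Scope column" lacks a verb for its second clause (e.g. "... column are eligible for ABAC").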
diff --git a/docs/docs-content/user-management/palette-rbac/palette-rbac.md b/docs/docs-content/user-management/palette-rbac/palette-rbac.md
index 86af7ffc6c..f6d0ce27d4 100644
--- a/docs/docs-content/user-management/palette-rbac/palette-rbac.md
+++ b/docs/docs-content/user-management/palette-rbac/palette-rbac.md
@@ -1,384 +1,176 @@
---
-sidebar_label: "Palette RBAC"
-title: "Palette User Access using RBAC "
+sidebar_label: "Roles and Permissions"
+title: "Roles and Permissions"
description: "Palette User Access control using RBAC"
icon: ""
hide_table_of_contents: false
tags: ["user-management", "rbac"]
---
-RBAC stands for Role-Based Access Control. RBAC allows a single user to have different types of access control based on
-the resource being accessed. RBAC is the scenario that allows the Tenant Admin to grant full and unrestricted access to
-some parts of the system and withhold it for some others.
+Palette provides you with the ability to create and manage roles to control access to resources. Roles are a collection
+of [permissions](./permissions.md) that define the actions a user or a team can perform on a resource. By assigning
+roles to users or teams, you can control the level of access they have to resources in Palette.
-Palette enforces a very well-structured RBAC design on how to grant granular access to resources and their operations
-within our management console. We maintain precise Roles and Resource Access Control List. Role-based access control
-primarily focuses on assigning permissions to roles instead of individual users and then assigning these roles to users.
-Multiple roles can be assigned to a user, which defines the permitted actions on the resource. This module lists and
-enumerates all the roles available within the Palette console within specific scopes.
+## Role-Based Access Control
-Palette enables:
+Role-Based Access Control (RBAC) allows a user or team to have different types of access control based on the resource
+being accessed. Palette supports an RBAC approach for granting users granular access to resources and their operations
+within the Palette platform.
-- A role can have multiple permissions. We encourage custom role creation, coupling the wide range of Palette
- permissions.
+RBAC focuses on assigning permissions to roles rather than individual users or teams. Users and teams are then assigned
+these roles, which specify their access to various resources. A user or team can be assigned multiple roles, each
+defining their permitted actions on those resources.
-- Multiple roles can be assigned to a single user, defining the permitted actions on a Palette resource.
+:::info
-## Palette RBAC Model
+Palette RBAC is separate from Kubernetes RBAC and is used to manage access to the Palette platform and its resources.
+The access control inside a Kubernetes cluster is managed by Kubernetes RBAC and requires the usage of
+[Kubernetes roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) and
+[role bindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings). For
+fine-grained access control to Kubernetes resources, use the
+[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) system. You can use OpenID Connect
+(OIDC) to integrate Kubernetes RBAC with Palette RBAC. Refer to the [OIDC](../saml-sso/saml-sso.md) page for more
+information.
-The Palette RBAC Model, is based on the following three components:
+:::
-- Scopes
-- Permissions
-- Roles
-
-### Scopes
-
-A Scope defines the resources on which the role has coverage. The scope will be either `Tenant` or `Project`. For
-example, a role within the scope project can operate within the projects. The combination of user and roles indicates
-the totality of the accessibility available to that user. Scopes are structured in a parent-child relationship. Each
-level of hierarchy makes the Scope more specific. The roles are assigned at any of these levels of Scope. The level you
-select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.
-![palette-rbac-scope.webp](/palette-rbac-scope.webp)
-
-The following are the major properties of Palette driven Scopes:
-
-- Scopes control the visibility of the resource.
-
-- Resource created in the higher scope will be visible in the lower scope as read-only. The cluster profiles created by
- a tenant will be available to all the projects created by that tenant.
-
-- Resource Isolation: Resources within the same scope will be restricted to the respective scope entity.
-
- - Cluster Profile created in project-1 will not be available in project-2 of the same tenant
-
-- Resource with the same name can co-exist across scopes and will be distinguished with scope prefix (icon)
- - A profile with the same name can be created in tenant and project scope. The resource will have the scope
- information, which helps to distinguish them.
-
-Palette resources can be allocated to roles under **Three Scopes**:
-
-- **System** (The system admin internal to Palette)
-
-- **Tenant**
-
-- **Project**
-
-
-
-![A diagram of Palette's RBAC model](/user-management_palette-rback_palette-rbac-model.webp)
-
-
-
-### Permissions
-
-Permissions determine the type of operations allowed on a resource. Permissions can be defined in the following format:
-
-`resourceKey.operation`
-
-Examples:
-
-- `cluster.create`
-- `cluster.edit`
-- `cluster.delete`
-
-Each permission has a defined scope. The role creation is based on scope, type and permissions.
-
-
-
-#### Palette Permissions
-
-Palette has a wide range of permissions and these permissions can be combined in any combination as per the user
-requirements to create a role. If the Palette built-in roles does not meet the specific needs of your organization,
-custom roles can be created using different combination of these permissions. Just like built-in roles, you can assign
-custom roles to users or teams within a specific scope (Tenant or Project). Refer to the available set of permissions in
-the [Palette Resource Scope Matrix](#resource-scope-matrix).
-
-
-
-
-### Roles
-
-A Role is a collection of permissions. When a role is assigned to a user, it means all the permissions the role contains
-are assigned to that user. The Role will have a **Scope**. The Type signifies the creator's scope and the Scope
-signifies the role visibility. The permissions will be restricted to the permission's scope list based on the role's
-scope. The ProfileEditor will be visible under Tenant, but neither the Tenant nor the Project admins are allowed to
-modify the Project Scopes.
-
-
-
-## Access Modes
-
-- Tenant
-- Project
-
-### Tenant
-
-Tenant is an isolated workspace within the Palette. `Users` and `Teams` with specific `Roles` can be associated with the
-Tenant(s) you create. Palette provides a [wide set of permissions](tenant-scope-roles-permissions.md) under the scope of
-a Tenant. Everyone is a user and there should be at least one user with Tenant Admin privilege to control the product
-operations.
-
-
-
-### Project
-
-The Global Project Scope holds a group of resources, in a logical grouping, to a specific project. The project acts as a
-namespace for resource management. Users and Teams with specific roles can be associated with the project, cluster, or
-cluster profile you create. Users are members of a tenant who are assigned
-[project scope roles](./project-scope-roles-permissions.md) that control their access within the platform.
-
-
-
-## Palette Specific (Default) Roles:
-
-Palette RBAC has several built-in roles that can be assigned to users and teams. Role assignments are the way you
-control access to Palette resources.
-
-
-
-### Tenant Scope Default Roles:
-
-The Global Tenant Scope holds all the tenant resources of Palette. The list of `Role` types within the `Tenant Scope`
-are as follows:
-
-
-
-1. [Tenant Administrator Role](tenant-scope-roles-permissions.md#tenant-admin)
+## RBAC Model
-2. [Tenant Viewer Role](tenant-scope-roles-permissions.md#tenant-viewer)
+The Palette RBAC Model is based on the following three components:
-3. [Tenant Project Admin Role](tenant-scope-roles-permissions.md#tenant-project-admin)
-
-4. [Tenant Cluster Profile Admin Role](tenant-scope-roles-permissions.md#tenant-cluster-group-admin)
-
-5. [Tenant Role Admin Role](tenant-scope-roles-permissions.md#tenant-team)
-
-6. [Tenant Team Admin Role](tenant-scope-roles-permissions.md#tenant-admin)
-
-7. [Tenant User Admin Role](tenant-scope-roles-permissions.md#tenant-user)
-
-
-
-### Project Scope Default Roles:
-
-The Global Project Scope holds a group of resources in a logical grouping. Users and Teams with specific Roles can be
-associated with the Project(s) you create. Below is a list of Role types within the Project Scope built in to the
-Palette console. These Roles can neither be deleted nor edited.
-
-
-
-1. [Project Administrator Role](project-scope-roles-permissions.md#project-admin)
-
-2. [Project Editor Role](project-scope-roles-permissions.md#project-editor)
-
-3. [Project Viewer Role](project-scope-roles-permissions.md#project-viewer)
-
-4. [Cluster Profile Admin Role](project-scope-roles-permissions.md#cluster-profile-admin)
-
-5. [Cluster Profile Editor Role](project-scope-roles-permissions.md#cluster-profile-editor)
-
-6. [Cluster Profile Viewer Role](project-scope-roles-permissions.md#cluster-profile-viewer)
-
-7. [Cluster Admin Role](project-scope-roles-permissions.md#cluster-account-admin)
-
-8. [Cluster Editor Role](project-scope-roles-permissions.md#cluster-account-editor)
-
-9. [Cluster Viewer Role](project-scope-roles-permissions.md#cluster-account-viewer)
-
-10. [Cluster Account Admin Role](project-scope-roles-permissions.md#cluster-admin)
-
-11. [Cluster Account Editor Role](project-scope-roles-permissions.md#cluster-editor)
-
-12. [Cluster Account Viewer Role](project-scope-roles-permissions.md#cluster-viewer)
-
-13. [Workspace Admin Role](project-scope-roles-permissions.md#workspace-admin)
-
-14. [Workspace Operator Role](project-scope-roles-permissions.md#workspace-operator)
-
-## Assign Palette Specific Roles to Users
-
-The Default (built-in) roles of Palette can be directly assigned to a user. The roles needs to be assigned based on who
-needs the access. The roles can be assigned to `Users` or `Teams`. The appropriate role needs to be selected from the
-list of several built-in roles. If the built-in roles are not meeting the specific needs of your organization, you can
-[create your own custom roles](#custom-roles-in-palette).
-
-
-
-1. Login to Palette console as `Tenant Admin`.
-
-2. Select **Users and Teams** from the left **Main Menu** to list the created users.
-
-3. From the list of users **select the user** to be assigned with role to open the role addition wizard.
-
-4. Make the choice of role category from the top tabs:
-
- - Project Role
- - Tenant Role
- - Workspace Role
-
-5. Once the choice of category is made Click on **+ New Role**.
-
-6. In the **Add Roles to User-name** wizard, select the project name from the drop down and select the roles from the
- list.
-
-7. Confirm to complete the wizard.
-
-8. The role user association can be edited and deleted from the **left Main Menu**.
-
-
-
-## Custom Roles in Palette
-
-Palette enables the users to have custom Roles. These custom roles can be created either under the Tenant Scope or the
-Project Scope, but not both. These roles need to have unique names for identification. The names are case-insensitive.
-To create custom role in Palette Platform, we need to understand the components and operations in the Palette Platform
-enumerated as a `Resource Scope Matrix` as below:
-
-## Resource Scope Matrix
-
-| Component | Resource Key | Operations | Scope | Usage |
-| --------------- | -------------- | -------------------------------------------- | -------------- | ----------------------------------------------------------- |
-| API Key | apiKey | create, get, list, update, delete | Tenant | API Key related operations |
-| Appliance | edgehost | create,get,list,update,delete | Project | Edge appliance deployment and management |
-| Audit | audit | get, list | Tenant Project | Audit log access |
-| Cloud Account | cloudaccount | create, get,list,update,delete | Tenant Project | Cloud account creation and management |
-| Cloud Config | cloudconfig | create,update,delete,get,list | Project | Cluster level cloud configuration |
-| Cluster | cluster | create,get,list,update,delete | Project | Creation and management of Palette workload clusters |
-| Cluster Profile | clusterProfile | update,publish,delete,create,get,list | Tenant Project | Creation and management of Palette cluster profiles |
-| DNS Mapping | dnsMapping | create,get,list,update,delete | Project | Domain Name Server mapping services creation and management |
-| Location | location | create,get,list,update,delete | Tenant Project | location services related to backup and restore |
-| Macro | macro | create,get,list,update,delete | Tenant Project | Key value management for Palette resources |
-| Machine | machine | create,get,list,delete,update | Project | Palette node pool management |
-| Private Gateway | privateGateway | create,get,list,update,delete | Tenant | PCG creation and maintenance |
-| Registry | packRegistry | create, get, list, update, delete | Tenant | Creation and management of registries |
-| Role | role | create,update,delete,get,list | Tenant | creation and management of Palette roles |
-| Project | project | create,get,list,delete,update | Project | Creation and management of Palette roles |
-| Workspace | workspace | create,list,update,delete,backup,restore,get | Project | Workspace operations including backup and restore |
-| Team | team | create,list,update,delete,get | Tenant | Creation and management of user teams in Palette |
-| User | user | create,update,delete,get,list | Tenant | Creation and management of users in Palette |
-
-## Create Custom Role in Palette
-
-To create a custom role, login to the Palette console as `Tenant Admin`:
-
-1.From the left **Main Menu**, click on **Tenant Settings** and select **Roles**.
-
-2. Click **Create Role**, to open the `Add New Role` wizard
+- Scope
+- Permissions
+- Roles
-3. Give a `Role Name` of user choice.
+### Scope
-4. Clicking on a `Role Name` will show the permissions available under this role. `Default Roles` (built-in into the
- Palette system) cannot be edited or deleted. Select the scope from the available options:
+Scope defines the context in which the resources are located and their visibility. The scope can be either Tenant or
+Project. For example, a role within the project scope can conduct actions within a project, whereas a role within the
+tenant scope can conduct actions across all projects within the tenant.
- - Tenant
- - Project
+:::info
-5. Make your choice of **Permissions** and **Operations** to create a custom Palette role. After entering the
- `Role Name`, use the checkboxes to select the permissions. The checkbox list can be expanded to fine-tune the
- required permissions.
+Self-hosted Palette and VerteX instances have an additional scope called the System Scope. The system scope applies to
+the entire system. Only users with the system administrator role can perform actions in the system scope. System
+administrator access is only available to self-hosted instances.
-6. The created role can be viewed under the `Global Roles` list
+:::
-7. Click on the name of the role to:
+Scopes are organized hierarchically, with each level becoming more specific. Roles can be assigned at different scope
+levels, and the level you choose determines the role's range of influence. Use the scope to control the visibility of
+resources and to reduce the number of resources a role has access to.
- - `View`
- - `Edit Role`
- - `Delete Role`
+![palette-rbac-scope.webp](/user-management_palette-rbac_palette-rbac_scope-overview.webp)
-
+Key points to remember about scopes:
-**Example:**
+- Scopes control the visibility of the resource. The resource created in the higher scope will be visible and accessible
+ for use in the lower scope. For example, a cluster profile created in the tenant scope will be visible and accessible
+ in the project scope.
-If the user is creating a role under the Tenant scope for API Key operations, select the `API Key Permissions` and then
-from the drop-down menu of that permission, check (tick) the required API operations listed under API Key permissions.
-Similarly, several permissions can be combined to create a **Custom Role**. The created role can be assigned to an
-existing or new user.
+- Resource isolation is achieved by creating resources in the lower scope.
-
-
+- Resources with the same name may co-exist across different project scopes and will be distinguished with a scope icon
+ in the context column.
-### Assign Custom Roles to Users
+- In Terraform, when using the Spectro Cloud provider, the term context is used instead of scope. Refer to the
+ [Spectro Cloud provider](https://registry.terraform.io/providers/spectrocloud/spectrocloud/latest/docs) for more
+ information.
-1. Login to Palette console as `Tenant Admin`.
+### Visiblity
-2. Select **Users and Teams** from the left ribbon menu to list the [created users](../user-management.md).
+As a user, you can only view the resources that are in the same scope as your role, or what is allowed by the highest
+scope role you have. For example, if you have a role in the project scope, you can only view resources in the defined
+project or projects allowed by the role. If you have a role in the tenant scope, you can view resources in the tenant
+scope and all projects within the tenant.
-3. From the list of users **select the user** to be assigned with role to open the role addition wizard.
+When you log in to Palette, depending on the roles you have, you can change the scope from the
+[Project Dashboard](../../introduction/dashboard.md) page. Use the **drop-down Menu** at the top to change the project
+or switch to the tenant scope.
-4. Make the choice of role category from the top tabs:
+### Resource
- - Project Role
- - Tenant Role
- - Workspace Role
+Different resources in Palette exist at different scopes. Some resources are global and can be accessed across all
+scopes, while others are specific to a particular scope. For example, Users and Teams are managed at the Tenant scope,
+and are only accessible to Tenant administrators or Tenant roles with user modification permissions. Cloud accounts, on
+the other hand, can be defined at the Tenant scope and at the Project scope. However, if a cloud account is defined at
+the Tenant scope, it is accessible to all projects within the tenant. If a cloud account is defined at the Project
+scope, it is only accessible to that project.
-5. Once the choice of category is to br made by clicking on **+ New Role**.
+![A diagram of Palette's RBAC model](/user-management_palette-rback_palette-rbac-model.webp)
-6. In the **Add Roles to User-name** wizard, select the project name from the drop down and select the roles from the
- list.
+## Permissions
-7. Confirm to complete the wizard.
+Permissions determine the type of operations allowed on a resource. Permissions can be defined in the format
+`resourceKey.operation`. The resource key is the resource type, and the operation is the action that can be performed on
+the resource. For example, `cluster.create` allows the role to create a cluster. Permissions are assigned to roles.
-8. The role user association can be edited and deleted from the `kebab menu`.
+Review the [Permissions](permissions.md) page for a detailed list of all the permissions available in Palette.
-## Example Scenario:
+## Roles
-Palette has a number of permissions that you can potentially include in your custom role. Here is an example scenario
-enumerating the minimum permissions required for a user to **Create a Cluster** in Palette platform.
+A Role is a collection of permissions. When a role is assigned to a user or team, it means all the permissions the role
+contains are applied to the user or users in the team. The role's scope is determined by the type of role. Palette
+supports three types of roles. Refer to the table below for more information about the role types.
-
+| Role Type | Scope | Description |
+| --------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Tenant | Tenant | Tenant roles are assigned at the Tenant scope. These roles are used to manage resources at the Tenant scope and have access to all projects within the tenant. |
+| Project | Project | Project roles are assigned at the Project scope. These roles are used to limit a role's access to a specific project or set of projects. |
+| Resource | Project | Resource roles are unique roles that can be assigned at the project scope. They are more granular in nature and can be used to achieve Attribute-Based Access Control (ABAC). |
-#### 1. Decide the actions, scopes and permissions required by the user to Create a Cluster.
+For each role type, Palette provides a set of predefined roles out-of-the-box that you may use. Check out the following
+pages for more information:
-The role creation is done from the `Tenant Admin` console. For the above scenario, two roles needs to be created under
-`Project` and `Tenant` scope and attached to the user.
+- [Default Tenant Roles](./tenant-scope-roles-permissions.md)
-
+- [Default Project Roles](./project-scope-roles-permissions.md)
-#### 2. Identify the Permissions required under `Project Scope`:
+- [Default Resource Roles](./resource-scope-roles-permissions.md)
-- Add the minimum `Project` management permissions
+You can also create your own custom role of any type. To create a custom role, refer to the
+[Creating a Custom Role](./create-custom-role.md) page for detailed instructions.
- - project.list
- - project.get
+## Attribute-Based Access Control
-- Add the minimum permissions required for `Cloud Account` creation
+Attribute-Based Access Control (ABAC) is a model that uses attributes to determine access control. In Palette, ABAC is
+supported for a limited set of resources using [Resource roles](./resource-scope-roles-permissions.md). Resource roles
+are unique roles that can be assigned at the project scope. Each Resource role must be paired with a
+[Resource Filter](../../tenant-settings/filters.md), which is a set of attributes that define the resources the role can
+access. When a user is assigned a Resource role, they can only access resources that match the Resource Filter.
- - cloudaccount.create
- - cloudaccount.get
- - cloudaccount.list
+To illustrate ABAC with Resource roles, consider a scenario where you have a Resource role called **security-enforcer**
+that has the permission `clusterProfile.update`. This Resource role is paired with a Resource Filter that specifies the
+attribute, Tag, with a value `prodAllowed`. When a user is assigned the **security-enforcer** role, they can only update
+cluster profiles that have the tag `prodAllowed`.
-- Add the `ClusterProfile` permissions
+:::info
- - clusterProfile.create
- - clusterProfile.delete
- - clusterProfile.get
- - clusterProfile.list
- - clusterProfile.publish
- - clusterProfile.update
+In the example provided, assume the user with the Resource role assigned has other permissions required to view projects
+and list cluster profiles. For brevity, these permissions are not listed.
-- Add the `Cluster` permissions (for creating and listing the cluster)
+:::
- - cluster.create
- - cluster.list
- - cluster.get
+In the diagram below, the Resource role **security-enforcer** is allowed to update the cluster profile in Project A,
+which has the tag `prodAllowed`. If the user attempts to update the cluster profile in Project B, which lacks the tag
+`productionAllowed`, the operation is denied. If the cluster profile in Project B had the tag `prodAllowed`, the user
+would be able to update the cluster profile.
-- Add the `Location` permission.
+![ABAC with Resource roles](/user-management_palette-rback_abac_example.webp)
- - location.list
+If you are interested in using ABAC with Palette, check out the [ABAC in Palette](implement-abac.md) guide for a
+step-by-step guide on how to implement ABAC in Palette.
-- Add the `Cloud Configuration` permissions for node pool management
- - cloudconfig.create
+## Resources
-#### 3. Identify the Permissions required under `Tenant Scope`:
+- [Creating a Custom Role](./create-custom-role.md)
-To attach the Packs and Integrations from Palette public repository, add the `Registry Permissions`. The minimum
-permission required in this scenario is:
+- [Create and Manage a Role Assignment](./assign-a-role.md)
-- packRegistry.get
+- [Permissions](permissions.md)
-#### 4. Attach Roles to the User and Create the Cluster
+- [Default Tenant Roles](./tenant-scope-roles-permissions.md)
-- Once both the roles are created with the above scopes, attach them to the user.
+- [Default Project Roles](./project-scope-roles-permissions.md)
-- Login to Palette console using the user credentials to create the cluster profile and the cluster.
+- [Default Resource Roles](./resource-scope-roles-permissions.md)
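Review bot: The ABAC walkthrough names the same tag two different ways: the Resource Filter is defined with the value `prodAllowed`, but the Project B sentence says the profile "lacks the tag `productionAllowed`"; change that to `prodAllowed` so the denied case and the allowed case refer to the same attribute. This hunk also removes the worked scenario that enumerated the minimum `project`, `cloudaccount`, `clusterProfile`, `cluster`, `location`, `cloudconfig` and `packRegistry` permissions needed to create a cluster; that was the only least-privilege sizing example on the page, so if it is not being moved into `create-custom-role.md`, keep a condensed version or link to wherever it lands rather than dropping it.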
diff --git a/docs/docs-content/user-management/palette-rbac/permissions.md b/docs/docs-content/user-management/palette-rbac/permissions.md
new file mode 100644
index 0000000000..3ca2e55dc6
--- /dev/null
+++ b/docs/docs-content/user-management/palette-rbac/permissions.md
@@ -0,0 +1,310 @@
+---
+sidebar_label: "Permissions"
+title: "Permissions"
+description: "Review the available permissions in Palette."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 25
+tags: ["user-management", "permissions", "rbac"]
+---
+
+All actions in Palette are controlled by permissions. Permissions are assigned to roles, and roles are assigned to users
+or teams. Each Palette component has a corresponding _resource key_ and a set of operations that can be performed on
+that component.
+
+Palette components are managed at different scopes. The available scopes are Tenant and Project. The Tenant scope is
+global and applies to all projects within the tenant. The Project scope is specific to a project.
+
+## Components and Resource Keys
+
+The following table lists the available Palette components, their corresponding resource keys, and the applicable Role
+scopes you can assign permissions to.
+
+| Component | Resource Key | Tenant Role Scope | Project Role Scope | Resource Role Scope | Description |
+| -------------------- | -------------------- | ----------------- | ------------------ | ------------------- | -------------------------------------------------------------------------- |
+| API Key | `apiKey` | ✅ | | | API Key related operations |
+| Audit | `audit` | ✅ | | | Audit log access |
+| App Deployment | `appDeployment` | ✅ | ✅ | | Application deployment and management in the context of Palette Dev Engine |
+| App Profile | `appProfile` | | ✅ | | Management of Application profiles |
+| Cloud Account | `cloudaccount` | ✅ | ✅ | ✅ | Cloud account creation and management |
+| Cloud Config | `cloudconfig` | ✅ | ✅ | ✅ | Cluster level cloud configuration |
+| Cluster | `cluster` | ✅ | ✅ | ✅ | Creation and management of Palette workload clusters |
+| Cluster Group | `clusterGroup` | ✅ | ✅ | | Creation and management of cluster groups |
+| Cluster Profile | `clusterProfile` | ✅ | ✅ | ✅ | Creation and management of Palette cluster profiles |
+| DNS Mapping | `dnsMapping` | | ✅ | ✅ | Domain Name Server mapping services creation and management |
+| Edge Host | `edgehost` | ✅ | ✅ | | Edge host deployment and management |
+| Edge Host Token | `edgeToken` | ✅ | | | Edge host registration token management |
+| Filter | `filter` | ✅ | | | Creation and management of resource filters |
+| Location | `location` | ✅ | ✅ | ✅ | Location services related to backup and restore |
+| Macro | `macro` | ✅ | ✅ | ✅ | Key value management for Palette resources |
+| Machine | `machine` | ✅ | ✅ | ✅ | Palette node pool management |
+| Private Gateway | `privateGateway` | ✅ | | | Private Cloud Gateway creation and maintenance |
+| Registry | `packRegistry` | ✅ | ✅ | ✅ | Creation and management of registries |
+| Role | `role` | ✅ | | | Creation and management of Palette roles |
+| Project | `project` | ✅ | ✅ | | Creation and management of Palette projects |
+| Tag | `tag` | ✅ | ✅ | | Creation and management of tags |
+| Team | `team` | ✅ | | | Creation and management of user teams |
+| User | `user` | ✅ | | | Creation and management of users |
+| Virtual Cloud Config | `virtualCloudConfig` | | ✅ | | Allows the user to deploy and manage applications in virtual clusters |
+| Virtual Cluster | `virtualCluster` | | ✅ | | Creation and management of virtual clusters |
+| Virtual Machine | `virtualMachine` | | ✅ | | Creation and management of virtual machines |
+| Workspace | `workspace` | | ✅ | | Workspace operations including backup and restore |
+
+## Operations
+
+To review the operations that can be performed on each component, click on the Palette component name below to display
+the list of operations.
+
+
+
+
+- create
+- get
+- list
+- update
+- delete
+
+
+
+
+- get
+- list
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+- publish
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+- clone
+- migrate
+- pause
+- restart
+- resume
+- snapshotCreate
+- snapshotDelete
+- snapshotGet
+- snapshotList
+- snapshotUpdate
+- start
+- stop
+
+
+
+
+- create
+- delete
+- get
+- list
+- update
+- restore
+- backup
+
+
+
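Review bot: The components table is meant to be the canonical list of resource keys, but it does not agree with the role permission lists elsewhere in this PR: the project-scope role lists use `sshKey`, which is absent from the table, and `virtualCloudconfig`, while the table spells the key `virtualCloudConfig`; add `sshKey` and settle on one spelling so that a permission string can always be looked up here. If the operation lists follow the table order, the `tag` entry exposes only `update`, yet its description reads "Creation and management of tags"; align the description with the real operation set. The intro says the available scopes are Tenant and Project, but the table has a third column, Resource Role Scope; one sentence stating that Resource roles are a Project-scope role type paired with a Resource Filter (as `palette-rbac.md` describes) would remove the apparent mismatch. Finally, in the diff as shown the operation lists carry no component label, so a reader cannot tell which list belongs to which key; make sure each expandable block is titled with the component name and its `resourceKey`.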
diff --git a/docs/docs-content/user-management/palette-rbac/project-scope-roles-permissions.md b/docs/docs-content/user-management/palette-rbac/project-scope-roles-permissions.md
index 54ce4d5425..45a61f5bc8 100644
--- a/docs/docs-content/user-management/palette-rbac/project-scope-roles-permissions.md
+++ b/docs/docs-content/user-management/palette-rbac/project-scope-roles-permissions.md
@@ -1,32 +1,31 @@
---
-sidebar_label: "Project Scope Roles and Permissions"
+sidebar_label: "Project Roles"
title: "Project Roles"
-description: "The list of Global Project Roles under Project Scope"
+description: "Learn about the predefined roles available in Palette for managing resources within a project scope."
icon: ""
hide_table_of_contents: false
-sidebar_position: 10
-tags: ["user-management", "rbac"]
+sidebar_position: 40
+tags: ["user-management", "project", "rbac"]
---
-# Global Project Scope
+Palette provides the following Project roles out-of-the-box. These roles are predefined and cannot be modified. You can
+assign these roles to users and teams to manage the resources within the project scope. The roles are categorized based
+on the resources they can manage. If you need to manage resources across multiple projects, consider using a
+[Tenant](./tenant-scope-roles-permissions.md) role instead.
-The Global Project Scope holds a group of resources, in a logical grouping, to a specific project. Users and Teams with
-specific Roles can be associated with the Project, Cluster, or Cluster Profile you create.
+:::tip
-Palette has adopted the security principle of least privilege. Each user is assigned Roles and Permissions to the
-Scopes, Resources, and Components. The Permissions format is `resourceKey.operation`, where **resourceKey** refers to a
-resource or the API functionality, and _operation_ refers to the action or activity allowed.
+Create your own custom project role if none of the predefined roles meet your requirements. Refer to the
+[Create a Custom Role](./create-custom-role.md#project-roles) guide for more information.
-To view a list of the predefined roles and permissions, go to **Tenant Settings** > **Roles**, and you will find the
-list of **Global Roles**. If you need to extend your permissions, use the **Create Role** option.
+:::
-Below is the predefined list of Roles and Permissions for the Global Project Scope:
+## Default Project Roles
-
+Palette comes with a set of immutable predefined Project roles out-of-the-box that you can assign to users or teams. To
+review the permissions associated with each Project role, click on the role name to expand the list of permissions.
-## App Deployment
-
----
+### App Deployment
| Role Name | Description |
| --------------------- | ---------------------------------------------------------------------------------------- |
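Review bot: The new intro and the "Default Project Roles" section say the same thing twice ("These roles are predefined and cannot be modified" and, a few lines later, "a set of immutable predefined Project roles out-of-the-box"); keep one and let the section carry only the expand-to-view instruction. The rewrite also drops the sentence stating that Palette follows the principle of least privilege together with the `resourceKey.operation` explanation; the format is now covered by `permissions.md`, but the least-privilege guidance is not restated anywhere in this PR, and it is the rationale for choosing a narrow predefined role over Project Admin, so consider keeping a one-line version here or on the custom-role page. The removed navigation hint (**Tenant Settings** > **Roles**) was the only pointer to where these roles appear in the UI; if the tip is meant to replace it, add the path there.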
@@ -34,878 +33,960 @@ Below is the predefined list of Roles and Permissions for the Global Project Sco
| App Deployment Editor | Allows the user to perform edit operations on an App but not to create or delete an App. |
| App Deployment Viewer | Allows the user to view all the App resources but not to make modifications. |
-
-
-
-
-
-
-
-## App Deployment Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **appDeployment** | √ | √ | √ | √ | √ | | | | |
-| **appProfile** | | | √ | √ | | | | | |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **clusterGroup** | | | √ | √ | | | | | |
-| **location** | √ | √ | √ | √ | √ | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-| **sshKey** | √ | √ | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-| **virtualCloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **virtualCluster** | √ | √ | √ | √ | √ | | | | |
-
-
-
-
-
-
-## App Deployment Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **appDeployment** | | | √ | √ | √ | | | | |
-| **appProfile** | | | √ | √ | | | | | |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **clusterGroup** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | √ | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-| **sshKey** | | | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-| **virtualCloudconfig** | | | √ | √ | √ | | | | |
-| **virtualCluster** | | | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-## App Deployment Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **appDeployment** | | | √ | √ | | | | | |
-| **appProfile** | | | √ | √ | | | | | |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **clusterGroup** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-| **sshKey** | | | √ | √ | | | | | |
-| **virtualCloudconfig** | | | √ | √ | | | | | |
-| **virtualCluster** | | | √ | √ | | | | | |
-
-
-
-
-
-
-## App Profile
-
----
-
-| Role Names | Description |
+
+
+
+- appDeployment.create
+- appDeployment.delete
+- appDeployment.get
+- appDeployment.list
+- appDeployment.update
+- appProfile.get
+- appProfile.list
+- cloudaccount.get
+- cloudaccount.list
+- clusterGroup.get
+- clusterGroup.list
+- location.create
+- location.delete
+- location.get
+- location.list
+- location.update
+- machine.get
+- machine.list
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+- sshKey.create
+- sshKey.delete
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.create
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.create
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+
+
+
+
+- appDeployment.get
+- appDeployment.list
+- appDeployment.update
+- appProfile.get
+- appProfile.list
+- cloudaccount.get
+- cloudaccount.list
+- clusterGroup.get
+- clusterGroup.list
+- location.get
+- location.list
+- location.update
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+
+
+
+
+- appDeployment.get
+- appDeployment.list
+- appProfile.get
+- appProfile.list
+- cloudaccount.get
+- cloudaccount.list
+- clusterGroup.get
+- clusterGroup.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+- sshKey.get
+- sshKey.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCluster.get
+- virtualCluster.list
+
+
+
+
+### App Profile
+
+| Role Name | Description |
| ------------------ | ------------------------------------------------------------------------------------------------------ |
| App Profile Admin | Provides administrative privilege to perform all the App operations on App profile resources. |
| App Profile Editor | Allows the user to perform edit operations on App profiles but not to create or delete an App profile. |
| App Profile Viewer | Allows the user to view all the App profile resources but not to modify them. |
-
-
-
-
-
-
-
-## App Profile Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **appProfile** | √ | √ | √ | √ | √ | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-
-
-
-
-
-
-## App Profile Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **appProfile** | | | √ | √ | √ | | | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-## App Profile Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **appProfile** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-
-
-
-
-
-
-## Project
-
----
-
-| Role Names | Description |
-| -------------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| Project Admin | The Project Admin role is a closure of all the project operations. It is a administrative privilege for the project resources |
-| Project Editor | The Project Editor role can perform edit operations within a project, but the user is not able to create or delete a project |
-| Project Viewer | The Project Viewer will be able to view all the resources within a project, but not privileged to make modifications |
-
-
-
-
-
-
-
-
-## Project Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **audit** | | | √ | √ | | | | | |
-| **cloudaccount** | √ | √ | √ | √ | √ | | | | |
-| **cloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **cluster** | √ | √ | √ | √ | √ | √ | | | |
-| **clusterProfile** | √ | √ | √ | √ | √ | | √ | | |
-| **clusterRbac** | √ | √ | √ | √ | √ | | | | |
-| **dnsMapping** | √ | √ | √ | √ | √ | | | | |
-| **edgehost** | √ | √ | √ | √ | √ | | | | |
-| **location** | √ | √ | √ | √ | √ | | | | |
-| **machine** | √ | √ | √ | √ | √ | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | √ | √ | √ | √ | √ | | | | |
-| **project** | | | √ | √ | √ | | | | |
-| **sshKey** | √ | √ | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-| **workspace** | √ | √ | √ | √ | √ | | | √ | √ |
-
-
-
-
-
-
-## Project Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **audit** | | | √ | √ | | | | | |
-| **cloudaccount** | | | √ | √ | √ | | | | |
-| **cloudconfig** | √ | | √ | √ | √ | | | | |
-| **cluster** | | | √ | √ | √ | | | | |
-| **clusterProfile** | | | √ | √ | √ | | √ | | |
-| **clusterRbac** | | | √ | √ | √ | | | | |
-| **dnsMapping** | | | √ | √ | √ | | | | |
-| **edgehost** | | | √ | √ | √ | | | | |
-| **location** | | | √ | √ | √ | | | | |
-| **machine** | | √ | √ | √ | √ | | | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | | | √ | √ | √ | | | | |
-| **project** | | | √ | √ | √ | | | | |
-| **sshKey** | | | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-| **workspace** | | | √ | √ | √ | | | √ | √ |
-
-
-
-
-
-
-
-
-## Project Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **audit** | √ | | | | √ | | | | |
-| **cloudaccount** | √ | | | | √ | | | | |
-| **cloudconfig** | √ | | | | √ | | | | |
-| **cluster** | √ | | | | √ | | | | |
-| **clusterProfile** | √ | | | | √ | | | | |
-| **dnsMapping** | √ | | | | √ | | | | |
-| **edgehost** | √ | | | | √ | | | | |
-| **location** | √ | | | | √ | | | | |
-| **machine** | √ | | | | √ | | | | |
-| **macro** | √ | | | | √ | | | | |
-| **packRegistry** | √ | | | | √ | | | | |
-| **privateGateway** | √ | | | | √ | | | | |
-| **project** | √ | | | | √ | | | | |
-| **sshKey** | √ | | | | √ | | | | |
-| **workspace** | √ | | | | √ | | | | |
-
-
-
-
-
-
-## Cluster Profile
-
----
-
-The user with these permissions can manage the Cluster Profiles within a project.
-
-
-
-| Role Names | Description |
-| ---------------------- | --------------------------------------------------------------------------------------------- |
-| Cluster Profile Admin | Cluster Profile Admin role has admin privileges to all the cluster profile operations |
-| Cluster Profile Editor | Cluster Profile Editor role has privileges to edit and list operations on the cluster profile |
-| Cluster Profile Viewer | Cluster Profile Viewer role has read-only privileges to cluster profiles |
-
-
-
-
-
-
-
-## Cluster Profile Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | √ | √ | √ | √ | √ | | √ | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | √ | √ | | | | | | | |
-| **tag** | | | | | √ | | | | |
-
-
-
-
-
-
-
-
-## Cluster Profile Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | | | √ | √ | √ | | √ | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **tag** | | | | | √ | | | | |
-
-
-
-
-
-
-
-
-## Cluster Profile Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-## Cluster
-
----
-
-
-
-
-
-| Role Names | Description |
-| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Cluster Admin | A cluster admin in Project scope has all the privileges related to cluster operation |
-| Cluster Editor | A cluster editor in Project scope has the privileges to update, delete,get and list cluster resources. This role is not privileged for cluster creation |
-| Cluster Viewer | A cluster viewer in Project scope is a read-only privilege to cluster operations |
-
-
-
-
-
-
-
-
-
-## Cluster Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **cluster** | √ | √ | √ | √ | √ | √ | | | |
-| **clusterProfile** | √ | √ | | | | | | | |
-| **clusterRbac** | √ | √ | √ | √ | √ | | | | |
-| **dnsMapping** | √ | √ | √ | √ | √ | | | | |
-| **edgehost** | √ | √ | √ | √ | √ | | | | |
-| **location** | √ | √ | √ | √ | √ | | | | |
-| **machine** | √ | √ | √ | √ | √ | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | √ | √ | | | | | | | |
-| **privateGateway** | √ | √ | | | | | | | |
-| **tag** | | | | | √ | | | | |
-| **sshKey** | √ | √ | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-## Cluster Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | | | √ | √ | √ | | | | |
-| **cluster** | | | √ | √ | √ | | | | |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **clusterRbac** | | | √ | √ | √ | | | | |
-| **dnsMapping** | | | √ | √ | √ | | | | |
-| **edgehost** | | | √ | √ | √ | | | | |
-| **location** | | | √ | √ | √ | | | | |
-| **machine** | | √ | √ | √ | √ | | | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | | | √ | √ | | | | | |
-| **tag** | | | | | √ | | | | |
-| **sshKey** | | | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-## Cluster Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | | | √ | √ | | | | | |
-| **cluster** | | | √ | √ | | | | | |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **clusterRbac** | | | √ | √ | | | | | |
-| **dnsMapping** | | | √ | √ | | | | | |
-| **edgehost** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | | | √ | √ | | | | | |
-| **sshKey** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-## Cloud Account
-
----
-
-
-
-| Role Names | Description |
-| ---------------------- | ---------------------------------------------------- |
-| Cluster Account Admin | An administrative access to cloud account operations |
-| Cluster Account Editor | An editor access to cloud cloud account operations |
-| Cluster Account Viewer | A read-only role for cloud account operations |
-
-
-
-
-
-
-
-
-## Cluster Account Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | √ | √ | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-## Cluster Account Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-## Cluster Account Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-
-
-
-
-
-
-## Workspace
-
----
-
-
-
-| Role Names | Description |
-| ---------------- | ------------------------------------------ |
-| Workspace Admin | Administrator role to workspace operations |
-| Workspace Editor | Editor role to workspace operations |
-
-
-
-
-
-
-
-
-## Workspace Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **workspace** | √ | √ | √ | √ | √ | | | √ | √ |
-
-
-
-
-
-
-
-
-## Workspace Operator
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **workspace** | | | √ | √ | | | | √ | √ |
-
-
-
-
-
-
-
-
-## Virtual Cluster
-
----
-
-| Role Names | Description |
+
+
+
+- appProfile.create
+- appProfile.delete
+- appProfile.get
+- appProfile.list
+- appProfile.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+
+
+
+
+- appProfile.get
+- appProfile.list
+- appProfile.update
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+
+
+
+
+- appProfile.get
+- appProfile.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+
+
+
+
+### Cloud Account
+
+| Role Name | Description |
+| -------------------- | ----------------------------------------------------- |
+| Cloud Account Admin | An administrative access to cloud account operations. |
+| Cloud Account Editor | An editor access to cloud account operations. |
+| Cloud Account Viewer | A read-only role for cloud account operations. |
+
+
+
+
+- cloudaccount.create
+- cloudaccount.delete
+- cloudaccount.get
+- cloudaccount.list
+- cloudaccount.update
+- project.get
+- project.list
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudaccount.update
+- project.get
+- project.list
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- project.get
+- project.list
+
+
+
+
+### Cluster
+
+| Role Name | Description |
+| -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Cluster Admin | A cluster admin in the Project scope has all the privileges related to the cluster operation. |
+| Cluster Editor | A cluster editor in the Project scope has the privileges to update, delete, get, and list cluster resources. This role is not privileged for cluster creation. |
+| Cluster Viewer | A cluster viewer in Project scope is a read-only privilege to cluster operations. |
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.create
+- cloudconfig.delete
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.create
+- cluster.delete
+- cluster.get
+- cluster.import
+- cluster.list
+- cluster.update
+- clusterGroup.get
+- clusterGroup.list
+- clusterProfile.get
+- clusterProfile.list
+- dnsMapping.create
+- dnsMapping.delete
+- dnsMapping.get
+- dnsMapping.list
+- dnsMapping.update
+- edgehost.create
+- edgehost.delete
+- edgehost.get
+- edgehost.list
+- edgehost.update
+- location.create
+- location.delete
+- location.get
+- location.list
+- location.update
+- machine.create
+- machine.delete
+- machine.get
+- machine.list
+- machine.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- privateGateway.get
+- privateGateway.list
+- project.get
+- project.list
+- sshKey.create
+- sshKey.delete
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.create
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.create
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.get
+- cluster.list
+- cluster.update
+- clusterGroup.get
+- clusterGroup.list
+- clusterProfile.get
+- clusterProfile.list
+- dnsMapping.get
+- dnsMapping.list
+- dnsMapping.update
+- edgehost.get
+- edgehost.list
+- edgehost.update
+- location.get
+- location.list
+- location.update
+- machine.delete
+- machine.get
+- machine.list
+- machine.update
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- privateGateway.get
+- privateGateway.list
+- project.get
+- project.list
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.get
+- cloudconfig.list
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+- clusterProfile.get
+- clusterProfile.list
+- dnsMapping.get
+- dnsMapping.list
+- edgehost.get
+- edgehost.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- privateGateway.get
+- privateGateway.list
+- project.get
+- project.list
+- sshKey.get
+- sshKey.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCluster.get
+- virtualCluster.list
+- virtualMachine.get
+- virtualMachine.list
+
+
+
+
+### Cluster Profile
+
+| Role Name | Description |
+| ---------------------- | ---------------------------------------------------------------------------------------------- |
+| Cluster Profile Admin | Cluster Profile Admin role has admin privileges to all the cluster profile operations. |
+| Cluster Profile Editor | Cluster Profile Editor role has privileges to edit and list operations on the cluster profile. |
+| Cluster Profile Viewer | Cluster Profile Viewer role has read-only privileges to cluster profiles. |
+
+
+
+
+- clusterProfile.create
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+- tag.update
+
+
+
+
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+- tag.update
+
+
+
+
+- clusterProfile.get
+- clusterProfile.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- project.get
+- project.list
+
+
+
+
+### Project
+
+| Role Name | Description |
+| -------------- | ------------------------------------------------------------------------------------------------------------------------------- |
+| Project Admin | The Project Admin role is a closure of all the project operations. It is an administrative privilege for the project resources. |
+| Project Editor | The Project Editor role can perform edit operations within a project, but the user is not able to create or delete a project. |
+| Project Viewer | The Project Viewer will be able to view all the resources within a project, but is not privileged to make modifications. |
+
+
+
+
+- appDeployment.create
+- appDeployment.delete
+- appDeployment.get
+- appDeployment.list
+- appDeployment.update
+- appProfile.create
+- appProfile.delete
+- appProfile.get
+- appProfile.list
+- appProfile.update
+- audit.get
+- audit.list
+- cloudaccount.create
+- cloudaccount.delete
+- cloudaccount.get
+- cloudaccount.list
+- cloudaccount.update
+- cloudconfig.create
+- cloudconfig.delete
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.create
+- cluster.delete
+- cluster.get
+- cluster.import
+- cluster.list
+- cluster.update
+- clusterGroup.create
+- clusterGroup.delete
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- clusterProfile.create
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- dnsMapping.create
+- dnsMapping.delete
+- dnsMapping.get
+- dnsMapping.list
+- dnsMapping.update
+- edgehost.create
+- edgehost.delete
+- edgehost.get
+- edgehost.list
+- edgehost.update
+- location.create
+- location.delete
+- location.get
+- location.list
+- location.update
+- machine.create
+- machine.delete
+- machine.get
+- machine.list
+- machine.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- privateGateway.create
+- privateGateway.delete
+- privateGateway.get
+- privateGateway.list
+- privateGateway.update
+- project.get
+- project.list
+- project.update
+- sshKey.create
+- sshKey.delete
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.create
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.create
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+- workspace.backup
+- workspace.create
+- workspace.delete
+- workspace.get
+- workspace.list
+- workspace.restore
+- workspace.update
+
+
+
+
+- appDeployment.get
+- appDeployment.list
+- appDeployment.update
+- appProfile.get
+- appProfile.list
+- appProfile.update
+- audit.get
+- audit.list
+- cloudaccount.get
+- cloudaccount.list
+- cloudaccount.update
+- cloudconfig.create
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.get
+- cluster.list
+- cluster.update
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- dnsMapping.get
+- dnsMapping.list
+- dnsMapping.update
+- edgehost.get
+- edgehost.list
+- edgehost.update
+- location.get
+- location.list
+- location.update
+- machine.delete
+- machine.get
+- machine.list
+- machine.update
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- privateGateway.get
+- privateGateway.list
+- privateGateway.update
+- project.get
+- project.list
+- project.update
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+- workspace.backup
+- workspace.get
+- workspace.list
+- workspace.restore
+- workspace.update
+
+
+
+
+- appDeployment.get
+- appDeployment.list
+- appProfile.get
+- appProfile.list
+- audit.get
+- audit.list
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.get
+- cloudconfig.list
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+- clusterProfile.get
+- clusterProfile.list
+- dnsMapping.get
+- dnsMapping.list
+- edgehost.get
+- edgehost.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- privateGateway.get
+- privateGateway.list
+- project.get
+- project.list
+- sshKey.get
+- sshKey.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCluster.get
+- virtualCluster.list
+- workspace.get
+- workspace.list
+
+
+
+
+### Project Cluster Group
+
+| Role Name | Description |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------- |
+| Project Cluster Group Admin | Provides administrative privilege to perform all the operations on the cluster group resources. |
+| Project Cluster Group Editor | Allows the user to perform edit operations on a cluster group but not to create or delete a cluster group. |
+| Project Cluster Group Viewer | Allows the user to view all the cluster group resources but not to modify them. |
+
+
+
+
+- cluster.get
+- cluster.list
+- clusterGroup.create
+- clusterGroup.delete
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- project.get
+- project.list
+- tag.update
+
+
+
+
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- project.get
+- project.list
+- tag.update
+
+
+
+
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+- project.get
+- project.list
+
+
+
+
+### Virtual Cluster
+
+| Role Name | Description |
| ---------------------- | -------------------------------------------------------------------------------------------------------------- |
| Virtual Cluster Admin | Provides administrative privilege to perform all virtual cluster operations on App resources. |
| Virtual Cluster Editor | Allows the user to perform edit operations on a virtual cluster but not to create or delete a virtual cluster. |
| Virtual Cluster Viewer | Allows the user to view all the virtual cluster resources but not to modify them. |
-
-
-
-
-
-
-
-## Virtual Cluster Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterGroup** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **project** | | | √ | √ | | | | | |
-| **tag** | | | | | √ | | | | |
-| **virtualCloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **virtualCluster** | √ | √ | √ | √ | √ | | | | |
-
-
-
-
-
-
-## Virtual Cluster Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterGroup** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **project** | | | √ | √ | | | | | |
-| **tag** | | | | | √ | | | | |
-| **virtualCloudconfig** | | | √ | √ | √ | | | | |
-| **virtualCluster** | | | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-## Virtual Cluster Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterGroup** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-| **virtualCloudconfig** | | | √ | √ | | | | | |
-| **virtualCluster** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+- clusterGroup.get
+- clusterGroup.list
+- location.get
+- location.list
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- project.get
+- project.list
+- tag.update
+- virtualCloudconfig.create
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.create
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+
+
+
+
+- clusterGroup.get
+- clusterGroup.list
+- location.get
+- location.list
+- macro.get
+- macro.list
+- macro.update
+- project.get
+- project.list
+- tag.update
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+
+
+
+
+- clusterGroup.get
+- clusterGroup.list
+- location.get
+- location.list
+- macro.get
+- macro.list
+- project.get
+- project.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCluster.get
+- virtualCluster.list
+
+
+
+
+### Virtual Machine
+
+| Role Name | Description |
+| -------------------------- | --------------------------------------------------------------------------------------------- |
+| Virtual Machine Admin | Provides administrative privilege to perform all the virtual machine operations. |
+| Virtual Machine Power User | Provides the user with the ability to most of the virtual machine operations. |
+| Virtual Machine User | Provides the user with the ability to perform non-destructive operations on virtual machines. |
+| Virtual Machine Viewer | Provides the user with the ability to view virtual machines. |
+
+
+
+
+- project.get
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- project.get
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- project.get
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- project.get
+- virtualMachine.get
+- virtualMachine.list
+
+
+
+
+### Workspace
+
+| Role Name | Description |
+| ---------------- | ------------------------------------------- |
+| Workspace Admin | Administrator role to workspace operations. |
+| Workspace Editor | Editor role to workspace operations. |
+
+
+
+
+- cluster.list
+- location.list
+- project.get
+- project.list
+- tag.update
+- workspace.backup
+- workspace.create
+- workspace.delete
+- workspace.get
+- workspace.list
+- workspace.restore
+- workspace.update
+
+
+
+
+- cluster.list
+- location.list
+- project.get
+- project.list
+- workspace.backup
+- workspace.get
+- workspace.list
+- workspace.restore
+
+
+
+
+## Resources
+
+- [Permissions](./permissions.md)
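Review bot: the Cluster Editor description under `### Cluster` ("has the privileges to update, delete, get, and list cluster resources") does not match the Cluster Editor permission list that follows it, which carries `cluster.get`, `cluster.list` and `cluster.update` but no `cluster.delete` (the only delete it grants is `machine.delete`); either add `cluster.delete` to the list or drop "delete" from the description. Two further mismatches in this hunk: under `### Virtual Machine` the Admin and Power User lists are identical, so the Power User row ("Provides the user with the ability to most of the virtual machine operations", which also needs "perform" after "to") should either describe a genuinely smaller set of permissions or be merged with Admin; and under `### Workspace` the second list has `workspace.backup`, `workspace.get`, `workspace.list` and `workspace.restore` but no `workspace.update`, `workspace.create` or `workspace.delete`, which fits the removed "Workspace Operator" heading better than the "Editor role to workspace operations" description. Finally, every permission list is preceded only by blank lines with no role name, so a reader cannot tell which of the three roles in the preceding table a list belongs to unless collapsible elements omitted from this view supply it; if they do not, add a heading naming the role above each list.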
diff --git a/docs/docs-content/user-management/palette-rbac/resource-scope-roles-permissions.md b/docs/docs-content/user-management/palette-rbac/resource-scope-roles-permissions.md
index bb9f232947..a9cdbfad53 100644
--- a/docs/docs-content/user-management/palette-rbac/resource-scope-roles-permissions.md
+++ b/docs/docs-content/user-management/palette-rbac/resource-scope-roles-permissions.md
@@ -1,317 +1,224 @@
---
-sidebar_label: "Palette Resource Roles"
-title: "Palette Global and Custom Resource Roles "
+sidebar_label: "Resource Roles"
+title: "Resource Roles "
description: "Palette contains global resource roles and supports the ability to create custom resource roles."
hide_table_of_contents: false
-sidebar_position: 20
+sidebar_position: 50
tags: ["user-management", "rbac"]
---
-Palette support two types of resource roles, global resource roles and custom resource roles:
+A Resource role is scoped at the project level and has a set of permissions that define the actions a user can perform
+on Palette resources within a project. Resource roles have limited resource keys available compared to Project or Tenant
+roles. You can use Resource roles to achieve Attribute-Based Access Control (ABAC) by pairing them with
+[Resource filters](../../tenant-settings/filters.md)
-
+All resource roles must be paired with a Filter when assigned to a User or Team. The combination of a Resource role and
+a Resource filter allows you to control access based on a tag value.
-- Global Resource Roles are a set of roles built in and available to you.
+For example, a Resource role that grants all cluster permissions, `cluster.*`, can be assigned to a user for a specific
+project, with a Resource filter where the tag value is `claims`. This user will have full access to all clusters in the
+project that have the tag `claims`.
-- Custom Resource Roles, are roles you can create in Palette using a set of permissions and operations.
+:::tip
-To learn how to create a custom role. Review the [Create Custom Role](#palette-custom-resource-roles) guide.
+Create your own custom Resource role if none of the predefined roles meet your requirements. Refer to the
+[Create a Custom Role](./create-custom-role.md#create-a-custom-resource-role) guide for more information.
-## Palette Global Resource Roles
+:::
-Palette provides the following built-in global resource roles:
+## Default Resource Roles
-
+Palette comes with a set of immutable predefined Resource roles out-of-the-box that you can assign to users or teams. To
+review the permissions associated with each Resource role, click on the role name to expand the list of permissions.
-- [Cluster](#cluster)
+### Cluster
- - Resource Cluster Admin
-
- - Resource Cluster Editor
-
- - Resource Cluster Viewer
-
-- [Cluster Profile](#cluster-profile)
-
- - Resource Cluster Profile Admin
-
- - Resource Cluster Profile Editor
-
- - Resource Cluster Profile Viewer
-
-
-
-## Cluster
-
-
-
-| Role Names | Description |
+| Role Name | Description |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Resource Cluster Admin | A cluster admin in Project scope has all the privileges related to cluster operation |
| Resource Cluster Editor | A cluster editor in Project scope has the privileges to update, delete,get and list cluster resources. This role is not privileged for cluster creation |
| Resource Cluster Viewer | A cluster viewer in Project scope is a read-only privilege to cluster operations |
-
-
-
-
-
-
-
-
-### Resource Cluster Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **cluster** | √ | √ | √ | √ | √ | √ | | | |
-| **clusterProfile** | √ | √ | | | | | | | |
-| **clusterRbac** | √ | √ | √ | √ | √ | | | | |
-| **dnsMapping** | √ | √ | √ | √ | √ | | | | |
-| **edgehost** | √ | √ | √ | √ | √ | | | | |
-| **location** | √ | √ | √ | √ | √ | | | | |
-| **machine** | √ | √ | √ | √ | √ | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | √ | √ | | | | | | | |
-| **privateGateway** | √ | √ | | | | | | | |
-| **sshKey** | √ | √ | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-### Resource Cluster Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | | | √ | √ | √ | | | | |
-| **cluster** | | | √ | √ | √ | | | | |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **clusterRbac** | | | √ | √ | √ | | | | |
-| **dnsMapping** | | | √ | √ | √ | | | | |
-| **edgehost** | | | √ | √ | √ | | | | |
-| **location** | | | √ | √ | √ | | | | |
-| **machine** | | √ | √ | √ | √ | | | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | | | √ | √ | | | | | |
-| **sshKey** | | | √ | √ | √ | | | | |
-
-
-
-
-
-
-
-
-### Resource Cluster Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | | | √ | √ | | | | | |
-| **cluster** | | | √ | √ | | | | | |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **clusterRbac** | | | √ | √ | | | | | |
-| **dnsMapping** | | | √ | √ | | | | | |
-| **edgehost** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | | | √ | √ | | | | | |
-| **sshKey** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-## Cluster Profile
-
-The user with these permissions can manage the Cluster Profiles within a project.
-
-
-
-| Role Names | Description |
-| ---------------------- | --------------------------------------------------------------------------------------------- |
-| Cluster Profile Admin | Cluster Profile Admin role has admin privileges to all the cluster profile operations |
-| Cluster Profile Editor | Cluster Profile Editor role has privileges to edit and list operations on the cluster profile |
-| Cluster Profile Viewer | Cluster Profile Viewer role has read-only privileges to cluster profiles |
-
-
-
-
-
-
-
-### Resource Cluster Profile Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | √ | √ | √ | √ | √ | | √ | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | √ | √ | | | | | | | |
-
-
-
-
-
-
-
-
-### Resource Cluster Profile Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | | | √ | √ | √ | | √ | | |
-| **macro** | | | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-### Resource Cluster Profile Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-
-
-
-
-
-
-
-
-## Palette Custom Resource Roles
-
-
-
-The following is a list of platform permissions and operations supported by Palette. Use these permissions to
-[create custom role](../new-user.md#create-custom-role) to control the cluster access. For every **Resource Keys**
-available **operations** can be added as per your requirements.
-
-
-
-## List of Custom Permissions
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | | √ | √ | √ | √ | | | | |
-| **cluster** | | √ | √ | √ | √ | | | | |
-| **clusterProfile** | | √ | √ | √ | √ | | √ | | |
-| **dnsMapping** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.delete
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.delete
+- cluster.get
+- cluster.list
+- cluster.update
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.update
+- dnsMapping.get
+- dnsMapping.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- sshKey.get
+- sshKey.list
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.get
+- cluster.list
+- cluster.update
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.update
+- dnsMapping.get
+- dnsMapping.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- sshKey.get
+- sshKey.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+
+
+
+
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.get
+- cloudconfig.list
+- cluster.get
+- cluster.list
+- clusterProfile.get
+- clusterProfile.list
+- dnsMapping.get
+- dnsMapping.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- sshKey.get
+- sshKey.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCluster.get
+- virtualCluster.list
+- virtualMachine.get
+- virtualMachine.list
+
+
+
+
+### Cluster Profile
+
+| Role Name | Description |
+| ------------------------------- | ------------------------------------------------------------------------ |
+| Resource Cluster Profile Admin | A role has admin privileges to all the cluster profile operations |
+| Resource Cluster Profile Editor | A role has privileges to edit and list operations on the cluster profile |
+| Resource Cluster Profile Viewer | A role has read-only privileges to cluster profiles |
+
+
+
+
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+
+
+
+
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+
+
+
+
+- clusterProfile.get
+- clusterProfile.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+
+
+
## Resources
-[Resource Scope Matrix](palette-rbac.md#resource-scope-matrix)
+- [Permissions](./permissions.md)
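Review bot: the Cluster Profile role descriptions do not match the permission lists beneath them: the Editor row says "edit and list operations", but the second list grants `clusterProfile.publish` as well as `clusterProfile.update`, and publishing a profile is a distinct action that the description should name. The phrasing "A role has admin privileges to all the cluster profile operations" is also ungrammatical; suggest "Grants admin privileges for all cluster profile operations", "Grants edit, list, and publish privileges for cluster profiles", and "Grants read-only access to cluster profiles". Separately, as this diff renders, nothing labels which role each permission list belongs to (the lists are separated only by runs of four blank `+` lines, for example after `virtualMachine.update` and after `packRegistry.list`); please confirm each list appears under a visible role name on the rendered page, since a bare list of permissions cannot be tied back to a role otherwise.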
diff --git a/docs/docs-content/user-management/palette-rbac/tenant-scope-roles-permissions.md b/docs/docs-content/user-management/palette-rbac/tenant-scope-roles-permissions.md
index 5392995be2..3e142e01a6 100644
--- a/docs/docs-content/user-management/palette-rbac/tenant-scope-roles-permissions.md
+++ b/docs/docs-content/user-management/palette-rbac/tenant-scope-roles-permissions.md
@@ -1,358 +1,531 @@
---
-sidebar_label: "Tenant Scope Roles and Permissions"
+sidebar_label: "Tenant Roles"
title: "Tenant Roles"
-description: "The list of Global Tenant Roles under Tenant Scope"
+description: "Learn about the predefined roles and permissions for the Tenant scope in Palette."
icon: ""
hide_table_of_contents: false
-sidebar_position: 0
-tags: ["user-management", "rbac"]
+sidebar_position: 30
+tags: ["user-management", "teanant", "rbac"]
---
-## Global Tenant Scope
+Palette provides the following Tenant roles out-of-the-box. These roles are predefined and cannot be modified. You can
+assign these roles to users and teams. The roles are categorized based on the resources they can manage. Each of these
+roles is scoped at the tenant level. This means the permissions granted to a user or team span across all projects. If
+you need to narrow the scope down to a single project or a handful of projects, consider using a
+[Project](./project-scope-roles-permissions.md) role instead.
-Tenant is an isolated workspace within the Palette Console. Users and teams with specific roles can be associated with
-the [tenants](../../glossary-all.md#organization) and [projects](../../glossary-all.md#project) you create.
+:::tip
-Each user is assigned a role and permissions, which apply to the scopes, resources, and resourceKey. The Permissions
-format is `resourceKey.operation`, where resourceKey refers to resource or the API functionality, and Operation refers
-to the permitted action or activity.
-
-To view the list of the predefined roles and permissions, ensure you are in the project scope **Tenant**. Next, navigate
-to the left **Main Menu** and click on **Tenant Settings** > **Roles**, and you will find the list of **Global Roles**.
-If you need to extend permissions, create a custom role by using the
-[Create Role](palette-rbac.md#create-custom-role-in-palette) option.
-
-Below is the list of Roles and Permissions that already predefined for the Global Tenant Scope.
-
-
-
-:::info
-
-All users can view tags assigned to a resource. In technical terms, all users inherit the permission `tag.get` by
-default.
+Create your own custom tenant role if none of the predefined roles meet your requirements. Refer to the
+[Create a Custom Role](./create-custom-role.md#tenant-roles) guide for more information.
:::
-
-
-## Tenants
-
----
-
-| Role Names | Description |
-| -------------------- | -------------------------------------------------------------------------------------------------------------------------- |
-| Tenant Admin | Allows the user to create projects and manage projects within the tenant, covered under all operations related to projects |
-| Tenant Viewer | Provides a read only access to all the project resources |
-| Tenant Project Admin | The role with complete access to an existing project |
-
-The table enlists the role wise resourceKeys and Operations that are predefined under the Global Tenant Scope:
-
-
-
-
-
-
-
-
-
-
-## Tenant Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **apiKey** | √ | √ | √ | √ | √ | | | | |
-| **audit** | | | √ | √ | | | | | |
-| **cloudaccount** | √ | √ | √ | √ | √ | | | | |
-| **cloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **cluster** | √ | √ | √ | √ | √ | √ | | | |
-| **clusterProfile** | √ | √ | √ | √ | √ | | √ | | |
-| **clusterRbac** | √ | √ | √ | √ | √ | | | | |
-| **dnsMapping** | √ | √ | √ | √ | √ | | | | |
-| **edgehost** | √ | √ | √ | √ | √ | | | | |
-| **location** | √ | √ | √ | √ | √ | | | | |
-| **machine** | √ | √ | √ | √ | √ | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | √ | √ | √ | √ | √ | | | | |
-| **privateGateway** | √ | √ | √ | √ | √ | | | | |
-| **project** | √ | √ | √ | √ | √ | | | | |
-| **role** | √ | √ | √ | √ | √ | | | | |
-| **sshKey** | √ | √ | √ | √ | √ | | | | |
-| **team** | √ | √ | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-| **user** | √ | √ | √ | √ | √ | | | | |
-| **workspace** | √ | √ | √ | √ | √ | | | √ | √ |
-
-
-
-
-
-
-
-
-## Tenant Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **apiKey** | | | √ | √ | | | | | |
-| **audit** | | | √ | √ | | | | | |
-| **cloudaccount** | | | √ | √ | | | | | |
-| **cloudconfig** | | | √ | √ | | | | | |
-| **cluster** | | | √ | √ | | | | | |
-| **clusterProfile** | | | √ | √ | | | | | |
-| **clusterRbac** | | | √ | √ | | | | | |
-| **dnsMapping** | | | √ | √ | | | | | |
-| **edgehost** | | | √ | √ | | | | | |
-| **location** | | | √ | √ | | | | | |
-| **machine** | | | √ | √ | | | | | |
-| **macro** | | | √ | √ | | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **privateGateway** | | | √ | √ | | | | | |
-| **project** | | | √ | √ | | | | | |
-| **role** | | | √ | √ | | | | | |
-| **sshKey** | | | √ | √ | | | | | |
-| **team** | | | √ | √ | | | | | |
-| **user** | | | √ | √ | | | | | |
-| **workspace** | | | √ | √ | | | | | |
-
-
-
-
-
-
-## Tenant Project Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **apiKey** | | | √ | √ | | | | | |
-| **audit** | | | √ | √ | | | | | |
-| **cloudaccount** | √ | √ | √ | √ | √ | | | | |
-| **cloudconfig** | √ | √ | √ | √ | √ | | | | |
-| **cluster** | √ | √ | √ | √ | √ | √ | | | |
-| **clusterProfile** | √ | √ | √ | √ | √ | | √ | | |
-| **clusterRbac** | √ | √ | √ | √ | √ | | | | |
-| **dnsMapping** | √ | √ | √ | √ | √ | | | | |
-| **edgehost** | √ | √ | √ | √ | √ | | | | |
-| **location** | √ | √ | √ | √ | √ | | | | |
-| **machine** | √ | √ | √ | √ | √ | | | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | √ | √ | √ | √ | √ | | | | |
-| **privateGateway** | √ | √ | √ | √ | √ | | | | |
-| **project** | √ | √ | √ | √ | √ | | | | |
-| **sshKey** | √ | √ | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-| **workspace** | √ | √ | √ | √ | √ | | | √ | √ |
-
-
-
-
-
-
-
-## Cluster Profile
-
----
-
-| Role Names | Description |
-| ---------------------------- | -------------------------------------------------------------------------------- |
-| Tenant Cluster Profile Admin | A role which has complete access to all the `Cluster Profile` related operations |
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ------------------ | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **clusterProfile** | √ | √ | √ | √ | √ | | √ | | |
-| **macro** | √ | √ | √ | √ | √ | | | | |
-| **packRegistry** | | | √ | √ | | | | | |
-| **tag** | | | | | √ | | | | |
-
-
-
-
-
-## Tenant Role
-
----
-
-| Role Names | Description |
+## Default Tenant Roles
+
+Palette comes with a set of immutable predefined Tenant roles out-of-the-box that you can assign to users or teams. To
+review the permissions associated with each Tenant role, click on the role name to expand the list of permissions.
+
+### Admin
+
+| Role Name | Description |
+| ------------- | --------------------------------------------------------- |
+| Tenant Admin | Grants access to all resources in all projects. |
+| Tenant Viewer | Provides a read only access to all the project resources. |
+
+
+
+
+- apiKey.create
+- apiKey.delete
+- apiKey.get
+- apiKey.list
+- apiKey.update
+- appDeployment.create
+- appDeployment.delete
+- appDeployment.get
+- appDeployment.list
+- appDeployment.update
+- appProfile.create
+- appProfile.delete
+- appProfile.get
+- appProfile.list
+- appProfile.update
+- audit.get
+- audit.list
+- cloudaccount.create
+- cloudaccount.delete
+- cloudaccount.get
+- cloudaccount.list
+- cloudaccount.update
+- cloudconfig.create
+- cloudconfig.delete
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.create
+- cluster.delete
+- cluster.get
+- cluster.import
+- cluster.list
+- cluster.update
+- clusterGroup.create
+- clusterGroup.delete
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- clusterProfile.create
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- dnsMapping.create
+- dnsMapping.delete
+- dnsMapping.get
+- dnsMapping.list
+- dnsMapping.update
+- edgeToken.create
+- edgeToken.delete
+- edgeToken.get
+- edgeToken.list
+- edgeToken.update
+- edgehost.create
+- edgehost.delete
+- edgehost.get
+- edgehost.list
+- edgehost.update
+- filter.create
+- filter.delete
+- filter.get
+- filter.list
+- filter.update
+- location.create
+- location.delete
+- location.get
+- location.list
+- location.update
+- machine.create
+- machine.delete
+- machine.get
+- machine.list
+- machine.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.create
+- packRegistry.delete
+- packRegistry.get
+- packRegistry.list
+- packRegistry.update
+- privateGateway.create
+- privateGateway.delete
+- privateGateway.get
+- privateGateway.list
+- privateGateway.update
+- project.create
+- project.delete
+- project.get
+- project.list
+- project.update
+- role.create
+- role.delete
+- role.get
+- role.list
+- role.update
+- sshKey.create
+- sshKey.delete
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- team.create
+- team.delete
+- team.get
+- team.list
+- team.update
+- user.create
+- user.delete
+- user.get
+- user.list
+- user.update
+- virtualCloudconfig.create
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.create
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+- workspace.backup
+- workspace.create
+- workspace.delete
+- workspace.get
+- workspace.list
+- workspace.restore
+- workspace.update
+
+
+
+
+- apiKey.get
+- apiKey.list
+- appDeployment.get
+- appDeployment.list
+- appProfile.get
+- appProfile.list
+- audit.get
+- audit.list
+- cloudaccount.get
+- cloudaccount.list
+- cloudconfig.get
+- cloudconfig.list
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+- clusterProfile.get
+- clusterProfile.list
+- dnsMapping.get
+- dnsMapping.list
+- edgeToken.get
+- edgeToken.list
+- edgehost.get
+- edgehost.list
+- filter.get
+- filter.list
+- location.get
+- location.list
+- machine.get
+- machine.list
+- macro.get
+- macro.list
+- packRegistry.get
+- packRegistry.list
+- privateGateway.get
+- privateGateway.list
+- project.get
+- project.list
+- role.get
+- role.list
+- sshKey.get
+- sshKey.list
+- team.get
+- team.list
+- user.get
+- user.list
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCluster.get
+- virtualCluster.list
+- virtualMachine.get
+- virtualMachine.list
+- workspace.get
+- workspace.list
+
+
+
+
+### Cluster Group
+
+| Role Name | Description |
+| --------------------------- | --------------------------------------------------------------------------- |
+| Tenant Cluster Group Admin | Allows the user to create and manage cluster groups in all projects. |
+| Tenant Cluster Group Editor | Allows the user to view, access, and update cluster groups in all projects. |
+| Tenant Cluster Group Viewer | Grants read-only access to cluster groups in all projects. |
+
+
+
+
+- cluster.get
+- cluster.list
+- clusterGroup.create
+- clusterGroup.delete
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- tag.update
+
+
+
+
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- tag.update
+
+
+
+
+- cluster.get
+- cluster.list
+- clusterGroup.get
+- clusterGroup.list
+
+
+
+
+### Cluster Profile
+
+| Role Name | Description |
+| ---------------------------- | ---------------------------------------------------------------------- |
+| Tenant Cluster Profile Admin | Allows the user to create and manage cluster profiles in all projects. |
+
+
+
+
+- clusterProfile.create
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.get
+- packRegistry.list
+- tag.update
+
+
+
+
+### Project
+
+| Role Name | Description |
+| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| Tenant Project Admin | Grants the user complete access to all the project resources. Unlike the Tenant Admin role, this role cannot create projects, users, and teams. |
+
+
+
+
+- apiKey.get
+- apiKey.list
+- appDeployment.create
+- appDeployment.delete
+- appDeployment.get
+- appDeployment.list
+- appDeployment.update
+- appProfile.create
+- appProfile.delete
+- appProfile.get
+- appProfile.list
+- appProfile.update
+- audit.get
+- audit.list
+- cloudaccount.create
+- cloudaccount.delete
+- cloudaccount.get
+- cloudaccount.list
+- cloudaccount.update
+- cloudconfig.create
+- cloudconfig.delete
+- cloudconfig.get
+- cloudconfig.list
+- cloudconfig.update
+- cluster.create
+- cluster.delete
+- cluster.get
+- cluster.import
+- cluster.list
+- cluster.update
+- clusterGroup.create
+- clusterGroup.delete
+- clusterGroup.get
+- clusterGroup.list
+- clusterGroup.update
+- clusterProfile.create
+- clusterProfile.delete
+- clusterProfile.get
+- clusterProfile.list
+- clusterProfile.publish
+- clusterProfile.update
+- dnsMapping.create
+- dnsMapping.delete
+- dnsMapping.get
+- dnsMapping.list
+- dnsMapping.update
+- edgeToken.create
+- edgeToken.delete
+- edgeToken.get
+- edgeToken.list
+- edgeToken.update
+- edgehost.create
+- edgehost.delete
+- edgehost.get
+- edgehost.list
+- edgehost.update
+- filter.create
+- filter.delete
+- filter.get
+- filter.list
+- filter.update
+- location.create
+- location.delete
+- location.get
+- location.list
+- location.update
+- machine.create
+- machine.delete
+- machine.get
+- machine.list
+- machine.update
+- macro.create
+- macro.delete
+- macro.get
+- macro.list
+- macro.update
+- packRegistry.create
+- packRegistry.delete
+- packRegistry.get
+- packRegistry.list
+- packRegistry.update
+- privateGateway.create
+- privateGateway.delete
+- privateGateway.get
+- privateGateway.list
+- privateGateway.update
+- project.create
+- project.delete
+- project.get
+- project.list
+- project.update
+- sshKey.create
+- sshKey.delete
+- sshKey.get
+- sshKey.list
+- sshKey.update
+- tag.update
+- virtualCloudconfig.create
+- virtualCloudconfig.delete
+- virtualCloudconfig.get
+- virtualCloudconfig.list
+- virtualCloudconfig.update
+- virtualCluster.create
+- virtualCluster.delete
+- virtualCluster.get
+- virtualCluster.list
+- virtualCluster.update
+- virtualMachine.clone
+- virtualMachine.create
+- virtualMachine.delete
+- virtualMachine.get
+- virtualMachine.list
+- virtualMachine.migrate
+- virtualMachine.pause
+- virtualMachine.restart
+- virtualMachine.resume
+- virtualMachine.snapshotCreate
+- virtualMachine.snapshotDelete
+- virtualMachine.snapshotGet
+- virtualMachine.snapshotList
+- virtualMachine.snapshotUpdate
+- virtualMachine.start
+- virtualMachine.stop
+- virtualMachine.update
+- workspace.backup
+- workspace.create
+- workspace.delete
+- workspace.get
+- workspace.list
+- workspace.restore
+- workspace.update
+
+
+
+
+### Role
+
+| Role Name | Description |
+| ----------------- | -------------------------------------------------------------- |
+| Tenant Role Admin | This role allows the user to create, update, and delete roles. |
+
+
+
+
+- role.create
+- role.delete
+- role.get
+- role.list
+- role.update
+
+
+
+
+### Team
+
+| Role Name | Description |
| ----------------- | -------------------------------------------------------------------- |
-| Tenant Role Admin | A role which has complete access to all the `Role` related perations |
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| -------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **role** | √ | √ | √ | √ | √ | | | | |
-
-
-
-
-
-## Tenant Team
-
----
-
-| Role Names | Description |
-| ----------------- | --------------------------------------------------------------------- |
-| Tenant Team Admin | A role which has complete access to all the `Team` related operations |
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **apiKey** | | | √ | √ | | | | | |
-| **audit** | | | √ | √ | | | | | |
-| **team** | √ | √ | √ | √ | √ | | | | |
-| **user** | | | √ | √ | | | | | |
-
-
-
-
-
-## Tenant User
-
----
-
-| Role Names | Description |
-| ---------------------- | --------------------------------------------------------------------- |
-| Tenant User Admin Role | A role which has complete access to all the `User` related operations |
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **apiKey** | √ | √ | √ | √ | √ | | | | |
-| **audit** | | | √ | √ | | | | | |
-| **user** | √ | √ | √ | √ | √ | | | |
-
-
-
-## Tenants Cluster Group
-
----
-
-| Role Names | Description |
-| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| Tenants Cluster Group Admin | Allows the user to create and manage cluster groups within the tenant, covered under all operations related to cluster groups |
-| Tenants Cluster Group Editor | The role can perform edit operations related to a cluster group, but the user is not able to create or delete a cluster group |
-| Tenants Cluster Group Viewer | Provides a read only access to all the cluster group resources |
-
-The table lists role resourceKeys and operations that are predefined under the Global Tenant Scope:
-
-
-
-
-
-
-
-
-
-
-## Tenant Cluster Group Admin
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cluster** | | | √ | √ | | | | | |
-| **clusterGroup** | √ | √ | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-
-
-
-
-
-
-
-
-## Tenant Cluster Group Editor
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cluster** | | | √ | √ | | | | | |
-| **clusterGroup** | | | √ | √ | √ | | | | |
-| **tag** | | | | | √ | | | | |
-
-
-
-
-
-
-## Tenant Cluster Group Viewer
-
-
-
-
-
- resourceKeys
- |
-
- Operations
- |
-
-
-
-
-| | **Create** | **Delete** | **Get** | **List** | **Update** | **Import** | **Publish** | **Backup** | **Restore** |
-| ---------------- | ---------- | ---------- | ------- | -------- | ---------- | ---------- | ----------- | ---------- | ----------- |
-| **cluster** | | | √ | √ | | | | | |
-| **clusterGroup** | | | √ | √ | | | | | |
-
-
-
-
-
+| Tenant Team Admin | This role grants the user complete access to all the team resources. |
+
+
+
+
+- apiKey.get
+- apiKey.list
+- audit.get
+- audit.list
+- team.create
+- team.delete
+- team.get
+- team.list
+- team.update
+- user.get
+- user.list
+
+
+
+
+### User
+
+| Role Name | Description |
+| ---------------------- | ----------------------------------------------------------------- |
+| Tenant User Admin Role | This role grants the user complete access to all user operations. |
+
+
+
+
+- apiKey.create
+- apiKey.delete
+- apiKey.get
+- apiKey.list
+- apiKey.update
+- audit.get
+- audit.list
+- user.create
+- user.delete
+- user.get
+- user.list
+- user.update
+
+
+
+
+## Resources
+
+- [Permissions](./permissions.md)
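Review bot: the Tenant Project Admin description in the `### Project` table states the role "cannot create projects, users, and teams", but its permission list includes `project.create`, `project.delete`, and `project.update`; either the description or the list is wrong, and they must agree before this ships because readers use these tables to decide what a role can do. Also in this hunk: the front matter tag `"teanant"` is a typo for `"tenant"` (tags drive filtering, so the misspelling silently drops the page from that grouping); "Provides a read only access to all the project resources." in the Admin table should read "Provides read-only access to all project resources."; and the intro says "click on the role name to expand the list of permissions", yet no role name precedes any of the permission lists in this diff, so please confirm each list renders under its role. Finally, the removed `:::info` block stating that all users inherit `tag.get` by default is not carried over anywhere in the new text; if that default still holds, restate it, for example under the Default Tenant Roles intro.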
diff --git a/docs/docs-content/user-management/saml-sso/_category_.json b/docs/docs-content/user-management/saml-sso/_category_.json
index ae9ddb024d..e7e7c54966 100644
--- a/docs/docs-content/user-management/saml-sso/_category_.json
+++ b/docs/docs-content/user-management/saml-sso/_category_.json
@@ -1,3 +1,3 @@
{
- "position": 50
+ "position": 40
}
diff --git a/docs/docs-content/user-management/saml-sso/saml-sso.md b/docs/docs-content/user-management/saml-sso/saml-sso.md
index 9112d74e3a..1a195595f5 100644
--- a/docs/docs-content/user-management/saml-sso/saml-sso.md
+++ b/docs/docs-content/user-management/saml-sso/saml-sso.md
@@ -1,7 +1,7 @@
---
-sidebar_label: "SAML and OIDC SSO Setup"
-title: "SAML and OIDC SSO Setup"
-description: "Detailed instructions on creating Single Sign-on to log in to Palette using SAML 2.0"
+sidebar_label: "SAML and OIDC SSO"
+title: "SAML and OIDC SSO"
+description: "Learn how to enable Single Sign-On (SSO) in Palette with SAML and OIDC."
icon: ""
hide_table_of_contents: false
tags: ["user-management", "saml-sso", "oidc", "saml", "sso"]
@@ -18,7 +18,12 @@ the following protocols for authentication and authorization.
[OAuth 2.0](https://www.rfc-editor.org/rfc/rfc6749), a widely used authorization framework. OIDC supports distributed
identity providers and supports social login providers such as Google or GitHub.
-## Limitations
+## Palette OIDC and PXK
+
+
+Palette can act as an Identity Provider (IDP) when is used as the Kubernetes distribution in a cluster profile. Palette eXtended Kubernetes (PXK) is a recompiled version of the open source Cloud Native Computing Foundation (CNCF) distribution of Kubernetes. This Kubernetes version can be deployed through Palette to all major infrastructure providers, public cloud providers, and private data center providers. This is the default distribution when deploying a Kubernetes cluster through Palette. To learn more about PXK, refer to the page.
+
+## OIDC Limitations
Palette [API keys](../authentication/api-key/api-key.md) that belong to Palette users removed from the organization
through OIDC/SAML are not automatically removed. We recommend that you remove these keys to ensure that they are no
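Review bot: the new paragraph under `## Palette OIDC and PXK` is missing words in two places: "when is used as the Kubernetes distribution" has no subject (likely PXK, given the heading and the sentence that follows, but it should be written out), and "refer to the page." has no link target, so neither sentence can be followed as written. Suggested first sentence, if PXK is indeed meant: "Palette can act as an Identity Provider (IDP) when Palette eXtended Kubernetes (PXK) is used as the Kubernetes distribution in a cluster profile." The paragraph is also a single unwrapped line where the rest of the file wraps at roughly 120 columns, and there are two blank `+` lines after the heading where one would do. One more point on the rename of `## Limitations` to `## OIDC Limitations`: the limitation that follows concerns API keys of users removed "through OIDC/SAML", so it applies to SAML as well; keep the heading protocol-neutral, for example "SSO Limitations".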
diff --git a/docs/docs-content/user-management/user-management.md b/docs/docs-content/user-management/user-management.md
index c4303c5051..a210fed0d2 100644
--- a/docs/docs-content/user-management/user-management.md
+++ b/docs/docs-content/user-management/user-management.md
@@ -1,72 +1,53 @@
---
-sidebar_label: "User Management"
+sidebar_label: "User & Role Management"
title: "User Management"
description:
- "Dive into Palette's user management capabilities and how to manage users' access and setting up controls,
- integrations, and more."
+ "Learn how to manage users and roles in Palette. Palette has a rich RBAC system that allows you to manage user access
+ to resources."
hide_table_of_contents: false
sidebar_custom_props:
icon: "roles"
tags: ["user-management"]
---
-This section touches upon the initial login aspects for Tenant Admins and non-admin users and the RBAC setup within
-Palette.
+Palette is designed to help you implement a least-privilege access model. It allows you to manage users and teams
+effectively and supports multiple authentication methods. Additionally, Palette features a comprehensive Role-Based
+Access Control (RBAC) system and the ability to apply Attribute-Based Access Control (ABAC).
-## User Login
+## User Authentication
-For a Tenant admin, the password shall be set upon the initial login. The Tenant admin can add non-admin users. For all
-users, login can be made available using the following options:
+You can log into Palette through the Palette user interface and interact with the platform through a web browser. You
+can also interact with Palette programmatically through the API. Review the
+[User Authentication](./authentication/authentication.md) section to learn more about the different supported
+authentication methods.
-- Using Palette credentials on the login page.
-- SSO using Identity Providers that use SAML 2.0:
- - Azure Active Directory
- - Okta
- - Keycloak
- - OneLogin
- - Microsoft ADFS
- - Others
+## Users and Teams
-## RBAC
-
-Palette allows the users that have been added to be allowed or restricted access to resources based on the roles set by
-the tenant admin. This Role-Based Access Control is explained in detail on the RBAC
-[page](palette-rbac/palette-rbac.md#permissions).
+You can create users and teams in Palette to manage access and permissions. Users are individual entities that can log
+in to Palette and perform actions based on their assigned roles. Teams are groups of users to whom you can assign roles,
+reducing the challenges of managing user access at the individual level. Check out the
+[Users and Teams](./users-and-teams/users-and-teams.md) section to learn more about managing users and teams.
## Roles and Permissions
-The Tenant admin can allow or restrict access of resources to users which can differ as per the scenario. A user can
-have complete access to a specific project but can be restricted access to other projects in which there is no
-involvement. An intermediate stage is also possible where read-only access can be provided in some projects. The Roles
-and Permissions sections on the [RBAC](./palette-rbac/palette-rbac.md) page provide more details on this.
-
-To add a user to a project:
-
-1. Sign in as a Tenant admin and navigate to the **Users and Teams** section of the Tenant settings Menu.
+Roles are assigned to users and teams and determine a user's actions in Palette. Palette roles are designed to be
+flexible and can be customized to meet your organization's needs. Actions in Palette are controlled by permissions, for
+every component in Palette, a set of permissions is exposed for you to apply granular access control. To learn more
+about roles and permissions in Palette, review the [Roles and Permissions](./palette-rbac/palette-rbac.md) section.
-1. Click on the user that you want to enable access to.
+## SAML and OIDC SSO
-1. In the **Role** editor that opens to the side, find the **Project Roles** section and click **Add Role**.
+Palette supports integration with Identity Providers (IDP) to manage user access. Palette supports the Security
+Assertion Markup Language (SAML) and OpenID Connect (OIDC) protocols for Single Sign-On (SSO). You can use an IDP to
+authenticate users and manage their access to Palette, including cluster access. To learn how to configure an IDP, refer
+to the [SAML and OIDC SSO](./saml-sso/saml-sso.md) section.
-1. Select the required **Project** from the dropdown menu and enable the **Roles** as needed.
+## Resources
-## Multi-Organization Support for Users
+- [User Authentication](./authentication/authentication.md)
-Palette is incorporating multi-organization support for its users. With this feature, we provide our users with the
-flexibility of having a unique email address ID across multiple organizations. Hence, the users can maintain SSO
-credentials across multiple organizations/tenants.
+- [Users and Teams](./users-and-teams/users-and-teams.md)
-The key benefits of this feature are:
+- [Roles and Permissions](./palette-rbac/palette-rbac.md)
-- The use of a single email address ID across multiple organizations.
-- Within an organization, maintain a unique email ID.
-- In the case of password-based authentication, the same password is applicable across multiple organizations. The
- change of password, made under a particular organization, is applied across other organizations to maintain a single
- password across all organizations.
-- The password policy stays independent of organizations/tenants. Each tenant retains individual password policy.
-- For SSO-based authentication, for each organization/tenant, the individual identity provider client application can be
- configured. Hence, allowing the configuration of a single SSO with multiple identity providers across multiple
- tenants/organizations mapping each client app to a tenant.
-- However, for self-sign-up, the unique email address ID is enforced across tenants to avoid conflicts.
-- In the Palette console, the users can switch between the organizations/tenants using the Organization drop down menu
- of the login page.
+- [SAML and OIDC SSO](./saml-sso/saml-sso.md)
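Review bot: in the `## Roles and Permissions` paragraph, "Actions in Palette are controlled by permissions, for every component in Palette, a set of permissions is exposed for you to apply granular access control." is a comma splice; split it: "Actions in Palette are controlled by permissions. For every component in Palette, a set of permissions is exposed so you can apply granular access control." Two content points: the whole `## Multi-Organization Support for Users` section (unique email across tenants, password changes propagating to every tenant, per-tenant password policy and IDP client apps, the Organization drop-down on the login page) is deleted with no replacement or link in this file; if it moved to the new users-and-teams pages, link it from `## Resources`, otherwise restore it, since the password-propagation and per-tenant password-policy behaviour is something administrators need when setting access policy. Also `sidebar_label` changes to "User & Role Management" while `title` stays "User Management"; align the two.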
diff --git a/docs/docs-content/user-management/users-and-teams/_category_.json b/docs/docs-content/user-management/users-and-teams/_category_.json
new file mode 100644
index 0000000000..094470741d
--- /dev/null
+++ b/docs/docs-content/user-management/users-and-teams/_category_.json
@@ -0,0 +1,3 @@
+{
+ "position": 10
+}
diff --git a/docs/docs-content/user-management/users-and-teams/create-a-team.md b/docs/docs-content/user-management/users-and-teams/create-a-team.md
new file mode 100644
index 0000000000..d0e50b9fbc
--- /dev/null
+++ b/docs/docs-content/user-management/users-and-teams/create-a-team.md
@@ -0,0 +1,96 @@
+---
+sidebar_label: "Create and Manage a Team"
+title: "Create and Manage a Team"
+description: "Learn how to create and manage a team in Palette"
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["user-management", "team"]
+---
+
+Teams are a collection of users that share a common set of permissions through [roles](../palette-rbac/palette-rbac.md)
+that grants them access to resources. By grouping users together, you can manage their access to projects and resources.
+
+## Team Creation
+
+Use the following steps to create a team.
+
+### Prerequisites
+
+- Tenant Admin access with the permissions `team.create` and `user.list`.
+
+- At least one user in the tenant. Check out the [Create a User](../users-and-teams/create-user.md) guide to learn how
+ to create a user.
+
+### Create a Team
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a Tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Teams** tab.
+
+5. Click **Create Team**.
+
+6. Enter the team name and select the users you want to add to the team.
+
+7. Click **Confirm** to create the team.
+
+### Validate
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a Tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Teams** tab.
+
+5. Verify that the team you created is listed.
+
+6. Switch to the **Users** tab and select a user that you added to the team.
+
+7. Verify that the user is associated with the team you created.
+
+## Team Deletion
+
+Use the following steps to delete a team from Palette.
+
+### Prerequisites
+
+- Tenant Admin access with the permissions `team.delete`.
+
+- At least one team in the tenant. Check out the [Create a Team](#create-a-team) guide to learn how to create a team.
+
+### Delete a Team
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a Tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Teams** tab.
+
+5. Click on the row of the team you want to delete.
+
+6. Click on the **Delete Team** button.
+
+7. Click **OK** to delete the team.
+
+### Validate
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a Tenant admin.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Users & Teams**.
+
+4. Click on the **Teams** tab.
+
+5. Verify that the team you deleted is no longer listed.
+
+6. Switch to the **Users** tab and select a user that was associated with the team you deleted.
+
+7. Verify that the user is no longer associated with the team you deleted.
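Review bot: in the Team Deletion prerequisites, `Tenant Admin access with the permissions `team.delete`` should read `the `team.delete` permission` (one permission, singular), and the capitalization `Tenant Admin` differs from `tenant admin` used throughout create-user.md in the same directory; pick one form. Two smaller points: the link `../users-and-teams/create-user.md` from a file already inside `users-and-teams/` can be `./create-user.md`, matching the `./create-user.md` form used in users-and-teams.md, and the Delete a Team section says nothing about the effect on members. Since teams carry the role assignments, deleting one removes the access those roles granted to every member; a closing sentence after step 7 stating that, the way create-user.md states `The user is now removed from the tenant and all associated teams and projects.`, would let administrators anticipate the access change.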
diff --git a/docs/docs-content/user-management/users-and-teams/create-user.md b/docs/docs-content/user-management/users-and-teams/create-user.md
new file mode 100644
index 0000000000..5f67aeef17
--- /dev/null
+++ b/docs/docs-content/user-management/users-and-teams/create-user.md
@@ -0,0 +1,142 @@
+---
+sidebar_label: "Create and Manage a User"
+title: "Create and Manage a User"
+description: "Learn how to create and manage a new user in Palette"
+hide_table_of_contents: false
+sidebar_position: 10
+tags: ["user-management", "users"]
+---
+
+You can create a user in Palette to allow them access to the tenant and its resources. Users can be assigned to teams
+and projects, and their permissions are determined by the roles assigned to them.
+
+## User Creation
+
+Use the following steps to create a new user in Palette.
+
+### Prerequisites
+
+- Tenant admin access with the `user.create` permission.
+
+- Name and email address of the user you want to create.
+
+- If you are using self-hosted Palette or VerteX, ensure you have configured Simple Mail Transfer Protocol (SMTP)
+ settings to send email invitations to the user. You can configure SMTP settings in the self-hosted Palette system
+ console.
+
+### Create a User
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Click on **Users & Teams**.
+
+4. Select the **Users** tab.
+
+5. Click on the **Create User** button.
+
+6. Fill in the user details, including the user's name, email address, and assign them to a team. You can assign the
+ user to a team later if you prefer.
+
+7. Click **Confirm** to create the user.
+
+An email invitation is sent to the user with a link to set their password and log in to Palette.
+
+### Validate
+
+Use the following steps to validate the user creation.
+
+1. Have the user check their email for the invitation.
+
+2. Have the user click on the link in the email to set their password.
+
+3. Have the user log in to [Palette](https://console.spectrocloud.com) using their email address and the password they
+ set. If you are using self-hosted Palette or VerteX, use the URL provided by your system administrator.
+
+## User Deletion
+
+Use the following steps to delete a user in Palette.
+
+### Prerequisites
+
+- Tenant admin access with the `user.create` permission.
+
+- Name and email address of the user you want to create.
+
+- If you are using self-hosted Palette or VerteX, ensure you have configured Simple Mail Transfer Protocol (SMTP)
+ settings to send email invitations to the user. You can configure SMTP settings in the self-hosted Palette system
+ console.
+
+### Delete a User
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Click on **Users & Teams**.
+
+4. Select the **Users** tab.
+
+5. Click on the row of the user you want to delete.
+
+6. Click on the **Delete User** button.
+
+7. Click **OK** to confirm the deletion.
+
+The user is now removed from the tenant and all associated teams and projects.
+
+### Validate
+
+Use the following steps to validate the user deletion.
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Click on **Users & Teams**.
+
+4. Select the **Users** tab.
+
+5. Verify that the user you deleted is no longer listed in the users list.
+
+## Password Reset
+
+Use the following steps to reset a user's password in Palette.
+
+### Prerequisites
+
+- Tenant admin access with the `user.update` permission.
+
+- If you are using self-hosted Palette or VerteX, ensure you have configured Simple Mail Transfer Protocol (SMTP)
+ settings to send email invitations to the user. You can configure SMTP settings in the self-hosted Palette system
+ console.
+
+### Reset Password
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant admin.
+
+2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
+
+3. Click on **Users & Teams**.
+
+4. Select the **Users** tab.
+
+5. Click on the row of the user whose password you want to reset.
+
+6. Click on the **Reset password** button.
+
+7. Click **OK** to confirm the password reset.
+
+An email is sent to the user with a link to set a new password.
+
+### Validate
+
+Use the following steps to validate the password reset.
+
+1. Have the user check their email for the password reset link.
+
+2. Have the user click on the link in the email to set their new password.
+
+3. Have the user log in to [Palette](https://console.spectrocloud.com) using their email address and the new password
+ they set. If you are using self-hosted Palette or VerteX, use the URL provided by your system administrator.
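Review bot: the three prerequisite bullets under `## User Deletion` are copied verbatim from User Creation: they require the `user.create` permission, `Name and email address of the user you want to create`, and SMTP settings `to send email invitations`, none of which applies to deleting a user. Replace them with the permission that actually authorizes deletion (the page does not name it; `team.delete` is the pattern used for teams in create-a-team.md) and the identity of the user to delete, and drop the SMTP bullet. Also, under Password Reset the SMTP bullet says `email invitations`, but the email sent there carries the reset link; and since `The user is now removed from the tenant and all associated teams and projects.` is the only statement of what deletion does, consider documenting whether the removed user's active sessions and credentials are invalidated at the same time, which is what an administrator offboarding a user needs to know.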
diff --git a/docs/docs-content/user-management/users-and-teams/users-and-teams.md b/docs/docs-content/user-management/users-and-teams/users-and-teams.md
new file mode 100644
index 0000000000..fe8a94b48c
--- /dev/null
+++ b/docs/docs-content/user-management/users-and-teams/users-and-teams.md
@@ -0,0 +1,41 @@
+---
+sidebar_label: "Users and Teams"
+title: "Users and Teams"
+description: "Manage users and teams in Palette"
+hide_table_of_contents: false
+sidebar_position: 10
+tags: ["user-management", "teams", "users"]
+---
+
+Users and teams are the core entities in Palette that help you manage access and permissions. Users are individual
+entities that can log in to Palette and perform actions based on their assigned roles. Teams are groups of users to whom
+you can assign roles, reducing the challenges of managing user access at the individual level.
+
+## Users
+
+Users can be created by tenant administrators or other users with a tenant role that has the `user.create` permission.
+To learn how to create and manage users, refer to the [Create and Manage a User](./create-user.md) guide.
+
+## Teams
+
+Teams are made up of users. A team can have multiple users, and each user can belong to multiple teams. Teams are
+assigned roles, which determine the permissions and access levels of the users in the team. To learn how to create and
+manage teams, refer to the [Create and Manage a Team](./create-a-team.md) guide.
+
+## Manage User Access with Identity Providers
+
+Palette supports integration with Identity Providers (IDP) to manage user access. You can use an IDP to authenticate
+users and manage their access to Palette. If you use an IDP, user management is handled by the IDP, meaning you no
+longer create and manage the user accounts in Palette. User permissions are determined by the Palette team to which
+users are mapped in the IDP and the Palette roles assigned to that team.
+
+To learn how to configure an IDP, refer to the [SAML and OIDC SSO Setup](../saml-sso/saml-sso.md) section and the
+various IDP-specific guides.
+
+## Resources
+
+- [Create and Manage a User](./create-user.md)
+
+- [Create and Manage a Team](./create-a-team.md)
+
+- [SAML and OIDC SSO Setup](../saml-sso/saml-sso.md)
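Review bot: the `## Manage User Access with Identity Providers` section says that with an IDP `you no longer create and manage the user accounts in Palette`, while the `## Users` section above says users are created by tenant administrators with `user.create`. Clarify how the two coexist: whether IDP-mapped users still appear in the Users list, whether removing a user from the IDP (or from the mapped IDP group) revokes their Palette access immediately or only blocks the next login, and whether a local account and an IDP identity can exist for the same email address. Minor: the usual abbreviation is `IdP`.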
diff --git a/docs/docs-content/workspace/workload-features.md b/docs/docs-content/workspace/workload-features.md
index 25012eb2bd..8ee5dee666 100644
--- a/docs/docs-content/workspace/workload-features.md
+++ b/docs/docs-content/workspace/workload-features.md
@@ -63,8 +63,8 @@ To create your **Workspace Role**, follow the steps below:
2. Go to the **Users and Teams** option.
-3. From the listed users, select the user to be assigned with Workspace Roles. See here for
- [User Creation](../user-management/new-user.md).
+3. From the listed users, select the user to be assigned with Workspace Roles. Check out the
+ [Create a User](../user-management/users-and-teams/create-user.md) guide to learn how to create a user.
4. Select the **Workspace Roles** tab and click **+ New Workspace Role** to create a new role.
diff --git a/redirects.js b/redirects.js
index a52aeffd84..1e03c4016f 100644
--- a/redirects.js
+++ b/redirects.js
@@ -572,6 +572,35 @@ let redirects = [
],
to: "/integrations/",
},
+ {
+ from: [
+ "/security-bulletins/reports/cve-2020-1971",
+ "/security-bulletins/reports/cve-2021-3449",
+ "/security-bulletins/reports/cve-2021-3711",
+ "/security-bulletins/reports/cve-2021-45079",
+ "/security-bulletins/reports/cve-2022-0778",
+ "/security-bulletins/reports/cve-2023-52425",
+ "/security-bulletins/reports/cve-2023-5528",
+ "/security-bulletins/reports/prisma-2022-0227",
+ ],
+ to: "/security-bulletins/reports/",
+ },
+ {
+ from: "/clusters/cluster-management/cluster-tag-filter/",
+ to: "tenant-settings/filters/",
+ },
+ {
+ from: "/clusters/cluster-management/cluster-tag-filter/create-add-filter/",
+ to: "tenant-settings/filters/",
+ },
+ {
+ from: "/user-management/new-user/",
+ to: "/user-management/users-and-teams/create-user/",
+ },
+ {
+ from: "/user-management/project-association/",
+ to: "/user-management/palette-rbac/assign-a-role/",
+ },
];
if (packRedirects.length > 0) {
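Review bot: the two `to` targets for the cluster-tag-filter redirects, `"tenant-settings/filters/"`, lack the leading slash that every other `to` in this file has (`"/integrations/"`, `"/security-bulletins/reports/"`, `"/user-management/users-and-teams/create-user/"`), so they are a relative path rather than a site-absolute one; change both to `"/tenant-settings/filters/"`. Separately, the first entry collapses eight individual security-bulletin report pages (`cve-2020-1971` through `prisma-2022-0227`) onto the `/security-bulletins/reports/` index; external advisories that deep-link to those pages will now land on the index, so make sure it still lists each of those identifiers so the reader can find the bulletin they were sent to.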
diff --git a/src/components/Accordion/Accordion.module.css b/src/components/Accordion/Accordion.module.css
new file mode 100644
index 0000000000..2e595bf292
--- /dev/null
+++ b/src/components/Accordion/Accordion.module.css
@@ -0,0 +1,30 @@
+.content {
+ padding: 10px;
+ color: var(--ifm-font-color-base) !important;
+}
+
+.ant-collapse {
+ background-color: transparent !important; /* Transparent accordion background */
+ border: none;
+}
+
+.ant-collapse-item {
+ background-color: transparent !important;
+}
+
+.ant-collapse-header {
+ background-color: transparent !important;
+ color: var(--ifm-font-color-base) !important;
+ font-weight: 500;
+ padding: 12px 16px;
+}
+
+.ant-collapse-content > .ant-collapse-content-box {
+ background-color: transparent !important;
+ color: var(--ifm-font-color-base) !important;
+ padding: 12px 16px;
+}
+
+.ant-collapse-header:hover {
+ color: var(--ifm-color-primary) !important;
+}
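Review bot: this file is a CSS module (`Accordion.module.css`), so every class selector in it is rewritten to a hashed local name at build time; `.ant-collapse`, `.ant-collapse-item`, `.ant-collapse-header` and `.ant-collapse-content > .ant-collapse-content-box` will therefore never match the global class names antd puts on the rendered `Collapse`, and the `!important` on each declaration does not change that. Wrap those selectors in `:global(...)` (for example `:global(.ant-collapse-header)`), or scope them under a local class applied to the component's root. Only `.content` is a genuinely local class here.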
diff --git a/src/components/Accordion/Accordion.tsx b/src/components/Accordion/Accordion.tsx
new file mode 100644
index 0000000000..291b90e970
--- /dev/null
+++ b/src/components/Accordion/Accordion.tsx
@@ -0,0 +1,32 @@
+import React, { ReactNode } from "react";
+import { Collapse } from "antd";
+import styles from "./Accordion.module.css";
+
+interface AccordionPanelProps {
+ title: string;
+ children: ReactNode;
+}
+
+interface AccordionProps {
+ children: ReactNode[];
+}
+
+const Accordion: React.FC = ({ children }) => {
+ const mappedItems = React.Children.map(children, (child) => {
+ if (React.isValidElement(child) && child.props.title) {
+ return {
+ key: child.props.title,
+ label: child.props.title,
+ children: {child.props.children}
,
+ };
+ }
+ return null;
+ });
+
+ // To avoid issues - let's remove any null items or undefined items
+ const items = mappedItems?.filter((item): item is NonNullable => item !== null) ?? [];
+
+ return ;
+};
+
+export default Accordion;
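Review bot: `key: child.props.title` uses the panel title as both the React key and the Collapse item key, so two panels with the same title in one accordion produce duplicate keys and open and close together; use the child's index (the second argument of `React.Children.map`), or a combination of index and title. Two typing points as well: `AccordionPanelProps` is declared here but never used, and `React.isValidElement(child)` without a type argument leaves `child.props` typed as `unknown` or `any` depending on the @types/react version, so `child.props.title` either fails to type-check under strict settings or silently loses checking; call `React.isValidElement<AccordionPanelProps>(child)` and import the props type from `AccordionPanel` instead of re-declaring it.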
diff --git a/src/components/Accordion/index.ts b/src/components/Accordion/index.ts
new file mode 100644
index 0000000000..cf371dc582
--- /dev/null
+++ b/src/components/Accordion/index.ts
@@ -0,0 +1,3 @@
+import Accordion from "./Accordion";
+
+export default Accordion;
diff --git a/src/components/AccordionPanel/AccordionPanel.tsx b/src/components/AccordionPanel/AccordionPanel.tsx
new file mode 100644
index 0000000000..c85d1cc154
--- /dev/null
+++ b/src/components/AccordionPanel/AccordionPanel.tsx
@@ -0,0 +1,12 @@
+import React, { ReactNode } from "react";
+
+interface AccordionPanelProps {
+ title: string;
+ children: ReactNode;
+}
+
+const AccordionPanel: React.FC = ({ children }) => {
+ return <>{children}>;
+};
+
+export default AccordionPanel;
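Review bot: `title` is declared in `AccordionPanelProps` but never read in the component; it is consumed by the parent `Accordion` through `child.props.title`. Add a comment saying so, otherwise the unused prop reads as a bug, and export `AccordionPanelProps` from this file so `Accordion.tsx` can import it rather than duplicating the interface.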
diff --git a/src/components/AccordionPanel/index.ts b/src/components/AccordionPanel/index.ts
new file mode 100644
index 0000000000..1df4f2f570
--- /dev/null
+++ b/src/components/AccordionPanel/index.ts
@@ -0,0 +1,3 @@
+import AccordionPanel from "./AccordionPanel";
+
+export default AccordionPanel;
diff --git a/src/theme/MDXComponents/MDXComponents.ts b/src/theme/MDXComponents/MDXComponents.ts
index 830db1569c..19460ec378 100644
--- a/src/theme/MDXComponents/MDXComponents.ts
+++ b/src/theme/MDXComponents/MDXComponents.ts
@@ -15,10 +15,14 @@ import ReleaseNotesVersions from "@site/src/components/ReleaseNotesVersions/inde
import PartialsComponent from "@site/src/components/PartialsComponent";
import VersionedLink from "@site/src/components/VersionedLink";
import PaletteVertexUrlMapper from "@site/src/components/PaletteVertexUrlMapper/PaletteVertexUrlMapper";
+import Accordion from "@site/src/components/Accordion";
+import AccordionPanel from "@site/src/components/AccordionPanel";
export default {
...MDXComponents,
...customMdxComponents,
+ Accordion,
+ AccordionPanel,
Tabs,
TabItem,
Tooltip,
diff --git a/static/assets/docs/images/palette-rbac-scope.webp b/static/assets/docs/images/palette-rbac-scope.webp
deleted file mode 100644
index aac7b9ee55..0000000000
Binary files a/static/assets/docs/images/palette-rbac-scope.webp and /dev/null differ
diff --git a/static/assets/docs/images/tenant-settings_filters_add-resource-filter-wizard.webp b/static/assets/docs/images/tenant-settings_filters_add-resource-filter-wizard.webp
new file mode 100644
index 0000000000..7014691025
Binary files /dev/null and b/static/assets/docs/images/tenant-settings_filters_add-resource-filter-wizard.webp differ
diff --git a/static/assets/docs/images/user-management_authentication_switch-tenant_tenant-selection.webp b/static/assets/docs/images/user-management_authentication_switch-tenant_tenant-selection.webp
new file mode 100644
index 0000000000..216b98b410
Binary files /dev/null and b/static/assets/docs/images/user-management_authentication_switch-tenant_tenant-selection.webp differ
diff --git a/static/assets/docs/images/user-management_palette-rbac_palette-rbac_scope-overview.webp b/static/assets/docs/images/user-management_palette-rbac_palette-rbac_scope-overview.webp
new file mode 100644
index 0000000000..787e2a0b31
Binary files /dev/null and b/static/assets/docs/images/user-management_palette-rbac_palette-rbac_scope-overview.webp differ
diff --git a/static/assets/docs/images/user-management_palette-rback_abac_example.webp b/static/assets/docs/images/user-management_palette-rback_abac_example.webp
new file mode 100644
index 0000000000..7ac861fb5f
Binary files /dev/null and b/static/assets/docs/images/user-management_palette-rback_abac_example.webp differ
diff --git a/static/assets/docs/images/user-management_palette-rback_assign-a-role_team-role-assign.webp b/static/assets/docs/images/user-management_palette-rback_assign-a-role_team-role-assign.webp
new file mode 100644
index 0000000000..e2f995819f
Binary files /dev/null and b/static/assets/docs/images/user-management_palette-rback_assign-a-role_team-role-assign.webp differ
diff --git a/static/assets/docs/images/user-management_palette-rback_assign-a-role_user-role-assign.webp b/static/assets/docs/images/user-management_palette-rback_assign-a-role_user-role-assign.webp
new file mode 100644
index 0000000000..2ec161cbce
Binary files /dev/null and b/static/assets/docs/images/user-management_palette-rback_assign-a-role_user-role-assign.webp differ