spectrocloud · karl-cardenas-coding · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024
@@ -17,16 +17,13 @@ To get started with an attribute access control through tags, check out the
 ## Resources
 
 - [Cluster Resource Filter](create-add-filter.md)
+
 - [Create Resource Filter](create-add-filter.md#create-resource-filter)
 
 - [Add Resource Role](create-add-filter.md#add-resource-role)
 
-- [Palette Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md)
-
-- [Palette Global Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md#palette-global-resource-roles)
-
-- [Palette Custom Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md#palette-custom-resource-roles)
+- [Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md)
 
-- [Create Custom Role](../../../user-management/new-user.md#create-custom-role)
+- [Create Custom Role](../../../user-management/palette-rbac/create-custom-role.md)
 
-- [Create New User in Palette](../../../user-management/new-user.md#create-a-new-user)
+- [Create New User in Palette](../../../user-management/users-and-teams/create-user.md)
@@ -62,17 +62,18 @@ the following steps to review the filter is available for use.
 You can assign the created resource filter and roles to a user or team to enforce access restrictions. There are two
 types of roles that can be assigned:
 
-- [Palette Global Roles](../../..//user-management/palette-rbac/resource-scope-roles-permissions.md#palette-global-resource-roles)
-  are a set of roles that are available in Palette by default.
+- [Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md) are a set of roles that
+  are available in Palette by default.
 
-- [Custom Resource Roles](../../..//user-management/palette-rbac/resource-scope-roles-permissions.md#palette-custom-resource-roles)
-  can be created according to your requirements from the available set of permissions and operations.
+- [Custom Resource Roles](../../../user-management/palette-rbac/resource-scope-roles-permissions.md) can be created
+  according to your requirements from the available set of permissions and operations.
 
 ### Prerequisites
 
 - A [Palette account](https://console.spectrocloud.com) with Tenant scope privileges.
 
-- A Palette [user](../../../user-management/new-user.md#create-a-new-user) or team to assign the resource privileges.
+- A Palette [user](../../../user-management/users-and-teams/create-user.md#user-creation) or team to assign the resource
+  privileges.
 
 ### Assign Resource Roles and Filter
 

@@ -0,0 +1,242 @@
+---
+sidebar_label: "Roles"
+title: "Roles"
+description: "Palette User Access control using RBAC"
+icon: ""
+hide_table_of_contents: false
+tags: ["user-management", "rbac"]
+---
+
+RBAC stands for Role-Based Access Control. RBAC allows a single user to have different types of access control based on
+the resource being accessed. RBAC is the scenario that allows the Tenant Admin to grant full and unrestricted access to
+some parts of the system and withhold it for some others.
+
+Palette enforces a very well-structured RBAC design on how to grant granular access to resources and their operations
+within our management console. We maintain precise Roles and Resource Access Control List. Role-based access control
+primarily focuses on assigning permissions to roles instead of individual users and then assigning these roles to users.
+Multiple roles can be assigned to a user, which defines the permitted actions on the resource. This module lists and
+enumerates all the roles available within the Palette console within specific scopes.
+
+Palette enables:
+
+- A role can have multiple permissions. We encourage custom role creation, coupling the wide range of Palette
+  permissions.
+
+- Multiple roles can be assigned to a single user, defining the permitted actions on a Palette resource.
+
+## Palette RBAC Model
+
+The Palette RBAC Model, is based on the following three components:
+
+- Scopes
+- Permissions
+- Roles
+
+### Scopes
+
+A Scope defines the resources on which the role has coverage. The scope will be either `Tenant` or `Project`. For
+example, a role within the scope project can operate within the projects. The combination of user and roles indicates
+the totality of the accessibility available to that user. Scopes are structured in a parent-child relationship. Each
+level of hierarchy makes the Scope more specific. The roles are assigned at any of these levels of Scope. The level you
+select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.
+![palette-rbac-scope.webp](/palette-rbac-scope.webp)
+
+The following are the major properties of Palette driven Scopes:
+
+- Scopes control the visibility of the resource.
+
+- Resource created in the higher scope will be visible in the lower scope as read-only. The cluster profiles created by
+  a tenant will be available to all the projects created by that tenant.
+
+- Resource Isolation: Resources within the same scope will be restricted to the respective scope entity.
+
+  - Cluster Profile created in project-1 will not be available in project-2 of the same tenant
+
+- Resource with the same name can co-exist across scopes and will be distinguished with scope prefix (icon)
+  - A profile with the same name can be created in tenant and project scope. The resource will have the scope
+    information, which helps to distinguish them.
+
+Palette resources can be allocated to roles under **Three Scopes**:
+
+- **System** (The system admin internal to Palette)
+
+- **Tenant**
+
+- **Project**
+
+![A diagram of Palette's RBAC model](/user-management_palette-rback_palette-rbac-model.webp)
+
+### Permissions
+
+Permissions determine the type of operations allowed on a resource. Permissions can be defined in the following format:
+
+`resourceKey.operation`
+
+Examples:
+
+- `cluster.create`
+- `cluster.edit`
+- `cluster.delete`
+
+Each permission has a defined scope. The role creation is based on scope, type and permissions.
+
+#### Palette Permissions
+
+Palette has a wide range of permissions and these permissions can be combined in any combination as per the user
+requirements to create a role. If the Palette built-in roles does not meet the specific needs of your organization,
+custom roles can be created using different combination of these permissions. Just like built-in roles, you can assign
+custom roles to users or teams within a specific scope (Tenant or Project). Refer to the available set of permissions in
+the [Permissions](permissions.md) page.
+
+### Roles
+
+A Role is a collection of permissions. When a role is assigned to a user, it means all the permissions the role contains
+are assigned to that user. The Role will have a **Scope**. The Type signifies the creator's scope and the Scope
+signifies the role visibility. The permissions will be restricted to the permission's scope list based on the role's
+scope. The ProfileEditor will be visible under Tenant, but neither the Tenant nor the Project admins are allowed to
+modify the Project Scopes.
+
+## Access Modes
+
+- Tenant
+- Project
+
+### Tenant
+
+Tenant is an isolated workspace within the Palette. `Users` and `Teams` with specific `Roles` can be associated with the
+Tenant(s) you create. Palette provides a [wide set of permissions](tenant-scope-roles-permissions.md) under the scope of
+a Tenant. Everyone is a user and there should be at least one user with Tenant Admin privilege to control the product
+operations.
+
+### Project
+
+The Global Project Scope holds a group of resources, in a logical grouping, to a specific project. The project acts as a
+namespace for resource management. Users and Teams with specific roles can be associated with the project, cluster, or
+cluster profile you create. Users are members of a tenant who are assigned
+[project scope roles](./project-scope-roles-permissions.md) that control their access within the platform.
+
+## Default Palette Roles
+
+Palette RBAC has several built-in roles that can be assigned to users and teams. Role assignments are the way you
+control access to Palette resources.
+
+### Tenant Scope Default Roles
+
+Global Tenant roles are scoped at the tenant level. Palette has several built-in tenant roles that can be assigned to
+users and teams. Refer to [Tenant Scope Roles](./tenant-scope-roles-permissions.md) for a detailed list of all the roles
+available in Palette.
+
+### Project Scope Default Roles
+
+The Project scope roles can be assigned to users and teams at the project scope. Palette has several built-in project
+scoped roles that can be assigned to users and teams. Refer to
+[Project Scope Roles](./project-scope-roles-permissions.md) for a detailed list of all the roles available Pallete.
+
+## Assign Palette Specific Roles to Users
+
+The Default (built-in) roles of Palette can be directly assigned to a user. The roles needs to be assigned based on who
+needs the access. The roles can be assigned to Users or Teams. The appropriate role needs to be selected from the list
+of several built-in roles. If the built-in roles are not meeting the specific needs of your organization, you can
+[create your own custom roles](./create-custom-role.md).
+
+1. Login to Palette console as `Tenant Admin`.
+
+2. Select **Users and Teams** from the left **Main Menu** to list the created users.
+
+3. From the list of users **select the user** to be assigned with role to open the role addition wizard.
+
+4. Make the choice of role category from the top tabs:
+
+   - Project Role
+   - Tenant Role
+   - Workspace Role
+
+5. Once the choice of category is made Click on **+ New Role**.
+
+6. In the **Add Roles to User-name** wizard, select the project name from the drop down and select the roles from the
+   list.
+
+7. Confirm to complete the wizard.
+
+8. The role user association can be edited and deleted from the **left Main Menu**.
+
+### Assign Custom Roles to Users
+
+1. Login to Palette console as `Tenant Admin`.
+
+2. Select **Users and Teams** from the left ribbon menu to list the [created users](../user-management.md).
+
+3. From the list of users **select the user** to be assigned with role to open the role addition wizard.
+
+4. Make the choice of role category from the top tabs:
+
+   - Project Role
+   - Tenant Role
+   - Workspace Role
+
+5. Once the choice of category is to br made by clicking on **+ New Role**.
+
+6. In the **Add Roles to User-name** wizard, select the project name from the drop down and select the roles from the
+   list.
+
+7. Confirm to complete the wizard.
+
+8. The role user association can be edited and deleted from the `kebab menu`.
+
+## Example Scenario:
+
+Palette has a number of permissions that you can potentially include in your custom role. Here is an example scenario
+enumerating the minimum permissions required for a user to **Create a Cluster** in Palette platform.
+
+#### 1. Decide the actions, scopes and permissions required by the user to Create a Cluster.
+
+The role creation is done from the `Tenant Admin` console. For the above scenario, two roles needs to be created under
+`Project` and `Tenant` scope and attached to the user.
+
+#### 2. Identify the Permissions required under `Project Scope`:
+
+- Add the minimum `Project` management permissions
+
+  - project.list
+  - project.get
+
+- Add the minimum permissions required for `Cloud Account` creation
+
+  - cloudaccount.create
+  - cloudaccount.get
+  - cloudaccount.list
+
+- Add the `ClusterProfile` permissions
+
+  - clusterProfile.create
+  - clusterProfile.delete
+  - clusterProfile.get
+  - clusterProfile.list
+  - clusterProfile.publish
+  - clusterProfile.update
+
+- Add the `Cluster` permissions (for creating and listing the cluster)
+
+  - cluster.create
+  - cluster.list
+  - cluster.get
+
+- Add the `Location` permission.
+
+  - location.list
+
+- Add the `Cloud Configuration` permissions for node pool management
+  - cloudconfig.create
+
+#### 3. Identify the Permissions required under `Tenant Scope`:
+
+To attach the Packs and Integrations from Palette public repository, add the `Registry Permissions`. The minimum
+permission required in this scenario is:
+
+- packRegistry.get
+
+#### 4. Attach Roles to the User and Create the Cluster
+
+- Once both the roles are created with the above scopes, attach them to the user.
+
+- Login to Palette console using the user credentials to create the cluster profile and the cluster.
@@ -27,8 +27,8 @@ To associate a user or team with a project, use the following steps.
 
 - Tenant Admin access.
 
-- An available project. Check out the [Create a Project](../tenant-settings/projects/create-manage-projects.md) guide to
-  learn how to create a project.
+- An available project. Check out the [Create a Project](../../tenant-settings/projects/create-manage-projects.md) guide
+  to learn how to create a project.
 
 - A user or a team.
 

@@ -0,0 +1,72 @@
+---
+sidebar_label: "User & Role Management"
+title: "User Management"
+description:
+  "Learn how to manage users and roles in Palette. Palette has a rich RBAC system that allows you to manage user access
+  to resources."
+hide_table_of_contents: false
+sidebar_custom_props:
+  icon: "roles"
+tags: ["user-management"]
+---
+
+This section touches upon the initial login aspects for Tenant Admins and non-admin users and the RBAC setup within
+Palette.
+
+## User Login
+
+For a Tenant admin, the password shall be set upon the initial login. The Tenant admin can add non-admin users. For all
+users, login can be made available using the following options:
+
+- Using Palette credentials on the login page.
+- SSO using Identity Providers that use SAML 2.0:
+  - Azure Active Directory
+  - Okta
+  - Keycloak
+  - OneLogin
+  - Microsoft ADFS
+  - Others
+
+## RBAC
+
+Palette allows the users that have been added to be allowed or restricted access to resources based on the roles set by
+the tenant admin. This Role-Based Access Control is explained in detail on the RBAC
+[page](palette-rbac/palette-rbac.md#permissions).
+
+## Roles and Permissions
+
+The Tenant admin can allow or restrict access of resources to users which can differ as per the scenario. A user can
+have complete access to a specific project but can be restricted access to other projects in which there is no
+involvement. An intermediate stage is also possible where read-only access can be provided in some projects. The Roles
+and Permissions sections on the [RBAC](./palette-rbac/palette-rbac.md) page provide more details on this.
+
+To add a user to a project:
+
+1. Sign in as a Tenant admin and navigate to the **Users and Teams** section of the Tenant settings Menu.
+
+1. Click on the user that you want to enable access to.
+
+1. In the **Role** editor that opens to the side, find the **Project Roles** section and click **Add Role**.
+
+1. Select the required **Project** from the dropdown menu and enable the **Roles** as needed.
+
+## Multi-Organization Support for Users
+
+Palette is incorporating multi-organization support for its users. With this feature, we provide our users with the
+flexibility of having a unique email address ID across multiple organizations. Hence, the users can maintain SSO
+credentials across multiple organizations/tenants.
+
+The key benefits of this feature are:
+
+- The use of a single email address ID across multiple organizations.
+- Within an organization, maintain a unique email ID.
+- In the case of password-based authentication, the same password is applicable across multiple organizations. The
+  change of password, made under a particular organization, is applied across other organizations to maintain a single
+  password across all organizations.
+- The password policy stays independent of organizations/tenants. Each tenant retains individual password policy.
+- For SSO-based authentication, for each organization/tenant, the individual identity provider client application can be
+  configured. Hence, allowing the configuration of a single SSO with multiple identity providers across multiple
+  tenants/organizations mapping each client app to a tenant.
+- However, for self-sign-up, the unique email address ID is enforced across tenants to avoid conflicts.
+- In the Palette console, the users can switch between the organizations/tenants using the Organization drop down menu
+  of the login page.
@@ -31,7 +31,6 @@ The following list contains all the supported Palette CLI subcommands. Click on
 
 - [`validator`](validator.md) - Deploy a kind cluster and install the Validator framework to validate your environment
   is ready for Palette.
-
 - [`vmo`](vmo.md) - Migrate, import and deploy VMs to Palette VMO.
 
 ## Global Flags

@@ -79,10 +79,10 @@ The following sections describe these capabilities in detail:
   displays the location on the UI Map. For private cloud clusters the user can set the location through the Palette UI.
   The user can monitor the location details of all the clusters running under a specific scope.
 
-- [Palette Access Control](cluster-tag-filter/cluster-tag-filter.md) - Palette provides the ability to manage user and
-  role access privileges through tags. This feature helps you reduce the overhead in managing user and role access to
-  clusters by assigning tags. Tags can be used to group clusters, allowing you to apply access controls to the tag
-  rather than to each cluster, user, or role. This reduces the overhead of managing access controls for individual users
-  and clusters.
+- [Palette Access Control](../../user-management/palette-rbac/implement-abac.md) - Palette provides the ability to
+  manage user and role access privileges through tags. This feature helps you reduce the overhead in managing user and
+  role access to clusters by assigning tags. Tags can be used to group clusters, allowing you to apply access controls
+  to the tag rather than to each cluster, user, or role. This reduces the overhead of managing access controls for
+  individual users and clusters.
 
 - [Image Swap](image-swap.md) - Learn how to use image swap capabilities with Palette.