dashboard database user #2275

Merged
merged 2 commits into from
Oct 7, 2023
Expand Up @@ -30,7 +30,7 @@ The `root` user with the **GOD** role can run `CREATE USER` to create a new user
```ngql
CREATE USER [IF NOT EXISTS] <user_name> [WITH PASSWORD '<password>'][WITH IP WHITELIST <ip_list>];
```
- `ip_list`: Sets the IP address whitelist. The user can connect to NebulaGraph only from IP addresses in the list. Use commas to separate multiple IP addresses.
- `ip_list`: Sets the IP address whitelist. Any IP can connect to the database without this option. When this option is used, only IPs in the list can connect to the database. Use commas to separate multiple IP addresses.

{{ ent.ent_end }}

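Review bot: the rewritten `ip_list` bullet now states the default explicitly (no whitelist means no IP restriction), which is the point a reader hardening a deployment needs, but "Any IP can connect to the database without this option" reads as a property of the database rather than of the user being created. Suggest phrasing it per account, e.g. `Without this option, the user can connect from any IP address. With it, the user can connect only from the listed addresses.`, so it is clear that the whitelist is evaluated for that user at login.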
@@ -1,4 +1,4 @@
# Cluster Overview
# Cluster overview

This topic introduces the **Cluster Overview** page of Dashboard, which contains the following parts:

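Review bot: the heading is lowercased to `# Cluster overview` while the next line still refers to the **Cluster Overview** page in bold; if the bold text quotes the UI label as shown in the product that is fine, otherwise align the two. The same pattern appears in the `# Data synchronization` heading change later in this PR.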
@@ -0,0 +1,35 @@
# Database member

Users can manage account permissions for databases within the cluster, including managing database members and authorizing graph space permissions.

!!! note

For managing account privileges in each cluster on the platform, see [Platform member management](../5.account-management.md).

## Entry

1. At the top navigation bar of the Dashboard Enterprise Edition page, click **Cluster Management**.
2. On the right side of the target cluster, click **Detail**.
3. On the left-side navigation bar of the page, click **Database user**.

## Managing database members

1. Select the **Database user** tab.
2. Click **Create database user** and fill in the username, password, and IP whitelist.

!!! note

To create database users in batches, click **Add** in the upper left corner to add a new line of configuration items.

1. Click **Confirm**.

## Authorizing graph space permissions

1. Select the **Authorization** tab.
2. Click **Grant Role** and select the username, the graph space to be authorized, and the role to be authorized. For details on role permissions, see [Roles and privileges](../../7.data-security/1.authentication/3.role-list.md).

!!! note

To authorize in batches, click **Add** in the upper left corner to add a new line of configuration items.

1. Click **Confirm**.
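Review bot: in both procedures the step after the `!!! note` admonition is numbered `1.` (`1. Click **Confirm**.`), so unless the admonition is indented as a continuation of the list, Markdown renders it as a new list starting at 1 rather than as step 3; number it `3.` or indent the note under step 2. Two further points: the page does not say which permissions these tabs need, while the `CREATE USER` hunk above states that the `root` user with the **GOD** role creates users, so state which Dashboard cluster role (`owner`/`operator`) and which database account the cluster must be connected with for user creation and role grants to succeed; and the IP whitelist field in step 2 should link to the `CREATE USER` description so readers know that leaving it empty places no IP restriction on the new user.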
@@ -1,4 +1,4 @@
# Data Synchronization
# Data synchronization

The **Data Synchronization** function of Dashboard Enterprise Edition is used to realize data synchronization between clusters.


This file was deleted.

70 changes: 38 additions & 32 deletions docs-2.0/nebula-dashboard-ent/5.account-management.md
@@ -1,83 +1,89 @@
# Authority management
# Platform member management

You can log into NebulaGraph Dashboard Enterprise Edition with different types of accounts. Different accounts have different permissions. This article introduces account types, roles, and permissions.

!!! note

You need to configure the related protocols before using LDAP accounts or OAuth2.0 accounts. For details, see [Single sign-on](system-settings/single-sign-on.md).
For managing account privileges on databases within a cluster, see [Database member](4.cluster-operator/10.database-user.md).

## Account types

Once you log into Dashboard Enterprise Edition using the initialized account name `nebula` and password `nebula`, you can create different types of accounts: LDAP accounts, OAuth2.0 accounts and general accounts.
Once you log into Dashboard Enterprise Edition using the initialized account name `nebula` and password `nebula`, you can create different types of accounts: general accounts and SSO accounts.

### LDAP accounts
### General accounts

Dashboard Enterprise Edition enables you to log into it with your enterprise account by accessing [LDAP (Lightweight Directory Access Protocol)](https://ldap.com/).
Dashboard Enterprise Edition enables you to create local accounts.

### OAuth2.0 accounts
### SSO accounts

!!! caution
!!! note

The feature is still in beta. It will continue to be optimized.
SSO (Single Sign On) supports LDAP, OAuth2.0 and CAS. You need to configure the related protocols before using it. For details, see [Single sign-on](system-settings/single-sign-on.md).

Dashboard Enterprise Edition enables you to use access_token to authorize the third-party applications to access the protected information based on [OAuth2.0](https://oauth.net/2/).
- LDAP accounts

### General accounts
Dashboard Enterprise Edition enables you to log into it with your enterprise account by accessing [LDAP (Lightweight Directory Access Protocol)](https://ldap.com/).

Dashboard Enterprise Edition enables you to create local accounts.
- OAuth2.0 accounts

## Account roles
!!! caution

You can set different roles for your accounts. Roles are different in permissions. There are two types of account roles in Dashboard Enterprise Edition: system roles (`admin` and `user`) and cluster roles (`owner` and `operator`).
The feature is still in beta. It will continue to be optimized.

The relationship between system roles and cluster roles and their descriptions are as follows.
Dashboard Enterprise Edition enables you to use access_token to authorize the third-party applications to access the protected information based on [OAuth2.0](https://oauth.net/2/).

![roles](https://docs-cdn.nebula-graph.com.cn/figures/ds_roles_en.png)
- accounts

**System roles**:
Dashboard Enterprise Edition enables you to verify your identity based on [CAS (Central Authentication Service)](https://apereo.github.io/cas) 2.0 protocol.

| Roles | Permission | Description |
| ------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| admin | 1. Create accounts.<br>2. Modify the role of an existing account.<br>3. Perform platform settings, system-level alert settings.<br>4. Delete accounts. | 1. There can be multiple `admin` roles, i.e. system administrators.<br/> 2. An `admin` is the `operator` of all clusters by default, i.e. an `admin` can manage all clusters. <br/>3. An `admin` can assign a `user` to be the `operator` of a cluster.<br/>4. Displayed in the cluster member list by default. An `owner` cannot remove an `admin` unless the `admin` is converted to `user`, and the system will automatically remove the `admin` from the cluster member list. |
| user | 1. Has read-only permissions for the system dimension. <br/>2. After an `admin` creates a new account with the `user` role, the `user` account cannot view any clusters if the corresponding cluster is not assigned to the account. <br/>3. Can create clusters and become the `owner` of the clusters. | 1. General role. <br/>2. There can be multiple `user` roles. |
## Account roles

You can set different roles for your accounts. Roles have different permissions. There are two types of account roles in Dashboard Enterprise Edition.

**Cluster roles**:
![roles](https://docs-cdn.nebula-graph.com.cn/figures/eo_dash_role_231007_en.png)

| Roles | Permission | Description |
| ---------- | ------------------------------------------------------------ | ---------------------------------------------------------- |
| `operator` | 1. Scale clusters. <br/>2. Set cluster alerts. <br/>3. Manage cluster nodes.<br/>4. Manage cluster services. | 1. The cluster operator.<br/> 2. There can be multiple `operator` roles in a cluster. |
| `owner` | 1. Have all the permissions of `operator`. <br/>2. Unbind and delete clusters.<br/>3. Add and remove accounts with `operator` roles. <br/>4. Transfer the `owner` role. | 1. The cluster owner. <br/>2. There can only be one `owner` in a cluster. |
- Platform roles: `admin` and `user`.
- The `admin` role is equivalent to the administrator of the platform, who can manage the platform roles of all accounts, and can perform daily operation and maintenance operations on all clusters.
- The `user` role is equivalent to a general user of the platform, who can only manage the clusters that the user has created or been authorized to manage.
- Cluster roles: `owner` and `operator`.
- The `owner` role represents the owner of a cluster, you can authorize other accounts to manage your clusters. You set yourself up as the `owner` when you create a cluster, and you can transfer the `owner` role to other accounts.
- The `operator` role means that you can perform daily operations on the cluster, but you cannot transfer the `owner` role, change the cluster database password, unbind the cluster, and delete the cluster.

## Create accounts

Accounts with `admin` roles can create other accounts. The steps are as follows:

1. At the top navigation bar of the Dashboard Enterprise Edition page, click **Authority**, and click **Create**.
1. At the top navigation bar of the Dashboard Enterprise Edition page, click **Members**, and click **Add**.
2. Select one method and input information to create an account, and click **OK**.

- Invite (LDAP or OAuth2.0 accounts): Set the invitee's account type, enterprise email and role. After the invitee clicks the **Accept** button in the email to activate the account, the invitee needs to click **Login** to automatically jump to the Dashboard Enterprise Edition login page. The invitee can log into Dashboard with his/her enterprise email account and password.
- Invite (LDAP or OAuth2.0 accounts): Set the invitee's account type, enterprise email, role and authorize cluster. After the invitee clicks the **Accept** button in the email to activate the account, the invitee needs to click **Login** to automatically jump to the Dashboard Enterprise Edition login page. The invitee can log into Dashboard with his/her enterprise email account and password.

!!! note

Automatic registration is also supported after LDAP is enabled. When you enter an unregistered account in LDAP mode on the login page, the Dashboard automatically registers the account, but the role permission is `user`.

- Create Account (general accounts): Set the login name, password, and role for the new account. For information about roles, see the above content.
- Create Account (general accounts): Set the login name, password, role and authorize cluster for the new account. For information about roles, see the **Account roles** section above.

## View accounts

The created accounts are displayed on the **Authority** page.

- You can view the username, account type, role, associated cluster, and create time of accounts.

- **Account Type**: Includes **ldap**, **oauth2.0** and **platform**. **platform** is a general account.
- **Role**: Displays the role of an account, including **admin** and **user**. For more information about roles, see the above content.
- **Account Type**: Includes **ldap**, **oauth2.0**, **cas** and **platform**. **platform** is a general account.
- **Role**: Displays the role of an account, including **admin** and **user**. For more information about roles, see the **Account roles** section above.
- **Associated Clusters**: Displays all the clusters that can be operated by an account. If the cluster was created by the account, the associated cluster has the `owner` tag.

- You can search for accounts in the search box, and filter accounts by selecting an associated cluster.

## Other operations

- In the **Action** column on the **Authority** page, click ![alert-edit](https://docs-cdn.nebula-graph.com.cn/figures/alert_edit.png) to edit account information.
Performing the following operations requires the account to have the associated role permissions. For details on roles, see the **Account Roles** section above.

- Edit account

In the **Action** column, click ![alert-edit](https://docs-cdn.nebula-graph.com.cn/figures/alert_edit.png) to edit account information. This includes modifying the account platform role, or authorizing the `operator` role to the account for clusters where you have the `owner` role.

- Delete account

- In the **Action** column on the **Authority** page, click ![alert-delete](https://docs-cdn.nebula-graph.com.cn/figures/alert_delete.png) to delete an account.
In the **Action** column, click ![alert-delete](https://docs-cdn.nebula-graph.com.cn/figures/alert_delete.png) to delete an account. Accounts without the `owner` role can be deleted.
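Review bot: the third SSO bullet reads `- accounts` and is missing its type; given the CAS description that follows, it should be `- CAS accounts`. Also, the create-accounts step renames the navigation entry to **Members**, but `The created accounts are displayed on the **Authority** page.` in the view-accounts section is unchanged, so that reference is now stale. Smaller wording points: in `cannot transfer the `owner` role, change the cluster database password, unbind the cluster, and delete the cluster` use `or` rather than `and`, since each action is individually prohibited; `The `owner` role represents the owner of a cluster, you can authorize` is a comma splice; and the closing `Accounts without the `owner` role can be deleted.` would be clearer stated as the restriction it implies (an account that is `owner` of a cluster cannot be deleted until that role is transferred, using the transfer option described under cluster roles).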
25 changes: 23 additions & 2 deletions docs-2.0/nebula-dashboard-ent/system-settings/single-sign-on.md
@@ -1,11 +1,11 @@
# Single sign-on

NebulaGraph Dashboard Enterprise Edition supports general accounts, LDAP accounts, and OAuth2.0 accounts. This article introduces how to configure the protocols of LDAP and OAuth2.0.
NebulaGraph Dashboard Enterprise Edition supports general accounts, LDAP accounts, OAuth2.0 accounts, and CAS accounts. This article introduces how to configure the protocols of LDAP, OAuth2.0 and CAS.

!!! note

- After the configuration is complete, you can create the account and activate the invitation. For details,see [Authority management](../5.account-management.md).
- You can quickly switch on or off LDAP or OAuth2.0 in the left navigation bar.
- You can quickly switch on or off a login method in the left navigation bar.

## LDAP configuration

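Review bot: the note still links to `[Authority management](../5.account-management.md)` although this PR renames that page to **Platform member management**; update the link text so it matches the new title. Also `For details,see` is missing the space after the comma.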
Expand Down Expand Up @@ -61,3 +61,24 @@ After LDAP is enabled, you can register an LDAP account in two ways:
### Instruction

After OAuth2.0 is enabled, you can invite others to register by [email](../5.account-management.md).

## CAS configuration

### Entry

1. At the top navigation bar of the Dashboard Enterprise Edition page, click **System Settings**.
2. On the left-side navigation bar of the page, click **Single Sign-on**->**CAS**.

### Configuration description

|Parameter|Example|Description|
|:--|:--|:--|
|`CAS server address` | `https://192.168.8.100:8080/cas`| CAS server address. |
|`Organization` | `yueshu` | The name of the organization displayed on the login page. |

### Instruction

After enabling CAS, select SSO login on the login page.

- If the login ticket is already saved in the browser cache, you can login NebulaGraph Dashboard Enterprise Edition directly.
- If there is no login ticket in the browser cache, it will jump to the central server for login verification.
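Review bot: the login description in the CAS instruction section is imprecise: `login ticket is already saved in the browser cache` and `it will jump to the central server` should say that the browser is redirected to the CAS server at the configured `CAS server address` for authentication when no existing CAS session is found, and `you can login` should read `you can log in`. The account-types page in this PR states that CAS 2.0 is supported, so name the protocol version here as well so both pages agree.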
4 changes: 2 additions & 2 deletions mkdocs.yml
Expand Up @@ -616,7 +616,6 @@ nav:
# - Scale: nebula-dashboard-ent/4.cluster-operator/operator/scale.md
# - Service: nebula-dashboard-ent/4.cluster-operator/operator/service.md
# - Config Management: nebula-dashboard-ent/4.cluster-operator/operator/config-management.md
# - Member management: nebula-dashboard-ent/4.cluster-operator/operator/member-management.md
# - Version upgrade: nebula-dashboard-ent/4.cluster-operator/operator/version-upgrade.md
# - Backup and restore: nebula-dashboard-ent/4.cluster-operator/operator/backup-and-restore.md
# - Analysis:
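Review bot: removing the `operator/member-management.md` nav entry matches the file deletion earlier in this PR; confirm that no remaining page still links to that path, since the new cross-references point at `4.cluster-operator/10.database-user.md` and `5.account-management.md` instead.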
Expand All @@ -628,10 +627,11 @@ nav:
# - Audit log: nebula-dashboard-ent/4.cluster-operator/cluster-information/audit-log.md
# - Runtime log: nebula-dashboard-ent/4.cluster-operator/cluster-information/runtime-log.md
# - Notification: nebula-dashboard-ent/4.cluster-operator/9.notification.md
# - Database user: nebula-dashboard-ent/4.cluster-operator/10.database-user.md
# - Data Synchronization: nebula-dashboard-ent/4.cluster-operator/7.data-synchronization.md
# - Operation records: nebula-dashboard-ent/4.cluster-operator/5.operation-record.md
# - Other settings: nebula-dashboard-ent/4.cluster-operator/6.settings.md
# - Authority management: nebula-dashboard-ent/5.account-management.md
# - Platform member management: nebula-dashboard-ent/5.account-management.md
# - Task center: nebula-dashboard-ent/10.tasks.md
# - NebulaGraph Dashboard Enterprise Edition LM: nebula-dashboard-ent/11.license-manager.md
# - System settings:
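Review bot: the new nav label is `Database user` while the page it points to is titled `# Database member` and is linked as `[Database member]` from the platform member page; pick one name for all three places. The renamed `Platform member management` entry is consistent with the new page title.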