Clarify device group read-only permission

The documentation was reworded. The changes should help clarify that members with read-only permission can still view other groups and devices. QA: Viewed rendered html, edited with linter plugin. Ran linkcheck. This commit addresses ticket FFTK-3602, "clarify device group read permission details" Signed-off-by: Katrina Prosise <[email protected]>
foundriesio · Nov 18, 2024 · cb06851 · cb06851
1 parent 68e2b44
commit cb06851
Showing 1 changed file with 17 additions and 16 deletions.
diff --git a/source/user-guide/account-management/team-based-access.rst b/source/user-guide/account-management/team-based-access.rst
@@ -77,15 +77,15 @@ The member then has a combined list of scopes:
 
  * From read-only-users:
 
-   * ci:read
-   * source:read
-   * devices:read
-   * targets:read
-   * containers:read
+   * ``ci:read``
+   * ``source:read``
+   * ``devices:read``
+   * ``targets:read``
+   * ``containers:read``
 
  * From read-write-ci
 
-   * ci:read-update
+   * ``ci:read-update``
 
 The user now has read **and** write (update) access to the CI,
 while retaining the read-only scopes for the other resources.
@@ -95,6 +95,7 @@ while retaining the read-only scopes for the other resources.
 
 Team Based Access to Device Groups
 ----------------------------------
+
 By default, a user can access:
 
     1. device groups they created,
@@ -104,19 +105,19 @@ By default, a user can access:
 A factory admin can grant a user access to any device groups.
 To do so, an admin should:
 
-    1. add a user to a team if is not a team member yet;
+    1. add a user to a team if they are not yet a team member;
     2. add a device group to the team;
-    3. set ``devices:*`` scopes for the team.
+    3. set the ``devices:*`` scopes for the team.
 
-As a result, the user will get a permission to perform the set actions over the group and its devices.
+As a result, the user will get permission to perform the set actions over the group and its devices.
 
 .. note::
 
-    The ``devices:*`` scopes determine actions team members can perform over device groups and their devices.
+    The ``devices:*`` scopes determine the actions team members can perform over device groups and their devices.
 
-    *  ``devices:read`` - view device/group details and its configuration.
-    *  ``devices:read-update`` - view and modify device/group details and its configuration, including config file deletion.
-    *  ``devices:delete`` - delete device/group.
+    *  ``devices:read`` - permission to view the details and configuration of a device/group.
+    *  ``devices:read-update`` - permission to modify device/group details and configuration, including config file deletion.
+    *  ``devices:delete`` - Ability to delete device/group.
 
     See :ref:`API Scopes <ref-scopes>` for more details on the scopes.
 
@@ -125,15 +126,15 @@ Example
 
 A Factory has two teams in place and one device group, ``test-lab-devices``.
 
-Members of the "read-only-users" team have read-only access to all factory resources with one exception—device groups and devices.
-They can see only the ``test-lab-devices`` group and devices included into it.
+Members of the "read-only-users" team have read-only access to all factory resources.
+They can only *see* the ``test-lab-devices`` group and devices included into it, they can not make any modifications.
 
 .. figure:: /_static/userguide/account-management/team-with-group-and-read-access.png
    :align: center
    :alt: "read-only-users" scopes: read-only team with a device group
 
 The "lab-dev-users" team includes ``devices:read-update`` scope.
-Therefore, members of this team can modify the ``test-lab-devices`` group and its devices.
+Therefore, members of this team can *modify* the ``test-lab-devices`` group and its devices.
 
 .. figure:: /_static/userguide/account-management/team-with-group-and-write-access.png
    :align: center