From cb0685138a5ce0520884d93ee381a05ec9db29a4 Mon Sep 17 00:00:00 2001 From: Katrina Prosise Date: Mon, 18 Nov 2024 09:43:27 -0500 Subject: [PATCH] Clarify device group read-only permission The documentation was reworded. The changes should help clarify that members with read-only permission can still view other groups and devices. QA: Viewed rendered html, edited with linter plugin. Ran linkcheck. This commit addresses ticket FFTK-3602, "clarify device group read permission details" Signed-off-by: Katrina Prosise --- .../account-management/team-based-access.rst | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/source/user-guide/account-management/team-based-access.rst b/source/user-guide/account-management/team-based-access.rst index e370e330..a014bc13 100644 --- a/source/user-guide/account-management/team-based-access.rst +++ b/source/user-guide/account-management/team-based-access.rst @@ -77,15 +77,15 @@ The member then has a combined list of scopes: * From read-only-users: - * ci:read - * source:read - * devices:read - * targets:read - * containers:read + * ``ci:read`` + * ``source:read`` + * ``devices:read`` + * ``targets:read`` + * ``containers:read`` * From read-write-ci - * ci:read-update + * ``ci:read-update`` The user now has read **and** write (update) access to the CI, while retaining the read-only scopes for the other resources. @@ -95,6 +95,7 @@ while retaining the read-only scopes for the other resources. Team Based Access to Device Groups ---------------------------------- + By default, a user can access: 1. device groups they created, 
@@ -104,19 +105,19 @@ By default, a user can access: A factory admin can grant a user access to any device groups. To do so, an admin should: - 1. add a user to a team if is not a team member yet; + 1. add a user to a team if they are not yet a team member; 2. add a device group to the team; - 3. set ``devices:*`` scopes for the team. + 3. set the ``devices:*`` scopes for the team. -As a result, the user will get a permission to perform the set actions over the group and its devices. +As a result, the user will get permission to perform the set actions over the group and its devices. .. note:: - The ``devices:*`` scopes determine actions team members can perform over device groups and their devices. + The ``devices:*`` scopes determine the actions team members can perform over device groups and their devices. - * ``devices:read`` - view device/group details and its configuration. - * ``devices:read-update`` - view and modify device/group details and its configuration, including config file deletion. - * ``devices:delete`` - delete device/group. + * ``devices:read`` - permission to view the details and configuration of a device/group. + * ``devices:read-update`` - permission to modify device/group details and configuration, including config file deletion. + * ``devices:delete`` - Ability to delete device/group. See :ref:`API Scopes ` for more details on the scopes. 
@@ -125,15 +126,15 @@ Example A Factory has two teams in place and one device group, ``test-lab-devices``. -Members of the "read-only-users" team have read-only access to all factory resources with one exception—device groups and devices. -They can see only the ``test-lab-devices`` group and devices included into it. +Members of the "read-only-users" team have read-only access to all factory resources. +They can only *see* the ``test-lab-devices`` group and devices included into it, they can not make any modifications. .. figure:: /_static/userguide/account-management/team-with-group-and-read-access.png :align: center :alt: "read-only-users" scopes: read-only team with a device group The "lab-dev-users" team includes ``devices:read-update`` scope. -Therefore, members of this team can modify the ``test-lab-devices`` group and its devices. +Therefore, members of this team can *modify* the ``test-lab-devices`` group and its devices. .. figure:: /_static/userguide/account-management/team-with-group-and-write-access.png :align: center
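Review bot: In the first hunk (@@ -77,15 +77,15 @@), the scope names are now literals but the two list headers around them are still inconsistent: "From read-only-users:" ends with a colon and "From read-write-ci" does not, and neither team name is marked up, while the Example section further down quotes the team name as "read-only-users". Since these lines are already being touched, add the missing colon and pick one style for team names across the page.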
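Review bot: In the second hunk (@@ -104,19 +105,19 @@), the new ``devices:read-update`` description drops "view": the old text read "view and modify device/group details", the new text reads "permission to modify device/group details and configuration". A reader assigning scopes can no longer tell from this note that read-update also covers read, which the scope name and the earlier "read **and** write (update)" sentence both imply. Suggest "permission to view and modify ...". The ``devices:delete`` line is also out of step with the other two: it starts with a capitalised "Ability to" and has no trailing period, where the others use "permission to ..." and end with one.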
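Review bot: In the third hunk (@@ -125,15 +126,15 @@), the rewritten sentence "They can only *see* the ``test-lab-devices`` group and devices included into it, they can not make any modifications." can still be read as limiting visibility to that one group, which is the misreading the commit message says it wants to remove ("members with read-only permission can still view other groups and devices"). The removed "with one exception" clause was the only statement about scope of visibility, and nothing replaces it. Suggest stating the access boundary explicitly, for example one sentence on which groups and devices these members can view and a second saying that none of them can be modified with ``devices:read``. The sentence is also a comma splice, and "can not" and "included into it" should be "cannot" and "included in it".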