docs(authz): authorization webhook documentation#1974
Merged
Conversation
4 tasks
github-actions
Bot
added
size/L
documentation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds user-facing documentation for Greenhouse’s authorization webhook (support-group-scoped access control), and links it from related RBAC/Teams/Ownership docs to help users configure greenhouse.sap/owned-by correctly and troubleshoot access issues.
Changes:
- Adds a new documentation page describing the authorization webhook’s purpose, identity resolution, configuration steps, and troubleshooting.
- Links the new page from the Ownership guide and the Teams core-concepts page.
- Adds a cross-reference from the Team RBAC (remote clusters) guide to the authorization webhook docs for central Greenhouse resources.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| docs/user-guides/team/rbac.md | Adds a “Related” section pointing readers to the authorization webhook docs for central-cluster Greenhouse resources. |
| docs/getting-started/operations/ownership.md | Connects ownership labeling to authorization-webhook behavior via a new explanatory sentence/link. |
| docs/getting-started/operations/authorization-webhook.md | Introduces the new end-user documentation page for the authorization webhook (overview, how it works, setup, troubleshooting). |
| docs/getting-started/core-concepts/teams.md | Adds a short note linking support-groups to authorization-webhook enforcement. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
this documentation shows up at top level -
Who is the audience this documentation is being targeted? because authz is mentioned across 3 different sections, describing everything from "How it works?", to debugging. But has no section to say how to install this in our installation guide.
Should we focus on end-user documentation first and then slowly bring in the rest?
What I mean is condense the documentation to customer / end user focus -
Fine grained access on team owned resources? put under user guide?
- How to work with resources using an SA
- How to work with resources as a team user
etc. what are your thoughts @Zaggy21
Contributor
Author
|
@abhijith-darshan You're right. I've split the docs for different audiences and added installation section (based on authz chart readme; fixed some links) - should I include the AuthorizationConfiguration here as well? |
Contributor
Let’s Skip the installation docs for now as it should be handled in #1864 Let’s focus on one section for Team / end user docs so that they understand elevated authorization to interact with greenhouse resources owned by a team. i would recommend to put it under team management as a separate section. Does that sound good? @Zaggy21 |
abhijith-darshan
requested changes
May 25, 2026
abhijith-darshan
approved these changes
May 26, 2026
abhijith-darshan
force-pushed
the
feat/authorization-webhook-documentation
branch
from
56ffc6b to
0c7179d
Compare
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
… guide and team user guide On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
…authz install section On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
Zaggy21
force-pushed
the
feat/authorization-webhook-documentation
branch
from
0c7179d to
2b6e642
Compare
k-fabryczny
pushed a commit
that referenced
this pull request
May 29, 2026
* add documentation for authorization webhook On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: clarify authz webhook scope and RBAC interaction On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: scope webhook capabilities and add SA creation prerequisites On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: reconcile support-group multiplicity with teams docs On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: restructure authorization webhook docs by audience, add install guide and team user guide On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs(authz): split team-owned resources into dedicated guide, remove authz install section On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change remaining reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> --------- Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
k-fabryczny
pushed a commit
that referenced
this pull request
May 29, 2026
* add documentation for authorization webhook On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: clarify authz webhook scope and RBAC interaction On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: scope webhook capabilities and add SA creation prerequisites On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: reconcile support-group multiplicity with teams docs On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: restructure authorization webhook docs by audience, add install guide and team user guide On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs(authz): split team-owned resources into dedicated guide, remove authz install section On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change remaining reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> --------- Signed-off-by: Zaggy21 <k.zaggy@gmail.com> Signed-off-by: Klaudiusz Fabryczny <klaudiusz.fabryczny@sap.com>
k-fabryczny
pushed a commit
that referenced
this pull request
May 29, 2026
* add documentation for authorization webhook On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: clarify authz webhook scope and RBAC interaction On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: scope webhook capabilities and add SA creation prerequisites On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: reconcile support-group multiplicity with teams docs On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: restructure authorization webhook docs by audience, add install guide and team user guide On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs(authz): split team-owned resources into dedicated guide, remove authz install section On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change remaining reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> --------- Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
k-fabryczny
pushed a commit
that referenced
this pull request
May 29, 2026
* add documentation for authorization webhook On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: clarify authz webhook scope and RBAC interaction On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: scope webhook capabilities and add SA creation prerequisites On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: reconcile support-group multiplicity with teams docs On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs: restructure authorization webhook docs by audience, add install guide and team user guide On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * docs(authz): split team-owned resources into dedicated guide, remove authz install section On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> * fix(docs): change remaining reversed to HA VPN tunnel On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com> --------- Signed-off-by: Zaggy21 <k.zaggy@gmail.com> Signed-off-by: Klaudiusz Fabryczny <klaudiusz.fabryczny@sap.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds user-facing documentation for the authorization webhook component, explaining how support-group-scoped access control works and how to properly configure resource ownership.
What type of PR is this? (check all applicable)
Related Tickets & Documents
Added tests?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Added to documentation?
Checklist