Merge pull request layer5io#38 from layer5io/theBeginner86/chore/4

leecalcote · web-flow · commit 43d9ab812e74 · 2023-11-03T08:17:19.000-05:00
[Roles] Docs
diff --git a/content/en/cloud/security/roles.md b/content/en/cloud/security/roles.md
@@ -1,11 +1,12 @@
 ---
 title: Roles
 description: >
-  A short lead description about this content page. It can be **bold** or _italic_ and can be split over multiple paragraphs.
+  Roles map permissions to users. Roles contain any number of keychains, which contain any number of keys (permissions). Assign roles to users to grant permissions. 
 date: 2023-10-30
 categories: [Security]
 tags: [roles, permissions]
 ---
+Roles map permissions to users. Roles contain any number of keychains, which contain any number of keys (permissions). Assign roles to users to grant permissions.
 
 ## Provider Admin Role
 
@@ -22,22 +23,141 @@ tags: [roles, permissions]
 - Applicable to platform engineering team and on-prem users.
 
 **Who can assign this role?**
+
 - Provider Admins
 
 **When this role first assigned?**
+
 - On ☁️ boot-up (using build args)
 
 **How many instances of these roles?**
+
 - Min: 1, Max: many (based on plan)
 
 **Who can remove assignment of this role?**
+
 - Provider Admins
 
 **What permissions does this role have?**
+
 - Can perform CRUD on all resources
+
+{{% /card %}}
+{{< /cardpane >}}
+
+## Organization Roles
+
+{{< cardpane >}}
+{{% card header="Organization Adminstrator" %}}
+
+**What is the purpose of this role?**
+
+- Administration of an organization
+
+**Who can assign this role?**
+
+- The Organization Owner
+
+**When this role first assigned?**
+
+- Creation of new organization or User Account creation
+
+**How many instances of these roles?**
+
+- Min: 1, Max: many (based on plan)
+- By default, the first Organization Admin is the owner (the creator of the organization).
+
+**Who can remove assignment of this role?**
+
+- Organization Owner
+
+{{% /card %}}
+{{% card header="Organization Billing Manager" %}}
+
+**What is the purpose of this role?**
+
+- Administration of subscriptions, plans, payments, billing methods and information, spending limits, invoice mgmt etc.
+
+**Who can assign this role?**
+
+- Organization Owner
+
+**When this role first assigned?**
+
+- Manually by Organization Owner
+
+**How many instances of these roles?**
+
+- Min: 0, Max: many
+
+**Who can remove assignment of this role?**
+
+- Organization Owner
+
+{{% /card %}}
+{{< /cardpane >}}
+
+{{< alert title="Organization owners as entitlements" >}}
+It's essential to understand that owners are not roles, but entitlements.
+
+Organization owners carry the organization administrator role, and may be joined in their organization administration duties by any number of other users carrying the organization administrator role. However, the organization owner also has the administrative privilege to delete the organization.
+
+The entitlement of "organization owner" is automatically bestowed to the creator of a organization. The individual user who created a given organization initially is therefore granted certain administrative privileges beyond that of other organization administrators. Specifically, organization owners retain the sole permission to delete the organization.
+
+For more information, see [Organization](/cloud/identity/organizations).
+{{< /alert >}}
+
+## Team Roles
+
+{{< cardpane >}}
+{{% card header="Team Adminstrator" %}}
+**What is the purpose of this role?**
+
+- Administration of teams
+
+**Who can assign and unassign this role?**
+
+- Organization Administrator or Team owner
+
+**When this role first assigned?**
+
+- Creation of new team or User Account creation
+- By default, the first Team Admin is owner (the team creator)
+
+**How many instances of these roles?**
+Min: 1, Max: many
+
+{{% /card %}}
+{{% card header="Team Manager" %}}
+**What is the purpose of this role?**
+
+- Administration of teams (without delete access)
+
+**Who can assign and unassign this role?**
+
+- Organization Administrators or Team Owner
+
+**When this role first assigned?**
+
+- Manually by Organization Administrator or Team Owner
+
+**How many instances of these roles?**
+
+- Min: 0, Max: many
 {{% /card %}}
 {{< /cardpane >}}
 
+{{< alert title="Owners as entitlements, not roles" >}}
+It's essential to understand that owners are not roles, but entitlements.
+
+Team owners carry the team administrator role, and may be joined in their team administration duties by any number of other users carrying the team administrator role. However, the team owner also has the administrative privilege to delete the team.
+
+The entitlement of "team owner" is automatically bestowed to the creator of a team. The individual user who created a given team initially is therefore granted certain administrative privileges beyond that of other team administrators. Specifically, team owners retain the sole permission to delete the team.
+
+For more information, see [Teams](/cloud/identity/teams).
+{{< /alert >}}
+
+
 <!-- Text can be **bold**, _italic_, or ~~strikethrough~~. [Links](https://gohugo.io) should be blue with no underlines (unless hovered over).
 
 There should be whitespace between paragraphs. Vape migas chillwave sriracha poutine try-hard distillery. Tattooed shabby chic small batch, pabst art party heirloom letterpress air plant pop-up. Sustainable chia skateboard art party banjo cardigan normcore affogato vexillologist quinoa meggings man bun master cleanse shoreditch readymade. Yuccie prism four dollar toast tbh cardigan iPhone, tumblr listicle live-edge VHS. Pug lyft normcore hot chicken biodiesel, actually keffiyeh thundercats photo booth pour-over twee fam food truck microdosing banh mi. Vice activated charcoal raclette unicorn live-edge post-ironic. Heirloom vexillologist coloring book, beard deep v letterpress echo park humblebrag tilde.
