From 23ebb6136102150246eba9ca46583d3faf5b51d6 Mon Sep 17 00:00:00 2001
From: Igor Lukanin <igor@cube.dev>
Date: Thu, 6 Mar 2025 16:39:21 +0100
Subject: [PATCH 1/3] Edits

---
 .../product/workspace/access-control.mdx      | 59 +++++++++++++------
 1 file changed, 42 insertions(+), 17 deletions(-)

diff --git a/docs/pages/product/workspace/access-control.mdx b/docs/pages/product/workspace/access-control.mdx
index 92e96785ae6c5..335f74df5eb85 100644
--- a/docs/pages/product/workspace/access-control.mdx
+++ b/docs/pages/product/workspace/access-control.mdx
@@ -1,12 +1,7 @@
----
-redirect_from:
-  - /cloud/access-control/
----
-
 # Access Control
 
-As an account administrator, you can define roles with specific permissions for
-resources and apply those roles to users within the account.
+As a Cube Cloud account administrator, you can define roles with specific permissions
+for Cube Cloud resources and apply those roles to users within the account.
 
 <SuccessBox>
 
@@ -15,25 +10,55 @@ Access control is available in Cube Cloud on
 
 </SuccessBox>
 
-## List all roles
+## Managing accounts
+
+Account administrators have ultimate control over the Cube Cloud account, including
+[managing roles](#managing-roles) and assigning them to users.
+
+You can see which users are account administrators on the <Btn>Members</Btn> tab of the
+<Btn>Team & Security</Btn> page in your Cube Cloud. Account administrators have the
+<Btn>Admin</Btn> toggle enabled next to their name.
+
+## Managing roles
+
+In Cube Cloud, users are not assigned permissions directly. Instead, they are assigned
+_roles_ that are associated with _policies_. Each policy define what _actions_ they can
+perform and on what _resources_ they can perform those actions. This approach makes it
+easier to manage permissions at scale.
+
+Each role can be associated with one or more of the following policies:
+
+| Policy | Description |
+| --- | --- |
+| **Global** | Controls account-level functionality, e.g., as Billing. |
+| **Deployment** | Controls deployment-level functionality, e.g., as Playground. |
+| **Report** | Controls access to specific reports in Saved Reports. |
+| **ReportFolder** | Controls access to specific folders in Saved Reports. |
+
+Each policy can apply to _all resources_ or _specific resources_. For example, a policy
+could apply to all deployments or only to a specific deployment.
+
+Also, each policy can have _all actions_ or only _specific actions_ associated with it.
+For example, a policy could allow a user to view, create, or delete one or more
+deployments if it's associated with those specific actions.
+
+
 
-To see a list of roles in your account, first go to the Team settings page by
-clicking on your avatar in the top right corner, then clicking on the "Team"
-button.
+### Browsing roles
 
-On the Team settings page, click the "Roles" tab to see all the roles in your
-account:
+To see a list of roles, go to the <Btn>Team & Security</Btn> page in your Cube Cloud
+account, then navigate to the <Btn>Roles</Btn> tab:
 
 <Screenshot
   alt="Cube Cloud Team Roles tab"
   src="https://ucarecdn.com/476cb30f-4939-41a8-a399-53d4f8a47dee/"
 />
 
-## Create a role
+### Creating a role
 
-To create a new role, click the "Add Role" button. Enter a name and optional
-description for the role, then click "Add Policy" and select either "Deployment"
-or "Global" for this policy's scope.
+To create a new role, click the <Btn>Add Role</Btn> button. Enter a name and an optional
+description for the role, then click <Btn>Add Policy</Btn> and select either <Btn>Deployment</Btn>
+or <Btn>Global</Btn> for this policy's scope.
 
 Deployment policies apply to deployment-level functionality, such as the
 Playground and Data Model editor. Global policies apply to account-level

From ca4e4c9b4e3cf4d6d7c5fa5f0f08945b514f03ef Mon Sep 17 00:00:00 2001
From: Igor Lukanin <igor@cube.dev>
Date: Fri, 7 Mar 2025 16:15:12 +0100
Subject: [PATCH 2/3] docs: Add actions to Access Control

---
 .../product/workspace/access-control.mdx      | 62 +++++++++++++++++--
 1 file changed, 57 insertions(+), 5 deletions(-)

diff --git a/docs/pages/product/workspace/access-control.mdx b/docs/pages/product/workspace/access-control.mdx
index 335f74df5eb85..38bb75ca0ee79 100644
--- a/docs/pages/product/workspace/access-control.mdx
+++ b/docs/pages/product/workspace/access-control.mdx
@@ -10,6 +10,10 @@ Access control is available in Cube Cloud on
 
 </SuccessBox>
 
+You can [manage accounts](#managing-accounts) as an account administrator,
+[manage roles](#managing-roles), [assign them](#assigning-roles-to-users) to users,
+and associate [supported actions](#actions) with those roles.
+
 ## Managing accounts
 
 Account administrators have ultimate control over the Cube Cloud account, including
@@ -30,10 +34,10 @@ Each role can be associated with one or more of the following policies:
 
 | Policy | Description |
 | --- | --- |
-| **Global** | Controls account-level functionality, e.g., as Billing. |
-| **Deployment** | Controls deployment-level functionality, e.g., as Playground. |
-| **Report** | Controls access to specific reports in Saved Reports. |
-| **ReportFolder** | Controls access to specific folders in Saved Reports. |
+| `Global` | Controls account-level functionality, e.g., as Billing. |
+| `Deployment` | Controls deployment-level functionality, e.g., as Playground. |
+| `Report` | Controls access to specific reports in Saved Reports. |
+| `ReportFolder` | Controls access to specific folders in Saved Reports. |
 
 Each policy can apply to _all resources_ or _specific resources_. For example, a policy
 could apply to all deployments or only to a specific deployment.
@@ -42,7 +46,7 @@ Also, each policy can have _all actions_ or only _specific actions_ associated w
 For example, a policy could allow a user to view, create, or delete one or more
 deployments if it's associated with those specific actions.
 
-
+See [actions reference](#actions) for a list of available actions.
 
 ### Browsing roles
 
@@ -88,3 +92,51 @@ Existing users' roles can be modified from the "Members" tab on the Team page:
   alt="Cube Cloud Team Roles tab"
   src="https://ucarecdn.com/a72cad30-487b-484a-b557-0f0e157c89b1/"
 />
+
+## Actions
+
+Policies can have the following actions associated with them.
+
+Actions for the `Global` policy:
+
+| Action | Description |
+| --- | --- |
+| `Alerts Access`<br/>`Alerts Create`<br/>`Alerts Edit`<br/>`Alerts Delete` | View, create, edit, and delete [budgets][ref-budgets]. |
+| `Billing Access` | Access the billing data of the Cube Cloud account. |
+| `Deployment Manage` | Create and delete deployments in the Cube Cloud account. |
+
+Actions for the `Deployment` policy:
+
+| Action | Description |
+| --- | --- |
+| `Deployment View`<br/>`Deployment Edit` | Access the deployment, change its settings. |
+| `Playground Access` | Use [Playground][ref-playground]. |
+| `Data Model View` | View the source code in the [data model][ref-data-model] editor, use [Visual Model][ref-visual-model]. |
+| `Data Model Edit (all branches)`<br/>`Data Model Edit (dev branches only)` | Use the [development mode][ref-dev-mode], edit the data model, perform Git operations (e.g., commit, pull, push). |
+| `Queries & Metrics Access` | Use [Query History][ref-query-history] and [Performance Insights][ref-perf-insights]. |
+| `SQL Runner Access` | Use [SQL Runner][ref-sql-runner]. |
+| `Data Assets Access` | Use [Semantic Catalog][ref-semantic-catalog] and [AI Assistant][ref-ai-assistant]. |
+
+Actions for the `Report` policy:
+
+| Action | Description |
+| --- | --- |
+| `ReportRead`<br/>`ReportManage` | View and create/delete reports. |
+
+Actions for the `ReportFolder` policy:
+
+| Action | Description |
+| --- | --- |
+| `ReportRead`<br/>`ReportManage` | View and create/delete report folders. |
+
+
+[ref-budgets]: /product/workspace/budgets
+[ref-playground]: /product/workspace/playground
+[ref-data-model]: /product/workspace/data-model
+[ref-visual-model]: /product/workspace/visual-model
+[ref-dev-mode]: /product/workspace/dev-mode
+[ref-query-history]: /product/workspace/query-history
+[ref-perf-insights]: /product/workspace/performance
+[ref-sql-runner]: /product/workspace/sql-runner
+[ref-semantic-catalog]: /product/workspace/semantic-catalog
+[ref-ai-assistant]: /product/workspace/ai-assistant
\ No newline at end of file

From 77620fdd933bd0e24e2afaa5ad7846f8f2f68efb Mon Sep 17 00:00:00 2001
From: Igor Lukanin <igor@cube.dev>
Date: Fri, 7 Mar 2025 18:19:40 +0100
Subject: [PATCH 3/3] Fix

---
 docs/pages/product/workspace/access-control.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/pages/product/workspace/access-control.mdx b/docs/pages/product/workspace/access-control.mdx
index 38bb75ca0ee79..ef06077aa6e96 100644
--- a/docs/pages/product/workspace/access-control.mdx
+++ b/docs/pages/product/workspace/access-control.mdx
@@ -121,13 +121,13 @@ Actions for the `Report` policy:
 
 | Action | Description |
 | --- | --- |
-| `ReportRead`<br/>`ReportManage` | View and create/delete reports. |
+| `Report Read`<br/>`Report Manage` | View and create/delete reports. |
 
 Actions for the `ReportFolder` policy:
 
 | Action | Description |
 | --- | --- |
-| `ReportRead`<br/>`ReportManage` | View and create/delete report folders. |
+| `Report Read`<br/>`Report Manage` | View and create/delete report folders. |
 
 
 [ref-budgets]: /product/workspace/budgets