eclipse-che · themr0c · Jul 2, 2020 · Jul 1, 2020 · Jul 1, 2020 · Jul 2, 2020
diff --git a/src/main/pages/che-7/administration-guide/assembly_authenticating-users.adoc b/src/main/pages/che-7/administration-guide/assembly_authenticating-users.adoc
@@ -24,6 +24,10 @@ All authentication types use the link:https://jwt.io/introduction/[JWT open stan
 
 Authentication in workspaces implies the issuance of self-signed per-workspace JWT tokens and their verification on a dedicated service based on link:https://github.com/eclipse/che-jwtproxy/[JWTProxy].
 
+ifeval::["{project-context}" == "che"]
+include::con_authentication-modes.adoc[leveloffset=+1]
+endif::[]
+
 include::assembly_authenticating-to-the-che-server.adoc[leveloffset=+1]
 
 include::assembly_authenticating-in-a-che-workspace.adoc[leveloffset=+1]

diff --git a/src/main/pages/che-7/administration-guide/con_authentication-modes.adoc b/src/main/pages/che-7/administration-guide/con_authentication-modes.adoc
@@ -0,0 +1,58 @@
+// authenticating-users
+
+[id="authentication-modes_{context}"]
+= Authentication modes
+
+{prod-short} supports `multiuser` and `singleuser` mode.
+
+.Single-user mode
+`singleuser` mode is a mode that requires no authentication and anyone can access all cluster resources. In `singleuser` mode server performs all operations as the predefined user, regardless of who accesses the server. Therefore, this mode is suitable only for use in a private instance for testing product possibilities and configurations.
+
+* H2 database is used. 
+
+If {prod-short} is deployed in `singleuser` mode then there is no authentication and anyone who can access the URL of the {prod-short} deployment sees all workspaces and owns all resources. Since the deployment in this mode has fewer containers, RAM and CPU usage requirements are decreased. This mode is useful if the whole {prod-short} deployment is used by a single person or for lowering resources which are used for {prod-short} itself, but since the server does not authenticate, actions of several users logged in the same workspace can easily interfere with each other.
+
+Usually, in `singleuser` mode {prod-short} has protection by third party services such as `haproxy` and `nginix`, but it is the responsibility of the user to configure them.
+
+.Multi-user mod 
+`multiuser` mode is the default mode for {prod-short} that requires user authentication and offers isolated workspaces and their resources. In multi-user mode workspaces are used in the scope of registered users and workspace definitions, the devfiles of particular workspaces, can be shared and reused between many users.
+
+* {identity-provider} is used to authenticate users.
+* PostgreSQL database is used. 
+
+["changing-the-authentication-mode_{context}"]
+== Changing the authentication mode
+
+By default, the Che operator deploys {prod-short} in `multiuser` mode. To change that: 
+
+. Update the Che custom resource (CR) `CHE_MULTIUSER` property to `false`:
++
+[source, yaml]
+----
+spec:
+ server:
+   customCheProperties:
+      CHE_MULTIUSER: "false"
+----
+
+If {prod-short} is deployed via Helm installer, it defaults to `singleuser` mode. 
+
+** To deploy {prod-short} in `multiuser` mode with Helm installer:
+
+. Set the `multiuser` Helm chart field to `true`:
++
+----
+$ helm upgrade --install che --force --namespace che --set global.cheDomain=__<Che-domain-address>__  -f multi-user.yaml
+----
+
+** To deploy {prod-short} in `multiuser` mode with {prod-cli}:
+
+. Use `--multiuser` flag, or `-m` option to `chectl server:start` command:
++
+----
+$ chectl server:start --platfrom=minikube --installer=helm --multiuser
+----
+
+////
+.Additional resources
+////
diff --git a/src/main/pages/che-7/end-user-guide/assembly_configuring-openshift-oauth.adoc b/src/main/pages/che-7/end-user-guide/assembly_configuring-openshift-oauth.adoc
@@ -74,3 +74,11 @@ pass:[CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL]: _<verify-token-url>_
 +
 * See {link-advanced-configuration-options}.
 ====
+
+ifeval::["{project-context}" == "che"]
+.Additional resources
+
+For additional information about `singleuser` and `multiuser` authentication mods, see the link:{site-baseurl}che-7/authenticating-users/#authentication-mods_authenticating-users[Authentication modes] chapter. 
+endif::[]
+
+
diff --git a/src/main/pages/che-7/overview/assembly_che-workspace-controller.adoc b/src/main/pages/che-7/overview/assembly_che-workspace-controller.adoc
@@ -21,6 +21,10 @@ The workspaces controller manages the container-based development environments:
 * *Single-user*: No authentication service is set up. Development environments are not secured. This configuration requires fewer resources. It is more adapted for local installations, such as when using Minikube.
 
 * *Multi-user*: This is a multi-tenant configuration. Development environments are secured, and this configuration requires more resources. Appropriate for cloud installations.
+ifeval::["{project-context}" == "che"]
++
+For additional information, see the link:{site-baseurl}che-7/authenticating-users/#authentication-mods_authenticating-users[Authentication modes] chapter. 
+endif::[]
 
 The different services that are a part of the {prod-short} workspaces controller are shown in the following diagram. Note that {identity-provider} and PostgreSQL are only needed in the multi-user configuration.