From 2ce6e8bf448a6310bace87435c634db8b6ffbd80 Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 11:00:52 +0800 Subject: [PATCH 01/15] Add manage user access documentation for premium --- tidb-cloud/premium/manage-user-access-premium.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 tidb-cloud/premium/manage-user-access-premium.md diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md new file mode 100644 index 0000000000000..2f4e349d1dceb --- /dev/null +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -0,0 +1 @@ +sdf From 35052120a9a52932a7352ae622ae28f3f12a018c Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 11:05:29 +0800 Subject: [PATCH 02/15] initial commit --- .../premium/manage-user-access-premium.md | 337 +++++++++++++++++- 1 file changed, 336 insertions(+), 1 deletion(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 2f4e349d1dceb..5215ec656fe5f 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md 
@@ -1 +1,336 @@ -sdf +--- +title: Identity Access Management +summary: Learn how to manage identity access in TiDB Cloud. +--- + +# Identity Access Management + +This document describes how to manage access to organizations, projects, roles, and user profiles in TiDB Cloud. + +Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. + +## Organizations and projects + +TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple projects in your organization. + +For example: + +``` +- Your organization + - Project 1 + - Cluster 1 + - Cluster 2 + - Project 2 + - Cluster 3 + - Cluster 4 + - Project 3 + - Cluster 5 + - Cluster 6 +``` + +Under this structure: + +- To access an organization, a user must be a member of that organization. +- To access a project in an organization, a user must at least have the read access to the project in that organization. +- To manage clusters in a project, a user must be in the `Project Owner` role. + +For more information about user roles and permissions, see [User Roles](#user-roles). + +### Organizations + +An organization can contain multiple projects. + +TiDB Cloud calculates billing at the organization level and provides the billing details for each project. + +If you are an organization owner, you have the highest permission in your organization. + +For example, you can do the following: + +- Create different projects (such as development, staging, and production) for different purposes. +- Assign different users with different organization roles and project roles. +- Configure organization settings. 
For example, configure the time zone for your organization. + +### Projects + +A project can contain multiple clusters. + +If you are a project owner, you can manage clusters and project settings for your project. + +For example, you can do the following: + +- Create multiple clusters according to your business need. +- Assign different users with different project roles. +- Configure project settings. For example, configure different alert settings for different projects. + +## User roles + +TiDB Cloud defines different user roles to manage different permissions of TiDB Cloud users in organizations, projects, or both. + +You can grant roles to a user at the organization level or at the project level. Make sure to carefully plan the hierarchy of your organizations and projects for security considerations. + +### Organization roles + +At the organization level, TiDB Cloud defines four roles, in which `Organization Owner` can invite members and grant organization roles to members. + +| Permission | `Organization Owner` | `Organization Billing Manager` | `Organization Billing Viewer` | `Organization Console Audit Manager` | `Organization Viewer` | +|---|---|---|---|---|---| +| Manage organization settings, such as projects, API keys, and time zones. | ✅ | ❌ | ❌ | ❌ | ❌ | +| Invite users to or remove users from an organization, and edit organization roles of users. | ✅ | ❌ | ❌ | ❌ | ❌ | +| All the permissions of `Project Owner` for all projects in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | +| Create projects with Customer-Managed Encryption Key (CMEK) enabled. | ✅ | ❌ | ❌ | ❌ | ❌ | +| Edit payment information for the organization. | ✅ | ✅ | ❌ | ❌ | ❌ | +| View bills and use [cost explorer](/tidb-cloud/tidb-cloud-billing.md#cost-explorer). | ✅ | ✅ | ✅ | ❌ | ❌ | +| Manage TiDB Cloud [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md) for the organization. | ✅ | ❌ | ❌ | ✅ | ❌ | +| View users in the organization and projects in which the member belong to. 
| ✅ | ✅ | ✅ | ✅ | ✅ | + +> **Note:** +> +> - The `Organization Console Audit Manager` role (renamed from `Organization Console Audit Admin`) is used to manage audit logging in the TiDB Cloud console, instead of database audit logging. To manage database auditing, use the `Project Owner` role at the project level. +> - The `Organization Billing Manager` role is renamed from `Organization Billing Admin`, and the `Organization Viewer` role is renamed from `Organization Member`. + +### Project roles + +At the project level, TiDB Cloud defines three roles, in which `Project Owner` can invite members and grant project roles to members. + +> **Note:** +> +> - `Organization Owner` has all the permissions of Project Owner for all projects so `Organization Owner` can invite project members and grant project roles to members too. +> - Each project role has all the permissions of Organization Viewer by default. +> - If a user in your organization does not belong to any projects, the user does not have any project permissions. + +| Permission | `Project Owner` | `Project Data Access Read-Write` | `Project Data Access Read-Only` | `Project Viewer` | +|---|---|---|---|---| +| Manage project settings | ✅ | ❌ | ❌ | ❌ | +| Invite users to or remove users from a project, and edit project roles of users. | ✅ | ❌ | ❌ | ❌ | +| Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the project. | ✅ | ❌ | ❌ | ❌ | +| Manage [spending limit](/tidb-cloud/manage-serverless-spend-limit.md) for all {{{ .starter }}} clusters in the project. | ✅ | ❌ | ❌ | ❌ | +| Manage cluster operations in the project, such as cluster creation, modification, and deletion. | ✅ | ❌ | ❌ | ❌ | +| Manage branches for {{{ .starter }}} and {{{ .essential }}} clusters in the project, such as branch creation, connection, and deletion. 
| ✅ | ❌ | ❌ | ❌ | +| Manage [recovery groups](/tidb-cloud/recovery-group-overview.md) for TiDB Cloud Dedicated clusters in the project, such as recovery group creation and deletion. | ✅ | ❌ | ❌ | ❌ | +| Manage cluster data such as data import, data backup and restore, and data migration. | ✅ | ✅ | ❌ | ❌ | +| Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read-only operations such as using or creating endpoints to read data. | ✅ | ✅ | ✅ | ❌ | +| Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read and write operations. | ✅ | ✅ | ❌ | ❌ | +| View cluster data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ✅ | ❌ | +| Modify and delete cluster data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ❌ | ❌ | +| Manage [changefeeds](/tidb-cloud/changefeed-overview.md). | ✅ | ✅ | ✅ | ❌ | +| Review and reset cluster passwords. | ✅ | ❌ | ❌ | ❌ | +| View cluster overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the project. | ✅ | ✅ | ✅ | ✅ | + +## Manage organization access + +### View and switch between organizations + +To view and switch between organizations, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), click the combo box in the upper-left corner. The list of organizations and projects you belong to is displayed. + + > **Tip:** + > + > - If you are currently on the page of a specific cluster, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. + > - If you are a member of multiple organizations, you can click the target organization name in the combo box to switch your account between organizations. + +2. 
To view the detailed information of your organization such as the organization ID and time zone, click the organization name, and then click **Organization Settings** > **General** in the left navigation pane. + +### Set the time zone for your organization + +If you are in the `Organization Owner` role, you can modify the system display time according to your time zone. + +To change the local timezone setting, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **General**. + +3. In the **Time Zone** section, select your time zone from the drop-down list. + +4. Click **Update**. + +### Invite an organization member + +If you are in the `Organization Owner` role, you can invite users to your organization. + +> **Note:** +> +> You can also [invite a user to your project](#invite-a-project-member) directly according to your need, which also makes the user your organization member. + +To invite a member to an organization, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **Users**. + +3. On the **Users** page, click the **By Organization** tab. + +4. Click **Invite**. + +5. Enter the email address of the user to be invited, and then select an organization role for the user. + + > **Tip:** + > + > - If you want to invite multiple members at one time, you can enter multiple email addresses. + > - The invited user does not belong to any projects by default. To invite a user to a project, see [Invite a project member](#invite-a-project-member). + +6. Click **Confirm**. Then the new user is successfully added into the user list. 
At the same time, an email is sent to the invited email address with a verification link. + +7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. + +8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page, and after sign-in, the account joins the organization automatically. + +> **Note:** +> +> The verification link in the email expires in 24 hours. If the user you want to invite does not receive the email, click **Resend**. + +### Modify organization roles + +If you are in the `Organization Owner` role, you can modify organization roles of all members in your organization. + +To modify the organization role of a member, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **Users**. + +3. On the **Users** page, click the **By Organization** tab. + +4. Click the role of the target member, and then modify the role. + +### Remove an organization member + +If you are in the `Organization Owner` role, you can remove organization members from your organization. + +To remove a member from an organization, take the following steps: + +> **Note:** +> +> If a member is removed from an organization, the member is removed from the belonged projects either. + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **Users**. + +3. On the **Users** page, click the **By Organization** tab. + +4. In the row of the target member, click **...** > **Delete**. 
+ +## Manage project access + +### View and switch between projects + +To view and switch between projects, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), click the combo box in the upper-left corner. The list of organizations and projects you belong to is displayed. + + > **Tip:** + > + > - If you are currently on the page of a specific cluster, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. + > - If you are a member of multiple projects, you can click the target project name in the combo box to switch between projects. + +2. To view the detailed information of your project, click the project name, and then click **Project Settings** in the left navigation pane. + +### Create a project + +> **Note:** +> +> For free trial users, you cannot create a new project. + +If you are in the `Organization Owner` role, you can create projects in your organization. + +To create a new project, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Projects**. + +3. On the **Projects** page, click **Create New Project**. + +4. Enter your project name. + +5. Click **Confirm**. + +### Rename a project + +If you are in the `Organization Owner` role, you can rename any projects in your organization. If you are in the `Project Owner` role, you can rename your project. + +To rename a project, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Projects**. + +3. In the row of your project to be renamed, click **...** > **Rename**. + +4. Enter a new project name. + +5. Click **Confirm**. 
+ +### Invite a project member + +If you are in the `Organization Owner` or `Project Owner` role, you can invite members to your projects. + +> **Note:** +> +> When a user not in your organization joins your project, the user automatically joins your organization as well. + +To invite a member to a project, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **Users**. + +3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. + +4. Click **Invite**. + +5. Enter the email address of the user to be invited, and then select a project role for the user. + + > **Tip:** + > + > If you want to invite multiple members at one time, you can enter multiple email addresses. + +6. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. + +7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. + +8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the project automatically. + +> **Note:** +> +> The verification link in the email will expire in 24 hours. If your user doesn't receive the email, click **Resend**. + +### Modify project roles + +If you are in the `Organization Owner` role, you can modify project roles of all project members in your organization. If you are in the `Project Owner` role, you can modify project roles of all members in your project. + +To modify the project role of a member, take the following steps: + +1. 
In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **Users**. + +3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. + +4. In the row of the target member, click the role in the **Role** column, and then choose a new role from the drop-down list. + +### Remove a project member + +If you are in the `Organization Owner` or `Project Owner` role, you can remove project members. + +To remove a member from a project, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + +2. In the left navigation pane, click **Organization Settings** > **Users**. + +3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. + +4. In the row of the target member, click **...** > **Delete**. + +## Manage user profiles + +In TiDB Cloud, you can easily manage your profile, including your first name, last name, and phone number. + +1. In the [TiDB Cloud console](https://tidbcloud.com), click in the lower-left corner. + +2. Click **Account Settings**. + +3. In the displayed dialog, update the profile information, and then click **Update**. \ No newline at end of file From cdd78e0475151134043d488dbd0cf7fcd59c72d2 Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 14:55:43 +0800 Subject: [PATCH 03/15] First round update to remove Project roles and management details --- .../premium/manage-user-access-premium.md | 180 ++++++------------ 1 file changed, 58 insertions(+), 122 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 5215ec656fe5f..573b13373055e 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md 
+++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -5,11 +5,11 @@ summary: Learn how to manage identity access in TiDB Cloud. # Identity Access Management -This document describes how to manage access to organizations, projects, roles, and user profiles in TiDB Cloud. +This document describes how to manage access to organizations, instances, roles, and user profiles in TiDB Cloud. Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. -## Organizations and projects +## Organizations and instances TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple projects in your organization. 
@@ -17,56 +17,47 @@ For example: ``` - Your organization - - Project 1 - - Cluster 1 - - Cluster 2 - - Project 2 - - Cluster 3 - - Cluster 4 - - Project 3 - - Cluster 5 - - Cluster 6 + - Instance 1 + - Instance 2 + - Instance 3 + ... ``` Under this structure: - To access an organization, a user must be a member of that organization. -- To access a project in an organization, a user must at least have the read access to the project in that organization. -- To manage clusters in a project, a user must be in the `Project Owner` role. +- To access an instance, a user must at least have the read access to the instnace in that organization. For more information about user roles and permissions, see [User Roles](#user-roles). ### Organizations -An organization can contain multiple projects. +An organization can contain multiple instances. -TiDB Cloud calculates billing at the organization level and provides the billing details for each project. +TiDB Cloud calculates billing at the organization level and provides the billing details for each instance. If you are an organization owner, you have the highest permission in your organization. For example, you can do the following: -- Create different projects (such as development, staging, and production) for different purposes. -- Assign different users with different organization roles and project roles. +- Create different instances for different purposes. +- Assign different users with different organization roles and instance roles. - Configure organization settings. For example, configure the time zone for your organization. -### Projects +### Instances -A project can contain multiple clusters. - -If you are a project owner, you can manage clusters and project settings for your project. +If you are a instance admin, you can manage instance settings. For example, you can do the following: -- Create multiple clusters according to your business need. -- Assign different users with different project roles. 
-- Configure project settings. For example, configure different alert settings for different projects. +- Delete the instance according to your business nee. +- Configure instance settings. ## User roles -TiDB Cloud defines different user roles to manage different permissions of TiDB Cloud users in organizations, projects, or both. +TiDB Cloud defines different user roles to manage different permissions of TiDB Cloud users in organizations, instances, or both. -You can grant roles to a user at the organization level or at the project level. Make sure to carefully plan the hierarchy of your organizations and projects for security considerations. +You can grant roles to a user at the organization level or at the instance level. Make sure to carefully plan the hierarchy of your organizations and instances for security considerations. ### Organization roles 
@@ -74,47 +65,41 @@ At the organization level, TiDB Cloud defines four roles, in which `Organization | Permission | `Organization Owner` | `Organization Billing Manager` | `Organization Billing Viewer` | `Organization Console Audit Manager` | `Organization Viewer` | |---|---|---|---|---|---| -| Manage organization settings, such as projects, API keys, and time zones. | ✅ | ❌ | ❌ | ❌ | ❌ | +| Manage organization settings, such as instances, API keys, and time zones. | ✅ | ❌ | ❌ | ❌ | ❌ | | Invite users to or remove users from an organization, and edit organization roles of users. | ✅ | ❌ | ❌ | ❌ | ❌ | -| All the permissions of `Project Owner` for all projects in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | -| Create projects with Customer-Managed Encryption Key (CMEK) enabled. | ✅ | ❌ | ❌ | ❌ | ❌ | +| All the permissions of `Instance Admin` for all instances in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | | Edit payment information for the organization. | ✅ | ✅ | ❌ | ❌ | ❌ | | View bills and use [cost explorer](/tidb-cloud/tidb-cloud-billing.md#cost-explorer). | ✅ | ✅ | ✅ | ❌ | ❌ | | Manage TiDB Cloud [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md) for the organization. | ✅ | ❌ | ❌ | ✅ | ❌ | -| View users in the organization and projects in which the member belong to. | ✅ | ✅ | ✅ | ✅ | ✅ | +| View all users in the organization. | ✅ | ✅ | ✅ | ✅ | ✅ | > **Note:** > -> - The `Organization Console Audit Manager` role (renamed from `Organization Console Audit Admin`) is used to manage audit logging in the TiDB Cloud console, instead of database audit logging. To manage database auditing, use the `Project Owner` role at the project level. +> - The `Organization Console Audit Manager` role (renamed from `Organization Console Audit Admin`) is used to manage audit logging in the TiDB Cloud console, instead of database audit logging. 
> - The `Organization Billing Manager` role is renamed from `Organization Billing Admin`, and the `Organization Viewer` role is renamed from `Organization Member`. -### Project roles +### Instance roles -At the project level, TiDB Cloud defines three roles, in which `Project Owner` can invite members and grant project roles to members. +At the instance level, TiDB Cloud defines three roles. > **Note:** > -> - `Organization Owner` has all the permissions of Project Owner for all projects so `Organization Owner` can invite project members and grant project roles to members too. -> - Each project role has all the permissions of Organization Viewer by default. -> - If a user in your organization does not belong to any projects, the user does not have any project permissions. - -| Permission | `Project Owner` | `Project Data Access Read-Write` | `Project Data Access Read-Only` | `Project Viewer` | -|---|---|---|---|---| -| Manage project settings | ✅ | ❌ | ❌ | ❌ | -| Invite users to or remove users from a project, and edit project roles of users. | ✅ | ❌ | ❌ | ❌ | -| Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the project. | ✅ | ❌ | ❌ | ❌ | -| Manage [spending limit](/tidb-cloud/manage-serverless-spend-limit.md) for all {{{ .starter }}} clusters in the project. | ✅ | ❌ | ❌ | ❌ | -| Manage cluster operations in the project, such as cluster creation, modification, and deletion. | ✅ | ❌ | ❌ | ❌ | -| Manage branches for {{{ .starter }}} and {{{ .essential }}} clusters in the project, such as branch creation, connection, and deletion. | ✅ | ❌ | ❌ | ❌ | -| Manage [recovery groups](/tidb-cloud/recovery-group-overview.md) for TiDB Cloud Dedicated clusters in the project, such as recovery group creation and deletion. | ✅ | ❌ | ❌ | ❌ | -| Manage cluster data such as data import, data backup and restore, and data migration. 
| ✅ | ✅ | ❌ | ❌ | -| Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read-only operations such as using or creating endpoints to read data. | ✅ | ✅ | ✅ | ❌ | -| Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read and write operations. | ✅ | ✅ | ❌ | ❌ | -| View cluster data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ✅ | ❌ | -| Modify and delete cluster data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ❌ | ❌ | -| Manage [changefeeds](/tidb-cloud/changefeed-overview.md). | ✅ | ✅ | ✅ | ❌ | -| Review and reset cluster passwords. | ✅ | ❌ | ❌ | ❌ | -| View cluster overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the project. | ✅ | ✅ | ✅ | ✅ | +> - `Organization Owner` has all the permissions of Instance Owner for all instances. +> - Each instance role has all the permissions of Organization Viewer by default. +> - If a user in your organization does not belong to any instances, the user does not have any instance permissions. + +| Permission | `Instance Admin` | `Instance Viewer` | +|---|---|---| +| Manage instance settings | ✅ | ❌ | +| Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the instance. | ✅ | ❌ | +| Manage [spending limit](/tidb-cloud/manage-serverless-spend-limit.md) for all {{{ .starter }}} clusters in the instance. | ✅ | ❌ | +| Manage instance operations, such as cluster creation, modification, and deletion. | ✅ | ❌ | +| Manage branches for {{{ .starter }}} and {{{ .essential }}} clusters in the instance, such as branch creation, connection, and deletion. | ✅ | ❌ | +| Manage [recovery groups](/tidb-cloud/recovery-group-overview.md) for TiDB Cloud Dedicated clusters in the instance, such as recovery group creation and deletion. | ✅ | ❌ | +| Manage cluster data such as data import, data backup and restore, and data migration. 
| ✅ | ❌ | +| Manage [changefeeds](/tidb-cloud/changefeed-overview.md). | ✅ | ❌ | +| Review and reset cluster passwords. | ✅ | ❌ | +| View cluster overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the instance. | ✅ | ✅ | ## Manage organization access @@ -122,11 +107,11 @@ At the project level, TiDB Cloud defines three roles, in which `Project Owner` c To view and switch between organizations, take the following steps: -1. In the [TiDB Cloud console](https://tidbcloud.com), click the combo box in the upper-left corner. The list of organizations and projects you belong to is displayed. +1. In the [TiDB Cloud console](https://tidbcloud.com), click the combo box in the upper-left corner. The list of organizations you belong to is displayed. > **Tip:** > - > - If you are currently on the page of a specific cluster, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. + > - If you are currently on the page of a specific instance, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. > - If you are a member of multiple organizations, you can click the target organization name in the combo box to switch your account between organizations. 2. To view the detailed information of your organization such as the organization ID and time zone, click the organization name, and then click **Organization Settings** > **General** in the left navigation pane. 
@@ -151,7 +136,7 @@ If you are in the `Organization Owner` role, you can invite users to your organi > **Note:** > -> You can also [invite a user to your project](#invite-a-project-member) directly according to your need, which also makes the user your organization member. +> You can also [invite a user to your instance](#invite-a-project-member) directly according to your need, which also makes the user your organization member. To invite a member to an organization, take the following steps: @@ -202,7 +187,7 @@ To remove a member from an organization, take the following steps: > **Note:** > -> If a member is removed from an organization, the member is removed from the belonged projects either. +> If a member is removed from an organization, the member is removed from the belonged instance either. 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 
@@ -212,76 +197,27 @@ To remove a member from an organization, take the following steps: 4. In the row of the target member, click **...** > **Delete**. -## Manage project access - -### View and switch between projects - -To view and switch between projects, take the following steps: - -1. In the [TiDB Cloud console](https://tidbcloud.com), click the combo box in the upper-left corner. The list of organizations and projects you belong to is displayed. - - > **Tip:** - > - > - If you are currently on the page of a specific cluster, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. - > - If you are a member of multiple projects, you can click the target project name in the combo box to switch between projects. - -2. To view the detailed information of your project, click the project name, and then click **Project Settings** in the left navigation pane. - -### Create a project - -> **Note:** -> -> For free trial users, you cannot create a new project. - -If you are in the `Organization Owner` role, you can create projects in your organization. - -To create a new project, take the following steps: - -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. - -2. In the left navigation pane, click **Projects**. - -3. On the **Projects** page, click **Create New Project**. - -4. Enter your project name. - -5. Click **Confirm**. - -### Rename a project - -If you are in the `Organization Owner` role, you can rename any projects in your organization. If you are in the `Project Owner` role, you can rename your project. - -To rename a project, take the following steps: - -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. - -2. In the left navigation pane, click **Projects**. - -3. 
In the row of your project to be renamed, click **...** > **Rename**. - -4. Enter a new project name. - -5. Click **Confirm**. +## Manage instance access -### Invite a project member +### Invite an instance member -If you are in the `Organization Owner` or `Project Owner` role, you can invite members to your projects. +If you are in the `Organization Owner` role, you can invite members to your instances. > **Note:** > -> When a user not in your organization joins your project, the user automatically joins your organization as well. +> When a user not in your organization joins your instance, the user automatically joins your organization as well. -To invite a member to a project, take the following steps: +To invite a member to a instance, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. +3. On the **Users** page, and then choose your instance in the list. 4. Click **Invite**. -5. Enter the email address of the user to be invited, and then select a project role for the user. +5. Enter the email address of the user to be invited, and then select a instance role for the user. > **Tip:** 
> @@ -297,31 +233,31 @@ To invite a member to a project, take the following steps: > > The verification link in the email will expire in 24 hours. If your user doesn't receive the email, click **Resend**. -### Modify project roles +### Modify instance roles -If you are in the `Organization Owner` role, you can modify project roles of all project members in your organization. If you are in the `Project Owner` role, you can modify project roles of all members in your project. +If you are in the `Organization Owner` role, you can modify instance roles of all organization members in your organization. -To modify the project role of a member, take the following steps: +To modify the instance role of a member, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. +3. On the **Users** page, and then choose your project in the drop-down list. 4. In the row of the target member, click the role in the **Role** column, and then choose a new role from the drop-down list. -### Remove a project member +### Remove an instance member -If you are in the `Organization Owner` or `Project Owner` role, you can remove project members. +If you are in the `Organization Owner` role, you can remove instance members. -To remove a member from a project, take the following steps: +To remove a member from an instance, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. +3. 
On the **Users** page, and then choose your instance in the drop-down list. 4. In the row of the target member, click **...** > **Delete**. From 80d7d8496abf8f523191f3e2e5a78d01cd4a1da7 Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 15:12:01 +0800 Subject: [PATCH 04/15] remove project terms --- tidb-cloud/premium/manage-user-access-premium.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 573b13373055e..6e6a87dfcc7c2 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -11,7 +11,7 @@ Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com ## Organizations and instances -TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple projects in your organization. +TiDB Cloud provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple instance in your organization. For example: 
@@ -111,7 +111,7 @@ To view and switch between organizations, take the following steps: > **Tip:** > - > - If you are currently on the page of a specific instance, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. + > - If you are currently on the page of a specific instance, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization list. > - If you are a member of multiple organizations, you can click the target organization name in the combo box to switch your account between organizations. 2. To view the detailed information of your organization such as the organization ID and time zone, click the organization name, and then click **Organization Settings** > **General** in the left navigation pane. @@ -136,7 +136,7 @@ If you are in the `Organization Owner` role, you can invite users to your organi > **Note:** > -> You can also [invite a user to your instance](#invite-a-project-member) directly according to your need, which also makes the user your organization member. +> You can also [invite a user to your instance](#invite-an-instance-member) directly according to your need, which also makes the user your organization member. To invite a member to an organization, take the following steps: 
@@ -153,7 +153,7 @@ To invite a member to an organization, take the following steps: > **Tip:** > > - If you want to invite multiple members at one time, you can enter multiple email addresses. - > - The invited user does not belong to any projects by default. To invite a user to a project, see [Invite a project member](#invite-a-project-member). + > - The invited user does not belong to any instances by default. To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member). 6. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. @@ -227,7 +227,7 @@ To invite a member to a instance, take the following steps: 7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. -8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the project automatically. +8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the instance automatically. > **Note:** > @@ -243,7 +243,7 @@ To modify the instance role of a member, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, and then choose your project in the drop-down list. +3. On the **Users** page, and then choose your instance in the drop-down list. 4. In the row of the target member, click the role in the **Role** column, and then choose a new role from the drop-down list. 
From 0d0123423bc3dfd9370e0de3e0ce6cd521ce5b3a Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 15:22:32 +0800 Subject: [PATCH 05/15] remove cluster terms --- .../premium/manage-user-access-premium.md | 25 ++++++++----------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 6e6a87dfcc7c2..042ea5c6c24bd 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -5,13 +5,13 @@ summary: Learn how to manage identity access in TiDB Cloud. # Identity Access Management -This document describes how to manage access to organizations, instances, roles, and user profiles in TiDB Cloud. +This document describes how to manage access to organizations, instances, roles and user profiles in TiDB Cloud. Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. ## Organizations and instances -TiDB Cloud provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple instance in your organization. +TiDB Cloud provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and TiDB instances. If you are an organization owner, you can create multiple TiDB instance in your organization. For example: 
@@ -26,7 +26,7 @@ For example: Under this structure: - To access an organization, a user must be a member of that organization. -- To access an instance, a user must at least have the read access to the instnace in that organization. +- To access an instance, a user must at least have the read access to the instance in that organization. For more information about user roles and permissions, see [User Roles](#user-roles). @@ -36,7 +36,7 @@ An organization can contain multiple instances. TiDB Cloud calculates billing at the organization level and provides the billing details for each instance. -If you are an organization owner, you have the highest permission in your organization. +If you are an `Organization Owner`, you have the highest permission in your organization. For example, you can do the following: @@ -46,11 +46,11 @@ For example, you can do the following: ### Instances -If you are a instance admin, you can manage instance settings. +If you are an `Instance Admin`, you can manage instance settings. For example, you can do the following: -- Delete the instance according to your business nee. +- Delete the instance according to your business needs. - Configure instance settings. ## User roles @@ -84,7 +84,7 @@ At the instance level, TiDB Cloud defines three roles. > **Note:** > -> - `Organization Owner` has all the permissions of Instance Owner for all instances. +> - `Organization Owner` has all the permissions of Instance Admin for all instances. > - Each instance role has all the permissions of Organization Viewer by default. > - If a user in your organization does not belong to any instances, the user does not have any instance permissions. 
@@ -92,14 +92,11 @@ At the instance level, TiDB Cloud defines three roles. |---|---|---| | Manage instance settings | ✅ | ❌ | | Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the instance. | ✅ | ❌ | -| Manage [spending limit](/tidb-cloud/manage-serverless-spend-limit.md) for all {{{ .starter }}} clusters in the instance. | ✅ | ❌ | -| Manage instance operations, such as cluster creation, modification, and deletion. | ✅ | ❌ | -| Manage branches for {{{ .starter }}} and {{{ .essential }}} clusters in the instance, such as branch creation, connection, and deletion. | ✅ | ❌ | -| Manage [recovery groups](/tidb-cloud/recovery-group-overview.md) for TiDB Cloud Dedicated clusters in the instance, such as recovery group creation and deletion. | ✅ | ❌ | -| Manage cluster data such as data import, data backup and restore, and data migration. | ✅ | ❌ | +| Manage instance operations, such as instance creation, modification, and deletion. | ✅ | ❌ | +| Manage instance data such as data import, data backup and restore, and data migration. | ✅ | ❌ | | Manage [changefeeds](/tidb-cloud/changefeed-overview.md). | ✅ | ❌ | -| Review and reset cluster passwords. | ✅ | ❌ | -| View cluster overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the instance. | ✅ | ✅ | +| Review and reset instance passwords. | ✅ | ❌ | +| View instance overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the instance. | ✅ | ✅ | ## Manage organization access From 92dc4a17b1ed72eb28b46bf526dda478c834d3e0 Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 15:35:46 +0800 Subject: [PATCH 06/15] update the permissions to view all users --- tidb-cloud/premium/manage-user-access-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 042ea5c6c24bd..b413347214a05 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -71,7 +71,7 @@ At the organization level, TiDB Cloud defines four roles, in which `Organization | Edit payment information for the organization. | ✅ | ✅ | ❌ | ❌ | ❌ | | View bills and use [cost explorer](/tidb-cloud/tidb-cloud-billing.md#cost-explorer). | ✅ | ✅ | ✅ | ❌ | ❌ | | Manage TiDB Cloud [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md) for the organization. | ✅ | ❌ | ❌ | ✅ | ❌ | -| View all users in the organization. | ✅ | ✅ | ✅ | ✅ | ✅ | +| View all users in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | > **Note:** > From 496469e2985632fbc76bbfc61d9f12a72a4b8ce3 Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 15:40:09 +0800 Subject: [PATCH 07/15] update permissions to view organization basic info --- tidb-cloud/premium/manage-user-access-premium.md | 1 + 1 file changed, 1 insertion(+) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index b413347214a05..8aaa9a172c862 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -72,6 +72,7 @@ At the organization level, TiDB Cloud defines four roles, in which `Organization | View bills and use [cost explorer](/tidb-cloud/tidb-cloud-billing.md#cost-explorer). | ✅ | ✅ | ✅ | ❌ | ❌ | | Manage TiDB Cloud [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md) for the organization. | ✅ | ❌ | ❌ | ✅ | ❌ | | View all users in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | +| View organization name and time zone. | ✅ | ✅ | ✅ | ✅ | ✅ | > **Note:** > From db4f49d49da40cff6f68d780b04b31ec9b2df9d5 Mon Sep 17 00:00:00 2001 
From: Roger Zhou Date: Wed, 22 Oct 2025 15:55:31 +0800 Subject: [PATCH 08/15] update manage access to org roles --- .../premium/manage-user-access-premium.md | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 8aaa9a172c862..cd383515a9321 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -81,7 +81,7 @@ At the organization level, TiDB Cloud defines four roles, in which `Organization ### Instance roles -At the instance level, TiDB Cloud defines three roles. +At the instance level, TiDB Cloud defines two roles. > **Note:** 
> @@ -142,22 +142,22 @@ To invite a member to an organization, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Organization** tab. - -4. Click **Invite**. +3. On the **Users** page, click **Invite User**. 5. Enter the email address of the user to be invited, and then select an organization role for the user. > **Tip:** - > + > - The default role at organization level is `Organization Viewer`. > - If you want to invite multiple members at one time, you can enter multiple email addresses. > - The invited user does not belong to any instances by default. To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member). -6. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +6. If you only need assign the user an orgnization role, and not assign any instance roles or project roles, turn off the switch of **Add access for projects and instance**. + +7. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. 7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. -8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page, and after sign-in, the account joins the organization automatically. +8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. > **Note:** 
> @@ -173,9 +173,7 @@ To modify the organization role of a member, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Organization** tab. - -4. Click the role of the target member, and then modify the role. +3. On the **Users** page, click the **...** > **Edit Permission** of the target member. ### Remove an organization member @@ -191,9 +189,7 @@ To remove a member from an organization, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Organization** tab. - -4. In the row of the target member, click **...** > **Delete**. +3. On the **Users** page, click **...** > **Delete** in the row of the target member, ## Manage instance access From c748b961099e710cb256bb587f01d3c09f251d55 Mon Sep 17 00:00:00 2001 From: Roger Zhou Date: Wed, 22 Oct 2025 16:32:21 +0800 Subject: [PATCH 09/15] update manage user access to instance --- .../premium/manage-user-access-premium.md | 39 ++++++------------- 1 file changed, 11 insertions(+), 28 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index cd383515a9321..4e7ea7c110ac0 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md 
@@ -144,16 +144,16 @@ To invite a member to an organization, take the following steps: 3. On the **Users** page, click **Invite User**. -5. Enter the email address of the user to be invited, and then select an organization role for the user. +4. Enter the email address of the user to be invited, and then select an organization role for the user. > **Tip:** > - The default role at organization level is `Organization Viewer`. > - If you want to invite multiple members at one time, you can enter multiple email addresses. > - The invited user does not belong to any instances by default. To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member). -6. If you only need assign the user an orgnization role, and not assign any instance roles or project roles, turn off the switch of **Add access for projects and instance**. +5. If you only need assign the user an orgnization role, and not assign any instance roles or project roles, turn off the switch of **Add access for projects and instance**. -7. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +6. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. 7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. @@ -173,7 +173,7 @@ To modify the organization role of a member, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **...** > **Edit Permission** of the target member. +3. On the **Users** page, click **...** > **Edit Permission** of the target member. ### Remove an organization member 
@@ -207,21 +207,19 @@ To invite a member to a instance, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, and then choose your instance in the list. +3. On the **Users** page, click **Invite User**. -4. Click **Invite**. +4. Enter the email address of the user to be invited, and then select an organization role for the user. -5. Enter the email address of the user to be invited, and then select a instance role for the user. +5. Make sure the switch "Add access for projects and instances" on. Click **Add access** and then select the resources to assign roles - > **Tip:** - > - > If you want to invite multiple members at one time, you can enter multiple email addresses. +6. Select an instance role for the user -6. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +6. Click **Add access**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. 7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. -8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the instance automatically. +8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. > **Note:** 
> @@ -237,23 +235,8 @@ To modify the instance role of a member, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, and then choose your instance in the drop-down list. - -4. In the row of the target member, click the role in the **Role** column, and then choose a new role from the drop-down list. - -### Remove an instance member - -If you are in the `Organization Owner` role, you can remove instance members. - -To remove a member from an instance, take the following steps: - -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. - -2. In the left navigation pane, click **Organization Settings** > **Users**. - -3. On the **Users** page, and then choose your instance in the drop-down list. +3. On the **Users** page, click **...** > **Edit Permission** of the target member. -4. In the row of the target member, click **...** > **Delete**. ## Manage user profiles From 7c2fe2749f856cd4118b3ce3013db86818d9eb65 Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Tue, 28 Oct 2025 14:09:44 +0800 Subject: [PATCH 10/15] Apply suggestions from code review --- tidb-cloud/premium/manage-user-access-premium.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 4e7ea7c110ac0..8c576ac7f9007 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md 
@@ -3,15 +3,15 @@ title: Identity Access Management summary: Learn how to manage identity access in TiDB Cloud. --- -# Identity Access Management +# Identity Access Management for TiDB Cloud Premium -This document describes how to manage access to organizations, instances, roles and user profiles in TiDB Cloud. +This document describes how to manage access to organizations, instances, roles and user profiles in TiDB Cloud Premium. Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. ## Organizations and instances -TiDB Cloud provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and TiDB instances. If you are an organization owner, you can create multiple TiDB instance in your organization. +TiDB Cloud Premium provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and TiDB instances. If you are an organization owner, you can create multiple TiDB instances in your organization. For example: @@ -147,7 +147,8 @@ To invite a member to an organization, take the following steps: 4. Enter the email address of the user to be invited, and then select an organization role for the user. > **Tip:** - > - The default role at organization level is `Organization Viewer`. + > + > - The default role at the organization level is `Organization Viewer`. > - If you want to invite multiple members at one time, you can enter multiple email addresses. > - The invited user does not belong to any instances by default. To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member). 
@@ -189,7 +190,7 @@ To remove a member from an organization, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click **...** > **Delete** in the row of the target member, +3. On the **Users** page, click **...** > **Delete** in the row of the target member. ## Manage instance access From 4f4acf6998a9a1040c3479a5c83bb2874e6788ab Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Tue, 28 Oct 2025 14:23:08 +0800 Subject: [PATCH 11/15] update according to UI --- tidb-cloud/premium/manage-user-access-premium.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 8c576ac7f9007..a57675102e452 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md 
@@ -152,13 +152,11 @@ To invite a member to an organization, take the following steps: > - If you want to invite multiple members at one time, you can enter multiple email addresses. > - The invited user does not belong to any instances by default. To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member). -5. If you only need assign the user an orgnization role, and not assign any instance roles or project roles, turn off the switch of **Add access for projects and instance**. +5. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. -6. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +6. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. -7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. - -8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. +7. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. > **Note:** > @@ -174,7 +172,7 @@ To modify the organization role of a member, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click **...** > **Edit Permission** of the target member. +3. On the **Users** page, click **...** > **Edit Role** in the row of the target member. ### Remove an organization member From b0023b80cb7e436da1f85dbdc93ada394936c294 Mon Sep 17 00:00:00 2001 
From: Grace Cai Date: Tue, 28 Oct 2025 15:38:01 +0800 Subject: [PATCH 12/15] update according to UI --- tidb-cloud/premium/manage-user-access-premium.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index a57675102e452..67240877c2752 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -152,11 +152,13 @@ To invite a member to an organization, take the following steps: > - If you want to invite multiple members at one time, you can enter multiple email addresses. > - The invited user does not belong to any instances by default. To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member). -5. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +5. If you only need to assign the user an organization role and do not need to assign any project or instance roles, disable the **Add access for projects and instances** option. -6. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. +6. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. -7. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. +7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. + +8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. > **Note:** 
> @@ -210,9 +212,7 @@ To invite a member to a instance, take the following steps: 4. Enter the email address of the user to be invited, and then select an organization role for the user. -5. Make sure the switch "Add access for projects and instances" on. Click **Add access** and then select the resources to assign roles - -6. Select an instance role for the user +5. Make sure the **Add access for projects and instances** option is enabled, click **Add access** in the **Instance access** section, and then select an instance role for the user. 6. Click **Add access**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. @@ -234,8 +234,7 @@ To modify the instance role of a member, take the following steps: 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click **...** > **Edit Permission** of the target member. - +3. On the **Users** page, click **...** > **Edit Role** of the target member. ## Manage user profiles From 6c0fff133307ff240a74289ba23a0461ed086e74 Mon Sep 17 00:00:00 2001 From: qiancai Date: Tue, 28 Oct 2025 15:39:45 +0800 Subject: [PATCH 13/15] Update TOC-tidb-cloud-premium.md --- TOC-tidb-cloud-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TOC-tidb-cloud-premium.md b/TOC-tidb-cloud-premium.md index b797bf126cbf5..3c915ebaf30eb 100644 --- a/TOC-tidb-cloud-premium.md +++ b/TOC-tidb-cloud-premium.md 
@@ -225,7 +225,7 @@ - [Password Authentication](/tidb-cloud/tidb-cloud-password-authentication.md) - [Standard SSO Authentication](/tidb-cloud/tidb-cloud-sso-authentication.md) - [Organization SSO Authentication](/tidb-cloud/tidb-cloud-org-sso-authentication.md) - - [Identity Access Management](/tidb-cloud/manage-user-access.md) + - [Identity Access Management](/tidb-cloud/premium/manage-user-access-premium.md) - [OAuth 2.0](/tidb-cloud/oauth2.md) - Network Access Control - [Connect via Private Endpoint with Alibaba Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-alibaba-cloud.md) From a9870e09aeeea3f3e070945e3d800b68de6c0c80 Mon Sep 17 00:00:00 2001 From: qiancai Date: Tue, 28 Oct 2025 15:46:56 +0800 Subject: [PATCH 14/15] replace TiDB Cloud Premium with {{{ .premium }}} --- tidb-cloud/premium/manage-user-access-premium.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index 67240877c2752..c7cef37e5b546 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md +++ b/tidb-cloud/premium/manage-user-access-premium.md 
@@ -1,17 +1,17 @@ --- -title: Identity Access Management -summary: Learn how to manage identity access in TiDB Cloud. +title: Identity Access Management for {{{ .premium }}} +summary: Learn how to manage identity access in {{{ .premium }}}. --- -# Identity Access Management for TiDB Cloud Premium +# Identity Access Management for {{{ .premium }}} -This document describes how to manage access to organizations, instances, roles and user profiles in TiDB Cloud Premium. +This document describes how to manage access to organizations, instances, roles and user profiles in {{{ .premium }}}. Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. ## Organizations and instances -TiDB Cloud Premium provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and TiDB instances. If you are an organization owner, you can create multiple TiDB instances in your organization. +{{{ .premium }}} provides a hierarchical structure based on organizations and instances to facilitate the management of TiDB Cloud users and TiDB instances. If you are an organization owner, you can create multiple TiDB instances in your organization. For example: From 2fedbe7b7cc2c1cb17e31734c6cbd99ad1dc4dd0 Mon Sep 17 00:00:00 2001 From: qiancai Date: Tue, 28 Oct 2025 15:57:54 +0800 Subject: [PATCH 15/15] Update manage-user-access-premium.md --- tidb-cloud/premium/manage-user-access-premium.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tidb-cloud/premium/manage-user-access-premium.md b/tidb-cloud/premium/manage-user-access-premium.md index c7cef37e5b546..6dc9d314bf6f5 100644 --- a/tidb-cloud/premium/manage-user-access-premium.md 
+++ b/tidb-cloud/premium/manage-user-access-premium.md @@ -5,7 +5,7 @@ summary: Learn how to manage identity access in {{{ .premium }}}. # Identity Access Management for {{{ .premium }}} -This document describes how to manage access to organizations, instances, roles and user profiles in {{{ .premium }}}. +This document describes how to manage access to organizations, instances, roles, and user profiles in {{{ .premium }}}. Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. @@ -94,7 +94,7 @@ At the instance level, TiDB Cloud defines two roles. | Manage instance settings | ✅ | ❌ | | Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the instance. | ✅ | ❌ | | Manage instance operations, such as instance creation, modification, and deletion. | ✅ | ❌ | -| Manage instance data such as data import, data backup and restore, and data migration. | ✅ | ❌ | +| Manage instance data, such as data import, data backup and restore, and data migration. | ✅ | ❌ | | Manage [changefeeds](/tidb-cloud/changefeed-overview.md). | ✅ | ❌ | | Review and reset instance passwords. | ✅ | ❌ | | View instance overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the instance. | ✅ | ✅ | 
@@ -112,7 +112,7 @@ To view and switch between organizations, take the following steps: > - If you are currently on the page of a specific instance, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization list. > - If you are a member of multiple organizations, you can click the target organization name in the combo box to switch your account between organizations. -2. To view the detailed information of your organization such as the organization ID and time zone, click the organization name, and then click **Organization Settings** > **General** in the left navigation pane. +2. To view the detailed information of your organization, such as the organization ID and time zone, click the organization name, and then click **Organization Settings** > **General** in the left navigation pane. ### Set the time zone for your organization @@ -158,7 +158,7 @@ To invite a member to an organization, take the following steps: 7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. -8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. +8. If the invited email address has not signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. > **Note:** > @@ -202,7 +202,7 @@ If you are in the `Organization Owner` role, you can invite members to your inst > > When a user not in your organization joins your instance, the user automatically joins your organization as well. -To invite a member to a instance, take the following steps: +To invite a member to an instance, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner.
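Review bot: In PATCH 12/15, hunk `@@ -152,11 +152,13 @@`, the new step 5 talks about "any project or instance roles", but this page only describes organizations and instances, so "project" has nothing to refer to outside the UI label. Suggest keeping the label **Add access for projects and instances** verbatim and rewording the prose to "do not need to assign any instance roles". Since this toggle decides whether an organization-only invite also carries instance access, it would help to state its default position in the step.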
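Review bot: In PATCH 12/15, hunk `@@ -210,9 +212,7 @@`, the merged step 5 already says to click **Add access** in the **Instance access** section, and the unchanged step 6 that follows says "Click **Add access**" again as the action that sends the invitation. The organization flow in the same patch ends with "Click **Invite**", so please check step 6 against the UI. If the final button is **Invite**, step 6 should say so; if it really is a second **Add access** button, say where it is so the two clicks can be told apart.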
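Review bot: In PATCH 12/15, hunk `@@ -234,8 +234,7 @@`, the procedure "To modify the instance role of a member" stops at step 3 (open **...** > **Edit Role**) and the next line is the `## Manage user profiles` heading, so the reader is never told how to pick the new role and confirm the change. Please add the closing step or steps. The hunk also removes an empty line next to that heading; make sure one blank line still separates the list from the heading.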
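Review bot: In PATCH 14/15, hunk `@@ -1,17 +1,17 @@`, the `{{{ .premium }}}` variable now appears in the front matter `title:` and `summary:` fields as well as in the body. Please confirm the build expands variables in front matter, otherwise the raw braces end up in the page title and metadata. The unchanged paragraph in the same hunk still says "Before accessing TiDB Cloud"; if that is meant to stay as the generic product name, no change is needed, but it is worth a deliberate decision now that the rest of the intro uses the variable.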
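Review bot: In PATCH 15/15, hunk `@@ -94,7 +94,7 @@`, the permission rows are punctuated inconsistently: "Manage instance settings" has no trailing period while the rows around the edited line ("Manage instance operations, …", "Review and reset instance passwords.") end with one. Since this row is being touched anyway, pick one style for the whole table.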
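Review bot: In PATCH 15/15, hunk `@@ -158,7 +158,7 @@`, step 8 still makes the email address the subject of "signed up" ("If the invited email address has not signed up for a TiDB Cloud account"). Suggest "If the invited user has not signed up for a TiDB Cloud account with this email address, …". Step 7 in the same hunk ("to verify the identity, and a new page shows") could also be tightened to "to verify their identity. A new page is displayed."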
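Review bot: In PATCH 15/15, hunk `@@ -202,7 +202,7 @@`, "a instance" is corrected to "an instance" in the procedure lead-in, but the same typo is left in the note under the organization invite steps ("To invite a user to a instance, see [Invite an instance member](#invite-an-instance-member)"), which is visible as context in PATCH 12's `@@ -152,11 +152,13 @@` hunk and is not touched by any later hunk in this series. Please fix that occurrence in the same commit.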