Fix the docs for authentication and authorization (#3925)

* Fix the docs for authentication and authorization * Fix some points from reviews
pipe-cd · Sep 29, 2022 · 88e9ba0 · 88e9ba0
1 parent 4089d74
commit 88e9ba0
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/docs/content/en/docs-dev/user-guide/managing-controlplane/auth.md b/docs/content/en/docs-dev/user-guide/managing-controlplane/auth.md
@@ -6,7 +6,7 @@ description: >
   This page describes about PipeCD Authentication and Authorization.
 ---
 
-![](/images/settings-project.png)
+![](/images/settings-project-v0.38.x.png)
 
 ### Static Admin
 
@@ -32,12 +32,43 @@ The project can be configured to use a shared SSO configuration (shared OAuth ap
 
 Role-based access control (RBAC) allows restricting access on the PipeCD web-based on the roles of user groups within the project. Before using this feature, the SSO must be configured.
 
-PipeCD provides three roles:
+PipeCD provides three built-in roles:
 
-- `viewer`: has only permissions to view application, deployment list, and details.
-- `editor`: has all viewer permissions, plus permissions for actions that modify state, such as manually syncing application, canceling deployment...
-- `admin`: has all editor permissions, plus permissions for updating project configurations.
+- `Viewer`: has only permissions to view existing resources or data.
+- `Editor`: has all viewer permissions, plus permissions for actions that modify state, such as manually syncing application, canceling deployment...
+- `Admin`: has all editor permissions, plus permissions for updating project configurations.
 
-Configuring RBAC means setting up 3 teams (GitHub) /groups (Google) corresponding to 3 above roles. All users belong to a team/group will have all permissions of that team/group.
+#### Configuring the PipeCD's roles
 
-![](/images/settings-update-rbac.png)
+The below table represents PipeCD's resources with actions on those resources.
+
+| resource | get | list | create | update | delete |
+|:--------------------|:------:|:-------:|:-------:|:-------:|:-------:|
+| application | ○ | ○ | ○ | ○ | ○ |
+| deployment  | ○ | ○ |   | ○ |   |
+| event       |   | ○ |   |   |   |
+| piped       | ○ | ○ | ○ | ○ |   |
+| project     | ○ |   |   | ○ |   |
+| apiKey      |   | ○ | ○ | ○ |   |
+| insight     | ○ |   |   |   |   |
+
+
+Each role is defined as a combination of multiple policies under this format.
+```
+resources=RESOURCE_NAMES;actions=ACTION_NAMES
+```
+
+The `*` represents all resources and all actions for a resource.
+```
+resources=*;actions=ACTION_NAMES
+resources=RESOURCE_NAMES;actions=*
+resources=*;actions=*
+```
+
+#### Configuring the PipeCD's user groups
+
+User Group represents a relation with a specific team (GitHub)/group (Google) and an arbitrary role. All users belong to a team/group will have all permissions of that team/group.
+
+You cannot assign multiple roles to a team/group.
+
+![](/images/settings-add-user-group.png)
diff --git a/docs/static/images/settings-add-user-group.png b/docs/static/images/settings-add-user-group.png
diff --git a/docs/static/images/settings-project-v0.38.x.png b/docs/static/images/settings-project-v0.38.x.png