Merge pull request #3465 from EnterpriseDB/release/2022-12-19
Production Release: 2022-12-19
ccestes authored Dec 19, 2022
2 parents a81c975 + f50a2c7 commit e809cd4
Showing 17 changed files with 198 additions and 131 deletions.
Expand Up @@ -5,129 +5,91 @@ redirects:
- 01_user_access
---

BigAnimal uses role-based access controls to grant users access to different parts of the application using organization-level and project-level roles. Roles are sets of permissions. BigAnimal uses roles to manage permissions assigned to users.

BigAnimal uses role-based access controls to grant users access to different parts of the application.
Each customer has a unique BigAnimal organization. Each organization has at least one project by default. An organization's database clusters are deployed and managed in the customer's cloud account within a project. You can create multiple projects within a single organization.

## Organizations
With multiple projects within an organization you can:
- separate workflows to provide secure and isolated environments
- assign different users to different projects or give different roles to users in different projects to ensure they have the correct level of permissions

Each subscribed customer has a unique *organization*. Each organization’s database clusters are deployed and managed in the customer's cloud account. This approach ensures complete segregation of customer data between organizations.
In order to access a BigAnimal organization, each user needs to be first added to the organization's identity provider. For more information, see [Setting up your identity provider](/biganimal/latest/getting_started/identity_provider/). Your identity provider establishes the identity of users that can log in to BigAnimal.

Each BigAnimal organization is associated with an identity provider, set up by the customer. Your identity provider establishes the identity of users that belong to an organization. After an organization's identity provider is set up, users added to the identity provider can log in with minimum access privileges.
Once a user has logged in to BigAnimal, you can assign them a role.

For Azure Marketplace accounts, each BigAnimal organization is associated with an Azure AD tenant. Azure AD establishes the identity of users that belong to an organization. After Azure AD is linked during subscription, users that belong to that AD can log in with minimum access privileges.
## Organization level roles
The following roles grant privileges within an organization.

BigAnimal supports role-based access control policies. A user with the owner role can assign roles to other users in the same organization.
- **Organization owner** — This role has management privileges to the organization and can perform the following actions:
- Create and view projects within their organization
- Update and delete their own projects
- View and assign organization-level and project-level roles
- View an activity log for the whole organization and each project
- View and download a usage report for the whole organization and each project
- View the identity provider details

## Roles
!!!noteNotes
- The first user in a BigAnimal organization is an organization owner and project owner of the initial project, by default.
- At least one user must be an organization owner.
!!!

Access to BigAnimal is controlled by roles. Roles are sets of permissions. You use roles to manage permissions assigned to users.
- **Organization admin** — This role has read-only permissions to the organization. They can:
- View a list of projects within the organization

Each organization has three default roles available:
- View and download a usage report for the whole organization
- View other users with organization-level roles
- View the identity provider details of the BigAnimal subscription

- account owner
- contributor
- reader

## Project level roles

### Permissions
The following roles grant privileges within a project.

Permissions are generally represented in the format *action*:*object* where *action* represents an operation to perform and *object* represents a category of portal functionality.
- **Project owner** — This role has management privileges to the project and can perform the following actions within the project:

- The available actions are: create, read, update, and delete.
- Connect the cloud service provider accounts to BigAnimal

- The available objects are: cloud accounts, backups, billing, clusters, events, identity providers, permissions, roles, users, and versions.
- View, edit, and delete the project
- Create, view, edit, and delete clusters
- Activate, suspend, and deactivate regions
- View and assign project-level roles
- View an activity log
- View and download a usage report

!!! Note
Not every object supports all the actions. For example, versions objects are always read-only.
!!!note
At least one user must be a project owner.
!!!

### Permissions by role
- **Project editor** — This role has edit privileges to the project and can perform the following actions within the project:

The following are the default permissions by role:
- View the cloud service provider accounts connected to BigAnimal

| Role | Object | Permissions |
| ------------- | ----------------- | ----------- |
| account owner | backups | create, read, update, and delete |
| | billing | read |
| | cloud account | create, read, and update |
| | clusters | create, read, update, and delete |
| | events | read |
| | identity provider | read |
| | permissions | read |
| | regions | create, read, update, and delete |
| | roles | read |
| | users | read, update |
| | versions | read |
| contributor | backups | create, read, update, and delete |
| | cloud account | create, read, and update |
| | clusters | create, read, update, and delete |
| | events | read |
| | permissions | read |
| | regions | create, read, update, and delete |
| | roles | read |
| | users | read, update |
| | versions | read |
| reader | backups | read |
| | cloud account | read |
| | clusters | read |
| | events | read |
| | permissions | read |
| | roles | read |
| | users | read |
| | versions | read |
- Create, view, edit, and delete clusters
- Activate regions
- View users with project-level roles
- View an activity log
- View and download a usage report

## Users
- **Project viewer** — This role has read-only permissions to the project. They can:

- View clusters

- View users with project-level roles

If you purchased BigAnimal through Azure Marketplace, when you configured your Azure subscription, you also enabled BigAnimal to authenticate users from your organization using Azure AD. Before users become visible in the BigAnimal Users screen, they need to sign in using Azure AD after receiving special emails from your organization.

If you are using your own account, you enabled BigAnimal to authenticate users from your organization using your identity provider. Before users become visible in the BigAnimal Users screen, they need to log in.
## Users

New users signed in to BigAnimal have a minimum set of permissions until you assign them a role.
Organization owners can assign users organization-level roles to complete certain tasks:

### Assign roles to users

1. Navigate to **Admin > Users**.
1. Select **User Management** from the organization dropdown menu next to your organization name in the top right of the portal.

2. Select the edit icon for the user.

3. Select **Assign Roles**.

4. Select or clear roles for the user.
4. Select the roles for the user.

5. Select **Submit**.

!!! Note
For a user's role assignment to take effect, the user must log out from BigAnimal and log in again.

### View users

You can view all users from your organization who have logged in at least once.

1. Navigate to **Admin > Users**.

2. View the list of users. You can use search to narrow the list and you can also sort it by name or email.

## Example scenario

1. Tom is the first user and sets up the identity provider. He is granted the account owner role.

2. Tom invites Jerry and Sally to log in through the organizations identity provider. Both of their accounts in BigAnimal are automatically created with the role of reader.

3. Tom connects the organization's cloud account to BigAnimal.

3. Tom grants Sally the contributor role. She can now create BigAnimal clusters.

4. Sally asks Jerry to log in and grants him the contributor role.

5. Jerry can now see the clusters that Sally created and can create clusters.

## Example scenario for Azure Marketplace

1. The BigAnimal organization is created, and Tom logs in and is granted the account owner role.

2. Tom asks Jerry to log in, using his Azure AD account. Jerry's account in BigAnimal is created.

3. Tom grants Sally the contributor role. Sally can now create BigAnimal clusters.

4. Sally asks Jerry to log in and grants him the contributor role.

5. Jerry can now see the clusters that Sally created and can create clusters.
See [Adding a user to a project](/biganimal/release/administering_cluster/projects.mdx) for information on adding users to projects.
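Review bot: the page twice says that users who sign in before being given a role get "minimum access privileges" ("users added to the identity provider can log in with minimum access privileges" and "New users signed in to BigAnimal have a minimum set of permissions until you assign them a role") but never states what that minimum is; since every identity in the connected identity provider can reach this baseline, the roles section should spell out what an unassigned user can see and do. The Note "For a user's role assignment to take effect, the user must log out from BigAnimal and log in again" cuts both ways: a removed or downgraded role also stays in force until the user's current session ends, so say so explicitly and describe how an owner can end that session if the portal offers a way. Smaller points: the admonition openers are inconsistent within the file (`!!!noteNotes`, `!!! Note`, `!!!note`), and the closing link `/biganimal/release/administering_cluster/projects.mdx` uses a `release` path segment and an `.mdx` extension while the identity-provider link above uses `/biganimal/latest/...` with no extension, so one of the two forms is likely to break.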
Expand Up @@ -17,11 +17,12 @@ The Superset roles map to BigAnimal permissions:

| Superset role | Description | BigAnimal permissions mapped to Superset role |
| ------------- | ---------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- |
| Gamma | View data that user has been granted access to, create dashboards | Reader |
| Alpha | All Superset Gamma privileges, plus the ability to add or modify data sources | Contributor |
| Admin | All Superset Alpha privileges, plus access to SQL Lab and the ability to grant or revoke access to data to other users | Account owner |
| Gamma | View data that user has been granted access to, create dashboards | Project viewer |
| Alpha | All Superset Gamma privileges, plus the ability to add or modify data sources | Project editor |
| Admin | All Superset Alpha privileges, plus access to SQL Lab and the ability to grant or revoke access to data to other users | Project owner |

!!! Note
While Admin users have access to all databases by default, both Alpha and Gamma users need to be given access via the Superset sql_lab role on a per database basis. The sql_lab role grants access to SQL Lab.
!!!NoteNotes
- Access to Superset is currently limited to the initial default project set up by BigAnimal. The user needs to have a project role for the initial project to access Superset.
- While Admin users have access to all databases by default, both Alpha and Gamma users need to be given access via the Superset sql_lab role on a per database basis. The sql_lab role grants access to SQL Lab.

To assign BigAnimal user roles, see [Changing role permissions](01_portal_access/#assign-roles-to-users).
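Review bot: the admonition opener `!!!NoteNotes` differs in case from the `!!!noteNotes` used in the other files of this change; check that the renderer accepts a capitalised type, otherwise the line shows up as literal text. The link text "Changing role permissions" points at `#assign-roles-to-users`, whose heading reads "Assign roles to users"; use the same wording so readers can find the target. Since Admin now maps to Project owner and the new note restricts Superset to the initial default project, it is worth stating plainly that a project owner of any other project gets no Superset access; that follows from the two statements but is easy to miss.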
Expand Up @@ -3,7 +3,7 @@ title: "Reviewing account activity"
description: "Use the activity log to audit user activities or research account activities"
---

The activity log collects BigAnimal events based on user activity in the portal. You can use the log to audit activities performed by users from your organizations or research activities that might have affected your account.
The activity logs collect BigAnimal events based on user activity in the portal. There is an organization-level log available users with organization roles and a project-level log. You can use the log to audit activities performed by users from your organizations or research activities that might have affected your account at either the organization level or the project level.

## Events

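Review bot: the new sentence "There is an organization-level log available users with organization roles and a project-level log" is missing "to" and reads as if the project-level log has no audience; suggest "There is an organization-level log, available to users with organization roles, and a project-level log for each project." Also decide whether the page should use "activity log" or "activity logs" throughout, since the first sentence now uses the plural while the title, description and the rest of the page use the singular.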
Expand All @@ -22,19 +22,26 @@ Events are related to the following resource types:
- user roles
- role permissions
- organization
- project

!!! Note
Database events are not logging activity on the Postgres server. They are logging the use of the portal to create or modify database clusters.

## View and search the activity log

To view events, navigate to the [Activity Log](https://portal.biganimal.com/activityLog) page on the [BigAnimal](https://portal.biganimal.com) portal. To search events, use the filters at the top of the page.
To view events, navigate to the Activity Log page on the [BigAnimal](https://portal.biganimal.com) portal.
- The organization-level activity log is available from the dropdown menu next to your organization name in the top right of the portal if you are an organization owner or admin.
- The project-level activity log is available from the Project menu on the left of the portal.

The following fields are in the activity log:
To search events, use the filters at the top of the page.

The following fields are in the activity logs:

| Field | Description |
| ----------------- | -------------------------------------------------------------------- |
| **Projects** | Projects in the organization (only available from the organization log) |
| **Activity Name** | Name of an event in the format *Action Resource-Type, Resource-name* |
| **User** | User responsible for the event |
| **Date** | Date when the action was performed |
| **Resource** | Resource type of the resource |
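Review bot: the Note "Database events are not logging activity on the Postgres server" is the key scoping caveat for anyone who intends to use this log as an audit trail, and it should be stated positively and earlier on the page: the activity log records control-plane actions taken through the portal (creating, modifying or deleting clusters and the other listed resource types), not queries, logins or data changes on the Postgres server itself. Two smaller points: the intro says the organization-level log is for "users with organization roles" while the bullet here says "organization owner or admin", so settle on one phrasing; and the new **Projects** row in the field table should say whether it is a column or one of the filters mentioned in "To search events, use the filters at the top of the page."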

@@ -1,8 +1,11 @@
---
title: "Administering your account"
indexCards: simple
navigation:
- 01_portal_access
- projects
---

Administrative activities for the BigAnimal account include portal and database user access management as well as account activity reviews and customizing Azure policy definitions.
Administrative activities for the BigAnimal account include portal and database user access management as well as account activity reviews and customizing cloud provider policy definitions.

If you coordinated with [BigAnimal Support](../overview/support) to enable the Apache Superset feature, see [Managing Superset access](01a_superset_access) for information on setting up roles and permission for access to the Superset data sources.
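Review bot: the `navigation:` list gains `projects`, but the introductory sentence still describes administration only as user access management, activity reviews and policy definitions; add project management to it so the index page matches its children. The change from "Azure policy definitions" to "cloud provider policy definitions" is consistent with the AWS support referenced elsewhere in this release. The Superset page `01a_superset_access` is linked from the text but absent from `navigation:`; confirm that is intentional.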
@@ -0,0 +1,78 @@
---
title: Managing projects
description: "Use projects to provide additional security and segregation to workflows within your organization"
---

Projects are a group of database clusters within a BigAnimal organization. Access to projects is controlled by a user's role. With projects, you can separate workflows to provide secure and isolated environments and assign different users to different projects. See [Managing portal access](/biganimal/release/administering_cluster/01_portal_access) for more information.

Projects actions are available from the left navigation bar. The actions apply to the project in focus. You can switch between projects using the Projects menu.

## Adding a user to a project
Before adding a user to a project:
- The user must be added to the organization through the organization's identity provider.

- The user must log in to the BigAnimal portal at least once.
- You must be an organization owner or the project owner of the project.

To add a user:
1. Select the project you want to add a user to from the Projects menu.

1. Select Users from the left navigation bar.
2. Select the edit icon for the user.
3. Select **Assign Roles**.
4. Depending on the level of access you want for the user, select the appropriate role.

5. Select **Submit**.


## Creating a project

Before creating a new project:

- You must have an organization owner role.

- You must create a new Azure subscription or AWS account to create a new project.

- To create a new Azure subscription, see [Create a Microsoft Customer Agreement subscription](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/create-subscription).

- To create a new AWS account, see [Creating an AWS account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html).

!!!noteNotes
- You can only use a single Azure subscription or AWS account for one project at a time. For example, if you have two projects and only need to deploy your clusters in AWS, you need to connect a different AWS account for each project.

- To reuse an Azure subscription or AWS account, you have to first delete the project that was previously connected with that account.

To create a new project:

1. On the Projects menu, select **New Project**.

1. Enter a unique name for the project.
1. Select **Create Project**.
1. Select **Project > See All Projects**.
1. Select your new project.
1. Set up the cloud provider for the project. See [Connecting your cloud](/biganimal/latest/getting_started/02_connecting_to_your_cloud/).
1. Activate the region for the project. See [Activating regions](/biganimal/latest/getting_started/activating_regions/).
1. Select **Create Project**.


## Editing a project

To edit a project:
1. On the Projects page, select the edit icon next to the project in the projects list.

1. Enter a new name.
1. Select **Update**.


## Deleting a project

!!!Note
Contact [BigAnimal Support](/biganimal/release/overview/support) if you want to delete the initial default project created by BigAnimal.

To delete a project that you created:

1. On the Projects page, select the edit icon next to the project in the projects list.

1. Delete any remaining clusters in the project.
1. Delete the regions for the project.
1. Select **Yes, Delete Project**.
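Review bot: the "Deleting a project" procedure lists "Delete any remaining clusters in the project" and "Delete the regions for the project" after "select the edit icon", which puts the cleanup in the wrong place; clusters and regions have to be gone before the project can be deleted, so move those two into a "Before deleting a project" list (mirroring the "Before creating a new project" list above) and add the step that actually opens the delete dialog before "Select **Yes, Delete Project**". In "Creating a project", "Select **Create Project**" appears both as the third step and as the final step, and "Select **Project > See All Projects**" names the menu differently from the "Projects menu" used everywhere else, so one of the two Create Project steps is probably a leftover. The numbered lists mix "1." auto-numbering with explicit "2.", "3.", and the link `/biganimal/release/administering_cluster/01_portal_access` uses `release` while the cloud and region links use `/biganimal/latest/...`.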

2 comments on commit e809cd4

@github-actions

🎉 Published on https://edb-docs.netlify.app as production
🚀 Deployed on https://63a08ed2fe097f01f9e6cf23--edb-docs.netlify.app
