Permissions section is done

OctopusDeploy · Nov 8, 2024 · a382d4a · a382d4a
1 parent 5970534
commit a382d4a
Showing 1 changed file with 18 additions and 23 deletions.
diff --git a/src/pages/docs/runbooks/config-as-code-runbooks.md b/src/pages/docs/runbooks/config-as-code-runbooks.md
@@ -34,42 +34,37 @@ You can migrate an existing version controlled project to use CaC Runbooks by cl
 
 Once that's done, you should see a branch selector at the top of the **Runbooks** page, and a new 'runbooks/' directory in your repository alongside your existing OCL files (see the '.octopus/ directory' of your repository). 
 
-## Migrating runbook drafts
+## Drafts vs branches
 
-Note that when you convert your project to use CaC Runbooks, only 'published' runbooks will be available in Octopus as CaC Runbooks. 
+Note that when you convert your project to use CaC Runbooks, only published runbooks will be available in Octopus as CaC Runbooks. 
 
-However 'draft' runbooks will still be converted to code. They can be found in the 'runbooks/migrated-drafts/' directory alongside your other runbooks' OCL files. 
+One of the exciting things about CaC is that it allows you to edit your runbooks over as many branches as you would like, creating as many copies of the runbook as you have branches. This means that we no longer need draft runbooks. 
 
-To access your draft runbooks in Octopus, you can just move their OCL files into the 'runbooks/' folder. However, first we should consider how CaC Runbooks uses branches to handle permissions. 
+Draft runbooks will still be converted to code. They can be found in the 'runbooks/migrated-drafts/' directory alongside your other runbooks' OCL files. 
 
-## Working with branches
+To access your draft runbooks in Octopus, you can just move their OCL files up to the 'runbooks/' folder. However, first let's consider how CaC Runbooks uses branches to handle permissions. 
 
-One of the exciting things about CaC is that it allows you to edit your runbooks over as many branches as you would like, creating as many copies of the runbook as you have branches. This means that we no longer need 'draft' runbooks. 
-
-But what about published runbooks? When you convert your project to use CaC, you specify a 'default' branch to contain the approved versions of your OCL files. 
-
-Octopus provides two built in roles to help you to manage permissions around editing and running runbooks: 'Runbook Consumer' and 'Runbook Producer'. 
-
-Runbook Consumer:
-- Non-CaC Runbooks - Users with this role cannot edit runbooks and can only run published runbooks. 
-- CaC Runbooks - Users with this role cannot edit runbooks and can only run runbooks from the latest commit on the default branch. 
-
-Runbook Producer:
-- Non-CaC Runbooks - Users with this role can edit and run both draft and published runbooks. 
-- CaC Runbooks - Users with this role can edit runbooks on any unprotected branches and can run runbooks from any commit on any branch. 
+## Permissions by branch
 
+When converting your project to use CaC, you specify a default branch to contain the approved versions of your OCL files. Other branches can be thought of as containing restricted versions of your runbooks. These may be unfinished runbook drafts or runbooks that you want to place extra permissions around.
 
+You also have the option to specify protected branches. Protected cannot be changed from within Octopus. Consider marking any branch which you would normally follow a PR review process to update as protected. 
 
+Octopus provides two built in roles to help you to manage permissions around editing and running runbooks: 'Runbook Consumer' and 'Runbook Producer'. 
 
+#### Runbook Consumer:
+- Non-CaC Runbooks - cannot edit runbooks and can only run published runbooks. 
+- CaC Runbooks - cannot edit runbooks and can only run runbooks from the latest commit on the default branch. 
 
+#### Runbook Producer:
+- Non-CaC Runbooks - can edit and run both draft and published runbooks.
+- CaC Runbooks - can edit runbooks on any unprotected branches and can run runbooks from any commit on any branch. 
 
+Effectively, this means that your 'published' runbooks will become those in the latest commit on your default branch, and your 'draft' runbooks are those on any other commit and any other branch. 
 
-To prevent runbooks which arent aproved being run by just anyone, non-cac runbooks let you put permissions around draft runbooks. If using our built in roles:
-- consumer - can run published and draft versions
-- producer - can run the published version
-In the case of cac runbooks, producers can run anything but only runbooks from the tip of the default branch can be run by consumers. 
+💡 If you are using Octopus built in roles, keep these permissions in mind when moving your draft runbooks out of the 'migrated-drafts/' folder.
 
-Keep this in mind when moving your drafts across from the migrated-drafts folder. If you want them to be available for general use, add them to your default branch. If not, keep them on another branch. 
+## Snapshots vs commits
 
 
 ## How are runbooks different with CaC?