From 1547ee00ba565b4ac42be5d9617cd8313a3c656d Mon Sep 17 00:00:00 2001 From: George Wallace Date: Wed, 13 Nov 2024 20:49:08 -0700 Subject: [PATCH] cleaning up organization management --- serverless/index-serverless-general.asciidoc | 5 +- serverless/pages/custom-roles.asciidoc | 2 +- ...cess-to-org-from-existing-account.asciidoc | 17 --- .../manage-access-to-org-user-roles.asciidoc | 78 ---------- .../pages/manage-access-to-org.asciidoc | 32 ---- serverless/pages/manage-org.asciidoc | 143 +++++++++++++++++- .../pages/welcome-to-serverless.asciidoc | 29 +--- 7 files changed, 148 insertions(+), 158 deletions(-) delete mode 100644 serverless/pages/manage-access-to-org-from-existing-account.asciidoc delete mode 100644 serverless/pages/manage-access-to-org-user-roles.asciidoc delete mode 100644 serverless/pages/manage-access-to-org.asciidoc diff --git a/serverless/index-serverless-general.asciidoc b/serverless/index-serverless-general.asciidoc index e39acd09..ca36da06 100644 --- a/serverless/index-serverless-general.asciidoc +++ b/serverless/index-serverless-general.asciidoc @@ -1,16 +1,13 @@ [[intro]] == Welcome to Elastic serverless -include::{docs-content-root}/serverless/pages/welcome-to-serverless.asciidoc[leveloffset=+2] +include::./pages/welcome-to-serverless.asciidoc[leveloffset=+2] include::./pages/sign-up.asciidoc[leveloffset=+2] include::./pages/get-started-general.asciidoc[leveloffset=+2] include::./pages/manage-org.asciidoc[leveloffset=+2] -include::./pages/manage-access-to-org.asciidoc[leveloffset=+3] -include::./pages/manage-access-to-org-user-roles.asciidoc[leveloffset=+3] -include::./pages/manage-access-to-org-from-existing-account.asciidoc[leveloffset=+3] include::./pages/manage-your-project.asciidoc[leveloffset=+2] include::./pages/manage-your-project-rest-api.asciidoc[leveloffset=+3] diff --git a/serverless/pages/custom-roles.asciidoc b/serverless/pages/custom-roles.asciidoc index 041205c1..99c28424 100644 --- a/serverless/pages/custom-roles.asciidoc 
+++ b/serverless/pages/custom-roles.asciidoc @@ -13,7 +13,7 @@ preview:[] This content applies to: {es-badge} {sec-badge} -The built-in <> and <> are great for getting started with {serverless-full}, and for system administrators who do not need more restrictive access. +The built-in <> and <> are great for getting started with {serverless-full}, and for system administrators who do not need more restrictive access. As an administrator, however, you have the ability to create your own roles to describe exactly the kind of access your users should have within a specific project. For example, you might create a marketing_user role, which you then assign to all users in your marketing department. diff --git a/serverless/pages/manage-access-to-org-from-existing-account.asciidoc b/serverless/pages/manage-access-to-org-from-existing-account.asciidoc deleted file mode 100644 index 20607b9e..00000000 --- a/serverless/pages/manage-access-to-org-from-existing-account.asciidoc +++ /dev/null @@ -1,17 +0,0 @@ -[[general-join-organization-from-existing-cloud-account]] -= Join an organization from an existing Elastic Cloud account - -// :description: Join a new organization and bring over your projects. -// :keywords: serverless, general, organization, join, how to - -preview:[] - -If you already belong to an organization, and you want to join a new one, it is currently not possible to bring your projects over to the new organization. - -If you want to join a new project, follow these steps: - -. Make sure you do not have active projects before you leave your current organization. -. Delete your projects and clear any bills. -. Leave your current organization. -. Ask the administrator to invite you to the organization you want to join. -. Accept the invitation that you will get by email. diff --git a/serverless/pages/manage-access-to-org-user-roles.asciidoc b/serverless/pages/manage-access-to-org-user-roles.asciidoc deleted file mode 100644 index 6569c153..00000000 
--- a/serverless/pages/manage-access-to-org-user-roles.asciidoc +++ /dev/null 
@@ -1,78 +0,0 @@ -[[general-assign-user-roles]] -= Assign user roles and privileges - -// :description: Manage the predefined set of roles and privileges for all your projects. -// :keywords: serverless, general, organization, roles, how to - -preview:[] - -Within an organization, users can have one or more roles and each role grants specific privileges. - -You must assign user roles when you <>. -To subsequently edit the roles assigned to a user: - -. Go to the user icon on the header bar and select **Organization**. -. Find the user on the **Members** tab of the **Organization** page. Click the member name to view and edit its roles. - -[discrete] -[[general-assign-user-roles-organization-level-roles]] -== Organization-level roles - -* **Organization owner**. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization. -* **Billing admin**. Has access to all invoices and payment methods. Can make subscription changes. - -[discrete] -[[general-assign-user-roles-instance-access-roles]] -== Instance access roles - -Each serverless project type has a set of predefined roles that you can assign to your organization members. -You can assign the predefined roles: - -* globally, for all projects of the same type ({es-serverless}, {observability}, or {elastic-sec}). In this case, the role will also apply to new projects created later. -* individually, for specific projects only. To do that, you have to set the **Role for all** field of that specific project type to **None**. - -For example, you can assign a user the developer role for a specific {es-serverless} project: - -[role="screenshot"] -image::images/individual-role.png[Individual role] - -ifdef::serverlessCustomRoles[] - -You can also optionally <>. 
-To assign a custom role to users, go to "Instance access roles" and select it from the list under the specific project it was created in. - -endif::[] - -[discrete] -[[general-assign-user-roles-es]] -=== {es} - -* **Admin**. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. -* **Developer**. Creates API keys, indices, data streams, adds connectors, and builds visualizations. -* **Viewer**. Has read-only access to project details, data, and features. - -[discrete] -[[general-assign-user-roles-observability]] -=== {observability} - -* **Admin**. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. -* **Editor**. Configures all Observability projects. Has read-only access to data indices. Has full access to all project features. -* **Viewer**. Has read-only access to project details, data, and features. - -[discrete] -[[general-assign-user-roles-security]] -=== {elastic-sec} - -* **Admin**. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. -* **Editor**. Configures all Security projects. Has read-only access to data indices. Has full access to all project features. -* **Viewer**. Has read-only access to project details, data, and features. -* **Tier 1 analyst**. Ideal for initial alert triage. General read access, can create dashboards and visualizations. -* **Tier 2 analyst**. Ideal for alert triage and beginning the investigation process. Can create cases. -* **Tier 3 analyst**. Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. -* **Threat intelligence analyst**. Access to alerts, investigation tools, and intelligence pages. -* **Rule author**. Access to detection engineering and rule creation. 
Can create rules from available data sources and add exceptions to reduce false positives. -* **SOC manager**. Access to alerts, cases, investigation tools, endpoint policy management, and response actions. -* **Endpoint operations analyst**. Access to endpoint response actions. Can manage endpoint policies, {fleet}, and integrations. -* **Platform engineer**. Access to {fleet}, integrations, endpoints, and detection content. -* **Detections admin**. All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. -* **Endpoint policy manager**. Access to endpoint policy management and related artifacts. Can manage {fleet} and integrations. diff --git a/serverless/pages/manage-access-to-org.asciidoc b/serverless/pages/manage-access-to-org.asciidoc deleted file mode 100644 index b0d0108c..00000000 --- a/serverless/pages/manage-access-to-org.asciidoc +++ /dev/null 
@@ -1,32 +0,0 @@ -[[general-manage-access-to-organization]] -= Invite your team - -// :description: Add members to your organization and projects. -// :keywords: serverless, general, organization, overview - -To allow other users to interact with your projects, you must invite them to join your organization and grant them access to your organization resources and instances. - -Alternatively, {cloud}/ec-saml-sso.html[configure {ecloud} SAML SSO] to enable your organization members to join the {ecloud} organization automatically. preview:[] - -. Go to the user icon on the header bar and select **Organization**. -. Click **Invite members**. -+ -You can add multiple members by entering their email addresses separated by a space. -+ -You can grant access to all projects of the same type with a unique role, or select individual roles for specific projects. -For more details about roles, refer to <>. -. Click **Send invites**. -+ -Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation. If they do not join within that period, you will have to send a new invitation. - -On the **Members** tab of the **Organization** page, you can view the list of current members, their status and role. - -In the **Actions** column, click the three dots to edit a member’s role or revoke the invite. - -[discrete] -[[general-manage-access-to-organization-leave-an-organization]] -== Leave an organization - -On the **Organization** page, click **Leave organization**. - -If you're the only user in the organization, you can only leave if you have deleted all your projects and don't have any pending bills. diff --git a/serverless/pages/manage-org.asciidoc b/serverless/pages/manage-org.asciidoc index a74ca77d..b91679b8 100644 --- a/serverless/pages/manage-org.asciidoc +++ b/serverless/pages/manage-org.asciidoc 
@@ -10,6 +10,147 @@ When you sign up to Elastic Cloud, you create an **organization**. This organization is the umbrella for all of your Elastic Cloud resources, users, and account settings. Every organization has a unique identifier. Bills are invoiced according to the billing contact and details that you set for your organization. -* <>: Add members to your organization and projects. +In this article we walk you through the essential processes to effectively oversee your organization. + +Learn how to: + +* <>: Invite users in your organization to access serverless projects and specify their roles. +* <>: Assign predefined roles to users in your organization. +* <>: Join a new organization and bring over your projects. +* <>: Leave an organization. + +For information on billing and project features and usage, refer to: + * <>: Configure the billing details of your organization. * <>: Configure project-wide features and usage. + +[discrete] +[[general-manage-access-to-organization]] +== Invite your team + +// :description: Add members to your organization and projects. +// :keywords: serverless, general, organization, overview + +To allow other users to interact with your projects, you must invite them to join your organization and grant them access to your organization resources and instances. + +Alternatively, {cloud}/ec-saml-sso.html[configure {ecloud} SAML SSO] to enable your organization members to join the {ecloud} organization automatically. preview:[] + +. Go to the user icon on the header bar and select **Organization**. +. Click **Invite members**. ++ +You can add multiple members by entering their email addresses separated by a space. ++ +You can grant access to all projects of the same type with a unique role, or select individual roles for specific projects. +For more details about roles, refer to <>. +. Click **Send invites**. ++ +Invitations to join an organization are sent by email. Invited users have 72 hours to accept the invitation. 
If they do not join within that period, you will have to send a new invitation. + +On the **Members** tab of the **Organization** page, you can view the list of current members, their status and role. + +In the **Actions** column, click the three dots to edit a member’s role or revoke the invite. + +[discrete] +[[general-assign-user-roles]] +== Assign user roles and privileges + +// :description: Manage the predefined set of roles and privileges for all your projects. +// :keywords: serverless, general, organization, roles, how to + +preview:[] + +Within an organization, users can have one or more roles and each role grants specific privileges. + +You must assign user roles when you <>. +To subsequently edit the roles assigned to a user: + +. Go to the user icon on the header bar and select **Organization**. +. Find the user on the **Members** tab of the **Organization** page. Click the member name to view and edit its roles. + +[discrete] +[[general-assign-user-roles-organization-level-roles]] +=== Organization-level roles + +* **Organization owner**. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization. +* **Billing admin**. Has access to all invoices and payment methods. Can make subscription changes. + +[discrete] +[[general-assign-user-roles-instance-access-roles]] +=== Instance access roles + +Each serverless project type has a set of predefined roles that you can assign to your organization members. +You can assign the predefined roles: + +* globally, for all projects of the same type ({es-serverless}, {observability}, or {elastic-sec}). In this case, the role will also apply to new projects created later. +* individually, for specific projects only. To do that, you have to set the **Role for all** field of that specific project type to **None**. 
+ +For example, you can assign a user the developer role for a specific {es-serverless} project: + +[role="screenshot"] +image::images/individual-role.png[Individual role] + +ifdef::serverlessCustomRoles[] + +You can also optionally <>. +To assign a custom role to users, go to "Instance access roles" and select it from the list under the specific project it was created in. + +endif::[] + +[discrete] +[[general-assign-user-roles-es]] +==== {es} + +* **Admin**. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. +* **Developer**. Creates API keys, indices, data streams, adds connectors, and builds visualizations. +* **Viewer**. Has read-only access to project details, data, and features. + +[discrete] +[[general-assign-user-roles-observability]] +==== {observability} + +* **Admin**. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. +* **Editor**. Configures all Observability projects. Has read-only access to data indices. Has full access to all project features. +* **Viewer**. Has read-only access to project details, data, and features. + +[discrete] +[[general-assign-user-roles-security]] +==== {elastic-sec} + +* **Admin**. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. +* **Editor**. Configures all Security projects. Has read-only access to data indices. Has full access to all project features. +* **Viewer**. Has read-only access to project details, data, and features. +* **Tier 1 analyst**. Ideal for initial alert triage. General read access, can create dashboards and visualizations. +* **Tier 2 analyst**. Ideal for alert triage and beginning the investigation process. Can create cases. +* **Tier 3 analyst**. Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. 
+* **Threat intelligence analyst**. Access to alerts, investigation tools, and intelligence pages. +* **Rule author**. Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives. +* **SOC manager**. Access to alerts, cases, investigation tools, endpoint policy management, and response actions. +* **Endpoint operations analyst**. Access to endpoint response actions. Can manage endpoint policies, {fleet}, and integrations. +* **Platform engineer**. Access to {fleet}, integrations, endpoints, and detection content. +* **Detections admin**. All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. +* **Endpoint policy manager**. Access to endpoint policy management and related artifacts. Can manage {fleet} and integrations. + +[discrete] +[[general-leave-an-organization]] +== Leave an organization + +On the **Organization** page, click **Leave organization**. + +If you're the only user in the organization, you can only leave if you have deleted all your projects and don't have any pending bills. + +[discrete] +[[general-join-organization-from-existing-cloud-account]] +== Join an organization from an existing Elastic Cloud account + +// :description: Join a new organization and bring over your projects. +// :keywords: serverless, general, organization, join, how to + +If you already belong to an organization, and you want to join a new one, it is currently not possible to bring your projects over to the new organization. + +If you want to join a new project, follow these steps: + +. Make sure you do not have active projects before you leave your current organization. +. Delete your projects and clear any bills. +. Leave your current organization. +. Ask the administrator to invite you to the organization you want to join. +. Accept the invitation that you will get by email. 
diff --git a/serverless/pages/welcome-to-serverless.asciidoc b/serverless/pages/welcome-to-serverless.asciidoc index c5b22d53..6c7a7510 100644 --- a/serverless/pages/welcome-to-serverless.asciidoc +++ b/serverless/pages/welcome-to-serverless.asciidoc 
@@ -1,21 +1,11 @@ -++++ - -++++ += Elasticsearch Serverless Overview +== Introduction preview:[] -Elastic serverless products allow you to deploy and use Elastic for your use cases without managing the underlying Elastic cluster, -such as nodes, data tiers, and scaling. Serverless instances of the Elastic Stack that you create in {ecloud} are called **serverless projects**. These serverless projects are fully-managed, autoscaled, and automatically upgraded by Elastic so you can focus more on gaining value and insight from your data. +Elasticsearch serverless is a fully managed solution that allows you to deploy and use Elastic for your use cases without managing the underlying infrastructure. It represents a shift in how you interact with Elasticsearch - instead of managing clusters, nodes, data tiers, and scaling, you create **serverless projects** that are fully managed and automatically scaled by Elastic. This abstraction of infrastructure decisions allows you to focus solely on gaining value and insight from your data. -Serverless instances of the Elastic Stack that you create in {ecloud} are called **serverless projects**. +Elasticsearch serverless automatically provisions, manages, and scales your Elasticsearch resources based on your actual usage. Unlike traditional deployments where you need to predict and provision resources in advance, serverless adapts to your workload in real-time, ensuring optimal performance while eliminating the need for manual capacity planning. Serverless projects use the core components of the {stack}, such as {es} and {kib}, and are based on https://www.elastic.co/blog/elastic-serverless-architecture[an architecture that decouples compute and storage]. Search and indexing operations are separated, which offers high flexibility for scaling your workloads while ensuring 
@@ -58,17 +48,6 @@ a set of predefined settings you can edit. Until May 31, 2024, your serverless consumption will not incur any charges, but will be visible along with your total Elastic Cloud consumption on the https://cloud.elastic.co/billing/usage[Billing Usage page]. Unless you are in a trial period, usage on or after June 1, 2024 will be deducted from your existing Elastic Cloud credits or be billed to your active payment method. ==== -[discrete] -[[general-what-is-serverless-elastic-control-your-data-and-performance]] -== Control your data and performance - -Control your project data and query performance against your project data. - -**Data.** Choose the data you want to ingest, and the method to ingest it. By default, data is stored indefinitely in your project, -and you define the retention settings for your data streams. - -**Performance.** For granular control over costs and query performance against your project data, serverless projects come with a set of predefined <> that you can edit. - [discrete] [[general-what-is-serverless-elastic-differences-between-serverless-projects-and-hosted-deployments-on-ecloud]] == Differences between serverless projects and hosted deployments on {ecloud}
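Review bot: In serverless/pages/manage-org.asciidoc, the new "Learn how to" list describes the join entry as "Join a new organization and bring over your projects", but the section it points to says "it is currently not possible to bring your projects over to the new organization" and tells the reader to delete their projects first. Reword the bullet to match the section, and while that section is being moved, "If you want to join a new project, follow these steps" reads as if it should say organization. The leave section's anchor also changes from `general-manage-access-to-organization-leave-an-organization` to `general-leave-an-organization`, so any existing cross-reference to the old id needs updating, or the old id should be kept. Finally, `preview:[]` was present in the deleted manage-access-to-org-from-existing-account.asciidoc but is not carried into the moved "Join an organization" section, while the moved "Assign user roles and privileges" section keeps it. Make that consistent, or state in the commit message that the drop is intentional.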
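Review bot: In the first hunk of serverless/pages/welcome-to-serverless.asciidoc, the rewritten introduction names the product "Elasticsearch serverless" in literal text, while the index heading that includes this page is "Welcome to Elastic serverless" and manage-org.asciidoc in the same patch lists {es-serverless}, {observability} and {elastic-sec} project types. Either keep the product-neutral wording of the removed paragraph ("Elastic serverless products") or use the existing attributes such as {es} instead of hardcoded names. The new "= Elasticsearch Serverless Overview" and "== Introduction" headings are added to a file that index-serverless-general.asciidoc includes with leveloffset=+2 directly under its own "== Welcome to Elastic serverless" heading, so the rendered heading hierarchy should be checked. This rewrite is also outside what the subject line "cleaning up organization management" describes and would be easier to review as a separate commit.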
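Review bot: The second hunk of serverless/pages/welcome-to-serverless.asciidoc deletes the "Control your data and performance" section together with its anchor `general-what-is-serverless-elastic-control-your-data-and-performance`, and the commit message gives no reason for it. The hunk header's context text ("a set of predefined settings you can edit.") suggests similar wording remains earlier in the page. If the removal is de-duplication, confirm that the statement "By default, data is stored indefinitely in your project, and you define the retention settings for your data streams" still appears there, because the default retention behaviour should stay documented, and check for cross-references to the removed id.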