four-how-to-users-etc

Author: yarongol

docs/admin/runai-setup/authentication/accessrules.md

@@ -0,0 +1,74 @@
+This article explains the procedure to manage Access rules.
+
+Access rules provide users, groups, or applications privileges to system entities.
+
+An access rule is the assignment of a role to a subject in a scope: \<Subject\> is a \<Role\> in a \<Scope\>.
+
+For example, user **user@domain.com** is a **department admin** in **department A**.
+
+## Access rules table
+
+The Access rules table can be found under **Tools & Settings** in the Run:ai platform.
+
+The Access rules table provides a list of all the access rules defined in the platform, and allows you to manage them.
+
+
+
+!!! Note
+    __Flexible management__
+
+    It is also possible to manage access rules directly for a specific user, application, project, or department.
+
+![](img/accessrulestable.png)
+
+The Access rules table consists of the following columns:
+
+| Column | Description |
+| :---- | :---- |
+| Type | The type of subject assigned to the access rule (user, SSO group, or application). |
+| Subject | The user, SSO group, or application assigned with the role |
+| Role | The role assigned to the subject |
+| Scope | The scope to which the subject has access. Click the name of the scope to see the scope and its subordinates |
+| Authorized by | The user who granted the access rule |
+| Creation time | The timestamp for when the rule was created |
+| Last updated | The last time the access rule was updated |
+
+### Customizing the table view
+
+* Filter \- Click ADD FILTER, select the column to filter by, and enter the filter values  
+* Search \- Click SEARCH and type the value to search by  
+* Sort \- Click each column header to sort by  
+* Column selection \- Click COLUMNS and select the columns to display in the table  
+* Download table \- Click MORE and then Click Download as CSV
+
+## Adding new access rules
+
+To add a new access rule:
+
+1. Click **\+NEW ACCESS RULE**  
+1. Select a subject **User, SSO Group**, or **Application**  
+1. Select or enter the subject identifier:  
+    * **User Email** for a local user created in Run:ai or for SSO user as recognized by the IDP  
+    * **Group name** as recognized by the IDP  
+    * **Application name** as created in Run:ai  
+1. Select a role  
+1. Select a scope  
+1. Click **SAVE RULE**
+
+!!!Note
+    An access rule consists of a single subject with a single role in a single scope. To assign multiple roles or multiple scopes to the same subject, multiple access rules must be added.
+
+## Editing an access rule
+
+Access rules cannot be edited. To change an access rule, you must delete the rule, and then create a new rule to replace it.
+
+## Deleting an access rule
+
+1. Select the access rule you want to delete  
+1. Click **DELETE**  
+1. On the dialog, click **DELETE** to confirm the deletion
+
+## Using API
+
+Go to the [Access rules](https://app.run.ai/api/docs\#tag/Access-rules) API reference to view the available actions
+

docs/admin/runai-setup/authentication/applications.md

@@ -0,0 +1,99 @@
+This article explains the procedure to manage applications and it’s permissions.
+
+Applications are used for API integrations with Run:ai. An application contains a secret key. Using the secret key you can obtain a token and use it within subsequent API calls.
+
+Applications are managed locally and assigned with Access Rules to manage its permissions.
+
+For example, application **ci-pipeline-prod** assigned with a **Researcher** role in **Cluster: A**.
+
+## Applications table
+
+The Applications table can be found under **Tools & Settings** in the Run:ai platform.
+
+The Applications table provides a list of all the applications defined in the platform, and allows you to manage them.
+
+![](img/appstable.png)
+
+
+The Applications table consists of the following columns:
+
+| Column | Description |
+| :---- | :---- |
+| Application | The name of the application |
+| Status | The status of the application |
+| Access rule(s) | The access rules assigned to the application |
+| Last login | The timestamp for the last time the user signed in |
+| Created by | The user who created the application |
+| Creation time | The timestamp for when the application was created |
+| Last updated | The last time the application was updated |
+
+### Customizing the table view
+
+* Filter \- Click ADD FILTER, select the column to filter by, and enter the filter values  
+* Search \- Click SEARCH and type the value to search by  
+* Sort \- Click each column header to sort by  
+* Column selection \- Click COLUMNS and select the columns to display in the table  
+* Download table \- Click MORE and then Click Download as CSV
+
+## Creating an application
+
+To create an application:
+
+1. Click **\+NEW APPLICATION**  
+1. Enter the application’s **Name**  
+1. Click **CREATE**  
+1. Copy the credentials and store it securely:  
+    * **Application name**  
+    * **Secret key**  
+1. Click **DONE**
+
+!!!Note
+    The secret key is visible only at the time of creation, it cannot be recovered but can be regenerated.
+
+## Adding an access rule to an application
+
+To create an access rule:
+
+1. Select the application you want to add an access rule for  
+1. Click **ACCESS RULES**  
+1. Click **\+ACCESS RULE**  
+1. Select a role  
+1. Select a scope  
+1. Click **SAVE RULE**  
+1. Click **CLOSE**
+
+## Deleting an access rule from an application
+
+To delete an access rule:
+
+1. Select the application you want to remove an access rule from  
+1. Click **ACCESS RULES**  
+1. Find the access rule assigned to the user you would like to delete  
+1. Click on the trash icon  
+1. Click **CLOSE**
+
+## Regenerating key
+
+To regenerate an application’s key:
+
+1. Select the application you want to regenerate it’s secret key  
+1. Click **REGENERATE KEY**  
+1. Click **REGENERATE**  
+1. Review the user’s credentials and store it securely:  
+    * **Application** name  
+    * **Secret key**  
+1. Click **DONE**
+
+!!!Warning
+    Regenerating an application key revokes its previous key.
+
+## Deleting an application
+
+1. Select the application you want to delete  
+1. Click **DELETE**  
+1. On the dialog, click **DELETE** to confirm the deletion
+
+## Using API
+
+Go to the [Applications](https://app.run.ai/api/docs\#tag/Applications), [Access rules](https://app.run.ai/api/docs\#tag/Access-rules) API reference to view the available actions
+

docs/admin/runai-setup/authentication/img/accessrulestable.png

@@ -0,0 +1,48 @@
+This article explains the roles in the Run:ai platform.
+
+A role is a set of permissions that can be assigned to a subject in a scope.
+
+A permission is a set of actions (View, Edit, Create & Delete) over a Run:ai entity (e.g. projects, workloads, users).
+
+## Roles table
+
+The Roles table can be found under **Tools & Settings** in the Run:ai platform.
+
+The Roles table displays a list of predefined roles available to users in the Run:ai platform. It is not possible to create additional rules or edit or delete existing rules.
+
+![](img/rolestable.png)
+
+
+The Roles table consists of the following columns:
+
+| Column | Description |
+| :---- | :---- |
+| Role | The name of the role |
+| Created by | The name of the role creator |
+| Creation time | The timestamp when the role was created |
+
+### Customizing the table view
+
+* Filter \- Click ADD FILTER, select the column to filter by, and enter the filter values  
+* Search \- Click SEARCH and type the value to search by  
+* Sort \- Click each column header to sort by  
+* Column selection \- Click COLUMNS and select the columns to display in the table  
+* Download table \- Click MORE and then Click Download as CSV
+
+## Reviewing a role
+
+* **Role name** \- The name of the role  
+* **Permissions** \- Displays the available permissions defining the role, as follows:
+
+| Column | Description |
+| :---- | :---- |
+| Entity | A system-managed object that can be viewed, edited, created or deleted by a user based on their assigned role and scope |
+| View | If checked, an assigned user with this role can view instances of this type of entity within their defined scope |
+| Edit | If checked, an assigned user with this role can change the settings of an instance of this type of entity within their defined scope |
+| Create | If checked, an assigned user with this role can create new instances of this type of entity within their defined scope |
+| Delete | If checked, an assigned user with this role can delete instances of this type of entity within their defined scope |
+
+*   
+  ## Using API
+  Go to the [Roles](https://app.run.ai/api/docs\#tag/Roles) API reference to view the available actions
+

docs/admin/runai-setup/authentication/img/appstable.png

@@ -0,0 +1,101 @@
+This article explains the procedure to manage users and their permissions.
+
+Users can be managed locally, or via the Identity provider, while assigned with Access Rules to manage its permissions.
+
+For example, user **user@domain.com** is a **department admin** in **department A**.
+
+## Users table
+
+The Users table can be found under **Tools & Settings** in the Run:ai platform.
+
+The users table provides a list of all the users in the platform.  
+You can manage local users and manage user permissions (access rules) for both local and SSO users.
+
+!!! Note
+    __Single Sign-On users__
+    SSO users are managed by the identity provider and appear once they have signed in to Run:ai
+
+![](img/userstable.png)
+
+The Users table consists of the following columns:
+
+| Column | Description |
+| :---- | :---- |
+| User | The unique identity of the user (email address) |
+| Type | The type of the user \- SSO / local |
+| Last login | The timestamp for the last time the user signed in |
+| Access rule(s) | The access rules assigned to the user |
+| Created By | The user who created the user |
+| Creation time | The timestamp for when the user was created |
+| Last updated | The last time the user was updated |
+
+### Customizing the table view
+
+* Filter \- Click ADD FILTER, select the column to filter by, and enter the filter values  
+* Search \- Click SEARCH and type the value to search by  
+* Sort \- Click each column header to sort by  
+* Column selection \- Click COLUMNS and select the columns to display in the table  
+* Download table \- Click MORE and then Click Download as CSV
+
+## Creating a local user
+
+To create a local user:
+
+1. Click **\+NEW LOCAL USER**  
+1. Enter the user’s **Email address**  
+1. Click **CREATE**  
+1. Review and copy the user’s credentials:  
+    * **User Email**  
+    * **Temporary password** to be used on first sign-in  
+1. Click **DONE**
+
+!!! Note
+    The temporary password is visible only at the time of user’s creation, and must be changed after the first sign-in
+
+## Adding an access rule to a user
+
+To create an access rule:
+
+1. Select the user you want to add an access rule for  
+1. Click **ACCESS RULES**  
+1. Click **\+ACCESS RULE**  
+1. Select a role  
+1. Select a scope  
+1. Click **SAVE RULE**  
+1. Click **CLOSE**
+
+## Deleting user’s access rule
+
+To delete an access rule:
+
+1. Select the user you want to remove an access rule from  
+1. Click **ACCESS RULES**  
+1. Find the access rule assigned to the user you would like to delete  
+1. Click on the trash icon  
+1. Click **CLOSE**
+
+## Resetting a user password
+
+To reset a user’s password:
+
+1. Select the user you want to reset it’s password  
+1. Click **RESET PASSWORD**  
+1. Click **RESET**  
+1. Review and copy the user’s credentials:  
+    * **User Email**  
+    * **Temporary password** to be used on next sign-in  
+1. Click **DONE**
+
+## Deleting a user
+
+1. Select the user you want to delete  
+1. Click **DELETE**  
+1. In the dialog, click **DELETE** to confirm the deletion
+
+!!!Note
+    To ensure administrative operations are always available, at least one local user with System Administrator role should exist.
+
+## Using API
+
+Go to the [Users](https://app.run.ai/api/docs\#tag/Users), [Access rules](https://app.run.ai/api/docs\#tag/Access-rules) API reference to view the available actions
+

docs/admin/runai-setup/authentication/img/rolestable.png

@@ -176,12 +176,16 @@ nav:
         - 'Scaling' : 'admin/runai-setup/config/large-clusters.md'
       - 'Authentication & Authorization' :
         - 'Overview' : 'admin/runai-setup/authentication/authentication-overview.md'
-        - 'Access control' : 'admin/runai-setup/access-control/rbac.md'
-        - 'Researcher Authentication' : 'admin/runai-setup/authentication/researcher-authentication.md'
         - 'Single Sign-On' : 
           - 'Setup SSO with SAML' : 'admin/runai-setup/authentication/sso/saml.md'
           - 'Setup SSO with OpenID Connect' : 'admin/runai-setup/authentication/sso/openidconnect.md'
           - 'Setup SSO with OpenShift' : 'admin/runai-setup/authentication/sso/openshift.md'
+        - 'Users' : 'admin/runai-setup/authentication/users.md'
+        - 'Applications' : 'admin/runai-setup/authentication/applications.md'
+        - 'Roles' : 'admin/runai-setup/authentication/roles.md'
+        - 'Access Rules' : 'admin/runai-setup/authentication/accessrules.md'
+        - 'Access control' : 'admin/runai-setup/access-control/rbac.md'
+        - 'Researcher Authentication' : 'admin/runai-setup/authentication/researcher-authentication.md'
       - 'Notifications System':
         - 'Email and System Notifications': 'admin/runai-setup/notifications/notifications.md'
       - 'Maintenance' :