diff --git a/docs/admin/tiered-rbac.md b/docs/admin/rabbit/README.md similarity index 60% rename from docs/admin/tiered-rbac.md rename to docs/admin/rabbit/README.md index ae3c02c886..94c95c84e3 100644 --- a/docs/admin/tiered-rbac.md +++ b/docs/admin/rabbit/README.md @@ -7,8 +7,8 @@ Tiered RBAC is a suite of features that improves Coder's security posture for hi This includes: - Organizations +- Service Accounts - Custom Roles -- Custom Token Scopes ## Organizations @@ -21,6 +21,10 @@ There are several use cases for this: Users can belong to multiple organizations. Workspaces, templates, provisioners, and groups are scoped to a single organization. +## Service Accounts + +Service accounts can be used for CI jobs, third-party integrations, and other automation. Unlike other accounts in Coder, service accounts do not consume a license seat or have an OIDC/password login method, so they cannot be used to log in to the Coder UI. + ## Custom Roles Custom roles can be created to give users a granular set of permissions within the Coder deployment or organization. 
@@ -28,12 +32,19 @@ Custom roles can be created to give users a granular set of permissions within t There are several cases for this: - The "Banking Compliance Auditor" custom role cannot create workspaces, but can read template source code and view audit logs -- The "Team Lead" role can access user workspaces for trobuleshooting but cannot edit templates +- The "Team Lead" role can access user workspaces for troubleshooting purposes, but cannot edit templates - The "Platform Member" role cannot edit or create workspaces as they are created via a third-party system -## Custom Token Scopes +Custom roles can also be applied to service accounts: -Custom Token scopes are functionally the same as custom roles, but are designed for service accounts and CI jobs +- A "Health Check" role can view deployment status but cannot create workspaces, manage templates, or view users +- A "CI" role can update manage templates but cannot create workspaces or view users -- A "Health Check" token can view deployment status but cannot create workspaces, manage templates, or view users -- A "CI" token can update manage templates but cannot create workspaces or view users +--- + +### Recipes + +Learn how to use tiered RBAC with concrete examples. + +- [Bring your own cluster](#): Allow different groups to bring their own Kubernetes cluster into Coder, or optionally build their own templates on entirely different infrastructure. +- [Shared workspaces](#): Allow users to share workspaces with other users in the same organization. diff --git a/docs/admin/rabbit/guides/byoc.md b/docs/admin/rabbit/guides/byoc.md new file mode 100644 index 0000000000..260dbe9d0a --- /dev/null +++ b/docs/admin/rabbit/guides/byoc.md 
@@ -0,0 +1,57 @@ +# Bring your own cluster + +Allow different groups to bring their own Kubernetes cluster into Coder, or optionally build their own templates on entirely different infrastructure. + +## Prerequisites + +- A Coder deployment with [tiered RBAC](../README.md) enabled + +## Tutorial + +Not inside a list: + +
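Review bot: In the first README.md hunk (`@@ -7,8 +7,8 @@`), dropping "Custom Token Scopes" from the feature list removes the only place this page said how a service account's access is bounded, and the new "Service Accounts" paragraph only states what they cannot do ("do not consume a license seat or have an OIDC/password login method, so they cannot be used to log in to the Coder UI"). It never says how a service account does authenticate, which role is needed to create one, or how its credential is rotated or revoked. Since these accounts are aimed at CI and third-party integrations, add a sentence covering the authentication mechanism and the revocation path, or link to the page that documents it. Also worth confirming that `docs/admin/rabbit/` is the intended path for a page titled "Tiered RBAC"; it reads like a codename.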
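Review bot: In the second README.md hunk (`@@ -28,12 +32,19 @@`), the line `+- A "CI" role can update manage templates but cannot create workspaces or view users` carries the "update manage" typo over from the removed token-scope bullet; pick one verb. The "Recipes" links are placeholders: `[Bring your own cluster](#)` can point at `guides/byoc.md`, which this same patch adds under `docs/admin/rabbit/guides/`, and `[Shared workspaces](#)` has no corresponding file in the patch, so either add that guide or hold the bullet until it exists rather than shipping a dead anchor.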
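Review bot: In the new `docs/admin/rabbit/guides/byoc.md`, the "Tutorial" section ends at `+Not inside a list:` with no steps following it, which looks like leftover scaffolding rather than content; either fill in the procedure the page title promises (how a group brings its own Kubernetes cluster and which organization, role, and provisioner settings that requires) or leave the guide out of the "Recipes" list until it is written. The prerequisite link `[tiered RBAC](../README.md)` does resolve to the renamed `docs/admin/rabbit/README.md`, so that part is fine.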