From 21ca696753a6cfc6d504845d49e498d32ea9d413 Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Tue, 18 Jul 2023 19:36:15 +0800 Subject: [PATCH] cloud: update docs for RBAC support (#14233) * add draft * modify steps of user management * update roles according to the new RBAC * Apply suggestions from code review * Apply suggestions from code review * Update manage-user-access.md * fix typo * refine the permission tables * Update manage-user-access.md * Update manage-user-access.md * add permissions for CMEK and branch * Remove an extra line * Update tidb-cloud/migrate-from-amazon-s3-or-gcs.md * add role requirements --------- Co-authored-by: Lilian Lee --- tidb-cloud/_index.md | 4 +- tidb-cloud/branch-manage.md | 7 + tidb-cloud/create-tidb-cluster-serverless.md | 2 +- tidb-cloud/create-tidb-cluster.md | 2 +- tidb-cloud/integrate-tidbcloud-with-vercel.md | 2 +- tidb-cloud/manage-user-access.md | 193 +++++++++++++----- tidb-cloud/migrate-from-op-tidb.md | 2 +- .../third-party-monitoring-integrations.md | 2 +- tidb-cloud/tidb-cloud-auditing.md | 2 +- tidb-cloud/tidb-cloud-billing.md | 12 +- tidb-cloud/tidb-cloud-console-auditing.md | 2 +- tidb-cloud/tidb-cloud-glossary.md | 2 +- .../tidb-cloud-org-sso-authentication.md | 8 +- 13 files changed, 171 insertions(+), 69 deletions(-) diff --git a/tidb-cloud/_index.md b/tidb-cloud/_index.md index 29bea6701cf11..fe569f7a24f58 100644 --- a/tidb-cloud/_index.md +++ b/tidb-cloud/_index.md 
@@ -101,14 +101,14 @@ hide_commit: true [Password Authentication](https://docs.pingcap.com/tidbcloud/tidb-cloud-password-authentication) +[User Roles](https://docs.pingcap.com/tidbcloud/manage-user-access#user-roles) + [Manage User Profiles](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-user-profiles) [Manage organization access](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-organization-access) [Manage project access](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-project-access) -[Configure Roles](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-role-access) - [Configure Security Settings](https://docs.pingcap.com/tidbcloud/configure-security-settings) diff --git a/tidb-cloud/branch-manage.md b/tidb-cloud/branch-manage.md index ea8517c686f14..86978c2391468 100644 --- a/tidb-cloud/branch-manage.md +++ b/tidb-cloud/branch-manage.md @@ -7,6 +7,13 @@ summary: Learn How to manage TiDB Serverless branches. This document describes how to manage TiDB Serverless branches using the [TiDB Cloud console](https://tidbcloud.com). To manage it using the TiDB Cloud CLI, see [`ticloud branch`](/tidb-cloud/ticloud-branch-create.md). +## Required access + +- To [create a branch](#create-a-branch) or [connect to a branch](#connect-to-a-branch), you must be in the `Organization Owner` role of your organization or the `Project Owner` role of the target project. +- To [view branches](#create-a-branch) for clusters in a project, you must belong to that project. + +For more information about permissions, see [User roles](/tidb-cloud/manage-user-access.md#user-roles). + ## Create a branch > **Note:** diff --git a/tidb-cloud/create-tidb-cluster-serverless.md b/tidb-cloud/create-tidb-cluster-serverless.md index 7fc0d087cb40d..474ae6408df88 100644 --- a/tidb-cloud/create-tidb-cluster-serverless.md +++ b/tidb-cloud/create-tidb-cluster-serverless.md 
@@ -21,7 +21,7 @@ If you do not have a TiDB Cloud account, click [here](https://tidbcloud.com/sign ## Steps -To create a TiDB Serverless cluster, take the following steps: +If you are in the `Organization Owner` or the `Project Owner` role, you can create a TiDB Serverless cluster as follows: 1. Log in to the [TiDB Cloud console](https://tidbcloud.com/), and then navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page. diff --git a/tidb-cloud/create-tidb-cluster.md b/tidb-cloud/create-tidb-cluster.md index 63f27edab0cc3..0e48bf4e50593 100644 --- a/tidb-cloud/create-tidb-cluster.md +++ b/tidb-cloud/create-tidb-cluster.md @@ -40,7 +40,7 @@ If you are an organization owner, you can rename the default project or create a ## Step 2. Create a TiDB Dedicated cluster -To create a TiDB Dedicated cluster, take the following steps: +If you are in the `Organization Owner` or the `Project Owner` role, you can create a TiDB Dedicated cluster as follows: 1. Navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project. diff --git a/tidb-cloud/integrate-tidbcloud-with-vercel.md b/tidb-cloud/integrate-tidbcloud-with-vercel.md index 1e25711d37296..b858915a66a9f 100644 --- a/tidb-cloud/integrate-tidbcloud-with-vercel.md +++ b/tidb-cloud/integrate-tidbcloud-with-vercel.md 
@@ -50,7 +50,7 @@ You are expected to have an account and a cluster in TiDB Cloud. If you do not h > > For TiDB Dedicated clusters, make sure that the traffic filter of the cluster allows all IP addresses (set to `0.0.0.0/0`) for connection, because Vercel deployments use [dynamic IP addresses](https://vercel.com/guides/how-to-allowlist-deployment-ip-address). If you use the TiDB Cloud Vercel integration, TiDB Cloud automatically adds a `0.0.0.0/0` traffic filter to your cluster in the integration workflow if there is none. -To [integrate with Vercel via the TiDB Cloud Vercel Integration](#connect-via-the-tidb-cloud-vercel-integration), you are expected to have the "Owner" access to your organization or the "Member" access to the target project in TiDB Cloud. For more information, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access). +To [integrate with Vercel via the TiDB Cloud Vercel Integration](#connect-via-the-tidb-cloud-vercel-integration), you are expected to be in the `Organization Owner` role of your organization or the `Project Owner` role of the target project in TiDB Cloud. For more information, see [User roles](/tidb-cloud/manage-user-access.md#user-roles). One TiDB Cloud cluster can connect to multiple Vercel projects. diff --git a/tidb-cloud/manage-user-access.md b/tidb-cloud/manage-user-access.md index 654858f680fdb..3749ac8ab3524 100644 --- a/tidb-cloud/manage-user-access.md +++ b/tidb-cloud/manage-user-access.md 
@@ -7,21 +7,109 @@ summary: Learn how to manage identity access in TiDB Cloud. This document describes how to manage access to organizations, projects, roles, and user profiles in TiDB Cloud. -Before accessing TiDB cloud, [create a TiDB cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. +Before accessing TiDB Cloud, [create a TiDB cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. ## Organizations and projects -TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of your TiDB cluster. An organization in TiDB Cloud can contain multiple projects and organization members, and a project can contain multiple clusters and project members. +TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple projects in your organization. -To access a cluster in a project under an organization, a user must be a member of both the organization and the project. Organization owners can invite users to join the project to create and manage clusters in the project. +For example: + +``` +- Your organization + - Project 1 + - Cluster 1 + - Cluster 2 + - Project 2 + - Cluster 3 + - Cluster 4 + - Project 3 + - Cluster 5 + - Cluster 6 +``` Under this structure: -- Billing occurs at the organization level, while retaining visibility of usage in each project and cluster. 
+- To access an organization, a user must be a member of that organization. +- To access a project in an organization, a user must at least have the read access to the project in that organization. +- To manage clusters in a project, a user must be in the `Project Owner` role. + +For more information about user roles and permissions, see [User Roles](#user-roles). + +### Organizations + +An organization can contain multiple projects. + +TiDB Cloud calculates billing at the organization level and provides the billing details for each project. + +If you are an organization owner, you have the highest permission in your organization. + +For example, you can do the following: + +- Create different projects (such as development, staging, and production) for different purposes. +- Assign different users with different organization roles and project roles. +- Configure organization settings. For example, configure the time zone for your organization. + +### Projects + +A project can contain multiple clusters. + +If you are a project owner, you can manage clusters and project settings for your project. + +For example, you can do the following: + +- Create multiple clusters according to your business need. +- Assign different users with different project roles. +- Configure project settings. For example, configure different alert settings for different projects. + +## User roles + +TiDB Cloud defines different user roles to manage different permissions of TiDB Cloud users in organizations, projects, or both. + +You can grant roles to a user at the organization level or at the project level. Make sure to carefully plan the hierarchy of your organizations and projects for security considerations. -- You can view all members in your organization. +### Organization roles -- You can also view all members in your project. +At the organization level, TiDB Cloud defines four roles, in which `Organization Owner` can invite members and grant organization roles to members. 
+ +| Permission | `Organization Owner` | `Organization Billing Admin` | `Organization Console Audit Admin` | `Organization Member` | +|---|---|---|---|---| +| Manage organization settings, such as projects, API keys, and time zones. | ✅ | ❌ | ❌ | ❌ | +| Invite users to or remove users from an organization, and edit organization roles of users. | ✅ | ❌ | ❌ | ❌ | +| All the permissions of `Project Owner` for all projects in the organization. | ✅ | ❌ | ❌ | ❌ | +| Create projects with Customer-Managed Encryption Key (CMEK) enabled | ✅ | ❌ | ❌ | ❌ | +| View bills and edit payment information for the organization. | ✅ | ✅ | ❌ | ❌ | +| Manage TiDB Cloud [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md) for the organization. | ✅ | ❌ | ✅ | ❌ | +| View users in the organization and projects in which the member belong to. | ✅ | ✅ | ✅ | ✅ | + +> **Note:** +> +> The `Organization Console Audit Admin` role is only visible upon request. It is recommended that you use the `Organization Owner` role for [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md). If you need to use the `Organization Console Audit Admin` role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for the Organization Console Audit Admin role" in the **Description** field and click **Send**. + +### Project roles + +At the project level, TiDB Cloud defines three roles, in which `Project Owner` can invite members and grant project roles to members. + +> **Note:** +> +> - `Organization Owner` has all the permissions of Project Owner for all projects so `Organization Owner` can invite project members and grant project roles to members too. +> - Each project role has all the permissions of Organization Member by default. +> - If a user in your organization does not belong to any projects, the user does not have any project permissions. 
+ +| Permission | `Project Owner` | `Project Data Access Read-Write` | `Project Data Access Read-Only` | +|---|---|---|---| +| Manage project settings | ✅ | ❌ | ❌ | +| Invite users to or remove users from a project, and edit project roles of users. | ✅ | ❌ | ❌ | +| Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the project. | ✅ | ❌ | ❌ | +| Manage [spending limit](/tidb-cloud/manage-serverless-spend-limit.md) for all TiDB Serverless clusters in the project. | ✅ | ❌ | ❌ | +| Manage cluster operations in the project, such as cluster creation, modification, and deletion. | ✅ | ❌ | ❌ | +| Manage branches for TiDB Serverless clusters in the project, such as branch creation, connection, and deletion. | ✅ | ❌ | ❌ | +| Manage cluster data such as data import, data backup and restore, and data migration. | ✅ | ✅ | ❌ | +| Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read-only operations such as using or creating endpoints to read data. | ✅ | ✅ | ✅ | +| Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read and write operations. | ✅ | ✅ | ❌ | +| View cluster data using [Chat2Query](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ✅ | +| Modify and delete cluster data using [Chat2Query](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ❌ | +| View clusters in the project, view cluster backup records, and manage [changefeeds](/tidb-cloud/changefeed-overview.md). | ✅ | ✅ | ✅ | ## Manage organization access 
@@ -39,11 +127,11 @@ If you are a member of multiple organizations, you can switch your account betwe To switch between organizations, take the following steps: 1. Click in the lower-left corner of the TiDB Cloud console. -2. Select **Switch Organization** in the drop-down menu, and click the organization you want to switch to. +2. Click the name of the organization you want to switch to. ### Set the time zone for your organization -If you are the organization owner, you can modify the system display time according to your time zone. +If you are in the `Organization Owner` role, you can modify the system display time according to your time zone. To change the local timezone setting, take the following steps: @@ -55,11 +143,15 @@ To change the local timezone setting, take the following steps: 4. Click the drop-down list and select your time zone. -5. Click **Confirm**. +5. Click **Save**. ### Invite an organization member -If you are the owner of an organization, you can invite organization members. +If you are in the `Organization Owner` role, you can invite users to your organization. + +> **Note:** +> +> You can also [invite a user to your project](#invite-a-project-member) directly according to your need, which also makes the user your organization member. To invite a member to an organization, take the following steps: 
@@ -67,15 +159,16 @@ To invite a member to an organization, take the following steps: 2. Click **Organization Settings**. The organization settings page is displayed. -3. Click the **User Management** tab, and then select **By All Users**. +3. Click the **User Management** tab, and then select **By Organization**. 4. Click **Invite**. -5. Enter the email address of the user to be invited, select a role for the user, and then choose a project for the user. +5. Enter the email address of the user to be invited, and then select an organization role for the user. > **Tip:** > - > If you want to invite multiple members at one time, you can enter multiple email addresses. + > - If you want to invite multiple members at one time, you can enter multiple email addresses. + > - The invited user does not belong to any projects by default. To invite a user to a project, see [Invite a project member](#invite-a-project-member). 6. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. 
@@ -87,9 +180,23 @@ To invite a member to an organization, take the following steps: > > The verification link in the email expires in 24 hours. If the user you want to invite does not receive the email, click **Resend**. +### Modify organization roles + +If you are in the `Organization Owner` role, you can modify organization roles of all members in your organization. + +To modify the organization role of a member, take the following steps: + +1. Click in the lower-left corner of the TiDB Cloud console. + +2. Click **Organization Settings**. The organization settings page is displayed. + +3. Click the **User Management** tab, and then select **By Organization**. + +4. Click the role of the target member, and then modify the role. + ### Remove an organization member -If you are the owner of an organization, you can remove organization members. +If you are in the `Organization Owner` role, you can remove organization members from your organization. To remove a member from an organization, take the following steps: @@ -101,7 +208,7 @@ To remove a member from an organization, take the following steps: 2. Click **Organization Settings**. The organization settings page is displayed. -3. Click the **User Management** tab, and then select **By All Users**. +3. Click the **User Management** tab, and then select **By Organization**. 4. Click **Delete** in the user row that you want to delete. @@ -125,6 +232,8 @@ To check which project you belong to, take the following steps: > > For free trial users, you cannot create a new project. +If you are in the `Organization Owner` role, you can create projects in your organization. + To create a new project, take the following steps: 1. Click in the lower-left corner of the TiDB Cloud console. 
@@ -139,6 +248,8 @@ To create a new project, take the following steps: ### Rename a project +If you are in the `Organization Owner` role, you can rename any projects in your organization. If you are in the `Project Owner` role, you can rename your project. + To rename a project, take the following steps: 1. Click in the lower-left corner of the TiDB Cloud console. @@ -153,7 +264,11 @@ To rename a project, take the following steps: ### Invite a project member -If you are the owner of an organization, you can invite project members. +If you are in the `Organization Owner` or `Project Owner` role, you can invite members to your projects. + +> **Note:** +> +> When a user not in your organization joins your project, the user automatically joins your organization as well. To invite a member to a project, take the following steps: @@ -161,11 +276,11 @@ To invite a member to a project, take the following steps: 2. Click **Organization Settings**. The organization settings page is displayed. -3. Click the **User Management** tab, and then select **By Project**. +3. Click the **User Management** tab, select **By Project**, and then select your project from the drop-down list. 4. Click **Invite**. -5. Enter the email address of the user to be invited, select a role for the user, and then choose a project for the user. +5. Enter the email address of the user to be invited, and then select a project role for the user. > **Tip:** 
> @@ -181,53 +296,33 @@ To invite a member to a project, take the following steps: > > The verification link in the email will expire in 24 hours. If your user doesn't receive the email, click **Resend**. -### Remove a project member +### Modify project roles -If you are the owner of an organization, you can remove project members. +If you are in the `Organization Owner` role, you can modify project roles of all project members in your organization. If you are in the `Project Owner` role, you can modify project roles of all members in your project. -To remove a member from a project, take the following steps: +To modify the project role of a member, take the following steps: 1. Click in the lower-left corner of the TiDB Cloud console. 2. Click **Organization Settings**. The organization settings page is displayed. -3. Click the **User Management** tab, and then select the **By Project**. +3. Click the **User Management** tab, select **By Projects**, and then choose your project in the drop-down list. -4. Click **Delete** in the user row that you want to delete. +4. Click the role of the target member, and then modify the role. -## Manage role access +### Remove a project member + +If you are in the `Organization Owner` or `Project Owner` role, you can remove project members. -If you are the owner of an organization, you can take the following steps to configure roles for your organization members: +To remove a member from a project, take the following steps: 1. Click in the lower-left corner of the TiDB Cloud console. 2. Click **Organization Settings**. The organization settings page is displayed. -3. Click the **User Management** tab, and then select **By All Users**. - -4. Click the role of the target member, and then modify the role. - -There are four roles in an organization. 
The permissions of each role are as follows: - -| Permission | Owner | Member | Billing Admin | Audit Admin | -|---------------------------------------------------------------------------------------|-------|--------|---------------|-------------| -| Invite members to or remove members from an organization | ✅ | ❌ | ❌ | ❌ | -| Set roles for an organization member | ✅ | ❌ | ❌ | ❌ | -| Create and rename projects | ✅ | ❌ | ❌ | ❌ | -| Invite members to or remove members from a project | ✅ | ❌ | ❌ | ❌ | -| Edit time zone | ✅ | ❌ | ❌ | ❌ | -| View bills and edit payment information | ✅ | ❌ | ✅ | ❌ | -| Enable, view, or disable [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md) | ✅ | ❌ | ❌ | ✅ | -| View and configure [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) | ❌ | ❌ | ❌ | ✅ | -| Obtain project instance management permissions | ✅ | ✅ | ✅ | ✅ | -| Manage an API key | ✅ | ❌ | ❌ | ❌ | +3. Click the **User Management** tab, and then select the **By Project**. -> **Note:** -> -> Currently, the Audit Admin role is only visible upon request. -> -> - For [console audit logging](/tidb-cloud/tidb-cloud-console-auditing.md), it is recommended that you use the Owner role directly. If you need to use the Audit Admin role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for the Audit Admin role" in the **Description** field and click **Send**. -> - For [database audit logging](/tidb-cloud/tidb-cloud-auditing.md), to get the Audit Admin role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for database audit logging" in the **Description** field and click **Send**. +4. Click **Delete** in the user row that you want to delete. ## Manage user profiles diff --git a/tidb-cloud/migrate-from-op-tidb.md b/tidb-cloud/migrate-from-op-tidb.md index 25b9c5b3df528..6516c32f0f0a3 100644 
--- a/tidb-cloud/migrate-from-op-tidb.md +++ b/tidb-cloud/migrate-from-op-tidb.md @@ -24,7 +24,7 @@ Before migration, you need to prepare the following: - An [AWS account](https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-up-s3.html#sign-up-for-aws-gsg) with administrator access - An [AWS S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html) -- [A TiDB Cloud account with the administrator access and a TiDB Cloud (AWS) cluster](/tidb-cloud/tidb-cloud-quickstart.md) +- [A TiDB Cloud account](/tidb-cloud/tidb-cloud-quickstart.md) with at least the [`Project Data Access Read-Write`](/tidb-cloud/manage-user-access.md#user-roles) access to your target TiDB Cloud cluster hosted on AWS ## Prepare tools diff --git a/tidb-cloud/third-party-monitoring-integrations.md b/tidb-cloud/third-party-monitoring-integrations.md index ac504c462c464..d0cd59441a9cf 100644 --- a/tidb-cloud/third-party-monitoring-integrations.md +++ b/tidb-cloud/third-party-monitoring-integrations.md @@ -9,7 +9,7 @@ You can integrate TiDB Cloud with third-party metrics services to receive TiDB C ## Required access -To edit third-party integration settings, you must have the `Owner` access to your organization or `Member` access to the target project. +To edit third-party integration settings, you must be in the `Organization Owner` role of your organization or the `Project Owner` role of the target project. ## View or modify third-party integrations diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 929af52868539..26ebb3544c364 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -22,7 +22,7 @@ The audit logging feature is disabled by default. To audit a cluster, you need t ## Prerequisites - You are using a TiDB Dedicated cluster. Audit logging is not available for TiDB Serverless clusters. -- You are the audit administrator of your organization in TiDB Cloud. Otherwise, you cannot see the audit-related options in the TiDB Cloud console. For more information, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access). +- You are in the `Organization Owner` or `Project Owner` role of your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. For more information, see [User roles](/tidb-cloud/manage-user-access.md#user-roles). ## Enable audit logging for AWS or GCP diff --git a/tidb-cloud/tidb-cloud-billing.md b/tidb-cloud/tidb-cloud-billing.md index c82ab3a065037..e226614fb8064 100644 --- a/tidb-cloud/tidb-cloud-billing.md +++ b/tidb-cloud/tidb-cloud-billing.md @@ -16,7 +16,7 @@ TiDB Cloud charges according to the resources that you consume. You can visit th ## Invoices -If you are the owner or billing administrator of your organization, you can manage the invoice information of TiDB Cloud. Otherwise, skip this section. +If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can manage the invoice information of TiDB Cloud. Otherwise, skip this section. After you set up the payment method, TiDB Cloud will generate an invoice once your cost reaches a quota, which is $500 by default. If you want to raise the quota or receive one invoice per month, you can [contact our sales](https://www.pingcap.com/contact-us/). 
@@ -50,7 +50,7 @@ To view the list of invoices, perform the following steps: ## Billing details -If you are the owner or billing administrator of the organization, you can view and export the billing details of TiDB Cloud. Otherwise, skip this section. +If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can view and export the billing details of TiDB Cloud. Otherwise, skip this section. After setting the payment method, TiDB Cloud will generate the invoice and billing details of the historical months, and generate the bill details of the current month at the beginning of each month. The billing details include your organization's TiDB cluster usage consumption, discounts, backup storage costs, data transmission costs, support service cost, credit consumption, and project splitting information. @@ -113,7 +113,7 @@ To view this page, perform the following steps: ## Discounts -If you are the owner or billing administrator of your organization, you can view the discount information of TiDB Cloud on the **Discounts** page. Otherwise, skip this section. +If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can view the discount information of TiDB Cloud on the **Discounts** page. Otherwise, skip this section. The discount information includes all discounts that you have received, the status, the discount percentage, and the discount start and end date. @@ -130,7 +130,7 @@ To view this page, perform the following steps: ## Payment method -If you are the owner or billing administrator of your organization, you can manage the payment information of TiDB Cloud. Otherwise, skip this section. +If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can manage the payment information of TiDB Cloud. Otherwise, skip this section. > **Note:** 
> @@ -194,7 +194,7 @@ To edit the billing profile information, perform the following steps: ## Contract -If you are the owner or billing administrator of your organization, you can manage your customized TiDB Cloud subscriptions in the TiDB Cloud console to meet compliance requirements. Otherwise, skip this section. +If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can manage your customized TiDB Cloud subscriptions in the TiDB Cloud console to meet compliance requirements. Otherwise, skip this section. If you have agreed with our sales on a contract and received an email to review and accept the contract online, you can do the following: @@ -212,7 +212,7 @@ To learn more about contracts, feel free to [contact our sales](https://www.ping ## Billing from AWS Marketplace or Google Cloud Marketplace -If you are the owner or billing administrator of your organization, you can link your TiDB Cloud account to an AWS billing account or Google Cloud billing account. Otherwise, skip this section. +If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can link your TiDB Cloud account to an AWS billing account or Google Cloud billing account. Otherwise, skip this section. If you are new to TiDB Cloud and do not have a TiDB Cloud account, you can sign up for a TiDB Cloud account through [AWS Marketplace](https://aws.amazon.com/marketplace) or [Google Cloud Marketplace](https://console.cloud.google.com/marketplace), and pay for the usage via the AWS or GCP billing account. diff --git a/tidb-cloud/tidb-cloud-console-auditing.md b/tidb-cloud/tidb-cloud-console-auditing.md index 7228fcbb566d6..568a9bd60254f 100644 --- a/tidb-cloud/tidb-cloud-console-auditing.md +++ b/tidb-cloud/tidb-cloud-console-auditing.md 
@@ -9,7 +9,7 @@ TiDB Cloud provides the console audit logging feature to help you track various ## Prerequisites -- You must be in the Owner or Audit Admin role of your organization in TiDB Cloud. Otherwise, you cannot see the console audit logging-related options in the TiDB Cloud console. The Audit Admin role is only visible upon request, so it is recommended that you use the Owner role directly. If you need to use the Audit Admin role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for the Audit Admin role" in the **Description** field and click **Send**. For more information about roles in TiDB Cloud, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access). +- You must be in the `Organization Owner` or `Organization Console Audit Admin` role of your organization in TiDB Cloud. Otherwise, you cannot see the console audit logging-related options in the TiDB Cloud console. The `Organization Console Audit Admin` role is only visible upon request, so it is recommended that you use the `Organization Owner` role directly. If you need to use the `Organization Console Audit Admin` role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for the Organization Console Audit Admin role" in the **Description** field and click **Send**. For more information about roles in TiDB Cloud, see [User roles](/tidb-cloud/manage-user-access.md#user-roles). - You can only enable and disable the console audit logging for your organization. You can only track the actions of users in your organization. - After the console audit logging is enabled, all event types of the TiDB Cloud console will be audited, and you cannot specify only auditing some of them. diff --git a/tidb-cloud/tidb-cloud-glossary.md b/tidb-cloud/tidb-cloud-glossary.md index 2bb6bfacc9092..1c9f28babbaf1 100644 
--- a/tidb-cloud/tidb-cloud-glossary.md +++ b/tidb-cloud/tidb-cloud-glossary.md @@ -77,7 +77,7 @@ An entity that you create to manage your TiDB Cloud accounts, including a manage ### organization members -Organization members are users who are invited by the organization owner to join an organization. Organization members can view members of the organization and can be invited to projects within the organization. +Organization members are users who are invited by the organization owner or project owner to join an organization. Organization members can view members of the organization and can be invited to projects within the organization. ## P diff --git a/tidb-cloud/tidb-cloud-org-sso-authentication.md b/tidb-cloud/tidb-cloud-org-sso-authentication.md index fd4c215023fa3..caa603d4465e1 100644 --- a/tidb-cloud/tidb-cloud-org-sso-authentication.md +++ b/tidb-cloud/tidb-cloud-org-sso-authentication.md @@ -29,7 +29,7 @@ Before migrating to Cloud Organization SSO, check and confirm the items in this > **Note:** > > - Once Cloud Organization SSO is enabled, it cannot be disabled. -> - To enable Cloud Organization SSO, you need to have the owner role in your TiDB Cloud organization. For more information about roles, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access). +> - To enable Cloud Organization SSO, you need to be in the `Organization Owner` role of your TiDB Cloud organization. For more information about roles, see [User roles](/tidb-cloud/manage-user-access.md#user-roles). ### Decide a custom URL for the TiDB Cloud login page of your organization 
@@ -54,9 +54,9 @@ All the enabled authentication methods will be displayed on your custom TiDB Clo ### Decide whether to enable auto-provision -Auto-provision is a feature that allows members to automatically join an organization without requiring an invitation from an existing member or organization owner. In TiDB Cloud, it is disabled by default for all the supported authentication methods. +Auto-provision is a feature that allows members to automatically join an organization without requiring an invitation from the `Organization Owner` or `Project Owner`. In TiDB Cloud, it is disabled by default for all the supported authentication methods. -- When auto-provision is disabled for an authentication method, only users who have been invited by an organization owner can log in to your custom URL. +- When auto-provision is disabled for an authentication method, only users who have been invited by an `Organization Owner` or `Project Owner` can log in to your custom URL. - When auto-provision is enabled for an authentication method, any users using this authentication method can log in to your custom URL. After login, they are automatically assigned the default **Member** role within the organization. For security considerations, if you choose to enable auto-provision, it is recommended to limit the allowed email domains for authentication when you [configure the authentication method details](#step-2-configure-authentication-methods). 
@@ -74,7 +74,7 @@ Before enabling Cloud Organization SSO, make sure to inform your members about t To enable Cloud Organization SSO, take the following steps: -1. Log in to [TiDB Cloud console](https://tidbcloud.com) as a user with the organization owner role. +1. Log in to [TiDB Cloud console](https://tidbcloud.com) as a user with the `Organization Owner` role. 2. In the lower-left corner of the TiDB Cloud console, click , and then click **Organization Settings**. 3. On the **Organization Settings** page, click the **Authentication** tab, and then click **Enable**. 4. In the dialog, fill in the custom URL for your organization, which must be unique in TiDB Cloud.
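Review bot: In the branch-manage.md hunk, the "Required access" bullet for viewing branches links to the wrong anchor: `To [view branches](#create-a-branch) for clusters in a project` points at the "Create a branch" section rather than a section about viewing branches. Either link to the section that actually lists branches or drop the link and keep the plain text "view branches".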
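Review bot: In the manage-user-access.md hunk that introduces the "User roles" tables, the last project-roles row grants `Project Data Access Read-Only` the ability to "manage [changefeeds]" (`| View clusters in the project, view cluster backup records, and manage changefeeds | ✅ | ✅ | ✅ |`), which lets a read-only role create a data stream out of the cluster; if that is intended, please split the row into a "view changefeeds" row and a "manage changefeeds" row with the correct marks, otherwise set the read-only column to ❌. Smaller points in the same hunk: the sentence "Make sure to carefully plan the hierarchy of your organizations and projects for security considerations" should say what to plan for (for example, keep production clusters in a project whose `Project Owner` set is small, since `Organization Owner` implicitly owns every project); "create a TiDB cloud account" should be "TiDB Cloud" like the rest of the line; "must at least have the read access" should be "must have at least read access"; the row "View users in the organization and projects in which the member belong to." should read "projects that the member belongs to"; the CMEK row is the only one without a trailing period; and the project-roles note formats `Organization Owner` in backticks but writes Project Owner and Organization Member in plain text.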
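Review bot: In the manage-user-access.md hunk for "Invite a project member", the new note "When a user not in your organization joins your project, the user automatically joins your organization as well" means a `Project Owner` can effectively add organization members, but the organization-roles table in the same file marks "Invite users to or remove users from an organization" as ✅ only for `Organization Owner`. Please reconcile the two, for example by adding a sentence to the table's note that project invitations also create organization membership (the glossary hunk already says members are invited "by the organization owner or project owner"), so readers auditing who can onboard users are not misled.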
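Review bot: In the manage-user-access.md hunk that adds "Modify project roles" and moves "Remove a project member", the tab label is inconsistent: step 3 of "Modify project roles" says `select **By Projects**, and then choose your project in the drop-down list`, while the "Invite a project member" and "Remove a project member" steps say **By Project**. Use one label. Step 3 of "Remove a project member" also carries a stray article: "and then select the **By Project**" should be "and then select **By Project**", and for consistency with the other two procedures it should mention selecting the project from the drop-down list.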
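Review bot: In the tidb-cloud-auditing.md hunk, "You are in the `Organization Owner` or `Project Owner` role of your organization" is wrong for the second role, since `Project Owner` is a project-level role; write "the `Organization Owner` role of your organization or the `Project Owner` role of the project". This hunk also changes who can configure database audit logging: the removed table in manage-user-access.md gave "View and configure database audit logging" to Audit Admin only (❌ for Owner), and the removed note described a "Apply for database audit logging" request flow, whereas the new project-roles table assigns it to `Project Owner`. If that widening is deliberate, a one-line mention that the request flow no longer applies would save readers from looking for it.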
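Review bot: In the tidb-cloud-org-sso-authentication.md hunk for auto-provision, the unchanged context line "After login, they are automatically assigned the default **Member** role within the organization" still uses the old role name; the rest of this patch renames it to `Organization Member`, so update this line too, and consider stating explicitly that auto-provisioned users get no project roles, since the new "User roles" section says a user who belongs to no project has no project permissions.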