
cloud: update docs for RBAC support #14233

Merged
merged 14 commits into from
Jul 18, 2023
4 changes: 2 additions & 2 deletions tidb-cloud/_index.md
Original file line number Diff line number Diff line change
@@ -101,14 +101,14 @@ hide_commit: true

[Password Authentication](https://docs.pingcap.com/tidbcloud/tidb-cloud-password-authentication)

[User Roles](https://docs.pingcap.com/tidbcloud/manage-user-access#user-roles)

[Manage User Profiles](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-user-profiles)

[Manage organization access](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-organization-access)

[Manage project access](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-project-access)

[Configure Roles](https://docs.pingcap.com/tidbcloud/manage-user-access#manage-role-access)

[Configure Security Settings](https://docs.pingcap.com/tidbcloud/configure-security-settings)

</LearningPath>
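Review bot: the `Configure Roles` entry still links to `#manage-role-access`, while the other files in this PR replace that anchor with `#user-roles` (branch-manage.md, integrate-tidbcloud-with-vercel.md, tidb-cloud-auditing.md and the SSO doc all now point at `[User roles](/tidb-cloud/manage-user-access.md#user-roles)`); since manage-user-access.md is rewritten in this PR with 144 additions and 49 deletions, confirm that a `manage-role-access` heading still exists or retarget this link to `#user-roles`. Separately, the link titles mix title case (`Manage User Profiles`, `Configure Roles`) with sentence case (`Manage organization access`, `Manage project access`); pick one form for the learning path.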
7 changes: 7 additions & 0 deletions tidb-cloud/branch-manage.md
@@ -7,6 +7,13 @@ summary: Learn How to manage TiDB Serverless branches.

This document describes how to manage TiDB Serverless branches using the [TiDB Cloud console](https://tidbcloud.com). To manage it using the TiDB Cloud CLI, see [`ticloud branch`](/tidb-cloud/ticloud-branch-create.md).

## Required access

- To [create a branch](#create-a-branch) or [connect to a branch](#connect-to-a-branch), you must be in the `Organization Owner` role of your organization or the `Project Owner` role of the target project.
- To [view branches](#create-a-branch) for clusters in a project, you must belong to that project.

For more information about permissions, see [User roles](/tidb-cloud/manage-user-access.md#user-roles).

## Create a branch

> **Note:**
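Review bot: the second bullet links `view branches` to `#create-a-branch`, which is the anchor of the create step in the first bullet rather than a section about viewing branches; point it at the section that lists branches or drop the link. The same bullet says you "must belong to that project" without naming a role, while the first bullet names `Organization Owner` and `Project Owner`; state the minimum project role that can view branches so readers can map it to the `User roles` table this section links to.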
2 changes: 1 addition & 1 deletion tidb-cloud/create-tidb-cluster-serverless.md
@@ -21,7 +21,7 @@ If you do not have a TiDB Cloud account, click [here](https://tidbcloud.com/sign

## Steps

To create a TiDB Serverless cluster, take the following steps:
If you are in the `Organization Owner` or the `Project Owner` role, you can create a TiDB Serverless cluster as follows:

1. Log in to the [TiDB Cloud console](https://tidbcloud.com/), and then navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page.
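Review bot: the new sentence gates cluster creation on the `Organization Owner` or `Project Owner` role but, unlike the `Required access` section added to branch-manage.md in this PR, gives no link to `/tidb-cloud/manage-user-access.md#user-roles`, so a reader who lacks the role has nowhere to look up what it is or how to obtain it; add the same "For more information, see [User roles](...)" sentence. Consider also keeping the role requirement as its own sentence before "To create a TiDB Serverless cluster, take the following steps:" rather than folding the whole step list into a conditional.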

2 changes: 1 addition & 1 deletion tidb-cloud/create-tidb-cluster.md
@@ -40,7 +40,7 @@ If you are an organization owner, you can rename the default project or create a

## Step 2. Create a TiDB Dedicated cluster

To create a TiDB Dedicated cluster, take the following steps:
If you are in the `Organization Owner` or the `Project Owner` role, you can create a TiDB Dedicated cluster as follows:

1. Navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.
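Review bot: the unchanged context at the top of this hunk still reads "If you are an organization owner, you can rename the default project", lowercase and unbackticked, while the changed line two paragraphs later introduces the `Organization Owner` role name; update the earlier sentence in the same edit so the two role references in this file use one form. As with create-tidb-cluster-serverless.md, a link to `#user-roles` after the new sentence would let readers resolve the role names.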

2 changes: 1 addition & 1 deletion tidb-cloud/integrate-tidbcloud-with-vercel.md
@@ -50,7 +50,7 @@ You are expected to have an account and a cluster in TiDB Cloud. If you do not h
>
> For TiDB Dedicated clusters, make sure that the traffic filter of the cluster allows all IP addresses (set to `0.0.0.0/0`) for connection, because Vercel deployments use [dynamic IP addresses](https://vercel.com/guides/how-to-allowlist-deployment-ip-address). If you use the TiDB Cloud Vercel integration, TiDB Cloud automatically adds a `0.0.0.0/0` traffic filter to your cluster in the integration workflow if there is none.

To [integrate with Vercel via the TiDB Cloud Vercel Integration](#connect-via-the-tidb-cloud-vercel-integration), you are expected to have the "Owner" access to your organization or the "Member" access to the target project in TiDB Cloud. For more information, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access).
To [integrate with Vercel via the TiDB Cloud Vercel Integration](#connect-via-the-tidb-cloud-vercel-integration), you are expected to be in the `Organization Owner` role of your organization or the `Project Owner` role of the target project in TiDB Cloud. For more information, see [User roles](/tidb-cloud/manage-user-access.md#user-roles).

One TiDB Cloud cluster can connect to multiple Vercel projects.
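Review bot: this change raises the project-level requirement from "Member" access to the `Project Owner` role, which is a permission tightening rather than a rename; confirm it matches the console's actual check, because project members who followed the old text are now documented as unable to set up the integration, and if the product behaviour did change it belongs in release notes rather than a silent doc edit. Read together with the retained note above, which says the integration automatically adds a `0.0.0.0/0` traffic filter, the section now makes clear that only owners can trigger that network-widening step; it would help to say so explicitly, since that is the role accountable for reviewing the filter afterwards.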

193 changes: 144 additions & 49 deletions tidb-cloud/manage-user-access.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion tidb-cloud/migrate-from-op-tidb.md
@@ -24,7 +24,7 @@ Before migration, you need to prepare the following:

- An [AWS account](https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-up-s3.html#sign-up-for-aws-gsg) with administrator access
- An [AWS S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html)
- [A TiDB Cloud account with the administrator access and a TiDB Cloud (AWS) cluster](/tidb-cloud/tidb-cloud-quickstart.md)
- [A TiDB Cloud account](/tidb-cloud/tidb-cloud-quickstart.md) with at least the [`Project Data Access Read-Write`](/tidb-cloud/manage-user-access.md#user-roles) access to your target TiDB Cloud cluster hosted on AWS

## Prepare tools
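Review bot: `Project Data Access Read-Write` is described as access "to your target TiDB Cloud cluster", but everywhere else in this PR roles are scoped to an organization or a project ("the `Project Owner` role of the target project"), so write "to the project that hosts your target cluster" unless this role really is assignable per cluster. In the same list, the AWS bullet still asks for an account "with administrator access"; now that the TiDB Cloud bullet names a minimal role, give the AWS prerequisite the same least-privilege treatment by naming the S3 bucket permissions the migration actually needs.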

2 changes: 1 addition & 1 deletion tidb-cloud/third-party-monitoring-integrations.md
@@ -9,7 +9,7 @@ You can integrate TiDB Cloud with third-party metrics services to receive TiDB C

## Required access

To edit third-party integration settings, you must have the `Owner` access to your organization or `Member` access to the target project.
To edit third-party integration settings, you must be in the `Organization Owner` role of your organization or the `Project Owner` role of the target project.

## View or modify third-party integrations
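Review bot: as in integrate-tidbcloud-with-vercel.md, the project-level requirement moves from `Member` to `Project Owner`, so this narrows who can edit integration settings rather than only renaming a role; confirm it against the console, and since these integrations send cluster metrics to a third party the narrower scope is the right default to document. This `Required access` section also lacks the "For more information, see [User roles](/tidb-cloud/manage-user-access.md#user-roles)" sentence that branch-manage.md carries in this PR.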

2 changes: 1 addition & 1 deletion tidb-cloud/tidb-cloud-auditing.md
@@ -22,7 +22,7 @@ The audit logging feature is disabled by default. To audit a cluster, you need t
## Prerequisites

- You are using a TiDB Dedicated cluster. Audit logging is not available for TiDB Serverless clusters.
- You are the audit administrator of your organization in TiDB Cloud. Otherwise, you cannot see the audit-related options in the TiDB Cloud console. For more information, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access).
- You are in the `Organization Owner` or `Project Owner` role of your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. For more information, see [User roles](/tidb-cloud/manage-user-access.md#user-roles).
Collaborator Author

@ljun0712 PTAL

Contributor

LGTM


## Enable audit logging for AWS or GCP
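Review bot: "the `Organization Owner` or `Project Owner` role of your organization" mixes scopes; `Project Owner` is a project role elsewhere in this PR ("the `Project Owner` role of the target project"), so phrase it as the `Organization Owner` role of your organization or the `Project Owner` role of the project that contains the cluster. The old text required a dedicated "audit administrator", and tidb-cloud-console-auditing.md in this same PR keeps a separate `Organization Console Audit Admin` role, so state explicitly whether database audit logging no longer has an audit-only role: widening this from an audit role to owners changes who can enable, disable or read the database audit logs, which is exactly the population an auditor wants to keep small.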

12 changes: 6 additions & 6 deletions tidb-cloud/tidb-cloud-billing.md
@@ -16,7 +16,7 @@ TiDB Cloud charges according to the resources that you consume. You can visit th

## Invoices

If you are the owner or billing administrator of your organization, you can manage the invoice information of TiDB Cloud. Otherwise, skip this section.
If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can manage the invoice information of TiDB Cloud. Otherwise, skip this section.

After you set up the payment method, TiDB Cloud will generate an invoice once your cost reaches a quota, which is $500 by default. If you want to raise the quota or receive one invoice per month, you can [contact our sales](https://www.pingcap.com/contact-us/).
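Review bot: `Organization Billing Admin` appears here for the first time in this file and is repeated, unlinked, in the five hunks below; link the first mention to `/tidb-cloud/manage-user-access.md#user-roles` as the other files in this PR do, so a reader can see what else that role grants before it is handed out for invoice access. The substitution itself is consistent across all six hunks in this file.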

@@ -50,7 +50,7 @@ To view the list of invoices, perform the following steps:

## Billing details

If you are the owner or billing administrator of the organization, you can view and export the billing details of TiDB Cloud. Otherwise, skip this section.
If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can view and export the billing details of TiDB Cloud. Otherwise, skip this section.

After setting the payment method, TiDB Cloud will generate the invoice and billing details of the historical months, and generate the bill details of the current month at the beginning of each month. The billing details include your organization's TiDB cluster usage consumption, discounts, backup storage costs, data transmission costs, support service cost, credit consumption, and project splitting information.

@@ -113,7 +113,7 @@ To view this page, perform the following steps:

## Discounts

If you are the owner or billing administrator of your organization, you can view the discount information of TiDB Cloud on the **Discounts** page. Otherwise, skip this section.
If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can view the discount information of TiDB Cloud on the **Discounts** page. Otherwise, skip this section.

The discount information includes all discounts that you have received, the status, the discount percentage, and the discount start and end date.

@@ -130,7 +130,7 @@ To view this page, perform the following steps:

## Payment method

If you are the owner or billing administrator of your organization, you can manage the payment information of TiDB Cloud. Otherwise, skip this section.
If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can manage the payment information of TiDB Cloud. Otherwise, skip this section.

> **Note:**
>
@@ -194,7 +194,7 @@ To edit the billing profile information, perform the following steps:

## Contract

If you are the owner or billing administrator of your organization, you can manage your customized TiDB Cloud subscriptions in the TiDB Cloud console to meet compliance requirements. Otherwise, skip this section.
If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can manage your customized TiDB Cloud subscriptions in the TiDB Cloud console to meet compliance requirements. Otherwise, skip this section.

If you have agreed with our sales on a contract and received an email to review and accept the contract online, you can do the following:

@@ -212,7 +212,7 @@ To learn more about contracts, feel free to [contact our sales](https://www.ping

## Billing from AWS Marketplace or Google Cloud Marketplace

If you are the owner or billing administrator of your organization, you can link your TiDB Cloud account to an AWS billing account or Google Cloud billing account. Otherwise, skip this section.
If you are in the `Organization Owner` or `Organization Billing Admin` role of your organization, you can link your TiDB Cloud account to an AWS billing account or Google Cloud billing account. Otherwise, skip this section.

If you are new to TiDB Cloud and do not have a TiDB Cloud account, you can sign up for a TiDB Cloud account through [AWS Marketplace](https://aws.amazon.com/marketplace) or [Google Cloud Marketplace](https://console.cloud.google.com/marketplace), and pay for the usage via the AWS or GCP billing account.

2 changes: 1 addition & 1 deletion tidb-cloud/tidb-cloud-console-auditing.md
@@ -9,7 +9,7 @@ TiDB Cloud provides the console audit logging feature to help you track various

## Prerequisites

- You must be in the Owner or Audit Admin role of your organization in TiDB Cloud. Otherwise, you cannot see the console audit logging-related options in the TiDB Cloud console. The Audit Admin role is only visible upon request, so it is recommended that you use the Owner role directly. If you need to use the Audit Admin role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for the Audit Admin role" in the **Description** field and click **Send**. For more information about roles in TiDB Cloud, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access).
- You must be in the `Organization Owner` or `Organization Console Audit Admin` role of your organization in TiDB Cloud. Otherwise, you cannot see the console audit logging-related options in the TiDB Cloud console. The `Organization Console Audit Admin` role is only visible upon request, so it is recommended that you use the `Organization Owner` role directly. If you need to use the `Organization Console Audit Admin` role, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Chat with Us**. Then, fill in "Apply for the Organization Console Audit Admin role" in the **Description** field and click **Send**. For more information about roles in TiDB Cloud, see [User roles](/tidb-cloud/manage-user-access.md#user-roles).
qiancai marked this conversation as resolved.
- You can only enable and disable the console audit logging for your organization. You can only track the actions of users in your organization.
- After the console audit logging is enabled, all event types of the TiDB Cloud console will be audited, and you cannot specify only auditing some of them.
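Review bot: recommending that readers "use the `Organization Owner` role directly" steers them to the highest-privilege role in the organization for a task that is about viewing and configuring audit logs, which runs against least privilege; the same bullet documents that a narrower `Organization Console Audit Admin` role exists, so prefer wording that recommends requesting that role and presents Owner only as the fallback while the request is pending. Also confirm that `Organization Console Audit Admin` is the exact label shown in the console and in manage-user-access.md, since readers will search for whichever string the UI displays and the old name `Audit Admin` is what existing users know.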

2 changes: 1 addition & 1 deletion tidb-cloud/tidb-cloud-glossary.md
@@ -77,7 +77,7 @@ An entity that you create to manage your TiDB Cloud accounts, including a manage

### organization members

Organization members are users who are invited by the organization owner to join an organization. Organization members can view members of the organization and can be invited to projects within the organization.
Organization members are users who are invited by the organization owner or project owner to join an organization. Organization members can view members of the organization and can be invited to projects within the organization.

## P
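Review bot: the glossary is where readers expect canonical names, yet this entry keeps lowercase "organization owner" and "project owner" while the rest of this PR uses the backticked role names `Organization Owner` and `Project Owner`; align it. The new wording also has a project owner inviting users "to join an organization"; if a `Project Owner` can only invite people into their own project, with organization membership following from that, say so, because the difference determines who is able to expand the organization's membership.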

8 changes: 4 additions & 4 deletions tidb-cloud/tidb-cloud-org-sso-authentication.md
@@ -29,7 +29,7 @@ Before migrating to Cloud Organization SSO, check and confirm the items in this
> **Note:**
>
> - Once Cloud Organization SSO is enabled, it cannot be disabled.
> - To enable Cloud Organization SSO, you need to have the owner role in your TiDB Cloud organization. For more information about roles, see [Manage role access](/tidb-cloud/manage-user-access.md#manage-role-access).
> - To enable Cloud Organization SSO, you need to be in the `Organization Owner` role of your TiDB Cloud organization. For more information about roles, see [User roles](/tidb-cloud/manage-user-access.md#user-roles).

### Decide a custom URL for the TiDB Cloud login page of your organization

@@ -54,9 +54,9 @@ All the enabled authentication methods will be displayed on your custom TiDB Clo

### Decide whether to enable auto-provision

Auto-provision is a feature that allows members to automatically join an organization without requiring an invitation from an existing member or organization owner. In TiDB Cloud, it is disabled by default for all the supported authentication methods.
Auto-provision is a feature that allows members to automatically join an organization without requiring an invitation from the `Organization Owner` or `Project Owner`. In TiDB Cloud, it is disabled by default for all the supported authentication methods.

- When auto-provision is disabled for an authentication method, only users who have been invited by an organization owner can log in to your custom URL.
- When auto-provision is disabled for an authentication method, only users who have been invited by an `Organization Owner` or `Project Owner` can log in to your custom URL.
- When auto-provision is enabled for an authentication method, any users using this authentication method can log in to your custom URL. After login, they are automatically assigned the default **Member** role within the organization.

For security considerations, if you choose to enable auto-provision, it is recommended to limit the allowed email domains for authentication when you [configure the authentication method details](#step-2-configure-authentication-methods).
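Review bot: the two changed bullets now name `Organization Owner` and `Project Owner` in backticks, but the unchanged bullet between them still says auto-provisioned users get "the default **Member** role", bold and without the organization prefix; if that role is `Organization Member` after this PR, use that form here so readers can find it in the roles table. The closing sentence already recommends limiting allowed email domains when auto-provision is on; it would be stronger to add that auto-provisioned users receive only that default role and, if that is the case, that any `Project Owner`-level access still requires an explicit grant, since auto-provision is the path by which anyone at an allowed domain enters the organization.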
@@ -74,7 +74,7 @@ Before enabling Cloud Organization SSO, make sure to inform your members about t

To enable Cloud Organization SSO, take the following steps:

1. Log in to [TiDB Cloud console](https://tidbcloud.com) as a user with the organization owner role.
1. Log in to [TiDB Cloud console](https://tidbcloud.com) as a user with the `Organization Owner` role.
2. In the lower-left corner of the TiDB Cloud console, click <MDSvgIcon name="icon-top-organization" />, and then click **Organization Settings**.
3. On the **Organization Settings** page, click the **Authentication** tab, and then click **Enable**.
4. In the dialog, fill in the custom URL for your organization, which must be unique in TiDB Cloud.