Clarify mgmtsuite permission levels in user guide

The guide implied group management requires project admin. In fact
group operations (create/delete custom groups, add/remove group
members) and verifying details only require write. Correct the
Permission Levels table, intro, and tip, and add an explicit
read/write/admin breakdown plus a groups-vs-members note.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 21:31:41 -07:00
parent 28e7b9f418
commit 93a9362545

@@ -2,7 +2,7 @@
A how-to guide for project members and project admins. This covers the day-to-day tasks you'll do on a project detail page: managing groups and members, managing the project service account, verifying project details, editing project information, bulk-loading permissions via CSV, and handling sponsorship.
> **Who can do what?** Most read actions are available to any project member. Actions that change membership, groups, or project details require project **admin** privilege (or global admin). Permission levels are granted through Keycloak group membership; see [Permission Levels](#permission-levels-at-a-glance) below.
> **Who can do what?** Most read actions are available to any project member. Managing groups and their memberships (and verifying details) requires **write**; managing project members, sponsorship, and project details requires **admin** (or global admin). Permission levels are granted through Keycloak group membership; see [Permission Levels](#permission-levels-at-a-glance) below.
---
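Review bot: the rewritten "Who can do what?" summary lists only group management and verifying details under **write**, but the Permission Levels table later in this same change also places CSV permission import and service-account creation under **write**; either list those here as well ("Managing groups and their memberships, importing permissions via CSV, managing the service account, and verifying details require **write**") or make the intro a plain pointer to the table so the two lists cannot drift apart.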
@@ -92,15 +92,17 @@ Later sections of this guide walk through each.
Your access to a project is determined by which Keycloak groups you belong to. Each project has a set of child groups named `{PROJECT}-{app}-{level}`:
| Level | What you can do |
| Level | What you can do in Mgmt Suite |
| --------- | ------------------------------------------------------------------------- |
| **read** | View project details, members, groups, licenses. No changes. |
| **write** | Everything in read, plus edit certain project content (app-specific). |
| **admin** | Everything in write, plus manage members, groups, edit project details, verify. |
| **read** | View everything: project details, the Members tab, the Keycloak Groups panel and each group's membership, the service account, and CSV exports of members/groups. No changes. |
| **write** | Everything in read, **plus manage groups**: create and delete custom groups, add and remove members from any group, import permissions via CSV, verify project details, and create/manage the service account. |
| **admin** | Everything in write, plus the project-level actions: add or remove project members outright, manage sponsorship (sponsor / release), change billing types, and edit project metadata (the pencil/edit fields). |
The four standard applications are **Bitbucket**, **SRM**, **Coverity**, and **Mgmt Suite** — each with its own read/write/admin groups. A user's access to *this* application (the one you're reading about) is governed by the `{PROJECT}-mgmtsuite-*` groups.
The four standard applications are **Bitbucket**, **SRM**, **Coverity**, and **Mgmt Suite** — each with its own read/write/admin groups. A user's access to *this* application (the one you're reading about) is governed by the `{PROJECT}-mgmtsuite-*` groups. So a member of `{PROJECT}-mgmtsuite-write` can do everything in the **write** row above.
> **Tip:** If you don't see a button mentioned in this guide (e.g., "Verify Details", the pencil/edit icon, "Add Member"), you probably don't have admin on the project. Ask a project admin to either grant you admin or perform the action for you.
> **Groups vs. members — a common surprise:** Changing who is *in a group* (the Keycloak Groups panel) only needs **write**. Changing the project's *membership and sponsorship* (the Members tab), or editing project details, needs **admin**. So a write-level user can add and remove people from groups — including creating and deleting custom groups — without being a project admin.
> **Tip:** If you don't see the Members tab action buttons (Sponsor, Release, Remove), the inline billing-type dropdown, or the pencil/edit icon on project details, you don't have **admin**. If you can't create groups, add members to a group, or verify details, you likely only have **read** — ask a project admin for **write**.
---
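Review bot: the write row's "add and remove members from any group", together with the `{PROJECT}-{app}-{level}` naming at the top of this section, reads as if a write-level user could add themselves to `{PROJECT}-mgmtsuite-admin` (or the other apps' admin groups), which would make the read/write/admin split this commit is clarifying meaningless; confirm whether the permission-level child groups are excluded from write-level membership changes and state it in the row (for example "any custom group" rather than "any group"), and if they are not excluded, say so explicitly in the "Groups vs. members" note so admins know that write is effectively admin-granting. Minor: the table separator row was not widened to match the much longer cells, which some renderers tolerate but others misalign.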
@@ -108,6 +110,8 @@ The four standard applications are **Bitbucket**, **SRM**, **Coverity**, and **M
Each project has a set of **Keycloak child groups** — one per application and permission level — that control who can access what. You'll find group management on the project detail page under the **Keycloak Groups** section.
> **Privilege required:** Viewing groups and their members needs **read**. Everything that *changes* a group — creating or deleting custom groups, and adding or removing members — needs **write**. You do **not** need project admin for any of this. (Removing someone from the project entirely, via the Members tab, is a separate admin-only action.)
![Keycloak Groups — group selected, members on right](/api/docs/user-guide/images/05-groups-members.png)
### Layout
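Review bot: the "Privilege required" callout says **write** without saying write in which application; since this section lists child groups for all four applications, a reader with `{PROJECT}-bitbucket-write` but only `{PROJECT}-mgmtsuite-read` could reasonably expect to manage groups here. Suggest "needs **write** in Mgmt Suite (`{PROJECT}-mgmtsuite-write`)", matching the clarification added to the Permission Levels section, and the same for **read**.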