Merge pull request #5650 from influxdata/DAR-450-add-user-groups-for-dedicated

feat(dedicated): Add Cloud Dedicated user groups

content/influxdb/cloud-dedicated/admin/tokens/management/_index.md

@@ -11,6 +11,8 @@ menu:
     name: Management tokens
 weight: 101
 influxdb/cloud-dedicated/tags: [tokens]
+related:
+  - /influxdb/cloud-dedicated/reference/internals/security/
 ---
 
 Management tokens grant permission to perform administrative actions such as
@@ -21,24 +23,27 @@ managing users, databases, and database tokens in your
 Management tokens do _not_ grant permissions to write or query time series data
 in your {{< product-name omit=" Clustered">}} cluster.
 
-To grant write or query permissions, use management tokens to create [database tokens](/influxdb/cloud-dedicated/admin/tokens/database/).
+To grant write or query permissions, use management tokens to create
+[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/).
 {{% /note %}}
 
-By default, management tokens are short-lived tokens issued by an OAuth2 identity
-provider that grant a specific user administrative access to your
-{{< product-name omit=" Clustered">}} cluster.
+By default, management tokens are short-lived tokens issued by your identity
+provider for a [specific client session](/influxdb/cloud-dedicated/reference/internals/security/#management-tokens-in-the-influxctl-cli) (for example, `influxctl`).
+
 However, for automation purposes, you can manually create management tokens that
 authenticate directly with your InfluxDB Cluster and do not require human
 interaction with your identity provider.
+_Manually created management tokens provide full access to all account resources
+and aren't affected by [user groups](/influxdb/cloud-dedicated/reference/internals/security/#user-groups)_.
 
 {{% warn %}}
 #### For automation use cases only
 
-The tools outlined below are meant for automation use cases and should not be
-used to circumvent your identity provider. **Take great care when manually creating
-and using management tokens**.
+The tools outlined below are meant for automation use cases and shouldn't be
+used to circumvent your identity provider or user group permissions.
+**Take great care when manually creating and using management tokens**.
 
-{{< product-name >}} requires at least one user associated with your cluster 
+{{< product-name >}} requires at least one [Admin user](/influxdb/cloud-dedicated/reference/internals/security/#admin-user-group) associated with your cluster 
 and authorized through your OAuth2 identity provider to manually create a
 management token.
 {{% /warn %}}

content/influxdb/cloud-dedicated/admin/users/_index.md

@@ -0,0 +1,92 @@
+---
+title: Manage users
+seotitle: Manage users and permissions in InfluxDB Cloud Dedicated
+description: >
+  Manage users and access to resources in your InfluxDB Cloud Dedicated cluster.
+  Assign user groups for role-based access control and security.
+menu:
+  influxdb_cloud_dedicated:
+    parent: Administer InfluxDB Cloud
+weight: 101
+influxdb/cloud-dedicated/tags: [user groups]
+related:
+  - /influxdb/cloud-dedicated/reference/internals/security/
+  - /influxdb/cloud-dedicated/admin/tokens/ 
+---
+
+Manage users and access to resources in your {{% product-name %}} cluster.
+
+By assigning users to different groups based on the level of access they need,
+you can minimize unnecessary access and reduce the risk of inadvertent
+actions.
+User groups associate access privileges with user attributes--an important part of the
+Attribute-Based Access Control (ABAC) security model which grants access based on
+user attributes, resource types, and environment context.
+
+- [Available user groups](#available-user-groups)
+- [Manage users](#manage-users)
+
+## Available user groups
+
+In {{% product-name %}}, users have "management" responsibilities, such as creating and 
+deleting [databases](/influxdb/cloud-dedicated/admin/databases/), [viewing resource information](/influxdb/cloud-dedicated/admin/monitor-your-cluster/), and provisioning
+[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) for reading and writing data. 
+
+A user can belong to the following groups, each with predefined privileges:
+
+- **Admin**: Read and write permissions on all resources.
+- **Member**: Read permission on certain resources and create permission for
+  database tokens; members can't delete or create databases or management tokens.
+- **Auditor**: Read permission on all resources; auditors can't modify resources.
+
+{{% note %}}
+#### Existing users are Admin by default
+
+With the release of user groups for {{% product-name %}}, all existing users
+in your account are initially assigned to the Admin group, retaining full
+access to resources in your cluster.
+{{% /note %}}
+
+## Manage users
+
+- [Assign a user to a different group](#assign-a-user-to-a-different-group)
+- [Invite a user to your account](#invite-a-user-to-your-account)
+
+### Assign a user to a different group
+
+To assign existing users in your account to different
+groups, [contact InfluxData support](https://support.influxdata.com/s/login/)
+and provide the list of users and the desired [user groups](#available-user-groups)
+for each.
+
+### Invite a user to your account
+
+For new users that you want to add to your account, the InfluxData Support Team
+configures invitations with the attributes and groups that you specify. 
+
+1. [Contact InfluxData support](https://support.influxdata.com/s/login/)
+   to invite a user to your account.
+   In your request, provide the user details, including email address, desired
+   [user groups](#available-user-groups), and other attributes for the user.
+2. InfluxData support creates the user account and emails the user an invitation
+   that includes following:
+
+   - A login URL to authenticate access to the cluster
+   - The {{% product-name %}} **account ID**
+   - The {{% product-name %}} **cluster ID**
+   - The {{% product-name %}} **cluster URL**
+   - A password reset email for setting the login password
+
+3. The user accepts the invitation to your account
+
+With a valid password, the user can access cluster resources by interacting with the
+[`influxctl`](/influxdb/cloud-dedicated/reference/influxctl/) command line tool.
+The assigned user groups determine the user's access to resources.
+
+{{% note %}}
+#### Use database tokens to authorize data reads and writes
+
+In {{% product-name %}}, user groups control access for managing cluster resources.
+[Database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) control access
+for reading and writing data in cluster databases.
+{{% /note %}}

content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md

@@ -9,6 +9,13 @@ weight: 301
 draft: true
 ---
 
+{{% warn %}}
+#### InfluxData internal use only
+
+This command is for InfluxData internal use only and won't work when run by
+a user account.
+{{% /warn %}}
+
 The `influxctl user delete` command deletes a user from your {{< product-name >}}
 account.
 

content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md

@@ -1,7 +1,7 @@
 ---
 title: influxctl user invite
 description: >
-  The `influxctl user invite` command invites a user to your InfluxDB Cloud Dedicated
+  The `influxctl user invite` command invites a user to an InfluxDB Cloud Dedicated
   account.
 menu:
   influxdb_cloud_dedicated:
@@ -10,7 +10,14 @@ weight: 301
 draft: true
 ---
 
-The `influxctl user invite` command invites a user to your {{< product-name >}}
+{{% warn %}}
+#### InfluxData internal use only
+
+This command is for InfluxData internal use only and won't work when run by
+a user account.
+{{% /warn %}}
+
+The `influxctl user invite` command invites a user to an {{< product-name >}}
 account.
 
 ## Usage

content/influxdb/cloud-dedicated/reference/internals/security.md

@@ -8,6 +8,9 @@ menu:
     name: Security
     parent: InfluxDB internals
 influxdb/cloud-dedicated/tags: [security, internals]
+related:
+  - /influxdb/cloud-dedicated/admin/tokens
+  - /influxdb/cloud-dedicated/admin/users
 ---
 
 InfluxData's information security program is based on industry-recognized standards and frameworks,
@@ -233,21 +236,25 @@ Users can configure the following security controls:
 
 ### Access, authentication, and authorization
 
-{{< product-name >}} uses [Auth0](https://auth0.com/) for authentication and
-separates workload cluster management authorizations (using _management tokens_)
+{{< product-name >}} separates workload cluster management authorizations
+(using _management tokens_)
 from database read and write authorizations (using _database tokens_).
 
 - [User provisioning](#user-provisioning)
+- [User groups](#user-groups)
 - [Management tokens](#management-tokens)
 - [Database tokens](#database-tokens)
 
 #### User provisioning
 
-InfluxData uses [Auth0](https://auth0.com/) to create user accounts and assign
-permission sets to user accounts on {{% product-name %}}.
-After a user account is created, InfluxData provides the user with the following:
+InfluxData follows security best practices for creating user accounts
+and managing permissions to resources.
 
-- An **Auth0 login** to authenticate access to the cluster
+InfluxData Support creates user accounts with [user group](#user-groups) permissions
+for access to {{% product-name omit="Clustered" %}} cluster resources.
+After creating the user account, InfluxData provides the user with the following:
+
+- A login URL for authenticating access to the cluster
 - The {{% product-name %}} **account ID**
 - The {{% product-name %}} **cluster ID**
 - The {{% product-name %}} **cluster URL**
@@ -255,15 +262,46 @@ After a user account is created, InfluxData provides the user with the following
 
 With a valid password, the user can login by invoking one of the
 [`influxctl` commands](/influxdb/cloud-dedicated/reference/influxctl/).
-The command initiates an Auth0 browser login so that the password is never
+The command initiates a browser login between the identity provider and the user
+so that the password is never
 exchanged with `influxctl`.
-After a successful Auth0 authentication, {{% product-name %}} provides the
+After a successful authentication, {{% product-name %}} provides the
 user's `influxctl` session with a short-lived
 [management token](#management-tokens) for access to the Granite service.
-The user interacts with the `influxctl` command line tool to manage the workload
-cluster, including creating [database tokens](#database-tokens) for database
-read and write access and [creating long-lived management tokens](/influxdb/cloud-dedicated/admin/management-tokens/)
-for use with the [Management API](/influxdb/cloud-dedicated/api/management/).
+The user interacts with the `influxctl` command line tool to view or manage
+cluster resources.
+The [user groups](#user-groups) assigned to the user determine the level of
+access to resources.
+
+#### User groups
+
+User groups associate access privileges with user attributes--an important part of the
+Attribute-Based Access Control (ABAC) security model, which grants access based on
+user attributes, resource types, and environment context.
+
+In {{% product-name %}}, a user can belong to any of the following user groups,
+each with predefined privileges:
+
+- [Admin user group](#admin-user-group)
+- [Member user group](#member-user-group)
+- [Auditor user group](#auditor-user-group)
+
+##### Admin user group
+
+Admins are {{% product-name %}} users who have read and write permissions on
+all resources (for all clusters) in the account.
+Only Admins can create [management tokens](#management-tokens).
+
+##### Member user group 
+
+Members are {{% product-name %}} users who have read permission on certain
+resources and create permission for [database tokens](#database-tokens).
+Members can't delete or create databases or management tokens.
+
+##### Auditor user group 
+
+Auditors are {{% product-name %}} users who have read permission on all resources
+(for all clusters) in the account; auditors can't modify account resources.
 
 #### Management tokens
 
@@ -279,11 +317,24 @@ Management tokens consist of the following:
 
 - An access token string (sensitive)
 - A permission set for management activities (configured during user provisioning)
-- A mandatory 1 hour expiration for tokens generated by logging in to  `influxctl` 
+- For tokens generated by logging in to `influxctl`, a mandatory 1 hour expiration 
 
+In {{% product-name %}}, management tokens may be created by
+the account's identity provider
+for user authentication in clients, such as `influxctl`, or they may be manually
+created by [Admin](#admins-role-admin)
+users for automation using the Management API.
+
+- [Management tokens in the `influxctl` CLI](#management-tokens-in-influxctl-cli)
+- [Management tokens and the Management API](#management-tokens-and-the-management-api)
+
+##### Management tokens in influxctl CLI
+
+In {{% product-name %}}, the account's identity provider creates management tokens
+for user authentication in tools such as `influxctl`.
 When a user issues a command using the `influxctl` command-line tool,
 `influxctl` sends the management token string with the request to the server,
-where Granite validates the token (for example, using Auth0).
+where Granite validates the token.
 If the management token is valid and not expired, the service then compares the
 token's permissions against the permissions needed to complete the user's request.
 
@@ -300,13 +351,17 @@ For example, a user's Linux system would store the management token at
 
 ##### Management tokens and the Management API
 
-A user associated with the cluster and authorized through OAuth may use
-`influxctl` to
-[manually create and revoke management tokens](/influxdb/cloud-dedicated/admin/tokens/management/)
-for automation use
-cases--for example, using the [Management API for
-{{% product-name %}}](/influxdb/cloud-dedicated/api/management/) to rotate
-database tokens or create tables.
+For automation use cases, [Admins](#admin-group) can
+[manually create and revoke long-lived management tokens](/influxdb/cloud-dedicated/admin/tokens/management/)
+for use with the [Management API](/influxdb/cloud-dedicated/api/management/)--for
+example, to rotate database tokens or create tables.
+
+Manually created management tokens:
+
+- aren't affected by [user group](#user-groups) permissions
+- have an optional expiration and don't require human interaction with the OAuth provider
+- are for automation use cases
+- shouldn't be used to circumvent the OAuth provider
 
 To authenticate a Management API request, the user passes the manually created
 token in the HTTP `Authorization` header:
@@ -315,17 +370,15 @@ token in the HTTP `Authorization` header:
 Authorization MANAGEMENT_TOKEN
 ```
 
-A manually created management token has an optional expiration and
-doesn't require human interaction with the OAuth provider.
-
-Manually created management tokens are meant for automation use cases
-and shouldn't be used to circumvent the OAuth provider.
-
 #### Database tokens
 
-Database tokens provide authorization for users and client applications to read and write data and metadata in an {{% product-name %}} database.
+[Admins](#admin-group) and [Members](#member-group), can create
+[database tokens](#database-tokens) for database read and write access.
+Database tokens provide authorization for users and client applications to read
+and write data and metadata in an {{% product-name %}} database.
 All data write and query API requests require a valid database token with sufficient permissions.
-_**Note:** an all-access management token can't read or write to a database because it's not a database token._
+_**Note:** an all-access [management token](#management-tokens) can't read or
+write to a database because it's not a database token._
 
 Database tokens consist of the following: