From 4dd7f46e8e2a714a329b4d8e44ab1e2ae3969f0e Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <stirnamanj@gmail.com>
Date: Fri, 11 Oct 2024 11:49:27 -0500
Subject: [PATCH 1/7] feat(dedicated): Add user groups Closes
 influxdata/dar/issues/450 - Introduces user groups for Dedicated - Invite new
 users and assign groups - Reassign existing users to different groups -
 Update internals/security

---
 .../cloud-dedicated/admin/users/_index.md     | 99 +++++++++++++++++++
 .../reference/internals/security.md           | 70 ++++++++++---
 2 files changed, 155 insertions(+), 14 deletions(-)
 create mode 100644 content/influxdb/cloud-dedicated/admin/users/_index.md

diff --git a/content/influxdb/cloud-dedicated/admin/users/_index.md b/content/influxdb/cloud-dedicated/admin/users/_index.md
new file mode 100644
index 000000000..141c0aa2e
--- /dev/null
+++ b/content/influxdb/cloud-dedicated/admin/users/_index.md
@@ -0,0 +1,99 @@
+---
+title: Manage users
+seotitle: Manage users and permissions in InfluxDB Cloud Dedicated
+description: >
+  Manage users and access to resources in your InfluxDB Cloud Dedicated cluster.
+  Assign user groups for role-based access control and security.
+menu:
+  influxdb_cloud_dedicated:
+    parent: Administer InfluxDB Cloud
+weight: 101
+influxdb/cloud-dedicated/tags: [user groups]
+related:
+  - /influxdb/cloud-dedicated/reference/internals/security/
+  - /influxdb/cloud-dedicated/admin/tokens/ 
+---
+
+Manage users and access to resources in your {{% product-name %}} cluster.
+
+By assigning users to different groups based on the level of access they need,
+you can minimize unnecessary access and reduce the risk of inadvertent
+actions.
+User groups associate access privileges with user attributes--an important part of the
+Attribute-Based Access Control (ABAC) security model which grants access based on
+user attributes, resource types, and environment context.
+
+- [Available user groups](#available-user-groups)
+- [Manage users](#manage-users)
+- [Assign a user to a different group](#assign-a-user-to-a-different-group)
+- [Invite a user to your account](#invite-a-user-to-your-account)
+
+### Available user groups
+
+In {{% product-name %}}, users have "management" roles, such as creating and 
+deleting databases, viewing resource information, and provisioning
+[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) for reading and writing data. 
+
+A user can belong to the following groups, each with predefined privileges:
+
+<!-- Question: what are the "certain resources" below? -->
+
+- **Admin**: Read and write permissions on all resources.
+- **Member**: Read permission on certain resources and create permission for
+  database tokens; members can't delete or create databases or management tokens.
+- **Auditor**: Read permission on all resources; auditors can't modify resources.
+
+{{% note %}}
+#### Existing users are Admin by default
+
+With the release of user groups for {{% product-name %}}, all existing users
+in your account are initially assigned to the Admin group, retaining full
+access to resources in your cluster.
+{{% /note %}}
+
+### Manage users
+
+InfluxData uses Auth0 to create user accounts and assign users to groups
+in {{% product-name %}}.
+
+### Assign a user to a different group
+
+To assign existing users in your account to different
+groups, [contact InfluxData support](https://support.influxdata.com/s/login/)
+and provide the list of users and the desired [user groups](#available-user-groups)
+for each.
+
+### Invite a user to your account
+
+For new users that you want to add to your account, the InfluxData Support Team
+configures invitations with the attributes and groups that you specify. 
+
+<!-- Question: cluster admins shouldn't use `influctl user invite` https://github.com/influxdata/docs-v2/blob/dddf699722bc9e2ba33c4ea9f34673454f3164a5/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md
+How should we communicate this? -->
+
+1. [Contact InfluxData support](https://support.influxdata.com/s/login/)
+   to invite a user to your account.
+   In your request, provide the user details, including email address, desired
+   [user groups](#available-user-groups), and other attributes for the user.
+2. InfluxData support creates the user account and emails the user an invitation
+   that includes following:
+
+   - An **Auth0 login** to authenticate access to the cluster
+   - The {{% product-name %}} **account ID**
+   - The {{% product-name %}} **cluster ID**
+   - The {{% product-name %}} **cluster URL**
+   - A password reset email for setting the login password
+
+3. The user accepts the invitation to your account
+
+With a valid password, the user can access cluster resources by interacting with the
+[`influxctl`](/influxdb/cloud-dedicated/reference/influxctl/) command line tool.
+The assigned user groups determine the user's access to resources.
+
+{{% note %}}
+#### Use database tokens to authorize data reads and writes
+
+In {{% product-name %}}, user groups control access for managing cluster resources.
+[Database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) control access
+for reading and writing data in cluster databases.
+{{% /note %}}
diff --git a/content/influxdb/cloud-dedicated/reference/internals/security.md b/content/influxdb/cloud-dedicated/reference/internals/security.md
index 915c486c4..c18cee678 100644
--- a/content/influxdb/cloud-dedicated/reference/internals/security.md
+++ b/content/influxdb/cloud-dedicated/reference/internals/security.md
@@ -238,13 +238,15 @@ separates workload cluster management authorizations (using _management tokens_)
 from database read and write authorizations (using _database tokens_).
 
 - [User provisioning](#user-provisioning)
+- [User groups](#user-groups)
 - [Management tokens](#management-tokens)
 - [Database tokens](#database-tokens)
 
 #### User provisioning
 
-InfluxData uses [Auth0](https://auth0.com/) to create user accounts and assign
-permission sets to user accounts on {{% product-name %}}.
+InfluxData uses [Auth0](https://auth0.com/) to create user accounts and 
+assign user attributes, including [user groups](#user-groups), on {{% product-name %}}.
+
 After a user account is created, InfluxData provides the user with the following:
 
 - An **Auth0 login** to authenticate access to the cluster
@@ -260,13 +262,49 @@ exchanged with `influxctl`.
 After a successful Auth0 authentication, {{% product-name %}} provides the
 user's `influxctl` session with a short-lived
 [management token](#management-tokens) for access to the Granite service.
-The user interacts with the `influxctl` command line tool to manage the workload
-cluster, including creating [database tokens](#database-tokens) for database
-read and write access and [creating long-lived management tokens](/influxdb/cloud-dedicated/admin/management-tokens/)
-for use with the [Management API](/influxdb/cloud-dedicated/api/management/).
+The user interacts with the `influxctl` command line tool to view or manage
+cluster resources.
+The [user groups](#user-groups) assigned to the user determine the level of
+access to resources.
+
+#### User groups
+
+User groups associate access privileges with user attributes--an important part of the
+Attribute-Based Access Control (ABAC) security model, which grants access based on
+user attributes, resource types, and environment context.
+
+In {{% product-name %}}, a user can belong to any of the following user groups,
+each with predefined privileges:
+
+- [Admin user group]
+- [Member user group]
+- [Auditor user group]
+
+##### Admin user group
+
+Admins are {{% product-name %}} users who have read and write permissions on
+all resources (for all clusters) in the account.
+Only Admins can create [management tokens](#management-tokens).
+
+##### Members (role: member)
+
+<!-- Define "certain resources" below: -->
+
+Members are {{% product-name %}} users who have read permission on certain
+resources and create permission for [database tokens](#database-tokens).
+Members can't delete or create databases or management tokens.
+
+##### Auditor (role: auditor)
+
+Auditors are {{% product-name %}} users who have read permission on all resources
+(for all clusters) in the account; auditors can't modify account resources.
 
 #### Management tokens
 
+[Admins](#admin-group) can create long-lived
+[management tokens](/influxdb/cloud-dedicated/admin/management-tokens/)
+for use with the [Management API](/influxdb/cloud-dedicated/api/management/).
+
 Management tokens authenticate user accounts to the Granite service and provide
 authorizations for workload cluster management activities, including:
  
@@ -308,6 +346,12 @@ cases--for example, using the [Management API for
 {{% product-name %}}](/influxdb/cloud-dedicated/api/management/) to rotate
 database tokens or create tables.
 
+Manually created management tokens:
+
+- have an optional expiration and don't require human interaction with the OAuth provider
+- are for automation use cases
+- shouldn't be used to circumvent the OAuth provider
+
 To authenticate a Management API request, the user passes the manually created
 token in the HTTP `Authorization` header:
 
@@ -315,17 +359,15 @@ token in the HTTP `Authorization` header:
 Authorization MANAGEMENT_TOKEN
 ```
 
-A manually created management token has an optional expiration and
-doesn't require human interaction with the OAuth provider.
-
-Manually created management tokens are meant for automation use cases
-and shouldn't be used to circumvent the OAuth provider.
-
 #### Database tokens
 
-Database tokens provide authorization for users and client applications to read and write data and metadata in an {{% product-name %}} database.
+[Admins](#admin-group) and [Members](#member-group), can create
+[database tokens](#database-tokens) for database read and write access.
+Database tokens provide authorization for users and client applications to read
+and write data and metadata in an {{% product-name %}} database.
 All data write and query API requests require a valid database token with sufficient permissions.
-_**Note:** an all-access management token can't read or write to a database because it's not a database token._
+_**Note:** an all-access [management token](#management-tokens) can't read or
+write to a database because it's not a database token._
 
 Database tokens consist of the following:
 

From 56eeec15bc61ee99212c3ee09ec81500273932bb Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <stirnamanj@gmail.com>
Date: Wed, 16 Oct 2024 13:39:49 -0500
Subject: [PATCH 2/7] fix(Dedicated): User group shortcuts

---
 .../cloud-dedicated/reference/internals/security.md    | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/content/influxdb/cloud-dedicated/reference/internals/security.md b/content/influxdb/cloud-dedicated/reference/internals/security.md
index c18cee678..c9fcaea2e 100644
--- a/content/influxdb/cloud-dedicated/reference/internals/security.md
+++ b/content/influxdb/cloud-dedicated/reference/internals/security.md
@@ -276,11 +276,11 @@ user attributes, resource types, and environment context.
 In {{% product-name %}}, a user can belong to any of the following user groups,
 each with predefined privileges:
 
-- [Admin user group]
-- [Member user group]
-- [Auditor user group]
+- [Admin user group](#admins-role-admin
+- [Member user group](#members-role-member)
+- [Auditor user group](#auditors-role-auditor)
 
-##### Admin user group
+##### Admins (role: admin)
 
 Admins are {{% product-name %}} users who have read and write permissions on
 all resources (for all clusters) in the account.
@@ -294,7 +294,7 @@ Members are {{% product-name %}} users who have read permission on certain
 resources and create permission for [database tokens](#database-tokens).
 Members can't delete or create databases or management tokens.
 
-##### Auditor (role: auditor)
+##### Auditors (role: auditor)
 
 Auditors are {{% product-name %}} users who have read permission on all resources
 (for all clusters) in the account; auditors can't modify account resources.

From b51a168a852b6abb5ef4bb57f81195617a014ce9 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <stirnamanj@gmail.com>
Date: Wed, 16 Oct 2024 13:51:51 -0500
Subject: [PATCH 3/7] fix(Dedicated): User group shortcuts

---
 .../influxdb/cloud-dedicated/reference/internals/security.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/influxdb/cloud-dedicated/reference/internals/security.md b/content/influxdb/cloud-dedicated/reference/internals/security.md
index c9fcaea2e..f0d2919ca 100644
--- a/content/influxdb/cloud-dedicated/reference/internals/security.md
+++ b/content/influxdb/cloud-dedicated/reference/internals/security.md
@@ -276,7 +276,7 @@ user attributes, resource types, and environment context.
 In {{% product-name %}}, a user can belong to any of the following user groups,
 each with predefined privileges:
 
-- [Admin user group](#admins-role-admin
+- [Admin user group](#admins-role-admin)
 - [Member user group](#members-role-member)
 - [Auditor user group](#auditors-role-auditor)
 

From 86ee055c10018f248613a5e95a3c02def165f7a5 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <stirnamanj@gmail.com>
Date: Thu, 17 Oct 2024 10:22:17 -0500
Subject: [PATCH 4/7] fix(v3): broken optimize-queries links, typos,
 placeholder

---
 .../troubleshoot-and-optimize/analyze-query-plan.md       | 6 +++---
 .../troubleshoot-and-optimize/optimize-queries.md         | 1 +
 .../troubleshoot-and-optimize/analyze-query-plan.md       | 8 ++++----
 .../troubleshoot-and-optimize/optimize-queries.md         | 1 +
 .../troubleshoot-and-optimize/analyze-query-plan.md       | 6 +++---
 .../troubleshoot-and-optimize/optimize-queries.md         | 1 +
 6 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/analyze-query-plan.md b/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/analyze-query-plan.md
index 915b95683..f0da76fe1 100644
--- a/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/analyze-query-plan.md
+++ b/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/analyze-query-plan.md
@@ -25,7 +25,7 @@ By learning how to generate and interpret reports for the query plan,
 you can better understand how the query is executed and identify bottlenecks that affect the performance of your query.
 
 For example, if the query plan reveals that your query reads a large number of Parquet files,
-you can then take steps to [optimize your query](/influxdb/cloud-dedicated/query-data/optimize-queries/), such as add filters to read less data or
+you can then take steps to [optimize your query](/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/optimize-queries/), such as add filters to read less data or
 configure your cluster to store fewer and larger files.
 
 - [Use EXPLAIN keywords to view a query plan](#use-explain-keywords-to-view-a-query-plan)
@@ -113,7 +113,7 @@ Plans are in _tree format_--each plan is an upside-down tree in which
 execution and data flow from _leaf nodes_, the innermost steps in the plan, to outer _branch nodes_.
 Whether reading a logical or physical plan, keep the following in mind:
 
-- Start at the the _leaf nodes_ and read upward.
+- Start at the _leaf nodes_ and read upward.
 - At the top of the plan, the _root node_ represents the final, encompassing step.
 
 In a [physical plan](/influxdb/cloud-dedicated/reference/internals/query-plan/#physical-plan), each step is an [`ExecutionPlan` node](/influxdb/cloud-dedicated/reference/internals/query-plan/#execution-plan-nodes) that receives expressions for input data and output requirements, and computes a partition of data.
@@ -770,4 +770,4 @@ Operator structure for aggregating, sorting, and final output.
 - `SortPreservingMergeExec: [city@0 ASC NULLS LAST]`: Merges and sorts the four sorted streams for the final output.
 
 In the preceding examples, the `EXPLAIN` report shows the query plan without executing the query.
-To view runtime metrics, such as execution time for a plan and its operators, use [`EXPLAIN ANALYZE`](/influxdb/cloud-dedicated/reference/sql/explain/#explain-analyze) to generate the report and [tracing](/influxdb/cloud-dedicated/query-data/optimize-queries/#enable-trace-logging) for further debugging, if necessary.
+To view runtime metrics, such as execution time for a plan and its operators, use [`EXPLAIN ANALYZE`](/influxdb/cloud-dedicated/reference/sql/explain/#explain-analyze) to generate the report and [tracing](/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/optimize-queries/#enable-trace-logging) for further debugging, if necessary.
diff --git a/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/optimize-queries.md b/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/optimize-queries.md
index 5a297bd9a..350a0136c 100644
--- a/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/optimize-queries.md
+++ b/content/influxdb/cloud-dedicated/query-data/troubleshoot-and-optimize/optimize-queries.md
@@ -16,6 +16,7 @@ related:
 aliases:
   - /influxdb/cloud-dedicated/query-data/execute-queries/optimize-queries/
   - /influxdb/cloud-dedicated/query-data/execute-queries/analyze-query-plan/
+  - /influxdb/cloud-dedicated/query-data/optimize-queries/
 ---
 
 Optimize SQL and InfluxQL queries to improve performance and reduce their memory and compute (CPU) requirements.
diff --git a/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/analyze-query-plan.md b/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/analyze-query-plan.md
index e2926ca49..8d61f5508 100644
--- a/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/analyze-query-plan.md
+++ b/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/analyze-query-plan.md
@@ -24,7 +24,7 @@ By learning how to generate and interpret reports for the query plan,
 you can better understand how the query is executed and identify bottlenecks that affect the performance of your query.
 
 For example, if the query plan reveals that your query reads a large number of Parquet files,
-you can then take steps to [optimize your query](/influxdb/cloud-serverless/query-data/optimize-queries/), such as add filters to read less data.
+you can then take steps to [optimize your query](/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/optimize-queries/), such as add filters to read less data.
 
 - [Use EXPLAIN keywords to view a query plan](#use-explain-keywords-to-view-a-query-plan)
 - [Read an EXPLAIN report](#read-an-explain-report)
@@ -65,7 +65,7 @@ import pandas as pd
 import tabulate # Required for pandas.to_markdown()
 
 # Instantiate an InfluxDB client.
-client = InfluxDBClient3(token = f"TOKEN",
+client = InfluxDBClient3(token = f"API_TOKEN",
                         host = f"{{< influxdb/host >}}",
                         database = f"BUCKET_NAME")
 
@@ -109,7 +109,7 @@ Plans are in _tree format_--each plan is an upside-down tree in which
 execution and data flow from _leaf nodes_, the innermost steps in the plan, to outer _branch nodes_.
 Whether reading a logical or physical plan, keep the following in mind:
 
-- Start at the the _leaf nodes_ and read upward.
+- Start at the _leaf nodes_ and read upward.
 - At the top of the plan, the _root node_ represents the final, encompassing execution step.
 
 In a [physical plan](/influxdb/cloud-serverless/reference/internals/query-plan/#physical-plan), each step is an [`ExecutionPlan` node](/influxdb/cloud-serverless/reference/internals/query-plan/#executionplan-nodes) that receives expressions for input data and output requirements, and computes a partition of data.
@@ -766,4 +766,4 @@ Operator structure for aggregating, sorting, and final output.
 - `SortPreservingMergeExec: [city@0 ASC NULLS LAST]`: Merges and sorts the four sorted streams for the final output.
 
 In the preceding examples, the `EXPLAIN` report shows the query plan without executing the query.
-To view runtime metrics, such as execution time for a plan and its operators, use [`EXPLAIN ANALYZE`](/influxdb/cloud-serverless/reference/sql/explain/#explain-analyze) to generate the report and [tracing](/influxdb/cloud-serverless/query-data/optimize-queries/#enable-trace-logging) for further debugging, if necessary.
+To view runtime metrics, such as execution time for a plan and its operators, use [`EXPLAIN ANALYZE`](/influxdb/cloud-serverless/reference/sql/explain/#explain-analyze) to generate the report and [tracing](/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/optimize-queries/#enable-trace-logging) for further debugging, if necessary.
diff --git a/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/optimize-queries.md b/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/optimize-queries.md
index 9b7c00e2c..7db303751 100644
--- a/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/optimize-queries.md
+++ b/content/influxdb/cloud-serverless/query-data/troubleshoot-and-optimize/optimize-queries.md
@@ -15,6 +15,7 @@ related:
   - /influxdb/cloud-serverless/query-data/execute-queries/analyze-query-plan/
 aliases:
   - /influxdb/cloud-serverless/query-data/execute-queries/optimize-queries/
+  - /influxdb/cloud-serverless/query-data/optimize-queries/
 ---
 
 Optimize SQL and InfluxQL queries to improve performance and reduce their memory and compute (CPU) requirements.
diff --git a/content/influxdb/clustered/query-data/troubleshoot-and-optimize/analyze-query-plan.md b/content/influxdb/clustered/query-data/troubleshoot-and-optimize/analyze-query-plan.md
index 898b01496..c5c347183 100644
--- a/content/influxdb/clustered/query-data/troubleshoot-and-optimize/analyze-query-plan.md
+++ b/content/influxdb/clustered/query-data/troubleshoot-and-optimize/analyze-query-plan.md
@@ -25,7 +25,7 @@ By learning how to generate and interpret reports for the query plan,
 you can better understand how the query is executed and identify bottlenecks that affect the performance of your query.
 
 For example, if the query plan reveals that your query reads a large number of Parquet files,
-you can then take steps to [optimize your query](/influxdb/clustered/query-data/optimize-queries/), such as add filters to read less data or
+you can then take steps to [optimize your query](/influxdb/clustered/query-data/troubleshoot-and-optimize/optimize-queries/), such as add filters to read less data or
 configure your cluster to store fewer and larger files.
 
 - [Use EXPLAIN keywords to view a query plan](#use-explain-keywords-to-view-a-query-plan)
@@ -113,7 +113,7 @@ Plans are in _tree format_--each plan is an upside-down tree in which
 execution and data flow from _leaf nodes_, the innermost steps in the plan, to outer _branch nodes_.
 Whether reading a logical or physical plan, keep the following in mind:
 
-- Start at the the _leaf nodes_ and read upward.
+- Start at the _leaf nodes_ and read upward.
 - At the top of the plan, the _root node_ represents the final, encompassing step.
 
 In a [physical plan](/influxdb/clustered/reference/internals/query-plan/#physical-plan), each step is an [`ExecutionPlan` node](/influxdb/clustered/reference/internals/query-plan/#executionplan-nodes) that receives expressions for input data and output requirements, and computes a partition of data.
@@ -770,4 +770,4 @@ Operator structure for aggregating, sorting, and final output.
 - `SortPreservingMergeExec: [city@0 ASC NULLS LAST]`: Merges and sorts the four sorted streams for the final output.
 
 In the preceding examples, the `EXPLAIN` report shows the query plan without executing the query.
-To view runtime metrics, such as execution time for a plan and its operators, use [`EXPLAIN ANALYZE`](/influxdb/clustered/reference/sql/explain/#explain-analyze) to generate the report and use [tracing](/influxdb/clustered/query-data/optimize-queries/#enable-trace-logging) for further debugging, if necessary.
+To view runtime metrics, such as execution time for a plan and its operators, use [`EXPLAIN ANALYZE`](/influxdb/clustered/reference/sql/explain/#explain-analyze) to generate the report and use [tracing](/influxdb/clustered/query-data/troubleshoot-and-optimize/optimize-queries/#enable-trace-logging) for further debugging, if necessary.
diff --git a/content/influxdb/clustered/query-data/troubleshoot-and-optimize/optimize-queries.md b/content/influxdb/clustered/query-data/troubleshoot-and-optimize/optimize-queries.md
index 69a66af6f..3b3b0684c 100644
--- a/content/influxdb/clustered/query-data/troubleshoot-and-optimize/optimize-queries.md
+++ b/content/influxdb/clustered/query-data/troubleshoot-and-optimize/optimize-queries.md
@@ -16,6 +16,7 @@ related:
 aliases:
   - /influxdb/clustered/query-data/execute-queries/optimize-queries/
   - /influxdb/clustered/query-data/execute-queries/analyze-query-plan/
+  - /influxdb/clustered/query-data/optimize-queries/
 ---
 
 Optimize SQL and InfluxQL queries to improve performance and reduce their memory and compute (CPU) requirements.

From 83b7da3a6c282403ccab32cb823c265b02268259 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <stirnamanj@gmail.com>
Date: Thu, 17 Oct 2024 14:43:27 -0500
Subject: [PATCH 5/7] feat(dedicated): cleanup Auth0 mentions, apply PR
 suggestions

---
 .../admin/tokens/management/_index.md         | 21 +++---
 .../cloud-dedicated/admin/users/_index.md     | 17 ++---
 .../reference/cli/influxctl/user/delete.md    |  7 ++
 .../reference/cli/influxctl/user/invite.md    | 11 ++-
 .../reference/internals/security.md           | 69 +++++++++++--------
 5 files changed, 74 insertions(+), 51 deletions(-)

diff --git a/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md b/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md
index be24443b1..8c8c79b3c 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/management/_index.md
@@ -11,6 +11,8 @@ menu:
     name: Management tokens
 weight: 101
 influxdb/cloud-dedicated/tags: [tokens]
+related:
+  - /influxdb/cloud-dedicated/reference/internals/security/
 ---
 
 Management tokens grant permission to perform administrative actions such as
@@ -21,24 +23,27 @@ managing users, databases, and database tokens in your
 Management tokens do _not_ grant permissions to write or query time series data
 in your {{< product-name omit=" Clustered">}} cluster.
 
-To grant write or query permissions, use management tokens to create [database tokens](/influxdb/cloud-dedicated/admin/tokens/database/).
+To grant write or query permissions, use management tokens to create
+[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/).
 {{% /note %}}
 
-By default, management tokens are short-lived tokens issued by an OAuth2 identity
-provider that grant a specific user administrative access to your
-{{< product-name omit=" Clustered">}} cluster.
+By default, management tokens are short-lived tokens issued by your identity
+provider for a [specific client session](/influxdb/cloud-dedicated/reference/internals/security/#management-tokens-in-the-influxctl-cli) (for example, `influxctl`).
+
 However, for automation purposes, you can manually create management tokens that
 authenticate directly with your InfluxDB Cluster and do not require human
 interaction with your identity provider.
+_Manually created management tokens provide full access to all account resources
+and aren't affected by [user groups](/influxdb/cloud-dedicated/reference/internals/security/#user-groups)_.
 
 {{% warn %}}
 #### For automation use cases only
 
-The tools outlined below are meant for automation use cases and should not be
-used to circumvent your identity provider. **Take great care when manually creating
-and using management tokens**.
+The tools outlined below are meant for automation use cases and shouldn't be
+used to circumvent your identity provider or user group permissions.
+**Take great care when manually creating and using management tokens**.
 
-{{< product-name >}} requires at least one user associated with your cluster 
+{{< product-name >}} requires at least one [Admin user](/influxdb/cloud-dedicated/reference/internals/security/#admin-user-group) associated with your cluster 
 and authorized through your OAuth2 identity provider to manually create a
 management token.
 {{% /warn %}}
diff --git a/content/influxdb/cloud-dedicated/admin/users/_index.md b/content/influxdb/cloud-dedicated/admin/users/_index.md
index 141c0aa2e..e47534748 100644
--- a/content/influxdb/cloud-dedicated/admin/users/_index.md
+++ b/content/influxdb/cloud-dedicated/admin/users/_index.md
@@ -25,19 +25,15 @@ user attributes, resource types, and environment context.
 
 - [Available user groups](#available-user-groups)
 - [Manage users](#manage-users)
-- [Assign a user to a different group](#assign-a-user-to-a-different-group)
-- [Invite a user to your account](#invite-a-user-to-your-account)
 
 ### Available user groups
 
-In {{% product-name %}}, users have "management" roles, such as creating and 
-deleting databases, viewing resource information, and provisioning
+In {{% product-name %}}, users have "management" responsibilities, such as creating and 
+deleting [databases](/influxdb/cloud-dedicated/admin/databases/), [viewing resource information](/influxdb/cloud-dedicated/admin/monitor-your-cluster/), and provisioning
 [database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) for reading and writing data. 
 
 A user can belong to the following groups, each with predefined privileges:
 
-<!-- Question: what are the "certain resources" below? -->
-
 - **Admin**: Read and write permissions on all resources.
 - **Member**: Read permission on certain resources and create permission for
   database tokens; members can't delete or create databases or management tokens.
@@ -53,8 +49,8 @@ access to resources in your cluster.
 
 ### Manage users
 
-InfluxData uses Auth0 to create user accounts and assign users to groups
-in {{% product-name %}}.
+- [Assign a user to a different group](#assign-a-user-to-a-different-group)
+- [Invite a user to your account](#invite-a-user-to-your-account)
 
 ### Assign a user to a different group
 
@@ -68,9 +64,6 @@ for each.
 For new users that you want to add to your account, the InfluxData Support Team
 configures invitations with the attributes and groups that you specify. 
 
-<!-- Question: cluster admins shouldn't use `influctl user invite` https://github.com/influxdata/docs-v2/blob/dddf699722bc9e2ba33c4ea9f34673454f3164a5/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md
-How should we communicate this? -->
-
 1. [Contact InfluxData support](https://support.influxdata.com/s/login/)
    to invite a user to your account.
    In your request, provide the user details, including email address, desired
@@ -78,7 +71,7 @@ How should we communicate this? -->
 2. InfluxData support creates the user account and emails the user an invitation
    that includes following:
 
-   - An **Auth0 login** to authenticate access to the cluster
+   - A login URL to authenticate access to the cluster
    - The {{% product-name %}} **account ID**
    - The {{% product-name %}} **cluster ID**
    - The {{% product-name %}} **cluster URL**
diff --git a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md
index e148e0a01..ba0a71e28 100644
--- a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md
+++ b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/delete.md
@@ -9,6 +9,13 @@ weight: 301
 draft: true
 ---
 
+{{% warn %}}
+#### InfluxData internal use only
+
+This command is for InfluxData internal use only and won't work when run by
+a user account.
+{{% /warn %}}
+
 The `influxctl user delete` command deletes a user from your {{< product-name >}}
 account.
 
diff --git a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md
index 61ae750a3..d3a84f2ec 100644
--- a/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md
+++ b/content/influxdb/cloud-dedicated/reference/cli/influxctl/user/invite.md
@@ -1,7 +1,7 @@
 ---
 title: influxctl user invite
 description: >
-  The `influxctl user invite` command invites a user to your InfluxDB Cloud Dedicated
+  The `influxctl user invite` command invites a user to an InfluxDB Cloud Dedicated
   account.
 menu:
   influxdb_cloud_dedicated:
@@ -10,7 +10,14 @@ weight: 301
 draft: true
 ---
 
-The `influxctl user invite` command invites a user to your {{< product-name >}}
+{{% warn %}}
+#### InfluxData internal use only
+
+This command is for InfluxData internal use only and won't work when run by
+a user account.
+{{% /warn %}}
+
+The `influxctl user invite` command invites a user to an {{< product-name >}}
 account.
 
 ## Usage
diff --git a/content/influxdb/cloud-dedicated/reference/internals/security.md b/content/influxdb/cloud-dedicated/reference/internals/security.md
index f0d2919ca..6a74cdaa6 100644
--- a/content/influxdb/cloud-dedicated/reference/internals/security.md
+++ b/content/influxdb/cloud-dedicated/reference/internals/security.md
@@ -8,6 +8,9 @@ menu:
     name: Security
     parent: InfluxDB internals
 influxdb/cloud-dedicated/tags: [security, internals]
+related:
+  - /influxdb/cloud-dedicated/admin/tokens
+  - /influxdb/cloud-dedicated/admin/users
 ---
 
 InfluxData's information security program is based on industry-recognized standards and frameworks,
@@ -233,8 +236,8 @@ Users can configure the following security controls:
 
 ### Access, authentication, and authorization
 
-{{< product-name >}} uses [Auth0](https://auth0.com/) for authentication and
-separates workload cluster management authorizations (using _management tokens_)
+{{< product-name >}} separates workload cluster management authorizations
+(using _management tokens_)
 from database read and write authorizations (using _database tokens_).
 
 - [User provisioning](#user-provisioning)
@@ -244,12 +247,14 @@ from database read and write authorizations (using _database tokens_).
 
 #### User provisioning
 
-InfluxData uses [Auth0](https://auth0.com/) to create user accounts and 
-assign user attributes, including [user groups](#user-groups), on {{% product-name %}}.
+InfluxData follows security best practices for creating user accounts
+and managing permissions to resources.
 
-After a user account is created, InfluxData provides the user with the following:
+InfluxData Support creates user accounts with [user group](#user-groups) permissions
+for access to {{% product-name omit="Clustered" %}} cluster resources.
+After creating the user account, InfluxData provides the user with the following:
 
-- An **Auth0 login** to authenticate access to the cluster
+- A login URL for authenticating access to the cluster
 - The {{% product-name %}} **account ID**
 - The {{% product-name %}} **cluster ID**
 - The {{% product-name %}} **cluster URL**
@@ -257,9 +262,10 @@ After a user account is created, InfluxData provides the user with the following
 
 With a valid password, the user can login by invoking one of the
 [`influxctl` commands](/influxdb/cloud-dedicated/reference/influxctl/).
-The command initiates an Auth0 browser login so that the password is never
+The command initiates a browser login between the identity provider and the user
+so that the password is never
 exchanged with `influxctl`.
-After a successful Auth0 authentication, {{% product-name %}} provides the
+After a successful authentication, {{% product-name %}} provides the
 user's `influxctl` session with a short-lived
 [management token](#management-tokens) for access to the Granite service.
 The user interacts with the `influxctl` command line tool to view or manage
@@ -276,35 +282,29 @@ user attributes, resource types, and environment context.
 In {{% product-name %}}, a user can belong to any of the following user groups,
 each with predefined privileges:
 
-- [Admin user group](#admins-role-admin)
-- [Member user group](#members-role-member)
-- [Auditor user group](#auditors-role-auditor)
+- [Admin user group](#admin-user-group)
+- [Member user group](#member-user-group)
+- [Auditor user group](#auditor-user-group)
 
-##### Admins (role: admin)
+##### Admin user group
 
 Admins are {{% product-name %}} users who have read and write permissions on
 all resources (for all clusters) in the account.
 Only Admins can create [management tokens](#management-tokens).
 
-##### Members (role: member)
-
-<!-- Define "certain resources" below: -->
+##### Member user group 
 
 Members are {{% product-name %}} users who have read permission on certain
 resources and create permission for [database tokens](#database-tokens).
 Members can't delete or create databases or management tokens.
 
-##### Auditors (role: auditor)
+##### Auditor user group 
 
 Auditors are {{% product-name %}} users who have read permission on all resources
 (for all clusters) in the account; auditors can't modify account resources.
 
 #### Management tokens
 
-[Admins](#admin-group) can create long-lived
-[management tokens](/influxdb/cloud-dedicated/admin/management-tokens/)
-for use with the [Management API](/influxdb/cloud-dedicated/api/management/).
-
 Management tokens authenticate user accounts to the Granite service and provide
 authorizations for workload cluster management activities, including:
  
@@ -317,11 +317,24 @@ Management tokens consist of the following:
 
 - An access token string (sensitive)
 - A permission set for management activities (configured during user provisioning)
-- A mandatory 1 hour expiration for tokens generated by logging in to  `influxctl` 
+- For tokens generated by logging in to `influxctl`, a mandatory 1 hour expiration 
 
+In {{% product-name %}}, management tokens may be created by
+the account's identity provider
+for user authentication in clients, such as `influxctl`, or they may be manually
+created by [Admin](#admins-role-admin)
+users for automation using the Management API.
+
+- [Management tokens in the `influxctl` CLI](#management-tokens-in-influxctl-cli)
+- [Management tokens and the Management API](#management-tokens-and-the-management-api)
+
+##### Management tokens in influxctl CLI
+
+In {{% product-name %}}, the account's identity provider creates management tokens
+for user authentication in tools such as `influxctl`.
 When a user issues a command using the `influxctl` command-line tool,
 `influxctl` sends the management token string with the request to the server,
-where Granite validates the token (for example, using Auth0).
+where Granite validates the token.
 If the management token is valid and not expired, the service then compares the
 token's permissions against the permissions needed to complete the user's request.
 
@@ -338,16 +351,14 @@ For example, a user's Linux system would store the management token at
 
 ##### Management tokens and the Management API
 
-A user associated with the cluster and authorized through OAuth may use
-`influxctl` to
-[manually create and revoke management tokens](/influxdb/cloud-dedicated/admin/tokens/management/)
-for automation use
-cases--for example, using the [Management API for
-{{% product-name %}}](/influxdb/cloud-dedicated/api/management/) to rotate
-database tokens or create tables.
+For automation use cases, [Admins](#admin-group) can
+[manually create and revoke long-lived management tokens](/influxdb/cloud-dedicated/admin/tokens/management/)
+for use with the [Management API](/influxdb/cloud-dedicated/api/management/)--for
+example, to rotate database tokens or create tables.
 
 Manually created management tokens:
 
+- aren't affected by [user group](#user-groups) permissions
 - have an optional expiration and don't require human interaction with the OAuth provider
 - are for automation use cases
 - shouldn't be used to circumvent the OAuth provider

From 0e4dfb90972bad36562499165254831ecd90faa2 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <jstirnaman@influxdata.com>
Date: Thu, 17 Oct 2024 16:05:15 -0500
Subject: [PATCH 6/7] Update
 content/influxdb/cloud-dedicated/admin/users/_index.md

Co-authored-by: Scott Anderson <sanderson@users.noreply.github.com>
---
 content/influxdb/cloud-dedicated/admin/users/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/influxdb/cloud-dedicated/admin/users/_index.md b/content/influxdb/cloud-dedicated/admin/users/_index.md
index e47534748..a066f81f6 100644
--- a/content/influxdb/cloud-dedicated/admin/users/_index.md
+++ b/content/influxdb/cloud-dedicated/admin/users/_index.md
@@ -26,7 +26,7 @@ user attributes, resource types, and environment context.
 - [Available user groups](#available-user-groups)
 - [Manage users](#manage-users)
 
-### Available user groups
+## Available user groups
 
 In {{% product-name %}}, users have "management" responsibilities, such as creating and 
 deleting [databases](/influxdb/cloud-dedicated/admin/databases/), [viewing resource information](/influxdb/cloud-dedicated/admin/monitor-your-cluster/), and provisioning

From 4611a9fc23dd40cedb705ab8a638c6c2d6fff7d4 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman <jstirnaman@influxdata.com>
Date: Thu, 17 Oct 2024 16:05:23 -0500
Subject: [PATCH 7/7] Update
 content/influxdb/cloud-dedicated/admin/users/_index.md

Co-authored-by: Scott Anderson <sanderson@users.noreply.github.com>
---
 content/influxdb/cloud-dedicated/admin/users/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/influxdb/cloud-dedicated/admin/users/_index.md b/content/influxdb/cloud-dedicated/admin/users/_index.md
index a066f81f6..43e9d3778 100644
--- a/content/influxdb/cloud-dedicated/admin/users/_index.md
+++ b/content/influxdb/cloud-dedicated/admin/users/_index.md
@@ -47,7 +47,7 @@ in your account are initially assigned to the Admin group, retaining full
 access to resources in your cluster.
 {{% /note %}}
 
-### Manage users
+## Manage users
 
 - [Assign a user to a different group](#assign-a-user-to-a-different-group)
 - [Invite a user to your account](#invite-a-user-to-your-account)