From 6532ad0c5726f446474ad2c597b04e50e1e8e0e4 Mon Sep 17 00:00:00 2001
From: David Rusnak <106361125+david-rusnak@users.noreply.github.com>
Date: Wed, 9 Oct 2024 19:11:17 -0400
Subject: [PATCH 1/7] docs: add other required fields to user setup for clustered (#5639)
---
 content/influxdb/clustered/admin/users/add.md | 28 ++++++++++++++++---
 .../install/configure-cluster/directly.md | 14 ++++++++--
 .../install/configure-cluster/use-helm.md | 14 ++++++++--
 3 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/content/influxdb/clustered/admin/users/add.md b/content/influxdb/clustered/admin/users/add.md
index e4ed4859c..04c92d9f9 100644
--- a/content/influxdb/clustered/admin/users/add.md
+++ b/content/influxdb/clustered/admin/users/add.md
@@ -119,7 +119,12 @@ spec:
 jwksEndpoint: |-
 https://AUTH0_HOST/.well-known/openid-configuration
 users:
- - AUTH0_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Auth0.
+ - id: AUTH0_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
@@ -152,7 +157,12 @@ spec:
 jwksEndpoint: |-
 https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
 users:
- - AZURE_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Azure.
+ - id: AZURE_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
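Review bot: The example `email: mcfly@influxdata.com` in the added `users` entries is a real-looking address on the vendor's domain rather than a placeholder, even though the comment directly above says the value is arbitrary; the eight copies of this block (add.md, directly.md and use-helm.md, Auth0 and Azure variants) would be safer to copy with an obviously fake value such as `email: EXAMPLE_EMAIL` registered alongside `AUTH0_USER_ID` in the surrounding `code-placeholders`. The comment's key point — only `id` has to match the identity provider's user ID — deserves a sentence in the page prose as well, because a reader skimming the YAML may assume `email` takes part in authentication. The enclosing YAML example starts outside the hunk.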
@@ -249,7 +259,12 @@ admin:
 https://AUTH0_HOST/.well-known/openid-configuration
 # The list of users to grant access to Clustered via influxctl
 users:
- - AUTH0_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Auth0.
+ - id: AUTH0_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
@@ -280,7 +295,12 @@ admin:
 https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
 # The list of users to grant access to Clustered via influxctl
 users:
- - AZURE_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Azure.
+ - id: AZURE_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
diff --git a/content/influxdb/clustered/install/configure-cluster/directly.md b/content/influxdb/clustered/install/configure-cluster/directly.md
index dc11b643d..28630d24b 100644
--- a/content/influxdb/clustered/install/configure-cluster/directly.md
+++ b/content/influxdb/clustered/install/configure-cluster/directly.md
@@ -747,7 +747,12 @@ spec:
 jwksEndpoint: |-
 https://AUTH0_HOST/.well-known/openid-configuration
 users:
- - AUTH0_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Auth0.
+ - id: AUTH0_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
@@ -782,7 +787,12 @@ spec:
 jwksEndpoint: |-
 https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
 users:
- - AZURE_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Azure.
+ - id: AZURE_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
diff --git a/content/influxdb/clustered/install/configure-cluster/use-helm.md b/content/influxdb/clustered/install/configure-cluster/use-helm.md
index e85c4acb3..7ecf852a8 100644
--- a/content/influxdb/clustered/install/configure-cluster/use-helm.md
+++ b/content/influxdb/clustered/install/configure-cluster/use-helm.md
@@ -764,7 +764,12 @@ admin:
 https://AUTH0_HOST/.well-known/openid-configuration
 # The list of users to grant access to Clustered via influxctl
 users:
- - AUTH0_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Auth0.
+ - id: AUTH0_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
@@ -797,7 +802,12 @@ admin:
 https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys
 # The list of users to grant access to Clustered via influxctl
 users:
- - AZURE_USER_ID
+ # All fields are required but `firstName`, `lastName`, and `email` can be
+ # arbitrary values. However, `id` must match the user ID provided by Azure.
+ - id: AZURE_USER_ID
+ firstName: Marty
+ lastName: McFly
+ email: mcfly@influxdata.com
 ```
 {{% /code-placeholders %}}
From c6086a6fc96f7f47414c2f05f27119d574ff79d4 Mon Sep 17 00:00:00 2001
From: Fraser Savage
Date: Fri, 11 Oct 2024 15:25:26 +0100
Subject: [PATCH 2/7] fix(dedicated): Update links to database token management API reference
Links what have been broke, have done unbroke.
---
 .../influxdb/cloud-dedicated/admin/tokens/database/create.md | 4 ++--
 .../influxdb/cloud-dedicated/admin/tokens/database/delete.md | 2 +-
 .../influxdb/cloud-dedicated/admin/tokens/database/list.md | 2 +-
 .../influxdb/cloud-dedicated/admin/tokens/database/update.md | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/create.md b/content/influxdb/cloud-dedicated/admin/tokens/database/create.md
index 69d1cbf11..a342611f4 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/create.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/create.md
@@ -50,7 +50,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/api/management/) to create a [database token](/influxdb/cloud-dedicated/admin/tokens/database/) with permissions for reading and writing data in your {{< product-name omit=" Clustered" >}} cluster.
+or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/) to create a [database token](/influxdb/cloud-dedicated/admin/tokens/database/) with permissions for reading and writing data in your {{< product-name omit=" Clustered" >}} cluster.
 {{< tabs-wrapper >}}
 {{% tabs %}}
@@ -435,4 +435,4 @@ curl \
 {{% /code-placeholders %}}
 {{% /code-tab-content %}}
-{{< /code-tabs-wrapper >}}
\ No newline at end of file
+{{< /code-tabs-wrapper >}}
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md b/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
index b4232c262..416d86b44 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
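Review bot: The replacement target `influxdb/cloud-dedicated/reference/api/management/` on the `+or the [Management HTTP API]` line is still page-relative — it has no leading slash, unlike every other link in the same sentence — so it resolves beneath the current page's path instead of at the site root; the delete.md, list.md and update.md hunks of this patch have the same omission. Patches 3/7 to 6/7 later in this series rewrite these four lines once more to `/influxdb/cloud-dedicated/api/management/`, which is also the path security.md uses for the Management API, so squashing them into this commit would avoid landing an intermediate state with a second broken link.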
@@ -32,7 +32,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/api/management/)
+or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/)
 to delete a database token from your {{< product-name omit=" Clustered" >}} cluster.
 {{< tabs-wrapper >}}
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/list.md b/content/influxdb/cloud-dedicated/admin/tokens/database/list.md
index cfa05bf4a..baa6f33b3 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/list.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/list.md
@@ -36,7 +36,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/api/management/)
+or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/)
 to list database tokens in your {{< product-name omit=" Clustered" >}} cluster.
 [List database tokens](#list-database-tokens)
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/update.md b/content/influxdb/cloud-dedicated/admin/tokens/database/update.md
index c728685ba..2b63fe7db 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/update.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/update.md
@@ -53,7 +53,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/api/management/)
+or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/)
 to update a database token's permissions {{< product-name omit=" Clustered" >}} cluster.
 {{< tabs-wrapper >}}
From 8347ad6a6a5db973456c6564c22f1528a356e043 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman
Date: Fri, 11 Oct 2024 10:19:34 -0500
Subject: [PATCH 3/7] Update content/influxdb/cloud-dedicated/admin/tokens/database/create.md
---
 .../influxdb/cloud-dedicated/admin/tokens/database/create.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/create.md b/content/influxdb/cloud-dedicated/admin/tokens/database/create.md
index a342611f4..d0be6c137 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/create.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/create.md
@@ -50,7 +50,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/) to create a [database token](/influxdb/cloud-dedicated/admin/tokens/database/) with permissions for reading and writing data in your {{< product-name omit=" Clustered" >}} cluster.
+or the [Management HTTP API](/influxdb/cloud-dedicated/api/management/) to create a [database token](/influxdb/cloud-dedicated/admin/tokens/database/) with permissions for reading and writing data in your {{< product-name omit=" Clustered" >}} cluster.
 {{< tabs-wrapper >}}
 {{% tabs %}}
From e58e90797aa0e3e2727692c264731607648d86a6 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman
Date: Fri, 11 Oct 2024 10:19:54 -0500
Subject: [PATCH 4/7] Update content/influxdb/cloud-dedicated/admin/tokens/database/list.md
---
 content/influxdb/cloud-dedicated/admin/tokens/database/list.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/list.md b/content/influxdb/cloud-dedicated/admin/tokens/database/list.md
index baa6f33b3..aaecbb1fe 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/list.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/list.md
@@ -36,7 +36,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/)
+or the [Management HTTP API](/influxdb/cloud-dedicated/api/management/)
 to list database tokens in your {{< product-name omit=" Clustered" >}} cluster.
 [List database tokens](#list-database-tokens)
From 19a56051527a008a8477bead301f4393af872ac1 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman
Date: Fri, 11 Oct 2024 10:20:13 -0500
Subject: [PATCH 5/7] Update content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
---
 .../influxdb/cloud-dedicated/admin/tokens/database/delete.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md b/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
index 416d86b44..fce52f815 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/delete.md
@@ -32,7 +32,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/)
+or the [Management HTTP API](/influxdb/cloud-dedicated/api/management/)
 to delete a database token from your {{< product-name omit=" Clustered" >}} cluster.
 {{< tabs-wrapper >}}
From 82cd595931b8fc7705f5ab88311c43e452d280e4 Mon Sep 17 00:00:00 2001
From: Jason Stirnaman
Date: Fri, 11 Oct 2024 10:20:24 -0500
Subject: [PATCH 6/7] Update content/influxdb/cloud-dedicated/admin/tokens/database/update.md
---
 .../influxdb/cloud-dedicated/admin/tokens/database/update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/influxdb/cloud-dedicated/admin/tokens/database/update.md b/content/influxdb/cloud-dedicated/admin/tokens/database/update.md
index 2b63fe7db..69abd7568 100644
--- a/content/influxdb/cloud-dedicated/admin/tokens/database/update.md
+++ b/content/influxdb/cloud-dedicated/admin/tokens/database/update.md
@@ -53,7 +53,7 @@ related:
 ---
 Use the [`influxctl` CLI](/influxdb/cloud-dedicated/reference/cli/influxctl/)
-or the [Management HTTP API](influxdb/cloud-dedicated/reference/api/management/)
+or the [Management HTTP API](/influxdb/cloud-dedicated/api/management/)
 to update a database token's permissions {{< product-name omit=" Clustered" >}} cluster.
 {{< tabs-wrapper >}}
From 4dd7f46e8e2a714a329b4d8e44ab1e2ae3969f0e Mon Sep 17 00:00:00 2001
From: Jason Stirnaman
Date: Fri, 11 Oct 2024 11:49:27 -0500
Subject: [PATCH 7/7] feat(dedicated): Add user groups
Closes influxdata/dar/issues/450
- Introduces user groups for Dedicated
- Invite new users and assign groups
- Reassign existing users to different groups
- Update internals/security
---
 .../cloud-dedicated/admin/users/_index.md | 99 +++++++++++++++++++
 .../reference/internals/security.md | 70 ++++++++++---
 2 files changed, 155 insertions(+), 14 deletions(-)
 create mode 100644 content/influxdb/cloud-dedicated/admin/users/_index.md
diff --git a/content/influxdb/cloud-dedicated/admin/users/_index.md b/content/influxdb/cloud-dedicated/admin/users/_index.md
new file mode 100644
index 000000000..141c0aa2e
--- /dev/null
+++ b/content/influxdb/cloud-dedicated/admin/users/_index.md
@@ -0,0 +1,99 @@
+---
+title: Manage users
+seotitle: Manage users and permissions in InfluxDB Cloud Dedicated
+description: >
+ Manage users and access to resources in your InfluxDB Cloud Dedicated cluster.
+ Assign user groups for role-based access control and security.
+menu:
+ influxdb_cloud_dedicated:
+ parent: Administer InfluxDB Cloud
+weight: 101
+influxdb/cloud-dedicated/tags: [user groups]
+related:
+ - /influxdb/cloud-dedicated/reference/internals/security/
+ - /influxdb/cloud-dedicated/admin/tokens/
+---
+
+Manage users and access to resources in your {{% product-name %}} cluster.
+
+By assigning users to different groups based on the level of access they need,
+you can minimize unnecessary access and reduce the risk of inadvertent
+actions.
+User groups associate access privileges with user attributes--an important part of the
+Attribute-Based Access Control (ABAC) security model which grants access based on
+user attributes, resource types, and environment context.
+
+- [Available user groups](#available-user-groups)
+- [Manage users](#manage-users)
+- [Assign a user to a different group](#assign-a-user-to-a-different-group)
+- [Invite a user to your account](#invite-a-user-to-your-account)
+
+### Available user groups
+
+In {{% product-name %}}, users have "management" roles, such as creating and
+deleting databases, viewing resource information, and provisioning
+[database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) for reading and writing data.
+
+A user can belong to the following groups, each with predefined privileges:
+
+
+
+- **Admin**: Read and write permissions on all resources.
+- **Member**: Read permission on certain resources and create permission for
+ database tokens; members can't delete or create databases or management tokens.
+- **Auditor**: Read permission on all resources; auditors can't modify resources.
+
+{{% note %}}
+#### Existing users are Admin by default
+
+With the release of user groups for {{% product-name %}}, all existing users
+in your account are initially assigned to the Admin group, retaining full
+access to resources in your cluster.
+{{% /note %}}
+
+### Manage users
+
+InfluxData uses Auth0 to create user accounts and assign users to groups
+in {{% product-name %}}.
+
+### Assign a user to a different group
+
+To assign existing users in your account to different
+groups, [contact InfluxData support](https://support.influxdata.com/s/login/)
+and provide the list of users and the desired [user groups](#available-user-groups)
+for each.
+
+### Invite a user to your account
+
+For new users that you want to add to your account, the InfluxData Support Team
+configures invitations with the attributes and groups that you specify.
+
+
+
+1. [Contact InfluxData support](https://support.influxdata.com/s/login/)
+ to invite a user to your account.
+ In your request, provide the user details, including email address, desired
+ [user groups](#available-user-groups), and other attributes for the user.
+2. InfluxData support creates the user account and emails the user an invitation
+ that includes following:
+
+ - An **Auth0 login** to authenticate access to the cluster
+ - The {{% product-name %}} **account ID**
+ - The {{% product-name %}} **cluster ID**
+ - The {{% product-name %}} **cluster URL**
+ - A password reset email for setting the login password
+
+3. The user accepts the invitation to your account
+
+With a valid password, the user can access cluster resources by interacting with the
+[`influxctl`](/influxdb/cloud-dedicated/reference/influxctl/) command line tool.
+The assigned user groups determine the user's access to resources.
+
+{{% note %}}
+#### Use database tokens to authorize data reads and writes
+
+In {{% product-name %}}, user groups control access for managing cluster resources.
+[Database tokens](/influxdb/cloud-dedicated/admin/tokens/database/) control access
+for reading and writing data in cluster databases.
+{{% /note %}}
diff --git a/content/influxdb/cloud-dedicated/reference/internals/security.md b/content/influxdb/cloud-dedicated/reference/internals/security.md
index 915c486c4..c18cee678 100644
--- a/content/influxdb/cloud-dedicated/reference/internals/security.md
+++ b/content/influxdb/cloud-dedicated/reference/internals/security.md
@@ -238,13 +238,15 @@ separates workload cluster management authorizations (using _management tokens_)
 from database read and write authorizations (using _database tokens_).
 - [User provisioning](#user-provisioning)
+- [User groups](#user-groups)
 - [Management tokens](#management-tokens)
 - [Database tokens](#database-tokens)
 #### User provisioning
-InfluxData uses [Auth0](https://auth0.com/) to create user accounts and assign
-permission sets to user accounts on {{% product-name %}}.
+InfluxData uses [Auth0](https://auth0.com/) to create user accounts and
+assign user attributes, including [user groups](#user-groups), on {{% product-name %}}.
+
 After a user account is created, InfluxData provides the user with the following:
 - An **Auth0 login** to authenticate access to the cluster
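Review bot: The `influxctl` link in the new page points at `/influxdb/cloud-dedicated/reference/influxctl/`, while the token pages touched earlier in this series link the same tool at `/influxdb/cloud-dedicated/reference/cli/influxctl/`, so one of the two paths is almost certainly broken. The "Existing users are Admin by default" note tells readers that every current user has full access but not what to do about it; a closing sentence such as `Review the users in your account and [move](#assign-a-user-to-a-different-group) anyone who doesn't need full access to the Member or Auditor group.` would turn the note into a least-privilege action. Minor: step 2 should read `that includes the following:`, and "Read permission on certain resources" in the Member bullet names no resource, so a reader can't tell what a Member is able to see.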
@@ -260,13 +262,49 @@ exchanged with `influxctl`.
 After a successful Auth0 authentication, {{% product-name %}} provides the user's
 `influxctl` session with a short-lived [management token](#management-tokens)
 for access to the Granite service.
-The user interacts with the `influxctl` command line tool to manage the workload
-cluster, including creating [database tokens](#database-tokens) for database
-read and write access and [creating long-lived management tokens](/influxdb/cloud-dedicated/admin/management-tokens/)
-for use with the [Management API](/influxdb/cloud-dedicated/api/management/).
+The user interacts with the `influxctl` command line tool to view or manage
+cluster resources.
+The [user groups](#user-groups) assigned to the user determine the level of
+access to resources.
+
+#### User groups
+
+User groups associate access privileges with user attributes--an important part of the
+Attribute-Based Access Control (ABAC) security model, which grants access based on
+user attributes, resource types, and environment context.
+
+In {{% product-name %}}, a user can belong to any of the following user groups,
+each with predefined privileges:
+
+- [Admin user group]
+- [Member user group]
+- [Auditor user group]
+
+##### Admin user group
+
+Admins are {{% product-name %}} users who have read and write permissions on
+all resources (for all clusters) in the account.
+Only Admins can create [management tokens](#management-tokens).
+
+##### Members (role: member)
+
+
+
+Members are {{% product-name %}} users who have read permission on certain
+resources and create permission for [database tokens](#database-tokens).
+Members can't delete or create databases or management tokens.
+
+##### Auditor (role: auditor)
+
+Auditors are {{% product-name %}} users who have read permission on all resources
+(for all clusters) in the account; auditors can't modify account resources.
#### Management tokens
+[Admins](#admin-group) can create long-lived
+[management tokens](/influxdb/cloud-dedicated/admin/management-tokens/)
+for use with the [Management API](/influxdb/cloud-dedicated/api/management/).
+
 Management tokens authenticate user accounts to the Granite service and
 provide authorizations for workload cluster management activities, including:
@@ -308,6 +346,12 @@ cases--for example, using the
 [Management API for {{% product-name %}}](/influxdb/cloud-dedicated/api/management/)
 to rotate database tokens or create tables.
+Manually created management tokens:
+
+- have an optional expiration and don't require human interaction with the OAuth provider
+- are for automation use cases
+- shouldn't be used to circumvent the OAuth provider
+
 To authenticate a Management API request, the user passes the manually created
 token in the HTTP `Authorization` header:
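Review bot: The three list items `- [Admin user group]`, `- [Member user group]` and `- [Auditor user group]` are reference-style links with no definitions anywhere in the hunk, so they render as literal bracketed text rather than links to the sub-sections below. The sub-section headings are also written three different ways (`##### Admin user group`, `##### Members (role: member)`, `##### Auditor (role: auditor)`), and the cross-references added further down in this file — `[Admins](#admin-group)` in this hunk's Management tokens paragraph and `[Admins](#admin-group) and [Members](#member-group)` in the Database tokens hunk — point at anchors none of those headings produce. Naming the headings uniformly, `##### Admin user group` / `##### Member user group` / `##### Auditor user group`, and linking the list items and cross-references to `#admin-user-group`, `#member-user-group`, `#auditor-user-group` fixes all of it in one pass.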
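Review bot: The new bullet `- have an optional expiration and don't require human interaction with the OAuth provider` in the -308 hunk states the property but gives the reader no guidance, even though this is the security reference and the same list says these tokens are for automation and must not be used to bypass the OAuth provider. Since a non-expiring credential that needs no interactive login is the most exposed kind on this page, the bullet should carry the recommendation, e.g. `- have an optional expiration; set one whenever the automation allows, because the token isn't tied to an interactive login`. The bullets that follow then read as the rules they are meant to be.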
@@ -315,17 +359,15 @@ token in the HTTP `Authorization` header:
 Authorization MANAGEMENT_TOKEN
 ```
-A manually created management token has an optional expiration and
-doesn't require human interaction with the OAuth provider.
-
-Manually created management tokens are meant for automation use cases
-and shouldn't be used to circumvent the OAuth provider.
-
 #### Database tokens
-Database tokens provide authorization for users and client applications to read and write data and metadata in an {{% product-name %}} database.
+[Admins](#admin-group) and [Members](#member-group), can create
+[database tokens](#database-tokens) for database read and write access.
+Database tokens provide authorization for users and client applications to read
+and write data and metadata in an {{% product-name %}} database.
 All data write and query API requests require a valid database token with sufficient permissions.
-_**Note:** an all-access management token can't read or write to a database because it's not a database token._
+_**Note:** an all-access [management token](#management-tokens) can't read or
+write to a database because it's not a database token._
 Database tokens consist of the following:
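Review bot: `[Admins](#admin-group) and [Members](#member-group), can create` has a stray comma between the subject and `can`, and the `[database tokens](#database-tokens)` link on the following line sits inside the Database tokens section itself, so it links the reader to the heading they are already under; `[Admins](#admin-group) and [Members](#member-group) can create database tokens for database read and write access.` reads cleanly. The reworded note is a good place to also say who can create management tokens versus database tokens in one sentence, since the two permissions are now split across the Admin and Member descriptions earlier in the file.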