Add documentation for Custom Roles feature #4293
brianmacdonald-temporal wants to merge 1 commit into main from
| Using Custom Roles with [Service Accounts](/cloud/service-accounts) can make them more secure for automation purposes. | ||
|
|
||
| ## Defining Custom Roles |
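Review bot: "can make them more secure for automation purposes" on the Service Accounts line is vague about what actually changes. Suggest stating the mechanism, e.g. "Assigning a Custom Role to a [Service Account](/cloud/service-accounts) lets you grant an automation only the permission actions it performs, instead of a broader predefined role", which also ties the sentence to the least-privilege motivation given in the intro.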
[new information] We have limits set for pre-release that need to be clarified:
- Each account can create up to 25 custom roles, while the UI may display at most 100 custom roles.
- No hard limit on the number of permission actions per custom role
- A max of 10 custom roles can be assigned per principal (e.g. user)
- A max of 20 specific resources (e.g. NS) per custom role total. Note that applying to ALL resources is still supported even if there are more than 20.
Slack thread for reference: https://temporaltechnologies.slack.com/archives/C09FNFWRW0L/p1773412536252889
Add to https://docs.temporal.io/cloud/limits and link from here?
Separately, we should also add the modifying and deleting a custom role workflow
and explicitly mention what permission role is needed for these actions: today only account owner & global admin can create/modify/delete a custom role. We don't support custom role delegation, e.g. creating a role to allow someone to manage custom roles (hope this isn't confusing :D)
| You can scope roles to: | ||
| * All resources of a given type | ||
| * Specific resources by explicit ID list | ||
| * Resource subsets |
What is a resource subset?
| import Tabs from '@theme/Tabs'; | ||
| import TabItem from '@theme/TabItem'; | ||
|
|
||
| Temporal Cloud currently offers a fixed set of predefined [account-level roles and Namespace-level permissions](https://docs.temporal.io/cloud/users#account-level-roles). |
| Temporal Cloud currently offers a fixed set of predefined [account-level roles and Namespace-level permissions](https://docs.temporal.io/cloud/users#account-level-roles). | |
| Temporal Cloud offers a set of predefined [account-level roles and Namespace-level permissions](https://docs.temporal.io/cloud/users#account-level-roles). |
| These roles are sufficient for many Temporal use cases, but not for supporting enterprise-grade access models | ||
| that require least privilege, delegation, and automation-safe permissions. |
| These roles are sufficient for many Temporal use cases, but not for supporting enterprise-grade access models | |
| that require least privilege, delegation, and automation-safe permissions. | |
| These roles are sufficient for many Temporal use cases, but can't cover all combinations of least privilege, delegation, and automation-safe permissions often required in large enterprises. |
Trying to sound less negative about the fixed roles
| ## What are Custom Roles? | ||
|
|
||
| Custom Roles enable you to define your own roles as bundles of permission primitives (operations/actions) | ||
| scoped to applicable resources (namespaces, projects, account objects) and assign them to any |
Intentional projects mention?
|
|
||
| Use Custom Roles if you want more fine-grained authentication than Temporal Cloud's predefined roles and permissions provide. | ||
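Review bot: "more fine-grained authentication" on this line should be "authorization": roles and permission actions control what an already-authenticated principal may do, not how it proves its identity. Suggest: "Use Custom Roles if you want more fine-grained authorization than Temporal Cloud's predefined roles and permissions provide."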
|
|
||
| Use Custom Roles if your access model requires the Principle of Least Privilege or delegation. |
This sounds a little funny - all access models SHOULD adhere to this. It's more when there's a significant gap between what least privilege means in the user context and what our fixed roles offer.
|
|
||
What does this PR do?
Adds documentation for the Custom Roles feature
Notes to reviewers
Attachments: EDU-6050 Add documentation for Custom Roles feature