Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating self-service page #6221

Merged
merged 8 commits into from
Oct 3, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion website/docs/docs/cloud/git/connect-github.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Connecting your GitHub account to dbt Cloud provides convenience and another lay
* **Note** — [Single tenant](/docs/cloud/about-cloud/tenancy#single-tenant) accounts offer enhanced connection options for integrating with an On-Premises GitHub deployment setup using the native integration. This integration allows you to use all the features of the integration, such as triggering CI builds. The dbt Labs infrastructure team will coordinate with you to ensure any additional networking configuration requirements are met and completed. To discuss details, contact dbt Labs support or your dbt Cloud account team.
- You _must_ be a **GitHub organization owner** in order to [install the dbt Cloud application](/docs/cloud/git/connect-github#installing-dbt-cloud-in-your-github-account) in your GitHub organization. To learn about GitHub organization roles, see the [GitHub documentation](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization).
- The GitHub organization owner requires [_Owner_](/docs/cloud/manage-access/self-service-permissions) or [_Account Admin_](/docs/cloud/manage-access/enterprise-permissions) permissions when they log into dbt Cloud to integrate with a GitHub environment using organizations.
- You may need to temporarily provide an extra dbt Cloud user account with _Owner_ or _Account Admin_ [permissions](/docs/cloud/manage-access/self-service-permissions) for your GitHub organization owner until they complete the installation.
- You may need to temporarily provide an extra dbt Cloud user account with _Owner_ or _Account Admin_ [permissions](/docs/cloud/manage-access/enterprise-permissions) for your GitHub organization owner until they complete the installation.


## Installing dbt Cloud in your GitHub account
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: "Users and licenses"
description: "Learn how dbt Cloud administrators can use licenses and seats to control access in a dbt Cloud account."
id: "seats-and-users"
sidebar: "Users and licenses"
pagination_next: "docs/cloud/manage-access/self-service-permissions"
pagination_next: "docs/cloud/manage-access/enterprise-permissions"
pagination_prev: null
---

Expand Down
83 changes: 61 additions & 22 deletions website/docs/docs/cloud/manage-access/self-service-permissions.md
Original file line number Diff line number Diff line change
@@ -1,42 +1,81 @@
---
title: "Self-service permissions"
description: "Learn how dbt Cloud administrators can use self-service permissions to control access in a dbt Cloud account."
title: "Self-service Team account permissions"
description: "Learn how dbt Cloud administrators can use self-service permissions to control access in a dbt Cloud Team account."
sidebar_label: "Team permissions"
id: "self-service-permissions"
---

import Permissions from '/snippets/_self-service-permissions-table.md';
Self-service Team accounts are a quick and easy way to get dbt Cloud up and running for a small team. Team accounts have limited access to features and advanced settings like SSO, group management, and larger user bases will require an [Enterprise](/docs/cloud/manage-access/enterprise-permissions) account. If you're interested in upgrading, contact [dbt Labs today](https://www.getdbt.com/contact)!
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

## Groups and permissions

<Permissions features={'/snippets/_self-service-permissions-table.md'}/>
Groups determine a users permission and there are three groups are available for Team plan dbt Cloud accounts: Owner, Member, and Everyone. The first Owner user is the person who created the dbt Cloud account. New users are added to the Member and Everyone groups when they onboardbut this can be changed when the invitation is created. These groups only affect users with a [Developer license](#licenses) assigned.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you delete any of these?


## Read-Only vs. Developer License Types
The group access permissions are as follows:

Users configured with Read-Only license types will experience a restricted set of permissions in dbt Cloud. If a user is associated with a _Member_ permission set and a Read-Only seat license, then they will only have access to what a Read-Only seat allows. See [Seats and Users](/docs/cloud/manage-access/seats-and-users) for more information on the impact of licenses on these permissions.
- **Owner** &mdash; Full access to account features.
- **Member** &mdash; Robust access to the account with restrictions on features that can alter billing or security.
- **Everyone** &mdash; A catch-all group for all users in the account. This group does not have any permission assignments beyond the user's profile. Users must be assigned to either the Member or Owner group to work in dbt Cloud.

## Owner and Member Groups in dbt Cloud Enterprise
## Licenses

By default, new users are added to the Member and Owner groups when they onboard to a new dbt Cloud account. Member and Owner groups are included with every new dbt Cloud account because they provide access for administrators to add users and groups, and to apply permission sets.
You assign licenses to every user onboarded into dbt Cloud. You only assign Developer-licensed users to the Owner and Member groups. The groups have no impact on Read-only or IT licensed users.

You will need owner and member groups to help with account onboarding, but these groups can create confusion when initially setting up SSO and RBAC for dbt Cloud Enterprise accounts as described in the [Enterprise Permissions](enterprise-permissions) guide. Owner and Member groups are **account level** groups, so their permissions override any project-level permissions you wish to apply.
There are three license types:

After onboarding administrative users and configuring RBAC/SSO groups, we recommend the following steps for onboarding users to a dbt Cloud Enterprise account.
- **Developer** &mdash; The default license. Developer licenses don't restrict access to any features, so users with this license should be assigned to either the Owner or Member group. You're allotted up to 8 developer licenses per account.
- **Read-Only** &mdash; Read-only access to your project, including environments dbt Explorer. Doesn't have access to account settings at all. Functions the same regardless of group assignments. You're allotted up to 5 read-only licenses per account.
- **IT** &mdash; Partial access to the account settings including users, integrations, billing, and API settings. Cannot create or edit connects or access the project at all. Functions the same regardless of group assignments.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

See [Seats and Users](/docs/cloud/manage-access/seats-and-users) for more information on the impact of licenses on these permissions.

### Prerequisites
## Table of groups, licenses, and permissions

matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
You need to create an Account Admins group before removing any other groups.
Key:

1. Create an Account Admins group.
2. Assign at least one user to the Account Admins group. The assigned user can manage future group, SSO mapping, and user or group assignment.
* (W)rite &mdash; Create new or modify existing. Includes `send`, `create`, `delete`, `allocate`, `modify`, and `read`.
* (R)ead &mdash; Can view but can not create or change any fields.
* No value &mdash; No access to the feature.

### Remove the Owner and Member groups
Permissions:

Follow these steps for both Owner and Member groups:
* Account-level permissions &mdash; Permissions related to management of the dbt Cloud account. For example, billing and account settings.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
* Project-level permissions &mdash; Permissions related to the projects in dbt Cloud. For example, Explorer and the IDE.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

The following tables outline the access that users have if they are assigned a Developer license and the Owner or Member group, Read-only license, or IT license.

#### Account permissions for account roles

| Account-level permission| Owner | Member | Read-only license| IT license |
|:------------------------|:-----:|:------:|:----------------:|:------------:|
| Account settings | W | W | | W |
| Billing | W | | | W |
| Invitations | W | W | | W |
| Licenses | W | R | | W |
| Users | W | R | | W |
| Project (create) | W | W | | W |
| Connections | W | W | | W |
| Service tokens | W | | | W |
| Webhooks | W | W | | |

#### Project permissions for account roles

|Project-level permission | Owner | Member | Read-only | IT license |
|:------------------------|:-----:|:-------:|:---------:|:----------:|
| Adapters | W | W | R | |
| Connections | W | W | R | |
| Credentials | W | W | R | |
| Custom env. variables | W | W | R | |
| dbt adapters | W | W | | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what does dbt adapters mea? how is it diff to connections?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Removing that

matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
| Develop (IDE or dbt Cloud CLI)| W | W | | |
| Environments | W | W | R | |
| Jobs | W | W | R | |
| Metadata | R | R | R | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

by metadata, do we mean explorer?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure. This was already in the table when I moved it. It's all read-only so I don't think it's Explorer as a whole, but I'll remove it for now and revisit when we update these tables

matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
| Permissions | W | R | | |
| Profile | W | W | R | |
| Projects | W | W | R | |
| Repositories | W | W | R | |
| Runs | W | W | R | |
| Semantic Layer Config | W | W | R | |

1. Log into dbt Cloud.
2. Click the gear icon at the top right and select **Account settings**.
3. Select **Groups** then select **OWNER** or **MEMBER**** group.
4. Click **Edit**.
5. At the bottom of the Group page, click **Delete**.

The Account Admin can add additional SSO mapping groups, permission sets, and users as needed.
2 changes: 1 addition & 1 deletion website/docs/docs/dbt-cloud-apis/service-tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ Job admin service tokens can authorize requests for viewing, editing, and creati
Job runner service tokens can authorize requests for triggering runs and viewing historical runs.

**Member** <br/>
Member service tokens can authorize requests for viewing and editing resources, triggering runs, and inviting members to the account. Tokens assigned the Member permission set will have the same permissions as a Member user. For more information about Member users, see "[Self-service permissions](/docs/cloud/manage-access/self-service-permissions)".
Member service tokens can authorize requests for viewing and editing resources, triggering runs, and inviting members to the account. Tokens assigned the Member permission set will have the same permissions as a Member user. For more information about Member users, see "[Self-service Team plan permissions](/docs/cloud/manage-access/self-service-permissions)".

**Read-only**<br/>
Read-only service tokens can authorize requests for viewing a read-only dashboard, viewing generated documentation, and viewing source freshness reports. This token can access and retrieve account-level information endpoints on the [Admin API](/docs/dbt-cloud-apis/admin-cloud-api) and authorize requests to the [Discovery API](/docs/dbt-cloud-apis/discovery-api).
Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/sl-snowflake-qs.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ Open a new tab and follow these quick steps for account setup and data loading i
## Prerequisites

- You need a [dbt Cloud](https://www.getdbt.com/signup/) Trial, Team, or Enterprise account for all deployments. Contact your representative for Single-tenant setup; otherwise, create an account using this guide.
- Have the correct [dbt Cloud license](/docs/cloud/manage-access/seats-and-users) and [permissions](/docs/cloud/manage-access/self-service-permissions) based on your plan:
- Have the correct [dbt Cloud license](/docs/cloud/manage-access/seats-and-users) and [permissions](/docs/cloud/manage-access/enterprise-permissions) based on your plan:
<DetailsToggle alt_header="More info on license and permissions">

- Enterprise &mdash; Developer license with Account Admin permissions. Or "Owner" with a Developer license, assigned Project Creator, Database Admin, or Admin permissions.
Expand Down
Loading
Loading