Security

modules/ROOT/content-nav.adoc

@@ -16,8 +16,6 @@ Generic Start
 ** xref:managing-instances/migration-readiness.adoc[Migration Readiness Report]
 ** xref:managing-instances/develop.adoc[Develop]
 
-//(tapping on resources will take you to the metrics tab, and then I fully document the metrics tab further down and I link to that in my notes)
-
 * **Import data**
 ** xref:import/introduction.adoc[What is Import?]
 ** xref:import/visual-tour.adoc[Visual tour]
@@ -70,6 +68,9 @@ Generic Start
 // ** xref:logging/log-forwarding.adoc[Security log forwarding]
 ** xref:logging/query-log-analyzer.adoc[Query log analyzer]
 
+* **Security**
+** xref:security/tool-auth.adoc[Tool authentication]
+
 * **Manage users**
 ** xref:user-management.adoc[]
 

modules/ROOT/pages/getting-started/quick-start-guide.adoc

@@ -104,20 +104,20 @@ Use the *Import* button and select the _.csv_ file you downloaded from Workspace
 [.shadow]
 image::import-saved-cypher.png[width=400]
 
-// === Perspectives
+=== Perspectives
 
-// Perspectives, except for the default Perspective (which is automatically re-created in the new console), can be exported from the Perspective drawer in Workspace.
-// Use the *Export* option on the Perspective you want to save.
-// It is exported as a _.json_ file.
+Perspectives, except for the default Perspective (which is automatically re-created in the new console), can be exported from the Perspective drawer in Workspace.
+Use the *Export* option on the Perspective you want to save.
+It is exported as a _.json_ file.
 
-// [.shadow]
-// image::export-perspective.png[width=300]
+[.shadow]
+image::export-perspective.png[width=300]
 
-// In the new console, navigate to the *Explore* tab and open the *Perspective* drawer.
-// Use the *Import* option and select the _.json_ file you downloaded from Workspace.
+In the new console, navigate to the *Explore* tab and open the *Perspective* drawer.
+Use the *Import* option and select the _.json_ file you downloaded from Workspace.
 
-// [.shadow]
-// image::import-perspective.png[width=600]
+[.shadow]
+image::import-perspective.png[width=600]
 
 
 

modules/ROOT/pages/security/tool-auth.adoc

@@ -0,0 +1,15 @@
+[[tool-auth]]
+= Tool authentication
+:description: This section describes the seamless tool authentication functionality in AuraDB.
+
+Organization admins can allow users in a project to connect seamlessly to a project and the instances within it.
+
+This feature can be enabled and configured from the Org settings.
+
+As an Org admin, you maintain access control of all projects within the organization.
+You can select which projects and instances users can connect seamlessly to and which they should be required to use username and password to connect to.
+
+To prevent unauthorized access and allow Project admins full access control, the authentication is used in conjunction with predefined roles with varying levels of access to the database.
+
+This means that Project admins assign roles to the users that grants them seamless connection to the project and its instances as well as certain privileges to the databases there.
+See xref:user-management.adoc#roles[User management - Roles] for more information.

modules/ROOT/pages/user-management.adoc

@@ -10,7 +10,7 @@ image::inviteusers.png[]
 
 Grant users access to a project.
 
-The project you're currently viewing is displayed in the header of the console. 
+The project you're currently viewing is displayed in the header of the console.
 You can select the project name to open the project dropdown menu, allowing you to view all the projects that you have access to and switch between them.
 
 Additionally, you can perform the following actions from the *Project Settings* page.
@@ -24,43 +24,187 @@ You can access the **Settings** page by selecting **Settings** from the sidebar
 
 Each project can have multiple users with individual accounts allowing access to the same environment.
 
-The users with access to a project can be viewed and managed from the **Users** page. 
+The users with access to a project can be viewed and managed from the **Users** page.
 You can access the **Users** page by selecting **Users** from the sidebar menu of the console.
 
-=== Roles
+[[roles]]
+== Roles
 
-Users within a project can be assigned one of the following roles:
+Users within a project can be assigned one of the following predefined roles:
 
 * _Project Admin_
 * _Project Member_
 * _Project Viewer_
 * _Project Metrics Integration Reader_
 
+These roles grant the users certain privileges both on the console level as well as on the instance level.
+The roles are immutable and every new user needs to be assigned one.
+
 :check-mark: icon:check[]
 
-.Roles
+.Roles and console capabilities
 [opts="header",cols="3,1,1,1"]
 |===
-| Capability | Admin | Member | Viewer
+| Capability | Viewer | Member | Admin
 | View users and their roles | {check-mark} | {check-mark} | {check-mark}
 | View and open instances | {check-mark} | {check-mark} | {check-mark}
-| Access the Neo4j Customer Support Portal | {check-mark} | {check-mark} | {check-mark} 
-| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | {check-mark} | {check-mark} |
-| Clone data to new and existing instances | {check-mark} | {check-mark} |
-| Take on-demand snapshots | {check-mark} | {check-mark} |
-| Restore from snapshots | {check-mark} | {check-mark} |
-| Edit the project name | {check-mark} | |
-| Invite new users to the project | {check-mark} | |
-| Edit existing users' roles | {check-mark} | |
-| Delete existing users from the project | {check-mark} | |
-| View and edit billing information | {check-mark} | |
+| Access the Neo4j Customer Support Portal | {check-mark} | {check-mark} | {check-mark}
+| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | | {check-mark} | {check-mark}
+| Clone data to new and existing instances | | {check-mark} | {check-mark}
+| Take on-demand snapshots | | {check-mark} | {check-mark}
+| Restore from snapshots | | {check-mark} | {check-mark}
+| Edit the project name | | | {check-mark}
+| Invite new users to the project | | | {check-mark}
+| Edit existing users' roles | | | {check-mark}
+| Delete existing users from the project | | | {check-mark}
+| View and edit billing information | | | {check-mark}
 |===
 
 [NOTE]
 ====
 Each project must have at least one Project Admin, but it is also possible for projects to have multiple Project Admins.
 ====
 
+Additionally, predefined roles are assigned certain privileges on the instance level as well.
+
+.Roles and database privileges
+[options="header", cols="3,1,1,1,1,1"]
+|===
+| Privilege
+| Viewer
+| Member
+| Admin Free
+| Admin Pro
+| Admin BC
+
+| Access to database
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List constraints
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Create constraints
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+
+| Delete constraints
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List indexes
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Create indexes
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Delete indexes
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Find nodes and relationships and read their properties
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Load external data in queries
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Write to the graph
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Name management for node labels, relationship types, and property names.
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List and end transactions for specified users on the database
+|
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List, create, delete, and modify users.
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| List roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| Create roles
+|
+|
+|
+|
+| {check-mark}
+
+| Assign roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| Rename roles
+|
+|
+|
+|
+| {check-mark}
+
+| Remove roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+|===
+
 === Inviting users
 
 As an _Admin_, to invite a new user:
@@ -98,13 +242,13 @@ As an _Admin_, to delete an existing user:
 
 === Accepting an invite
 
-When invited to a project, you will receive an email with a link to accept the invite. 
+When invited to a project, you will receive an email with a link to accept the invite.
 This link will direct you to the Aura console, where a **Project invitation** modal will appear.
-You can select the project(s) you have been invited to and choose to accept or decline the invite(s). 
+You can select the project(s) you have been invited to and choose to accept or decline the invite(s).
 
 // You can also close the **Project invitation** modal without accepting or declining the invite(s) and later manually re-open the modal by selecting the **Pending invites** envelope icon in the console header.
 
 [TIP]
 ====
-User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level. 
+User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
 ====