V2.14-rbac

docs/Researcher/cli-reference/runai-submit-dist-TF.md

@@ -5,7 +5,7 @@
 Submit a distributed TensorFlow training run:ai job to run.
 
 !!! Note
-    To use distributed training you need to have installed the < insert  TensorFlow operator here > as specified < insert pre-requisites link here >.
+    To use distributed training you need to have installed the TensorFlow operator as specified in [Distributed training](../../admin/runai-setup/cluster-setup/cluster-prerequisites.md#distributed-training).
 
 Syntax notes:
 

docs/Researcher/cli-reference/runai-submit-dist-mpi.md

@@ -3,7 +3,7 @@
 Submit a Distributed Training (MPI) Run:ai Job to run.
 
 !!! Note
-    To use distributed training you need to have installed the Kubeflow MPI Operator as specified [here](../../../admin/runai-setup/cluster-setup/cluster-prerequisites/#distributed-training-via-kubeflow-mpi)
+    To use distributed training you need to have installed the Kubeflow MPI Operator as specified in [Distributed training](../../admin/runai-setup/cluster-setup/cluster-prerequisites.md#distributed-training).
 
 Syntax notes:
 

docs/Researcher/cli-reference/runai-submit-dist-pytorch.md

@@ -5,7 +5,7 @@
 Submit a distributed PyTorch training run:ai job to run.
 
 !!! Note
-    To use distributed training you need to have installed the < insert pytorch operator here > as specified < insert pre-requisites link here >.
+    To use distributed training you need to have installed the Pytorch operator as specified in [Distributed training](../../admin/runai-setup/cluster-setup/cluster-prerequisites.md#distributed-training).
 
 Syntax notes:
 

docs/admin/admin-ui-setup/admin-ui-users.md

@@ -2,10 +2,10 @@
 
 ## Introduction
 
-The Run:ai User Interface allows the creation of Run:ai Users. Run:ai Users can receive varying levels of access to the Administration UI and submit Jobs on the Cluster.
+The Run:ai UI allows the creation of Run:ai Users. Users are assigned levels of access to all aspects of the UI including submitting jobs on the cluster.
 
 !!! Tip
-    It is possible to connect the Run:ai user interface to the organization's directory and use single sign-on. This allows you to set Run:ai roles for users and groups from the organizational directory. For further information see [single sign-on configuration](../runai-setup/authentication/sso.md).
+    It is possible to connect the Run:ai UI to the organization's directory and use single sign-on (SSO). This allows you to set Run:ai roles for users and groups from the organizational directory. For further information see [single sign-on configuration](../runai-setup/authentication/sso.md).
 
 ## Working with Users
 
@@ -14,54 +14,29 @@ You can create users, as well as update and delete users.
 ### Create a User
 
 !!! Note
-    To be able to review, add, update and delete users, you must have an *Administrator* access. If you do not have such access, please contact an Administrator.
+    To be able to review, add, update and delete users, you must have *System Administrator* access. To upgrade your access, contact a system administrator.
 
-:octicons-versions-24: Department Admin is available in version 2.10 and later.
+To create a new user:
 
-1. Login to the Users area of the Run:ai User interface at `company-name.run.ai`.
-2. Select the `Users` tab for local users, or the `SSO Users` tab for SSO users.
-3. On the top right, select "NEW USER".
-4. Enter the user's email.
-5. Select Roles. More than one role can be selected. Available roles are:
-    * **Administrator**—Can manage Users and install Clusters.
-    * **Editor**—Can manage Projects and Departments.
-    * **Viewer**—View-only access to the Run:ai User Interface.
-    * **Researcher**—Can submit ML workloads. Setting a user as a *Researcher* also requires [assigning the user to projects](../project-setup/#create-a-new-project.md).
-    * **Research Manager**—Can act as *Researcher* in all projects, including new ones to be created in the future.
-    * **ML Engineer**—Can view and manage deployments and cluster resources. Available only when [Inference module is installed](../workloads/inference-overview.md).
-    * **Department Administrator**—Can manage Departments, descendent Projects and Workloads.
+1. Login to the Run:ai UI at `company-name.run.ai`.
+2. Press the ![Tools and Settings](img/tools-and-settings.svg) icon, then select *Users*.
+3. Press *New user* and enter the user's email address, then press *Create*.
+4. Review the new user information and note the temporary password that has been assigned. To send the user an introductory email, select the checkbox.
+5. Press *Done* when complete.
 
-    For more information, [Roles and permissions](#roles-and-permissions).
+## Assigning access rules to users
 
-6. (Optional) Select Cluster(s). This determines what Clusters are accessible to this User.
-7. Press "Save".
+Once you have created the users you can assign them *Access rules*. This provides the needed authorization to access system assets and resources.
 
-You will get the new user credentials and have the option to send the credentials by email.
+To add an *Access rule* to a user:
 
-### Roles and permissions
-
-Roles provide a way to group permissions and assign them to either users or user groups. The role identifies the collection of permissions that administrators assign to users or user groups. Permissions define the actions that users can perform on the managed entities. The following table shows the default roles and permissions.
+1. Select the user, then press *Access rules*, then press *+Access rule*.
+2. Select a *Role* from the dropdown.
+3. Press ![Scope](../../images/scope-icon.svg) then select a scope for the user. You can select multiple scopes.
+4. After selecting all the required scopes, press *Save rule*.
+5. To add another rule, use the *+Access rule*.
+6. Press *Done* when all the rules are configured.
 
-| Managed Entity   /  Roles | Admin | Dep. Admin | Editor | Research Manager | Researcher | ML Eng. | Viewer |
-|:--|:--|:--|:--|:--|:--|:--|:--|
-| Assign (Settings) Users/Groups/Apps to Roles | CRUD (all roles) | CRUD (Proj. Researchers and ML Engineers only) | N/A | N/A | N/A | N/A | N/A |
-| Assign Users/Groups/Apps to Organizations | R (Projects, Departments) | CRUD (Projects only) | CRUD (Projects, Departments) | N/A | N/A | N/A | N/A |
-| Departments | R | R | CRUD | N/A | N/A | R | R |
-| Projects | R | CRUD | CRUD | R | R | R | R |
-| Jobs | R | R | R | R | CRUD | N/A | R |
-| Deployments | R | R | R | N/A | N/A | CRUD | R |
-| Workspaces | R | R | R | R | CRUD | N/A | N/A |
-| Environments | CRUD | CRUD | CRUD | CRUD | CRUD | N/A | N/A |
-| Data Sources | CRUD | CRUD | CRUD | CRUD | CRUD | N/A | N/A |
-| Compute Resources | CRUD | CRUD | CRUD | CRUD | CRUD | N/A | N/A |
-| Templates | CRUD | CRUD | CRUD | CRUD | CRUD | N/A | N/A |
-| Clusters | CRUD | N/A | R | N/A | N/A | R | R |
-| Node Pools | CRUD | N/A | R | N/A | N/A | R | R |
-| Nodes | R | N/A | R | N/A | N/A | R | R |
-| Settings (General, Credentials) | CRUD | N/A | N/A | N/A | N/A | N/A | N/A |
-| Events History | R | N/A | N/A | N/A | N/A | N/A | N/A |
-| Dashboard.Overview | R | R | R | R | R | R | R |
-| Dashboards.Analytics | R | R | R | R | R | R | R |
-| Dashboards.Consumption | R | N/A | N/A | N/A | N/A | N/A | N/A |
+### Roles and permissions
 
-Permissions:    **C** = Create, **R** = Read, **U** = Update, **D** = Delete
+Roles provide a way for administrators to group and identify collections of permissions that administrators assign to [subjects](../runai-setup/access-control/rbac.md#subjects). Permissions define the actions that can be performed on managed entities. The [Roles](../runai-setup/access-control/rbac.md#roles) table shows the default roles and permissions that come with the syste. See [Role based access control](../runai-setup/access-control/rbac.md) for more information.

docs/admin/admin-ui-setup/department-setup.md

@@ -56,30 +56,47 @@ To add a new department:
 
 1. In the **Departments** grid, press **New Department**.
 2. Enter a name.
-3. In *Quota management* configure the number GPUs, CPUs, and CPU memory.
-4. In *Access control* select a user or application to be department administrator. If there are no users assigned the role of department administrator, see [Assigning Department Administrator role](#assigning-department-administrator-role).
+3. In *Quota management* configure the number GPUs, CPUs, and CPU memory, then press *Save*.
+
+<!-- 4. In *Access control* select a user or application to be department administrator. If there are no users assigned the role of department administrator, see [Assigning Department Administrator role](#assigning-department-administrator-role). -->
 
 ### Assigning Department Administrator role
 
+There are two ways to add *Department Administrator* roles to a department.
+
+The first is through the *Users* UI, and the second is through the *Access rules* that you can assign to a department.
+
+#### Users UI
+
 You can create a new user with the *Department Administrator* role, or add the role to existing users.
 To create a new user with this role, see [Create a user](admin-ui-users.md#create-a-user).
 To add this role to an existing user:
 
-1. Go to `Settings | Users`.
-2. Select a user from the list and then press `Edit User`.
-3. Select the `Department Admin` role from the list. (Deselect to remove the role from the user).
-4. Press save when complete.
+1. Press the ![Tools and Settings](img/tools-and-settings.svg) icon, then select *Users*..
+2. Select a user, then press *Access rules*, then press *+Access rule*.
+3. Select the `Department Administrator` role from the list.
+4. Press on the ![Scope](../../images/scope-icon.svg) and select one or more departments.
+5. Press *Save rule* and then *Close*.
 
-After you have created the user with the Department Administrator role, you will need to assign the user to the correct department.
+#### Assigning the access rule to the department
+
+To assign the *Access rule* to the department:
+
+1. Select a department from the list, then press *Access rules*, then press then press *+Access rule*.
+2. From the *Subject type* dropdown choose *User* or *Application*, then enter the user name or the application name.
+3. From the *Role* dropdown, select *Department administrator*, then press *Save rule*.
+4. If you want to add another rule, use the *+Access rule*.
+5. When all the rules are configured, press *Close*.
+
+<!-- After you have created the user with the Department Administrator role, you will need to assign the user to the correct department.
 
 To assign the Department Administrator user to the correct department:
 
 1. Go to `Settings | Departments`.
 2. Select a department from the list, then press `Edit`. If you do not have a department, you will need to create one. See [Adding a new department](#adding-departments).
 3. Select `Department Administrator`, then select `Users` or `Applications`.
 4. If you selected `Users`, select one or more users from the drop down menu.
-5. Press save when complete.
-
+5. Press save when complete. -->
 
 ### Assigning Projects to Departments
 

docs/admin/admin-ui-setup/project-setup.md

@@ -46,29 +46,38 @@ As an administrator, you may want to disconnect the two parameters. So, for exam
 !!! Note
     To be able to create or edit Projects, you must have *Editor* access. See the [Users](admin-ui-users.md) documentation.
 
-1. In the left-menu, press **Projects**.
-1.5 On the top right, select "Add New Project"
+1. In the left-menu, press **Projects**, then press *+Add New Project*.
 2. Choose a *Department* from the drop-down. The default is `default`.
 3. Enter a *Project name*. Press *Namespace* to set the namespace associated with the project. You can either create the namespace from the project name (default) or enter an existing namespace.
-4. In *Access control*, add one or more applications or users. If your user or application isn't in the list, see [Roles and permissions](admin-ui-users.md#roles-and-permissions), and verify that the users have the correct permissions. To change user permissions, see [Working with users](admin-ui-users.md#working-with-users).
-5. In *Quota management*, configure the node pool priority (if editable), the GPUs, CPUs, CPU memory, and Over-quota priority settings. Configure the following:
+4. In *Quota management*, configure the node pool priority (if editable), the GPUs, CPUs, CPU memory, and Over-quota priority settings. Configure the following:
 
        * *Order of priority*—the priority the node pool will receive when trying to schedule workloads. For more information, see [Node pool priority](../../Researcher/scheduling/using-node-pools.md#multiple-node-pools-selection).
        * *GPUs*—the number of GPUs in the node pool. Press *GPUs* and enter the number of GPUs, then press *Apply* to save.
        * *CPUs(Cores)*—the number of CPU cores in the node pool. Press *CPUs* and enter the number of GPUs, then press *Apply* to save.
        * *CPU Memory*—the amount of memory the CPUs will be allocated. Press *CPU Memory*, enter an amount of memory, then press *Apply* to save.
        * Over-quota priority—the priority for the specific node pool to receive over-quota allocations.
 
-6. (Optional) In the *Scheduling rules* pane, use the dropdown arrow to open the pane. Press on the *+ Rule* button to add a new rule to the project. Add one (or more) of the following rule types:
+5. (Optional) In the *Scheduling rules* pane, use the dropdown arrow to open the pane. Press on the *+ Rule* button to add a new rule to the project. Add one (or more) of the following rule types:
 
     * *Idle GPU timeout*—controls the amount of time that specific workload GPUs which are idle will be remain assigned to the project before getting reassigned.
     * *Workspace duration*—limit the length of time a workspace will before being terminated.
     * *Training duration*—limit the length of time training workloads will run.
     * *Node type (Affinity)*—limits specific workloads to run on specific node types.
+
+<!-- 4. In *Access control*, add one or more applications or users. If your user or application isn't in the list, see [Roles and permissions](admin-ui-users.md#roles-and-permissions), and verify that the users have the correct permissions. To change user permissions, see [Working with users](admin-ui-users.md#working-with-users). -->
+
+## Assign users to a Project
+
+<!-- This is no longer available even when it is set to enabled!!
+When [Researcher Authentication](../runai-setup/authentication/researcher-authentication.md) is enabled, the Project form will contain an additional *Access Control* tab. The tab will allow you to assign Researchers to their Projects.  -->
 
-## Assign Users to Project
+To assign *Access rules* to the project:
 
-When [Researcher Authentication](../runai-setup/authentication/researcher-authentication.md) is enabled, the Project form will contain an additional *Access Control* tab. The tab will allow you to assign Researchers to their Projects.
+1. Select a project from the list, then press *Access rules*, then press then press *+Access rule*.
+2. From the *Subject type* dropdown choose *User* or *Application*, then enter the user name or the application name.
+3. From the *Role* dropdown, select the desired role, then press *Save rule*.
+4. If you want to add another rule, use the *+Access rule*.
+5. When all the rules are configured, press *Close*.
 
 If you are using Single-sign-on, you can also assign Groups
 
@@ -175,9 +184,9 @@ To set a duration limit for interactive Jobs:
 * Create a Project or edit an existing Project.
 * Go to the *Time Limit* tab
 * You can limit interactive Jobs using two criteria:
-    * Set a hard time limit (day, hour, minute) to an Interactive Job, regardless of the activity of this Job, e.g. stop the Job after 1 day of work.
-    * Set a time limit for Idle Interactive Jobs, i.e. an Interactive Job idle for X time is stopped. Idle means no GPU activity.
-    * You can set if this idle time limit is effective for Interactive Jobs that are Preemptible, non-Preemptible, or both.
+  * Set a hard time limit (day, hour, minute) to an Interactive Job, regardless of the activity of this Job, e.g. stop the Job after 1 day of work.
+  * Set a time limit for Idle Interactive Jobs, i.e. an Interactive Job idle for X time is stopped. Idle means no GPU activity.
+  * You can set if this idle time limit is effective for Interactive Jobs that are Preemptible, non-Preemptible, or both.
 
 The setting only takes effect for Jobs that have started after the duration has been changed.
 
@@ -187,7 +196,7 @@ To set a duration limit for Training Jobs:
 
 * Create a Project or edit an existing Project.
 * Go to the *Time Limit* tab:
-    * Set a time limit for Idle Training Jobs, i.e. a Training Job idle for X time is stopped. Idle means no GPU activity.
+  * Set a time limit for Idle Training Jobs, i.e. a Training Job idle for X time is stopped. Idle means no GPU activity.
 
 The setting only takes effect for Jobs that have started after the duration has been changed.