Conversation

@Holmus (Contributor) commented Dec 29, 2025

Thanks for submitting a PR! Please check the boxes below:

  • I have added information to docs/ if required so people know about the feature!
  • I have filled in the "Changes" section below?
  • I have filled in the "How did you test this code" section below?
  • I have used a Conventional Commit title for this Pull Request

Changes

  • Restructured RBAC docs with clearer explanations of permission levels (organisation/project/environment) and role types
  • Added practical examples for common permission setups (developers with production restrictions, QA read-only access, etc.)
  • Updated change requests docs with a permissions table for create/approve/publish actions
  • Added permissions section to data model docs explaining how permissions align with the data hierarchy

How did you test this code?

Ran docs locally, verified SVGs look good, that links work, that the text makes sense and that the general order in which concepts are presented makes sense.

@Holmus Holmus requested a review from a team as a code owner December 29, 2025 11:41
@Holmus Holmus requested review from matthewelwell and removed request for a team December 29, 2025 11:41

@github-actions github-actions bot added the docs Documentation updates label Dec 29, 2025
@khvn26 (Member) commented Dec 29, 2025

Kindly check the linting failure:

  [cause]: Error: Docusaurus found broken links!
  
  Please check the pages of your site in the list below, and make sure you don't reference any path that does not exist.
  Note: it's possible to ignore broken links with the 'onBrokenLinks' Docusaurus configuration, and let the build pass.
  
  Exhaustive list of all broken links found:
  - Broken link on source page path = /administration-and-security/access-control/rbac:
     -> linking to /project-management/tags

@matthewelwell (Contributor) left a comment

On the whole, this seems like a great improvement. I've added a few minor suggestions and one question, but nothing that is strictly necessary I don't think.

R -->|Assigned to| A[Admin API keys];
G -->|Contains many| U;
```
Permissions are granted to **roles**, and roles are assigned to users, groups, or Admin API keys. A user's effective permissions are the **union of all permissions** from every role assigned to them — both directly and through group membership.
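Review bot: the union sentence leaves open whether a narrower role can ever restrict a broader one, so if the intended semantics are purely additive, say so explicitly right after "both directly and through group membership", for example: "Permissions are additive only: a role can add access but can never remove access granted by another role or group." Without that, a reader configuring the production restriction later in the page may assume the restrictive role takes precedence.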

Minor suggestion - should we add links to relevant documentation sections for groups and Admin API Keys (and users if applicable, but I'm not sure we have any documentation on users as such)?


How did you generate these images, where are the originals?

- _Organisation Administrator_ grants full access to everything in your Flagsmith organisation.
- _User_ grants no access and requires you to assign permissions using custom roles and/or groups.
- An _Organisation User_ (no organisation-wide admin access)
- A _Project Administrator_ for _Mobile App_ (full control of that project)

Suggested change
- A _Project Administrator_ for _Mobile App_ (full control of that project)
- A _Project Administrator_ for _Mobile App_ (full control of that project and all its environments)

- _User_ grants no access and requires you to assign permissions using custom roles and/or groups.
- An _Organisation User_ (no organisation-wide admin access)
- A _Project Administrator_ for _Mobile App_ (full control of that project)
- An _Environment Administrator_ for _Production_ in _Web App_ (full control of just that environment)

Suggested change
- An _Environment Administrator_ for _Production_ in _Web App_ (full control of just that environment)
- An _Environment Administrator_ for _Development_ in _Web App_ (full control of just that environment)

A bit nit picky, but it seems odd that someone would be an admin for just the Production environment.

Comment on lines +216 to +220
2. Create a custom role called _Developer Access_ with these permissions:
- **Project-level**: View project, Create feature
- **Development environment**: Administrator
- **Staging environment**: Administrator
- **Production environment**: View environment, Create change request
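Review bot: the Production restriction in this role only holds while no other role or group grants the same user more in Production, because effective permissions are the union of every assigned role (as the earlier section states). Suggest a sentence after this list, for example: "If a developer is also a member of a group that has Administrator on Production, they gain full Production access; check group memberships when relying on this restriction."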

While this is probably a pretty pragmatic approach, I think a strict separation of roles would probably result in something like the following three roles:

Non-prod Admin Role
Production Change Proposal Role
Base Project Access Role

I don't think we really need to change it for now though.
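As an added illustration of the union semantics quoted above and of the _Developer Access_ role under discussion (example code, not Flagsmith's own; the scope tuples, permission strings, project name and the "Production Admin" group are constructed assumptions):

```python
# Added example (not Flagsmith code): models the additive RBAC semantics the
# quoted docs describe. Scope tuples, permission strings and names are constructed.
from dataclasses import dataclass, field

ADMIN = "Administrator"  # assumed: Administrator at a scope implies every permission there


@dataclass(frozen=True)
class Role:
    name: str
    grants: dict  # scope tuple -> frozenset of permission names


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)   # roles assigned directly
    groups: list = field(default_factory=list)  # each group is a list of Roles


def effective_permissions(user: User, scope: tuple) -> frozenset:
    """Union of every permission granted at `scope` by direct roles and group roles."""
    perms = set()
    for role in user.roles + [r for group in user.groups for r in group]:
        perms |= role.grants.get(scope, frozenset())
    return frozenset(perms)


def can(user: User, scope: tuple, permission: str) -> bool:
    perms = effective_permissions(user, scope)
    return ADMIN in perms or permission in perms


# The "Developer Access" role from the quoted docs (project name is constructed).
PROJECT = ("project", "Mobile App")
DEV = ("environment", "Mobile App", "Development")
STAGING = ("environment", "Mobile App", "Staging")
PROD = ("environment", "Mobile App", "Production")

developer_access = Role("Developer Access", {
    PROJECT: frozenset({"View project", "Create feature"}),
    DEV: frozenset({ADMIN}),
    STAGING: frozenset({ADMIN}),
    PROD: frozenset({"View environment", "Create change request"}),
})
prod_admin_group = [Role("Production Admin", {PROD: frozenset({ADMIN})})]

alice = User("alice", roles=[developer_access])
# bob holds the same role, but group membership adds Production admin via the union.
bob = User("bob", roles=[developer_access], groups=[prod_admin_group])
```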
