diff --git a/docs/admin/users/access-control.mdx b/docs/admin/users/access-control.mdx
new file mode 100644
index 00000000..88e3cc09
--- /dev/null
+++ b/docs/admin/users/access-control.mdx
@@ -0,0 +1,171 @@
+---
+title: "Access control"
+---
+
+import { OwnerBadge, AdminBadge, MemberBadge, ViewerBadge, OperatorBadge, ProvisionerBadge, PublisherBadge, GroupManagerBadge } from '/snippets/components/role-badges.jsx';
+
+There are two access control mechanisms for users in a workspace: **user types** and **roles**.
+
+## User types
+
+User types determine the broad access levels of a user. Below is a summary of the user types and their functions.
+
+ - complete control over the workspace; exactly one per workspace
+
+ - complete administrative and application access; is subordinate to the owner
+
+ - limited application access to the workspace with no administrative privileges
+
+Owners have unrestricted access to the workspace with the ability to execute any action. Administrators hold nearly the same access as owners, but are unable to escalate themselves to be the workspace owner.
+
+Members are the only user type that can be granted fine-grained access to the workspace through [roles](#roles). Administrators and owners cannot be given any roles since they already have complete access to the workspace.
+
+### Administrative privileges
+
+There are a variety of privileges which are only available to owners and administrators — no roles exist that can grant members these privileges:
+
+[API Keys](/admin/apikeys)
+- Create a new API key
+- Delete an API key
+
+[Groups](/learn/groups)
+- Create a group
+- Update a group
+- Delete a group
+- Move a device to a different group
+
+[Invites](/admin/users/invites)
+- Send an invite
+- Resend an invite
+- Revoke an invite
+
+[Members](/admin/users/manage)
+- Suspend a member
+- Update another member's role
+
+[Workspace](/admin/workspace)
+- Update the workspace
+
+## Roles
+
+While a user's type determines broad access and administrative capabilities, **roles** grant fine-grained access to the workspace. Because owners and admins already have full access to the workspace, roles can only be granted to members.
+
+A member's roles are defined in two independent sources:
+
+- **Workspace roles** apply across the entire workspace
+- **Group roles** apply to a [group](/learn/groups) and all of its subgroups
+
+A member can hold any combination of both. Permissions are always **additive** — Miru allows an action if any of the member's roles permit it, and one role never removes access granted by another.
+
+### Workspace roles
+
+A workspace role grants a member permissions across the **entire workspace**. Every member is at least a viewer, with read-only access to the entire application.
+
+Beyond viewer, the other roles permit write access to specific resources. A member can hold multiple workspace roles at once.
+
+#### Viewer
+
+Viewers hold read-only access to the entire application. It is not possible to restrict read access to specific resources.
+
+#### Operator
+
+The operator role allows members to deploy configurations to devices in the workspace. The operator role grants access to the following operations:
+
+[Config editor](/learn/devices/config-editor)
+
+- Deploy configurations to devices
+
+[Release staging area](/learn/releases/staging-area)
+
+- Stage a deployment
+- Patch a deployment
+- Review a deployment
+- Deploy a deployment
+- Archive a deployment
+
+#### Provisioner
+
+The provisioner role allows members to create and activate devices in the workspace. The provisioner role grants access to the following operations:
+
+[Manage devices](/learn/devices/manage)
+
+- Create a device
+- Edit a device
+- Delete a device
+
+[Provision devices](/learn/devices/provision/dashboard)
+
+- Provision a device
+- Reprovision a device
+
+#### Publisher
+
+The publisher role allows members to create and edit config types, schemas, and releases (all the resources needed to publish a release). The publisher role grants access to the following operations:
+
+[Config types](/learn/config-types)
+
+- Create a config type
+- Edit a config type
+
+[Config schemas](/learn/schemas/manage)
+
+- Create a config schema
+
+[Releases](/learn/releases/create)
+
+- Create a release
+- [Duplicate a release](/learn/releases/manage#duplicate-a-release)
+
+### Group roles
+
+A group role grants permissions inside one [group](/learn/groups) **and every group beneath it**. Because a device belongs to every group above it in the tree, a role granted on a group cascades down to all of its subgroups and devices.
+
+Group roles mirror the workspace roles, scoped to a single group. A member can hold multiple group roles at once.
+
+#### Viewer
+
+Viewers hold read-only access to all of the group's resources.
+
+#### Operator
+
+The operator role allows members to deploy configurations to devices in the group. The operator role grants access to the following operations:
+
+[Config editor](/learn/devices/config-editor)
+
+- Deploy configurations to devices
+
+[Release staging area](/learn/releases/staging-area)
+
+- Stage a deployment
+- Patch a deployment
+- Review a deployment
+- Deploy a deployment
+- Archive a deployment
+
+#### Provisioner
+
+The provisioner role allows members to create and activate devices in the group. The provisioner role grants access to the following operations:
+
+[Manage devices](/learn/devices/manage)
+
+- Create a device
+- Edit a device
+- Delete a device
+
+[Provision devices](/learn/devices/provision/dashboard)
+
+- Provision a device
+- Reprovision a device
+
+#### Manager
+
+The manager role allows members to manage a group's members, their grants, and its subgroups. It includes everything the operator and provisioner roles can do, along with the following operations:
+
+[Groups](/learn/groups)
+
+- Create a subgroup
+- Edit a group
+- Move a device
+- Delete a group
+
+A member's effective permissions are the union of their workspace roles and every group role they hold. For example, a member with the workspace viewer role plus the manager role on a `production` group can read everything in the workspace and fully manage `production` and all of its descendants.
diff --git a/docs/admin/users/overview.mdx b/docs/admin/users/overview.mdx
index 47738ed9..53233673 100644
--- a/docs/admin/users/overview.mdx
+++ b/docs/admin/users/overview.mdx
@@ -39,7 +39,7 @@ import UserDef from '/snippets/definitions/user.mdx';
- The user's [access role](/admin/users/roles) in the workspace.
+ The user's [access role](/admin/users/access-control) in the workspace.
Allowed values:
- `member`
diff --git a/docs/admin/users/roles.mdx b/docs/admin/users/roles.mdx
deleted file mode 100644
index 9a02bdcd..00000000
--- a/docs/admin/users/roles.mdx
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: "Roles"
----
-
-Roles are the access levels of a user in a workspace. Below is a summary of the roles and their permissions.
-
-| Role | Description |
-| -------- | ----------------------------------------------------------------------------------- |
-| `owner` | Complete control over the workspace; exactly one per workspace |
-| `admin` | Administrative and application access to the workspace; is subordinate to the owner |
-| `member` | Application access to the workspace, but no administrative privileges |
-
-### Admin permissions
-
-Owners and admins hold administrative privileges, granting them the following permissions, which are unavailable to members:
-
-**API Keys**
-- Create a new API key
-- Delete an existing API key
-
-**Groups**
-- Create a new group
-- Update an existing group
-- Delete an existing group
-- Move a device to a different group
-
-**Invites**
-- Send an invite
-- Resend an invite
-- Revoke an invite
-
-**Members**
-- Suspend a member
-- Update another member's role
-
-**Workspace**
-- Update the workspace
-
-Of course, owners have some special immunity from the above permissions to prevent unwanted privilege escalation:
-
-- Owners cannot be suspended
-- Owners cannot have their role changed by another user
-
-### Owner permissions
-
-A workspace must have exactly one owner. As such, owners cannot leave their workspace or be suspended.
-
-However, owners can transfer ownership to another member. Thus, in addition to the admin permissions above, owners also have a special permission for transferring workspace ownership to another member.
-
-### Member permissions
-
-Members hold application access to the workspace but no administrative privileges.
-
-We won't detail every permission here — suffice it to say, members can perform any action that is not administrative or owner-only. This includes creating devices, deploying configurations, etc.
diff --git a/docs/docs.json b/docs/docs.json
index b0557c34..589ba8d4 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -162,9 +162,9 @@
"group": "Users",
"pages": [
"admin/users/overview",
- "admin/users/roles",
"admin/users/invites",
"admin/users/profile",
+ "admin/users/access-control",
"admin/users/manage"
]
}
diff --git a/docs/snippets/components/role-badges.jsx b/docs/snippets/components/role-badges.jsx
index d1a06c06..4b55a2b1 100644
--- a/docs/snippets/components/role-badges.jsx
+++ b/docs/snippets/components/role-badges.jsx
@@ -3,21 +3,94 @@ export const OwnerBadge = ({ size = "md" }) => {
owner
);
};
+export const MemberBadge = ({ size = "md" }) => {
+ return (
+
+ member
+
+ );
+};
+
export const AdminBadge = ({ size = "md" }) => {
return (
admin
);
-};
\ No newline at end of file
+};
+
+export const GroupManagerBadge = ({ size = "md" }) => {
+ return (
+
+ group manager
+
+ );
+};
+
+export const PublisherBadge = ({ size = "md" }) => {
+ return (
+
+ publisher
+
+ );
+};
+
+export const ProvisionerBadge = ({ size = "md" }) => {
+ return (
+
+ provisioner
+
+ );
+};
+
+export const OperatorBadge = ({ size = "md" }) => {
+ return (
+
+ operator
+
+ );
+};
+
+export const ViewerBadge = ({ size = "md" }) => {
+ return (
+
+ viewer
+
+ );
+};
+
diff --git a/docs/snippets/components/users/roles.jsx b/docs/snippets/components/users/roles.jsx
index b83acabe..a11fda9c 100644
--- a/docs/snippets/components/users/roles.jsx
+++ b/docs/snippets/components/users/roles.jsx
@@ -1,18 +1,18 @@
export const ROLE_TOOLTIP = {
tip: "The access role of the user in the workspace.",
cta: "Learn more",
- href: "/admin/users/roles"
+ href: "/admin/users/access-control"
};
export const ADMIN_TOOLTIP = {
tip: "A user with administrative and application access to the workspace; subordinate to the owner.",
cta: "Learn more",
- href: "/admin/users/roles"
+ href: "/admin/users/access-control"
};
export const OWNER_TOOLTIP = {
tip: "A user with complete control over the workspace; exactly one per workspace.",
cta: "Learn more",
- href: "/admin/users/roles"
+ href: "/admin/users/access-control"
};
\ No newline at end of file