From 2bd0ae52059c43b3cd5a8818a55c21261eebba0a Mon Sep 17 00:00:00 2001 From: atovpeko Date: Fri, 6 Jun 2025 11:35:06 +0300 Subject: [PATCH 01/19] draft RBAC --- getting-started/run-queries-from-console.md | 2 +- integrations/cloudwatch.md | 2 +- integrations/datadog.md | 2 +- lambda/redirects.js | 4 + .../metrics-logging/aws-cloudwatch.md | 2 +- use-timescale/metrics-logging/datadog.md | 2 +- use-timescale/page-index/page-index.js | 20 ++-- use-timescale/security/index.md | 9 +- use-timescale/security/ip-allow-list.md | 2 +- use-timescale/{ => security}/members.md | 98 +++++++++++++------ use-timescale/security/overview.md | 4 + use-timescale/security/read-only-role.md | 23 ++--- use-timescale/security/vpc.md | 2 +- 13 files changed, 109 insertions(+), 63 deletions(-) rename use-timescale/{ => security}/members.md (51%) diff --git a/getting-started/run-queries-from-console.md b/getting-started/run-queries-from-console.md index 48aafbd244..3532c3a47a 100644 --- a/getting-started/run-queries-from-console.md +++ b/getting-started/run-queries-from-console.md @@ -258,7 +258,7 @@ To use $SQL_EDITOR: [portal-data-mode]: https://console.cloud.timescale.com/dashboard/services?popsql [portal-ops-mode]: https://console.cloud.timescale.com/dashboard/services [pricing-plan-features]: https://www.timescale.com/pricing#features -[project-members]: /use-timescale/:currentVersion:/members/ +[project-members]: /use-timescale/:currentVersion:/security/members/ [query-variables]: https://docs.popsql.com/docs/query-variables [read-replica]: /use-timescale/:currentVersion:/ha-replicas/read-scaling/ [run-popsql]: /getting-started/:currentVersion:/run-queries-from-console/#data-mode diff --git a/integrations/cloudwatch.md b/integrations/cloudwatch.md index e33ed768db..ba0b58a60e 100644 --- a/integrations/cloudwatch.md +++ b/integrations/cloudwatch.md 
@@ -33,7 +33,7 @@ tool. You create an exporter on the [project level][projects], in the same AWS r -[projects]: /use-timescale/:currentVersion:/members/ +[projects]: /use-timescale/:currentVersion:/security/members/ [pricing-plan-features]: /about/:currentVersion:/pricing-and-account-management/#features-included-in-each-plan [cloudwatch]: https://aws.amazon.com/cloudwatch/ [cloudwatch-signup]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/GettingSetup.html diff --git a/integrations/datadog.md b/integrations/datadog.md index 0765975c5f..964795d700 100644 --- a/integrations/datadog.md +++ b/integrations/datadog.md @@ -141,7 +141,7 @@ comprehensive list of [metrics][datadog-postgres-metrics] collected. [datadog-monitor-cloud]: /integrations/:currentVersion:/datadog/#monitor-timescale-cloud-service-metrics-with-datadog [datadog-agent]: /integrations/:currentVersion:/datadog/#configure-datadog-agent-to-collect-metrics-for-your-timescale-cloud-services [datadog-agent-restart]: https://docs.datadoghq.com/agent/configuration/agent-commands/#start-stop-and-restart-the-agent -[projects]: /use-timescale/:currentVersion:/members/ +[projects]: /use-timescale/:currentVersion:/security/members/ [datadog-api-key]: https://docs.datadoghq.com/account_management/api-app-keys/#add-an-api-key-or-client-token [pricing-plan-features]: /about/:currentVersion:/pricing-and-account-management/#features-included-in-each-plan [run-queries]: /getting-started/:currentVersion:/run-queries-from-console/ diff --git a/lambda/redirects.js b/lambda/redirects.js index 0ec5952069..9aaf7b44c8 100644 --- a/lambda/redirects.js +++ b/lambda/redirects.js @@ -1053,4 +1053,8 @@ module.exports = [ from: '/use-timescale/latest/metrics-logging/insights/', to: 'https://docs.tigerdata.com/use-timescale/latest/metrics-logging/monitoring/#insights', } + { + from: '/use-timescale/latest/members/', + to: 'https://docs.tigerdata.com/use-timescale/latest/security/members/', + } ]; 
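Review bot: In the lambda/redirects.js hunk the new redirect object is placed directly after the `}` that closes the previous entry with no separating comma, so the array becomes `[ … } { … } ]` and the file no longer parses; the `/use-timescale/latest/members/` redirect that the rename depends on would presumably never be served, along with every other entry in the table. Change the context line `  }` to `  },` so the two entries are separated; the new object can keep the comma-free `}` before `];` to match the existing last entry. The `module.exports` array starts well outside the hunk.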
diff --git a/use-timescale/metrics-logging/aws-cloudwatch.md b/use-timescale/metrics-logging/aws-cloudwatch.md index a4b4588c47..6c155ee5fe 100644 --- a/use-timescale/metrics-logging/aws-cloudwatch.md +++ b/use-timescale/metrics-logging/aws-cloudwatch.md @@ -41,4 +41,4 @@ This section shows you how to attach, monitor, edit, and delete a data exporter. [console-services]: https://console.cloud.timescale.com/dashboard/services [services-portal]: https://console.cloud.timescale.com/dashboard/services [pricing-plan-features]: /about/:currentVersion:/pricing-and-account-management/#features-included-in-each-plan -[projects]: /use-timescale/:currentVersion:/members/ \ No newline at end of file +[projects]: /use-timescale/:currentVersion:/security/members/ \ No newline at end of file diff --git a/use-timescale/metrics-logging/datadog.md b/use-timescale/metrics-logging/datadog.md index 511c8f6483..431551cfee 100644 --- a/use-timescale/metrics-logging/datadog.md +++ b/use-timescale/metrics-logging/datadog.md @@ -42,4 +42,4 @@ This section shows you how to attach, monitor, edit, and delete a data exporter. [console-services]: https://console.cloud.timescale.com/dashboard/services [services-portal]: https://console.cloud.timescale.com/dashboard/services [pricing-plan-features]: /about/:currentVersion:/pricing-and-account-management/#features-included-in-each-plan -[projects]: /use-timescale/:currentVersion:/members/ +[projects]: /use-timescale/:currentVersion:/security/members/ diff --git a/use-timescale/page-index/page-index.js b/use-timescale/page-index/page-index.js index 23d80e90f6..2c1b9ecc1b 100644 --- a/use-timescale/page-index/page-index.js +++ b/use-timescale/page-index/page-index.js @@ -173,11 +173,6 @@ module.exports = [ }, ], }, - { - title: "Control user access to Tiger Cloud projects", - href: "members", - excerpt: "User management in Tiger Cloud", - }, { title: "Write data", href: "write-data", 
@@ -701,6 +696,16 @@ module.exports = [ href: "overview", excerpt: "Get an overview of Tiger Cloud security", }, + { + title: "Role-based access to Tiger Cloud projects", + href: "members", + excerpt: "User role management in Tiger Cloud", + }, + { + title: "Role-based access to your data", + href: "read-only-role", + excerpt: "Restrict access to your data", + }, { title: "SAML authentication", href: "saml", @@ -717,11 +722,6 @@ module.exports = [ excerpt: "Client credentials to programmatically access your Tiger Cloud account", }, - { - title: "Read only role", - href: "read-only-role", - excerpt: "Create a read-only role to access your database", - }, { title: "Connect with a stricter SSL mode", href: "strict-ssl", diff --git a/use-timescale/security/index.md b/use-timescale/security/index.md index 25bc25b8f2..3c5ed2e58a 100644 --- a/use-timescale/security/index.md +++ b/use-timescale/security/index.md @@ -7,13 +7,13 @@ keywords: [security] # Security -Learn how your $SERVICE_LONG is secured to protect your data and -privacy. +Learn how $CLOUD_LONG protects your data and privacy. * Learn about [security in $CLOUD_LONG][overview] +* Restrict access to your [$PROJECT_SHORT][console-rbac] +* Restrict access to your [data][read-only] * Set up [multifactor][mfa] and [SAML][saml] authentication * Generate multiple [client credentials][client-credentials] instead of using your username and password -* Grant [read-only access][read-only] to your data * Connect with a [stricter SSL mode][ssl] * Secure your $SERVICE_SHORTs with [VPC peering][vpc-peering] * Connect to your $SERVICE_SHORTs from any cloud with [AWS Transit Gateway][transit-gateway] 
@@ -27,4 +27,5 @@ privacy. [read-only]: /use-timescale/:currentVersion:/security/read-only-role/ [vpc-peering]: /use-timescale/:currentVersion:/security/vpc/ [ip-allowlist]: /use-timescale/:currentVersion:/security/ip-allow-list/ -[transit-gateway]: /use-timescale/:currentVersion:/security/transit-gateway/ \ No newline at end of file +[transit-gateway]: /use-timescale/:currentVersion:/security/transit-gateway/ +[console-rbac]: /use-timescale/:currentVersion:/security/members/ \ No newline at end of file diff --git a/use-timescale/security/ip-allow-list.md b/use-timescale/security/ip-allow-list.md index 2f24cc514f..f10f32c6c3 100644 --- a/use-timescale/security/ip-allow-list.md +++ b/use-timescale/security/ip-allow-list.md @@ -75,7 +75,7 @@ You have successfully added an IP allow list for querying your $SERVICE_SHORT in [console]: https://console.cloud.timescale.com/dashboard/ [pricing-plans]: /about/:currentVersion:/pricing-and-account-management/ [vpc-peering]: /use-timescale/:currentVersion:/security/vpc/ -[members]: /use-timescale/:currentVersion:/members/ +[members]: /use-timescale/:currentVersion:/security/members/ [modes]: /getting-started/:currentVersion:/services/ diff --git a/use-timescale/members.md b/use-timescale/security/members.md similarity index 51% rename from use-timescale/members.md rename to use-timescale/security/members.md index e3f4eb44b0..ca88916365 100644 --- a/use-timescale/members.md +++ b/use-timescale/security/members.md @@ -1,6 +1,6 @@ --- -title: User management -excerpt: Manage your projects in Tiger Cloud Console. Add and delete users, join and leave projects, transfer project ownership, and configure authentication +title: Role-based access to Tiger Cloud projects +excerpt: Manage your projects and services in Tiger Cloud Console. Add and delete users, assign roles, join and leave projects, transfer project ownership, and configure authentication products: [cloud] keywords: [members, projects, admin, roles] tags: [users] 
@@ -9,18 +9,24 @@ cloud_ui: - [members] --- -# Control user access to $PROJECT_LONGs +# Role-based access to $PROJECT_LONGs -When you sign up for a [30-day free trial][sign-up], $CLOUD_LONG creates a $PROJECT_SHORT for you, and -you are assigned the `Owner` role for the $PROJECT_SHORT. As the $PROJECT_SHORT owner, you have rights to -add and delete other users, and edit $PROJECT_SHORT settings. Users that you add to the $PROJECT_SHORT are -assigned the `Member` role. Members have rights to collaborate with you on your $PROJECT_SHORT, and help -create and administer the $SERVICE_SHORTs running in the $PROJECT_SHORT. +When you sign up for a [30-day free trial][sign-up], $CLOUD_LONG creates a $PROJECT_SHORT with built-in role-based access. This includes the following roles: -![Project users in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-users-overview.png) +- `Owner`: $CLOUD_LONG assigns this role to you when creating your $PROJECT_SHORT. As the `Owner`, you have the full scope of rights to add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings. +- `Admin`: the `Owner` can assign this role to other users in the $PROJECT_SHORT. A user with the `Admin` role has the same scope of rights as the `Owner` but cannot transfer project ownership. +- `Viwer`: the `Owner` and `Admin` can assign this role to other users in the $PROJECT_SHORT. A user with the `Viewer` role has limited, read-only access to $CONSOLE_LONG. This means that a `Viewer` cannot modify $SERVICE_SHORTs and their configurations in any way. A `Viewer` has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR. -If you have the [Enterprise pricing plan][pricing-plans], you can use your company [SAML][saml] -identity provider to log in to $CONSOLE. 
+![Project users in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-project-users-overview.png) + +If you have the [$ENTERPRISE $PRICING_PLAN][pricing-plans], you can use your company [SAML][saml] +identity provider to log in to $CONSOLE_SHORT. + + + +The user roles for administering $SERVICE_SHORTs in $CONSOLE_LONG and managing data in the underlying database do not overlap. This page describes the user roles available in $CONSOLE_SHORT. For the database-level user roles, see [Role-based access to your data][database-rbac]. + + ## Add a user to your $PROJECT_SHORT @@ -33,13 +39,14 @@ To add a user to a $PROJECT_SHORT: 1. In [$CONSOLE][cloud-login], click `Invite users`, then click `Add new user`. - ![Send a user invitation in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-add-users.png) -1. Type the email address of the person that you want to add, and click `Add +1. Type the email address of the person that you want to add, select their role, and click `Add user`. - [Enterprise plan][pricing-plans] and SAML users receive a notification in $CONSOLE. Users in the - other pricing plans receive a confirmation email. The new user then [joins the $PROJECT_SHORT][join-a-project]. + ![Send a user invitation in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-add-new-user.png) + + [$ENTERPRISE $PRICING_PLAN][pricing-plans] and SAML users receive a notification in $CONSOLE_SHORT. Users in the + other $PRICING_PLANs receive a confirmation email. The new user then [joins the $PROJECT_SHORT][join-a-project]. 
@@ -49,14 +56,14 @@ When you are asked to join a $PROJECT_SHORT, the $CONSOLE sends you an invitatio instructions in the invitation email to join the $PROJECT_SHORT: - **New $CLOUD_LONG user**: - 1. In the invitation email, click **Accept Invite**. + 1. In the invitation email, click `Accept Invite`. $CLOUD_LONG opens. 2. Follow the setup wizard and create a new $ACCOUNT_SHORT. You are added to the $PROJECT_SHORT you were invited to. - **Existing $CLOUD_LONG user**: - 1. In the invitation email, click **Accept Invite**. + 1. In the invitation email, click `Accept Invite`. $CONSOLE_LONG opens and you are added to the $PROJECT_SHORT. @@ -75,9 +82,11 @@ $PROJECT_SHORT_CAP invitations are valid for 7 days. To resend a $PROJECT_SHORT 1. In [$CONSOLE][cloud-login], click `Invite users`. - ![Resend a user invitation $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-resend-invitation.png) + 1. Next to the person you want to invite to your $PROJECT_SHORT, click `Resend invitation`. + ![Resend a user invitation in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-resend-user-invitation.png) + ## Change the current $PROJECT_SHORT @@ -86,9 +95,11 @@ To change the $PROJECT_SHORT you are currently working in: -1. In [$CONSOLE][cloud-login], click `Tiger Cloud Project`, then `Current project`. +1. In [$CONSOLE][cloud-login], click the $PROJECT_SHORT name > `Current project` in the top left. + ![Change project in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-change-project.png) -2. Select the $PROJECT_SHORT you want to use. + +1. Select the $PROJECT_SHORT you want to use. You can now manage the users and $SERVICE_SHORTs in this $PROJECT_SHORT. 
@@ -96,7 +107,7 @@ You can now manage the users and $SERVICE_SHORTs in this $PROJECT_SHORT. ## Transfer $PROJECT_SHORT ownership -Each $PROJECT_SHORT in $CONSOLE has one `owner`. As the $PROJECT_SHORT owner, you have rights to +Each $PROJECT_SHORT in $CONSOLE has one `Owner`. As the $PROJECT_SHORT owner, you have rights to add and delete users, edit $PROJECT_SHORT settings, and transfer the owner role to another user. When you transfer ownership to another user, you lose your ownership rights. @@ -105,11 +116,15 @@ To transfer $PROJECT_SHORT ownership: 1. In [$CONSOLE][cloud-login], click `Invite users`. -2. Next to the person you want to transfer project ownership to, click `⋮` > `Transfer project ownership`. - ![Transfer project ownership in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-transfer-project-ownership.png) + +1. Next to the person you want to transfer project ownership to, click `⋮` > `Transfer project ownership`. + + ![Transfer project ownership in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-transfer-project-ownership.png) + If you are unable to transfer ownership, hover over the greyed out button to see the details. -3. Enter your password, and click `Verify`. -4. Complete the two-factor authentication challenge and click `Confirm`. + +1. Enter your password, and click `Verify`. +1. Complete the two-factor authentication challenge and click `Confirm`. 
@@ -125,13 +140,34 @@ To stop working in a $PROJECT_SHORT: 1. In [$CONSOLE][cloud-login], click `Invite users`. + 1. Click `⋮` > `Leave project`, then click `Leave`. - ![Leave a project in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-leave-a-project.png) + + ![Leave a project in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-leave-a-project.png) Your $ACCOUNT_SHORT is removed from the $PROJECT_SHORT immediately, you can no longer access this $PROJECT_SHORT. +## Change roles of other users in a $PROJECT_SHORT + +The `Owner` can change the roles of all other users in the $PROJECT_SHORT. An `Admin` can change the roles of other users from `Viewer` to `Admin`. + + +To change another user's role: + + + +1. In [$CONSOLE][cloud-login], click `Invite users`. + +1. Next to the corresponding user, select another role in the dropdown. + + ![Change user role in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-change-user-role.png) + +The user role is changed immediately. + + + ## Remove users from a $PROJECT_SHORT To remove a user's access to a $PROJECT_SHORT: @@ -140,7 +176,7 @@ To remove a user's access to a $PROJECT_SHORT: 1. In [$CONSOLE][cloud-login], click `Invite users`. 1. Next to the person you want to remove, click `⋮` > `Remove`. - ![Remove user in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-transfer-project-ownership.png) + ![Remove user in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-remove-user-access.png) 1. In `Remove user`, click `Remove`. The user is deleted immediately, they can no longer access your $PROJECT_SHORT. 
@@ -151,9 +187,9 @@ The user is deleted immediately, they can no longer access your $PROJECT_SHORT. [cloud-login]: https://console.cloud.timescale.com/ [saml]: /use-timescale/:currentVersion:/security/saml/ [2fa]: /use-timescale/:currentVersion:/security/multi-factor-authentication/ -[cloud-login]: https://console.cloud.timescale.com/ [sign-up]: https://console.cloud.timescale.com/ [pricing-plans]: /about/:currentVersion:/pricing-and-account-management/ -[join-a-project]: /use-timescale/:currentVersion:/members/#join-a-project -[change-project]: /use-timescale/:currentVersion:/members/#change-the-current-project -[saml]: https://en.wikipedia.org/wiki/SAML_2.0 \ No newline at end of file +[join-a-project]: /use-timescale/:currentVersion:/security/members/#join-a-project +[change-project]: /use-timescale/:currentVersion:/security/members/#change-the-current-project +[saml]: https://en.wikipedia.org/wiki/SAML_2.0 +[database-rbac]: /use-timescale/:currentVersion:/security/read-only-role/ \ No newline at end of file diff --git a/use-timescale/security/overview.md b/use-timescale/security/overview.md index a1ba1b183c..c2aa10078c 100644 --- a/use-timescale/security/overview.md +++ b/use-timescale/security/overview.md @@ -17,6 +17,10 @@ $COMPANY products do not have any identified weaknesses. This page lists the additional things we do to ensure operational security and to lock down $SERVICE_LONGs. To see our security features at a glance, see [$COMPANY Security][security-at-timescale]. +## Role-based access + +$CLOUD_LONG provides role-based access to your $SERVICE_SHORT administration and data. In $CONSOLE_LONG, users with the `Owner`, `Admin`, and `Viewer` roles have different permissions to create and modify $SERVICE_SHORTs. On the database level, you can create other roles on top of the automatically created `tsdbadmin` role to restrict access to your data. + ## Data encryption Your data on $CLOUD_LONG is encrypted both in transit and at rest. Both active 
diff --git a/use-timescale/security/read-only-role.md b/use-timescale/security/read-only-role.md index 2f395ab38f..b35f74280c 100644 --- a/use-timescale/security/read-only-role.md +++ b/use-timescale/security/read-only-role.md 
@@ -1,20 +1,20 @@ --- -title: Read-only role -excerpt: Tiger Cloud includes different levels of access to your services and data for enhanced security. Learn how to grant read-only access to your data +title: Role-based access to your data +excerpt: Learn about the available user roles to access data in your database products: [cloud] keywords: [client credentials, accounts, users, members, read-only, security] tags: [authentication, credentials, members, security] --- -# Read-only user +# Role-based access to your data -You can create a role that provides read-only access to your database. +When you create a $SERVICE_SHORT, $CLOUD_LONG assigns you the `tsdmadmin` role. This role has the full scope of permissions to modify data in your $SERVICE_SHORT, but it is not a superuser. $CLOUD_LONG does not provide superuser access. + +As `tsdmadmin`, you can use standard $PG means to create other roles or assign individual permissions. This page explains how to create a read-only role for your database. Note that adding a read-only role does not provide resource isolation. If you want to restrict the access of a read-only user, as well as isolate resources, you can create a read replica instead. For more information, see [Read scaling][read-scaling]. -Adding a read-only user role to your database does not provide resource -isolation. If you want to restrict the access of a read-only user, as well as isolate resources, you can create a read replica instead. For more information, see the -[read scaling](/use-timescale/latest/ha-replicas/read-scaling/) section. +The user roles for managing data in the underlying database and administering $SERVICE_SHORTs in $CONSOLE_LONG do not overlap. This page describes the user roles on the database level. For user roles available in $CONSOLE_SHORT, see [Role-based access to Tiger Cloud projects][console-rbac]. 
@@ -24,11 +24,9 @@ You can create a read-only user to provide limited access to your database. -### Creating a read-only user - -1. Connect to your database as the `tsdbadmin` user. +1. Connect to your $SERVICE_SHORT as the `tsdbadmin` user. -1. At the psql prompt, create the new role: +1. Create the new role: ```sql CREATE ROLE readaccess; @@ -60,3 +58,6 @@ You can create a read-only user to provide limited access to your database. ``` + +[console-rbac]: /use-timescale/:currentVersion:/security/members/ +[read-scaling]: /use-timescale/:currentVersion:/ha-replicas/read-scaling/ diff --git a/use-timescale/security/vpc.md b/use-timescale/security/vpc.md index f867e2b229..d3046b683f 100644 --- a/use-timescale/security/vpc.md +++ b/use-timescale/security/vpc.md @@ -228,4 +228,4 @@ some time for DNS propagation. [aws-vpc-connect-vpcs]: /use-timescale/:currentVersion:/security/vpc/#attach-a-timescale-service-to-the-peering-vpc [create-service]: /getting-started/:currentVersion:/services/#create-a-timescale-cloud-service [pricing-plans]: /about/:currentVersion:/pricing-and-account-management/ -[project-members]: /use-timescale/:currentVersion:/members/ +[project-members]: /use-timescale/:currentVersion:/security/members/ From 2194aae8ff77b7157c05885f5de44cac7b493fd2 Mon Sep 17 00:00:00 2001 From: atovpeko Date: Wed, 25 Jun 2025 10:40:40 +0300 Subject: [PATCH 02/19] draft RBAC --- about/pricing-and-account-management.md | 1 + 1 file changed, 1 insertion(+) diff --git a/about/pricing-and-account-management.md b/about/pricing-and-account-management.md index 79025ee6a0..8f537fa0ae 100644 --- a/about/pricing-and-account-management.md +++ b/about/pricing-and-account-management.md 
@@ -160,6 +160,7 @@ The features included in each [$PRICING_PLAN][pricing-plans] are: | Performance insights | ✓ | ✓ | ✓ | | Metrics and log exporters | | ✓ | ✓ | | **Security and compliance** | | | | +| Role-based access | ✓ | ✓ | ✓ | | End-to-end encryption | ✓ | ✓ | ✓ | | Private Networking (VPC) | 1 multi-attach VPC | Unlimited multi-attach VPCs | Unlimited multi-attach VPCs | | AWS Transit Gateway | | ✓ | ✓ | From cc823366909f9bf1c8ea88a48eda23d7f9743f1b Mon Sep 17 00:00:00 2001 From: atovpeko Date: Wed, 25 Jun 2025 10:42:16 +0300 Subject: [PATCH 03/19] draft RBAC --- use-timescale/security/members.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md index ca88916365..d9abf690bc 100644 --- a/use-timescale/security/members.md +++ b/use-timescale/security/members.md @@ -151,8 +151,7 @@ Your $ACCOUNT_SHORT is removed from the $PROJECT_SHORT immediately, you can no l ## Change roles of other users in a $PROJECT_SHORT -The `Owner` can change the roles of all other users in the $PROJECT_SHORT. An `Admin` can change the roles of other users from `Viewer` to `Admin`. - +The `Owner` can change the roles of all other users in the $PROJECT_SHORT. An `Admin` can change the roles of other users except the `Owner`. To change another user's role: From adf75277eca8b33c7726e8c61c8d18ce0437b130 Mon Sep 17 00:00:00 2001 From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> Date: Thu, 26 Jun 2025 13:52:18 +0300 Subject: [PATCH 04/19] Update use-timescale/security/members.md Co-authored-by: Iain Cox Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> --- use-timescale/security/members.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md index d9abf690bc..cd3cac547c 100644 --- a/use-timescale/security/members.md +++ b/use-timescale/security/members.md 
@@ -13,7 +13,7 @@ cloud_ui: When you sign up for a [30-day free trial][sign-up], $CLOUD_LONG creates a $PROJECT_SHORT with built-in role-based access. This includes the following roles: -- `Owner`: $CLOUD_LONG assigns this role to you when creating your $PROJECT_SHORT. As the `Owner`, you have the full scope of rights to add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings. +- `Owner`: $CLOUD_LONG assigns this role to you when your $PROJECT_SHORT is created. As Owner, you can add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings. - `Admin`: the `Owner` can assign this role to other users in the $PROJECT_SHORT. A user with the `Admin` role has the same scope of rights as the `Owner` but cannot transfer project ownership. - `Viwer`: the `Owner` and `Admin` can assign this role to other users in the $PROJECT_SHORT. A user with the `Viewer` role has limited, read-only access to $CONSOLE_LONG. This means that a `Viewer` cannot modify $SERVICE_SHORTs and their configurations in any way. A `Viewer` has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR. From 1ba793b72e65dd7eba821c9735bab752f605f3c3 Mon Sep 17 00:00:00 2001 From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> Date: Thu, 26 Jun 2025 13:55:24 +0300 Subject: [PATCH 05/19] Update use-timescale/security/members.md Co-authored-by: Iain Cox Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> --- use-timescale/security/members.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md index cd3cac547c..6181d86471 100644 --- a/use-timescale/security/members.md +++ b/use-timescale/security/members.md 
@@ -14,7 +14,7 @@ cloud_ui: When you sign up for a [30-day free trial][sign-up], $CLOUD_LONG creates a $PROJECT_SHORT with built-in role-based access. This includes the following roles: - `Owner`: $CLOUD_LONG assigns this role to you when your $PROJECT_SHORT is created. As Owner, you can add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings. -- `Admin`: the `Owner` can assign this role to other users in the $PROJECT_SHORT. A user with the `Admin` role has the same scope of rights as the `Owner` but cannot transfer project ownership. +- `Admin`: the Owner assigns this role to other users in the $PROJECT_SHORT. A user with the `Admin` role has the same scope of rights as the `Owner` but cannot transfer project ownership. - `Viwer`: the `Owner` and `Admin` can assign this role to other users in the $PROJECT_SHORT. A user with the `Viewer` role has limited, read-only access to $CONSOLE_LONG. This means that a `Viewer` cannot modify $SERVICE_SHORTs and their configurations in any way. A `Viewer` has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR. ![Project users in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-project-users-overview.png) From 2b97625fa4d8c6787dc6806a30314d4e33b672ef Mon Sep 17 00:00:00 2001 From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> Date: Thu, 26 Jun 2025 13:55:44 +0300 Subject: [PATCH 06/19] Update use-timescale/security/members.md Co-authored-by: Iain Cox Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> --- use-timescale/security/members.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md index 6181d86471..7e4fba251c 100644 --- a/use-timescale/security/members.md +++ b/use-timescale/security/members.md 
@@ -15,7 +15,7 @@ When you sign up for a [30-day free trial][sign-up], $CLOUD_LONG creates a $PROJ - `Owner`: $CLOUD_LONG assigns this role to you when your $PROJECT_SHORT is created. As Owner, you can add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings. - `Admin`: the Owner assigns this role to other users in the $PROJECT_SHORT. A user with the `Admin` role has the same scope of rights as the `Owner` but cannot transfer project ownership. -- `Viwer`: the `Owner` and `Admin` can assign this role to other users in the $PROJECT_SHORT. A user with the `Viewer` role has limited, read-only access to $CONSOLE_LONG. This means that a `Viewer` cannot modify $SERVICE_SHORTs and their configurations in any way. A `Viewer` has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR. +- `Viewer`: the Owner and Admin assign this role to other users in the $PROJECT_SHORT. A Viewer has limited, read-only access to $CONSOLE_LONG. This means that a Viewer cannot modify $SERVICE_SHORTs and their configurations in any way. A Viewer has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR. ![Project users in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-project-users-overview.png) From 8e2eb03ee32d46d621ab47f87976b0e92601d9cc Mon Sep 17 00:00:00 2001 From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> Date: Thu, 26 Jun 2025 14:43:45 +0300 Subject: [PATCH 07/19] Update use-timescale/security/members.md Co-authored-by: Iain Cox Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com> --- use-timescale/security/members.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md index 7e4fba251c..70a5251a05 100644 --- a/use-timescale/security/members.md +++ b/use-timescale/security/members.md 
@@ -24,7 +24,7 @@ identity provider to log in to $CONSOLE_SHORT.
 
 
 
-The user roles for administering $SERVICE_SHORTs in $CONSOLE_LONG and managing data in the underlying database do not overlap. This page describes the user roles available in $CONSOLE_SHORT. For the database-level user roles, see [Role-based access to your data][database-rbac].
+$PROJECT_LONG RBAC roles do not overlap with database-level roles for the individual $SERVICE_SHORTs in your $PROJECT_SHORT. This page describes the user roles available in $CONSOLE_SHORT. For the database-level user roles, see [Manage database level user roles][database-rbac].
 
 
 
From 0d217aefc2b8ad305d25149f8de1821edaf744f0 Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:44:02 +0300
Subject: [PATCH 08/19] Update use-timescale/security/members.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index 70a5251a05..a45aa21514 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -89,7 +89,7 @@ $PROJECT_SHORT_CAP invitations are valid for 7 days. To resend a $PROJECT_SHORT
 
 
 
-## Change the current $PROJECT_SHORT
+## Change your current $PROJECT_SHORT
 
 To change the $PROJECT_SHORT you are currently working in:
 
From 8c7ef5920a916693ed8e0d56078ed6b59092ac6d Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:44:09 +0300
Subject: [PATCH 09/19] Update use-timescale/security/read-only-role.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/read-only-role.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/read-only-role.md b/use-timescale/security/read-only-role.md
index b35f74280c..6592a61477 100644
--- a/use-timescale/security/read-only-role.md
+++ b/use-timescale/security/read-only-role.md
@@ -8,7 +8,7 @@ tags: [authentication, credentials, members, security]
 
 # Role-based access to your data
 
-When you create a $SERVICE_SHORT, $CLOUD_LONG assigns you the `tsdmadmin` role. This role has the full scope of permissions to modify data in your $SERVICE_SHORT, but it is not a superuser. $CLOUD_LONG does not provide superuser access.
+When you create a $SERVICE_SHORT, $CLOUD_LONG assigns you the tsdmadmin role. This role has full permissions to modify data in your $SERVICE_SHORT. However, $CLOUD_LONG does not provide superuser access. tsdmadmin is not a superuser.
 
 As `tsdmadmin`, you can use standard $PG means to create other roles or assign individual permissions. This page explains how to create a read-only role for your database. Note that adding a read-only role does not provide resource isolation. If you want to restrict the access of a read-only user, as well as isolate resources, you can create a read replica instead. For more information, see [Read scaling][read-scaling].
 
From 6a29c27705018c1a01c5f0832af3ff856e91c4e4 Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:44:18 +0300
Subject: [PATCH 10/19] Update use-timescale/security/read-only-role.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/read-only-role.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/read-only-role.md b/use-timescale/security/read-only-role.md
index 6592a61477..9cb2878dd1 100644
--- a/use-timescale/security/read-only-role.md
+++ b/use-timescale/security/read-only-role.md
@@ -10,7 +10,7 @@ tags: [authentication, credentials, members, security]
 
 When you create a $SERVICE_SHORT, $CLOUD_LONG assigns you the tsdmadmin role. This role has full permissions to modify data in your $SERVICE_SHORT. However, $CLOUD_LONG does not provide superuser access. tsdmadmin is not a superuser.
 
-As `tsdmadmin`, you can use standard $PG means to create other roles or assign individual permissions. This page explains how to create a read-only role for your database. Note that adding a read-only role does not provide resource isolation. If you want to restrict the access of a read-only user, as well as isolate resources, you can create a read replica instead. For more information, see [Read scaling][read-scaling].
+As tsdmadmin, you can use standard $PG means to create other roles or assign individual permissions. This page shows you how to create a read-only role for your database. Adding a read-only role does not provide resource isolation. To restrict the access of a read-only user, as well as isolate resources, create a [read replica][read-scaling] instead.
 
 
 
From 6b6e0dc908852269988cc1f625abdcc95689904d Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:44:42 +0300
Subject: [PATCH 11/19] Update use-timescale/security/members.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index a45aa21514..fc1644ff80 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -107,7 +107,7 @@ You can now manage the users and $SERVICE_SHORTs in this $PROJECT_SHORT.
 
 ## Transfer $PROJECT_SHORT ownership
 
-Each $PROJECT_SHORT in $CONSOLE has one `Owner`. As the $PROJECT_SHORT owner, you have rights to
+Each $PROJECT_LONG has one Owner. As the $PROJECT_SHORT Owner, you have rights to
 add and delete users, edit $PROJECT_SHORT settings, and transfer the owner role to another user. When you transfer
 ownership to another user, you lose your ownership rights.
 
From fe9989bde8b8f30eb8f53c006eaf5fd477c2c639 Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:46:19 +0300
Subject: [PATCH 12/19] Update use-timescale/security/members.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index fc1644ff80..dc01243701 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -108,7 +108,7 @@ You can now manage the users and $SERVICE_SHORTs in this $PROJECT_SHORT.
 ## Transfer $PROJECT_SHORT ownership
 
 Each $PROJECT_LONG has one Owner. As the $PROJECT_SHORT Owner, you have rights to
-add and delete users, edit $PROJECT_SHORT settings, and transfer the owner role to another user. When you transfer
+add and delete users, edit $PROJECT_SHORT settings, and transfer the Owner role to another user. When you transfer
 ownership to another user, you lose your ownership rights.
 
 To transfer $PROJECT_SHORT ownership:
From 09fe50354adbc51216883b6b50aaac08fcb28c90 Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:46:42 +0300
Subject: [PATCH 13/19] Update use-timescale/security/members.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index dc01243701..3be74dc443 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -151,7 +151,7 @@ Your $ACCOUNT_SHORT is removed from the $PROJECT_SHORT immediately, you can no l
 
 ## Change roles of other users in a $PROJECT_SHORT
 
-The `Owner` can change the roles of all other users in the $PROJECT_SHORT. An `Admin` can change the roles of other users except the `Owner`.
+The Owner can change the roles of all users in the $PROJECT_SHORT. An Admin can change the roles of all users other than the Owner.
 
 To change another user's role:
 
From 815f973ed6c479b41bce5f01f08af78d7ca22551 Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:46:59 +0300
Subject: [PATCH 14/19] Update use-timescale/security/members.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index 3be74dc443..55690eb95d 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -153,7 +153,7 @@ Your $ACCOUNT_SHORT is removed from the $PROJECT_SHORT immediately, you can no l
 
 The Owner can change the roles of all users in the $PROJECT_SHORT. An Admin can change the roles of all users other than the Owner.
 
-To change another user's role:
+To change the role for another user:
 
 
 
From 96ba4a776b09f7572dcd14024f0086e2a34a9c04 Mon Sep 17 00:00:00 2001
From: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
Date: Thu, 26 Jun 2025 14:47:21 +0300
Subject: [PATCH 15/19] Update use-timescale/security/overview.md

Co-authored-by: Iain Cox
Signed-off-by: Anastasiia Tovpeko <114177030+atovpeko@users.noreply.github.com>
---
 use-timescale/security/overview.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/use-timescale/security/overview.md b/use-timescale/security/overview.md
index 655f236e0c..9b70c4d6bd 100644
--- a/use-timescale/security/overview.md
+++ b/use-timescale/security/overview.md
@@ -19,7 +19,12 @@ To see our security features at a glance, see [$COMPANY Security][security-at-ti
 
 ## Role-based access
 
-$CLOUD_LONG provides role-based access to your $SERVICE_SHORT administration and data. In $CONSOLE_LONG, users with the `Owner`, `Admin`, and `Viewer` roles have different permissions to create and modify $SERVICE_SHORTs. On the database level, you can create other roles on top of the automatically created `tsdbadmin` role to restrict access to your data.
+$CLOUD_LONG provides role-based access for you to:
+
+* Administer your $PROJECT_LONG.
+  In $CONSOLE_LONG, users with the Owner, Admin, and Viewer roles have different permissions to manage users and $SERVICE_SHORTs in the $PROJECT_SHORT.
+* Administer each $SERVICE_SHORT in the $PROJECT_SHORT.
+  To restrict access to your data on the database level, you can create other roles on top of the default `tsdbadmin` role.
 
 ## Data encryption
 
From d6d2f63fe55e8a8a916d9a4497eda3ac8b89d1d6 Mon Sep 17 00:00:00 2001
From: atovpeko
Date: Thu, 26 Jun 2025 14:47:58 +0300
Subject: [PATCH 16/19] review

---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index fc1644ff80..476f1811ef 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -40,7 +40,7 @@ To add a user to a $PROJECT_SHORT:
 
 1. In [$CONSOLE][cloud-login], click `Invite users`, then click `Add new user`.
 
-1. Type the email address of the person that you want to add, select their role, and click `Add
+1. Type the email address of the person that you want to add, select their role, and click `Invite user`.
 
 ![Send a user invitation in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-add-new-user.png)
 
From 36a64f06b2a6ff666eee8381dfc98b147da92fbe Mon Sep 17 00:00:00 2001
From: atovpeko
Date: Thu, 26 Jun 2025 15:23:09 +0300
Subject: [PATCH 17/19] review

---
 use-timescale/page-index/page-index.js | 8 +-
 use-timescale/security/index.md | 2 +-
 use-timescale/security/members.md | 71 ++++++++++++++-------
 use-timescale/security/overview.md | 6 +-
 use-timescale/security/read-only-role.md | 10 ++--
 5 files changed, 60 insertions(+), 37 deletions(-)

diff --git a/use-timescale/page-index/page-index.js b/use-timescale/page-index/page-index.js
index 28f352f427..a2d8c7ad18 100644
--- a/use-timescale/page-index/page-index.js
+++ b/use-timescale/page-index/page-index.js
@@ -697,14 +697,14 @@ module.exports = [
       excerpt: "Get an overview of Tiger Cloud security",
     },
     {
-      title: "Role-based access to Tiger Cloud projects",
+      title: "Control user access to Tiger Cloud projects",
       href: "members",
-      excerpt: "User role management in Tiger Cloud",
+      excerpt: "Project and user role management in Tiger Cloud",
     },
     {
-      title: "Role-based access to your data",
+      title: "Manage data security in your service",
       href: "read-only-role",
-      excerpt: "Restrict access to your data",
+      excerpt: "Restrict access to your data with roles",
     },
     {
       title: "SAML authentication",
diff --git a/use-timescale/security/index.md b/use-timescale/security/index.md
index 3c5ed2e58a..e3b07bfd82 100644
--- a/use-timescale/security/index.md
+++ b/use-timescale/security/index.md
@@ -11,7 +11,7 @@ Learn how $CLOUD_LONG protects your data and privacy.
 
 * Learn about [security in $CLOUD_LONG][overview]
 * Restrict access to your [$PROJECT_SHORT][console-rbac]
-* Restrict access to your [data][read-only]
+* Restrict access to the [data in your $SERVICE_SHORT][read-only]
 * Set up [multifactor][mfa] and [SAML][saml] authentication
 * Generate multiple [client credentials][client-credentials] instead of using your username and password
 * Connect with a [stricter SSL mode][ssl]
diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index df07c804f0..e8d548731e 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -1,5 +1,5 @@
 ---
-title: Role-based access to Tiger Cloud projects
+title: Control access to Tiger Cloud projects
 excerpt: Manage your projects and services in Tiger Cloud Console. Add and delete users, assign roles, join and leave projects, transfer project ownership, and configure authentication
 products: [cloud]
 keywords: [members, projects, admin, roles]
@@ -9,13 +9,13 @@ cloud_ui:
   - [members]
 ---
 
-# Role-based access to $PROJECT_LONGs
+# Control user access to Tiger Cloud projects
 
 When you sign up for a [30-day free trial][sign-up], $CLOUD_LONG creates a $PROJECT_SHORT with built-in role-based access. This includes the following roles:
 
-- `Owner`: $CLOUD_LONG assigns this role to you when your $PROJECT_SHORT is created. As Owner, you can add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings.
-- `Admin`: the Owner assigns this role to other users in the $PROJECT_SHORT. A user with the `Admin` role has the same scope of rights as the `Owner` but cannot transfer project ownership.
-- `Viewer`: the Owner and Admin assign this role to other users in the $PROJECT_SHORT. A Viewer has limited, read-only access to $CONSOLE_LONG. This means that a Viewer cannot modify $SERVICE_SHORTs and their configurations in any way. A Viewer has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR.
+- **Owner**: $CLOUD_LONG assigns this role to you when your $PROJECT_SHORT is created. As the Owner, you can add and delete other users, transfer project ownership, administer $SERVICE_SHORTs, and edit $PROJECT_SHORT settings.
+- **Admin**: the Owner assigns this role to other users in the $PROJECT_SHORT. A user with the Admin role has the same scope of rights as the Owner but cannot transfer project ownership.
+- **Viewer**: the Owner and Admins assign this role to other users in the $PROJECT_SHORT. A Viewer has limited, read-only access to $CONSOLE_LONG. This means that a Viewer cannot modify $SERVICE_SHORTs and their configurations in any way. A Viewer has no access to the $DATA_MODE and has read-queries-only access to $SQL_EDITOR.
 
 ![Project users in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-console-project-users-overview.png)
 
@@ -24,7 +24,7 @@ identity provider to log in to $CONSOLE_SHORT.
 
 
 
-$PROJECT_LONG RBAC roles do not overlap with database-level roles for the individual $SERVICE_SHORTs in your $PROJECT_SHORT. This page describes the user roles available in $CONSOLE_SHORT. For the database-level user roles, see [Manage database level user roles][database-rbac].
+User roles in a $PROJECT_LONG do not overlap with the database-level roles for the individual $SERVICE_SHORTs. This page describes the $PROJECT_SHORT roles available in $CONSOLE_SHORT. For the database-level user roles, see [Manage data security in your $SERVICE_LONG][database-rbac].
 
 
 
@@ -52,28 +52,54 @@ To add a user to a $PROJECT_SHORT: ## Join a $PROJECT_SHORT -When you are asked to join a $PROJECT_SHORT, the $CONSOLE sends you an invitation email. Follow the +When you are asked to join a $PROJECT_SHORT, $CONSOLE sends you an invitation email. Follow the instructions in the invitation email to join the $PROJECT_SHORT: -- **New $CLOUD_LONG user**: - 1. In the invitation email, click `Accept Invite`. - $CLOUD_LONG opens. - 2. Follow the setup wizard and create a new $ACCOUNT_SHORT. + - You are added to the $PROJECT_SHORT you were invited to. + -- **Existing $CLOUD_LONG user**: - 1. In the invitation email, click `Accept Invite`. + + +1. **In the invitation email, click `Accept Invite`** + + $CLOUD_LONG opens. + +1. **Follow the setup wizard and create a new $ACCOUNT_SHORT** + + You are added to the $PROJECT_SHORT you were invited to. + + + + + + + + + +1. **In the invitation email, click `Accept Invite`** - $CONSOLE_LONG opens and you are added to the $PROJECT_SHORT. + $CONSOLE_LONG opens, and you are added to the $PROJECT_SHORT. -- **[Enterprise plan][pricing-plans] and SAML user**: - 1. Log in to $CONSOLE_SHORT using your company's identity provider. - 2. Click `Notifications`, then accept the invitation. + + + + + + + + +1. **Log in to $CONSOLE_SHORT using your company's identity provider** - $CONSOLE_LONG opens, and you are added to the $PROJECT_SHORT. As you are now - included in more than one $PROJECT_SHORT, you can easily [change $PROJECT_SHORTs][change-project]. +1. **Click `Notifications`, then accept the invitation** + $CONSOLE_LONG opens, and you are added to the $PROJECT_SHORT. As you are now included in more than one $PROJECT_SHORT, you can easily [change $PROJECT_SHORTs][change-project]. + + + + + + ## Resend a $PROJECT_SHORT invitation 
@@ -101,8 +127,6 @@ To change the $PROJECT_SHORT you are currently working in: 1. Select the $PROJECT_SHORT you want to use. -You can now manage the users and $SERVICE_SHORTs in this $PROJECT_SHORT. - ## Transfer $PROJECT_SHORT ownership @@ -132,7 +156,6 @@ If you have the [Enterprise pricing plan][pricing-plans], and log in to $CLOUD_L or have not enabled [two-factor authentication][2fa], [contact support](https://www.timescale.com/contact) to transfer $PROJECT_SHORT ownership. - ## Leave a $PROJECT_SHORT To stop working in a $PROJECT_SHORT: @@ -163,7 +186,7 @@ To change the role for another user: ![Change user role in $CONSOLE](https://assets.timescale.com/docs/images/tiger-cloud-console/tiger-cloud-change-user-role.png) -The user role is changed immediately. + The user role is changed immediately. diff --git a/use-timescale/security/overview.md b/use-timescale/security/overview.md index 9b70c4d6bd..8fea3090a6 100644 --- a/use-timescale/security/overview.md +++ b/use-timescale/security/overview.md @@ -21,10 +21,10 @@ To see our security features at a glance, see [$COMPANY Security][security-at-ti $CLOUD_LONG provides role-based access for you to: -* Administer your $PROJECT_LONG. +* Administer your $PROJECT_LONG In $CONSOLE_LONG, users with the Owner, Admin, and Viewer roles have different permissions to manage users and $SERVICE_SHORTs in the $PROJECT_SHORT. -* Administer each $SERVICE_SHORT in the $PROJECT_SHORT. - To restrict access to your data on the database level, you can create other roles on top of the default `tsdbadmin` role. +* Manage data in each $SERVICE_SHORT + To restrict access to your data on the database level, you can create other roles on top of the default tsdbadmin role. ## Data encryption diff --git a/use-timescale/security/read-only-role.md b/use-timescale/security/read-only-role.md index 9cb2878dd1..e814d745e8 100644 --- a/use-timescale/security/read-only-role.md +++ b/use-timescale/security/read-only-role.md 
@@ -1,20 +1,20 @@
 ---
-title: Role-based access to your data
+title: Manage data security in your Tiger Cloud service
 excerpt: Learn about the available user roles to access data in your database
 products: [cloud]
 keywords: [client credentials, accounts, users, members, read-only, security]
 tags: [authentication, credentials, members, security]
 ---
 
-# Role-based access to your data
+# Manage data security in your Tiger Cloud service
 
-When you create a $SERVICE_SHORT, $CLOUD_LONG assigns you the tsdmadmin role. This role has full permissions to modify data in your $SERVICE_SHORT. However, $CLOUD_LONG does not provide superuser access. tsdmadmin is not a superuser.
+When you create a $SERVICE_SHORT, $CLOUD_LONG assigns you the tsdmadmin role. This role has full permissions to modify data in your $SERVICE_SHORT. However, $CLOUD_LONG does not provide superuser access. tsdmadmin is not a superuser.
 
 As tsdmadmin, you can use standard $PG means to create other roles or assign individual permissions. This page shows you how to create a read-only role for your database. Adding a read-only role does not provide resource isolation. To restrict the access of a read-only user, as well as isolate resources, create a [read replica][read-scaling] instead.
 
 
 
-The user roles for managing data in the underlying database and administering $SERVICE_SHORTs in $CONSOLE_LONG do not overlap. This page describes the user roles on the database level. For user roles available in $CONSOLE_SHORT, see [Role-based access to Tiger Cloud projects][console-rbac].
+The database-level roles for the individual $SERVICE_SHORTs in your $PROJECT_SHORT do not overlap with the $PROJECT_LONG user roles. This page describes the database-level roles. For user roles available in $CONSOLE_SHORT, see [Control user access to Tiger Cloud projects][console-rbac].
 
 
 
@@ -24,7 +24,7 @@ You can create a read-only user to provide limited access to your database.
 
 
 
-1. Connect to your $SERVICE_SHORT as the `tsdbadmin` user.
+1. Connect to your $SERVICE_SHORT as the tsdbadmin user.
 
 1. Create the new role:
 
From a348c63d3dc323dc81dc962e09d75958f9ba323b Mon Sep 17 00:00:00 2001
From: atovpeko
Date: Thu, 26 Jun 2025 15:24:10 +0300
Subject: [PATCH 18/19] review

---
 use-timescale/security/members.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/security/members.md b/use-timescale/security/members.md
index e8d548731e..f20c81a777 100644
--- a/use-timescale/security/members.md
+++ b/use-timescale/security/members.md
@@ -153,7 +153,7 @@ To transfer $PROJECT_SHORT ownership:
 
 
 If you have the [Enterprise pricing plan][pricing-plans], and log in to $CLOUD_LONG using [SAML authentication][saml]
-or have not enabled [two-factor authentication][2fa], [contact support](https://www.timescale.com/contact) to transfer
+or have not enabled [two-factor authentication][2fa], [contact support](https://www.tigerdata.com/contact) to transfer
 $PROJECT_SHORT ownership.
 
 ## Leave a $PROJECT_SHORT
From f74436c0198dfee50ffcdefd4b89f3a5f496e39c Mon Sep 17 00:00:00 2001
From: atovpeko
Date: Thu, 26 Jun 2025 15:26:03 +0300
Subject: [PATCH 19/19] review

---
 use-timescale/page-index/page-index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/use-timescale/page-index/page-index.js b/use-timescale/page-index/page-index.js
index a2d8c7ad18..17e7974918 100644
--- a/use-timescale/page-index/page-index.js
+++ b/use-timescale/page-index/page-index.js
@@ -697,7 +697,7 @@ module.exports = [
       excerpt: "Get an overview of Tiger Cloud security",
     },
     {
-      title: "Control user access to Tiger Cloud projects",
+      title: "Control user access to projects",
       href: "members",
       excerpt: "Project and user role management in Tiger Cloud",
     },