Merge pull request #4401 from Blargian/sql-console-access

Cloud: add guides for adjusting SQL console access and org and service level role assignment

Author: gingerwizard

docs/cloud/features/06_security/02_cloud-access-management/cloud-access-management.md

@@ -9,10 +9,15 @@ import Image from '@theme/IdealImage';
 import user_grant_permissions_options from '@site/static/images/cloud/security/cloud-access-management/user_grant_permissions_options.png';
 
 # Access control in ClickHouse Cloud {#access-control-in-clickhouse-cloud}
-ClickHouse controls user access in two places, via the console and via the database. Console access is managed via the clickhouse.cloud user interface. Database access is managed via database user accounts and roles. Additionally, console users can be granted roles within the database that enable the console user to interact with the database via our SQL console.
+
+ClickHouse Cloud controls access to the console itself and the features available within it.
+A **console user** is the foundation of this access with all permissions, roles, and access controls assigned to and managed through these users.
+When [database-level permissions are associated with console users](/cloud/security/common-access-management-queries#modifying-users-and-roles), those then govern their data access when querying via the SQL console.
 
 ## Console users and roles {#console-users-and-roles}
-Configure Organization and Service role assignments within the Console > Users and roles page. Configure SQL Console role assignments in the settings page for each service.
+
+[Configure Organization and Service role assignments](/cloud/guides/sql-console/configure-org-service-role-assignments) within the Console > Users and roles page.
+[Configure SQL Console role assignments](/cloud/guides/sql-console/config-sql-console-role-assignments) in the settings page for each service.
 
 Users must be assigned an organization level role and may optionally be assigned service roles for one or more services. Service roles may be optionally configured for users to access the SQL console in the service settings page.
 - Users assigned the Organization Admin role are granted Service Admin by default.

docs/cloud/features/06_security/02_cloud-access-management/cloud-authentication.md

@@ -33,7 +33,7 @@ If your company uses Google Workspace or Microsoft 365, you can leverage your cu
 ## Multi-factor authentication {#multi-factor-authentication}
 
 Users with email + password or social authentication can further secure their account using multi-factor authentication (MFA). To set up MFA:
-1. Log into console.clickhouse.cloud
+1. Log into [console.clickhouse.cloud](https://console.clickhouse.cloud/)
 2. Click your initials in the upper left corner next to the ClickHouse logo
 3. Select Profile
 4. Select Security on the left

docs/cloud/guides/SQL_console/_category_.json

@@ -0,0 +1,5 @@
+{
+  "label": "SQL console",
+  "collapsible": true,
+  "collapsed": true,
+}

docs/cloud/guides/SQL_console/configure_org_and_service_role_assignments.md

@@ -0,0 +1,84 @@
+---
+slug: /cloud/guides/sql-console/configure-org-service-role-assignments
+sidebar_label: 'Configuring organization and service role assignments'
+title: 'Configuring organization and service role assignments within the console'
+description: 'Guide showing how to configure org and service role assignments within the console'
+---
+
+import Image from '@theme/IdealImage';
+import step_1 from '@site/static/images/cloud/guides/sql_console/org_level_access/1_org_settings.png'
+import step_2 from '@site/static/images/cloud/guides/sql_console/org_level_access/2_org_settings.png'
+import step_3 from '@site/static/images/cloud/guides/sql_console/org_level_access/3_org_settings.png'
+import step_4 from '@site/static/images/cloud/guides/sql_console/org_level_access/4_org_settings.png'
+import step_5 from '@site/static/images/cloud/guides/sql_console/org_level_access/5_org_settings.png'
+import step_6 from '@site/static/images/cloud/guides/sql_console/org_level_access/6_org_settings.png'
+import step_7 from '@site/static/images/cloud/guides/sql_console/org_level_access/7_org_settings.png'
+
+# Configuring organization and service role assignments within the console
+
+> This guide shows you how to configure role assignments at the organization and service level.
+
+<VerticalStepper>
+
+## Access organization settings {#access-service-settings}
+
+From the services page, select the name of your organization:
+
+<Image img={step_1} size="md"/>
+
+Select the `Users and roles` menu item from the popup menu.
+
+<Image img={step_2} size="md"/>
+
+## Adjust access per user {#access-per-user}
+
+Select the menu item at the end of the row for the user that you which to modify
+access for:
+
+<Image img={step_3} size="lg"/>
+
+Select `edit`:
+
+<Image img={step_4} size="lg"/>
+
+A tab will display on the right hand side of the page:
+
+<Image img={step_5} size="lg"/>
+
+Select the drop-down menu items to adjust console-wide access permissions and which features a user can access from within the ClickHouse console.
+This manages high-level access and administrative settings for an organization:
+
+| Role        | Description                                                                      |
+|-------------|----------------------------------------------------------------------------------|
+| `Admin`     | Perform all administrative activities for an organization, control all settings. |
+| `Developer` | View everything except Services, create API keys with equal or lower access.     |
+| `Member`    | Sign in only with ability to manage personal profile settings.                   |
+| `Billing`   | View usage and invoices, and manage payment methods                              |
+
+Select the drop-down menu items to adjust the access scope of the service role of the selected user.
+This defines security and operational settings for individual services:
+
+| Access scope        |
+|---------------------|
+| `All services`      |
+| `Specific services` |
+| `No services`       |
+
+When selecting `Specific services`, you can control the role of the user per
+service:
+
+<Image img={step_6} size="md"/>
+
+You can choose from the following roles:
+
+| Role        | Description                                                        |
+|-------------|--------------------------------------------------------------------|
+| `Admin`     | Full control over configuration and security. Can delete service.  |
+| `Read-only` | Can see service data and security settings. Can't modify anything. |
+| `No access` | Doesn't know the service exists.                                   |
+
+Save your changes with the `Save changes` button at the bottom of the tab:
+
+<Image img={step_7} size="md"/>
+
+</VerticalStepper>

docs/cloud/guides/SQL_console/configure_sql_console_role_assignments.md

@@ -0,0 +1,74 @@
+---
+slug: /cloud/guides/sql-console/config-sql-console-role-assignments
+sidebar_label: 'Configuring SQL console role assignments'
+title: 'Configuring SQL console role assignments'
+description: 'Guide showing how to configure SQL console role assignments'
+---
+
+import Image from '@theme/IdealImage';
+import step_1 from '@site/static/images/cloud/guides/sql_console/service_level_access/1_service_settings.png'
+import step_2 from '@site/static/images/cloud/guides/sql_console/service_level_access/2_service_settings.png'
+import step_3 from '@site/static/images/cloud/guides/sql_console/service_level_access/3_service_settings.png'
+import step_4 from '@site/static/images/cloud/guides/sql_console/service_level_access/4_service_settings.png'
+import step_5 from '@site/static/images/cloud/guides/sql_console/service_level_access/5_service_settings.png'
+import step_6 from '@site/static/images/cloud/guides/sql_console/service_level_access/6_service_settings.png'
+import step_7 from '@site/static/images/cloud/guides/sql_console/service_level_access/7_service_settings.png'
+
+# Configuring SQL console role assignments
+
+> This guide shows you how to configure SQL console role assignments, which
+determine console-wide access permissions and the features that a user can
+access within Cloud console.
+
+<VerticalStepper>
+
+## Access service settings {#access-service-settings}
+
+From the services page, click the menu in the top right corner of the service
+for which you want to adjust SQL console access settings.
+
+<Image img={step_1} size="lg"/>
+
+Select `settings` from the popup menu.
+
+<Image img={step_2} size="lg"/>
+
+## Adjust SQL console access {#adjust-sql-console-access}
+
+Under the "Security" section, find the "SQL console access" area:
+
+<Image img={step_3} size="md"/>
+
+Select the drop-down menu for Service Admin to change the access control settings for Service Admin roles:
+
+<Image img={step_4} size="md"/>
+
+You can choose from the following roles:
+
+| Role          |
+|---------------|
+| `No access`   |
+| `Read only`   |
+| `Full access` |
+
+Select the drop-down menu for Service Read Only to change the access control settings for Service Read Only roles:
+
+<Image img={step_5} size="md"/>
+
+You can choose from the following roles:
+
+| Role          |
+|---------------|
+| `No access`   |
+| `Read only`   |
+| `Full access` |
+
+An overview of users for the service can be viewed by selecting the user count:
+
+<Image img={step_6} size="md"/>
+
+A tab will open to the right of the page showing the total number of users and their roles:
+
+<Image img={step_7} size="md"/>
+
+</VerticalStepper>