From 9be076e91b636d0cc00374300a76525652ac47b8 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 15 Apr 2026 16:35:12 -0600 Subject: [PATCH 1/3] DOC-1864: Document Cloud RBAC UX enhancements for service account scoping - Remove incorrect statement that service accounts are always assigned org-wide Admin role - Add Service account roles section documenting scoped role assignment - Add RBAC UX enhancements entry to What's New (March 2026) Co-Authored-By: Claude Opus 4.6 (1M context) --- .../get-started/pages/whats-new-cloud.adoc | 4 ++++ .../pages/authorization/rbac/rbac.adoc | 19 ++++++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 0c1234c0a..0351707f2 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -27,6 +27,10 @@ Serverless clusters now support up to 100 Redpanda Connect pipelines and 100 MCP == March 2026 +=== RBAC UX enhancements + +Organization admins can now xref:security:authorization/rbac/rbac.adoc#service-account-roles[assign scoped roles to service accounts], restricting access to specific resource groups or clusters instead of granting organization-wide permissions. + === Redpanda Connect updates * Inputs: diff --git a/modules/security/pages/authorization/rbac/rbac.adoc b/modules/security/pages/authorization/rbac/rbac.adoc index 12fdcb31b..c006d6da7 100644 --- a/modules/security/pages/authorization/rbac/rbac.adoc +++ b/modules/security/pages/authorization/rbac/rbac.adoc 
@@ -25,13 +25,13 @@ After reading this page, you will be able to: == Manage organization access -In the Redpanda Cloud Console, the *Organization IAM* page lists your organization's existing users and service accounts and their associated roles. You can edit a user's access, invite new users, and create service accounts. When you add a user, you define their permissions with role binding. Service accounts are assigned the Admin role for all resources in the organization. +In the Redpanda Cloud Console, the *Organization IAM* page lists your organization's existing users and service accounts and their associated roles. You can edit a user's access, invite new users, and create service accounts. When you add a user, you define their permissions with role binding. On the *Organization IAM - Users* page, select a user to see their assigned roles. For example, for a user with Admin access on the organization, the user's _Resource_ is the organization name, the _Scope_ is organization, and the _Role_ is Admin. -Various resources can be assigned as the scope of a role. For example: +Various resources can be assigned as the scope of a role. For example: -- Organization +- Organization - Resource group - Network - Network peering 
@@ -44,6 +44,19 @@ Users can have multiple roles, as long as they are each for a different resource When you delete a role, Redpanda removes it from any user or service account it is attached to, and permissions are revoked. +=== Service account roles + +By default, new service accounts are assigned the Admin role at organization scope. You can edit a service account to assign a different role or restrict the scope to a specific resource group or cluster. + +To change a service account's role: + +. In the left navigation menu, select *Organization IAM*. +. Select the *Service account* tab. +. Click the edit icon for the service account you want to modify. +. Assign the appropriate role and scope. + +You can only assign a service account to scopes that you have permissions for. For example, if you have the Admin role for a specific resource group, you can create a service account scoped to that resource group. + == Predefined roles include::security:partial$predefined-roles.adoc[] From 2504441c03264685f99f02c9964c5ae5fe47b609 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 15 Apr 2026 16:38:08 -0600 Subject: [PATCH 2/3] minor edit --- modules/security/pages/authorization/rbac/rbac.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/pages/authorization/rbac/rbac.adoc b/modules/security/pages/authorization/rbac/rbac.adoc index c006d6da7..975a2949a 100644 --- a/modules/security/pages/authorization/rbac/rbac.adoc +++ b/modules/security/pages/authorization/rbac/rbac.adoc 
@@ -25,7 +25,7 @@ After reading this page, you will be able to: == Manage organization access -In the Redpanda Cloud Console, the *Organization IAM* page lists your organization's existing users and service accounts and their associated roles. You can edit a user's access, invite new users, and create service accounts. When you add a user, you define their permissions with role binding. +In the Redpanda Cloud Console, the *Organization IAM* page lists your organization's existing users and service accounts and their associated roles. You can edit a user's access, invite new users, and create service accounts. When you add a user, you define their permissions with role bindings. On the *Organization IAM - Users* page, select a user to see their assigned roles. For example, for a user with Admin access on the organization, the user's _Resource_ is the organization name, the _Scope_ is organization, and the _Role_ is Admin. From a0f7690860bc7365f62881483fea4d1f7d930904 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 16 Apr 2026 10:53:34 -0600 Subject: [PATCH 3/3] incorporate review feedback --- .../get-started/pages/whats-new-cloud.adoc | 4 --- .../pages/authorization/rbac/rbac.adoc | 35 +++++++------------ .../security/partials/predefined-roles.adoc | 2 +- 3 files changed, 14 insertions(+), 27 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 0351707f2..0c1234c0a 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc 
@@ -27,10 +27,6 @@ Serverless clusters now support up to 100 Redpanda Connect pipelines and 100 MCP == March 2026 -=== RBAC UX enhancements - -Organization admins can now xref:security:authorization/rbac/rbac.adoc#service-account-roles[assign scoped roles to service accounts], restricting access to specific resource groups or clusters instead of granting organization-wide permissions. - === Redpanda Connect updates * Inputs: diff --git a/modules/security/pages/authorization/rbac/rbac.adoc b/modules/security/pages/authorization/rbac/rbac.adoc index 975a2949a..957727b7e 100644 --- a/modules/security/pages/authorization/rbac/rbac.adoc +++ b/modules/security/pages/authorization/rbac/rbac.adoc @@ -17,7 +17,7 @@ After reading this page, you will be able to: == RBAC terminology -**Role**: A role is a list of permissions. With RBAC, permissions are attached to roles. Users assigned multiple roles receive the union of all permissions defined in those roles. Redpanda Cloud has several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin. You can also create custom roles. +**Role**: A role is a list of permissions. With RBAC, permissions are attached to roles. Users assigned multiple roles receive the union of all permissions defined in those roles. **Account**: An RBAC account is either a user account (human user) or a service account (machine or programmatic user). 
@@ -25,37 +25,28 @@ After reading this page, you will be able to: == Manage organization access -In the Redpanda Cloud Console, the *Organization IAM* page lists your organization's existing users and service accounts and their associated roles. You can edit a user's access, invite new users, and create service accounts. When you add a user, you define their permissions with role bindings. +In the Redpanda Cloud Console, the *Organization IAM* page lists your organization's users and service accounts and their assigned roles. You can invite users, create service accounts, and edit access for existing accounts. When you add a user or service account, you assign permissions through role bindings. -On the *Organization IAM - Users* page, select a user to see their assigned roles. For example, for a user with Admin access on the organization, the user's _Resource_ is the organization name, the _Scope_ is organization, and the _Role_ is Admin. +On the *Organization IAM* page, select a user or service account to view its assigned roles. For example, if a user has the Admin role at the organization level, the _Resource_ is the organization name, the _Scope_ is Organization, and the _Role_ is Admin. You can edit a user or service account to assign a different role or limit access to a specific resource. -Various resources can be assigned as the scope of a role. For example: +Role bindings can be scoped to different resource types, including: - Organization - Resource group - Network - Network peering - Cluster (Serverless clusters have a different set of permissions from BYOC and Dedicated clusters.) -- MCP server -NOTE: Redpanda topics are not included. For topic-level access control, see xref:security:authorization/rbac/rbac_dp.adoc[Configure RBAC in the Data Plane]. +[NOTE] +==== +* Redpanda topics are not included as a scope. For topic-level access control, see xref:security:authorization/rbac/rbac_dp.adoc[Configure RBAC in the Data Plane]. 
-Users can have multiple roles, as long as they are each for a different resource and scope. For example, you could assign a user the Reader role on the organization, the Admin role on a specific resource group, and the Writer role on a specific cluster. +* You can assign a service account only to resources for which you already have permission. For example, if you have the Admin role for a specific resource group, you can create a service account scoped to that resource group. +==== -When you delete a role, Redpanda removes it from any user or service account it is attached to, and permissions are revoked. +Users can have multiple roles if each role binding applies to a different resource or scope. For example, a user could have the Reader role for the organization, the Admin role for a specific resource group, and the Writer role for a specific cluster. -=== Service account roles - -By default, new service accounts are assigned the Admin role at organization scope. You can edit a service account to assign a different role or restrict the scope to a specific resource group or cluster. - -To change a service account's role: - -. In the left navigation menu, select *Organization IAM*. -. Select the *Service account* tab. -. Click the edit icon for the service account you want to modify. -. Assign the appropriate role and scope. - -You can only assign a service account to scopes that you have permissions for. For example, if you have the Admin role for a specific resource group, you can create a service account scoped to that resource group. +When you delete a custom role, Redpanda removes it from any users or service accounts assigned to it, and the associated permissions are revoked. == Predefined roles 
@@ -63,13 +54,13 @@ include::security:partial$predefined-roles.adoc[] == Custom roles -In addition to the predefined roles, administrators can create custom roles to mix and match permissions for specific use cases. Custom roles let you grant only the permissions a user needs, without the broad access of predefined roles. +In addition to the predefined roles, administrators can create custom roles to grant only the permissions an account needs, without the broad access of predefined roles. To create a custom role, use the https://cloud.redpanda.com[Redpanda Cloud Console^] or the link:/api/doc/cloud-controlplane/[Control Plane API]. In the Redpanda Cloud Console: -. In the left navigation menu, select *Organization IAM*, then select the *Roles* tab. +. In the left navigation menu, select the *Organization IAM* - *Roles* tab . Click *Create role*. . Enter a *Name* and optional *Description* for the role. . Select permissions from the available categories: *Control Plane*, *Data Plane*, *IAM*, and *Billing*. Each category contains multiple permission groups (for example, Cluster, Network, or Topic), and each group contains individual operations such as Create, Read, Update, and Delete. You can select operations individually or select all operations for a group. diff --git a/modules/security/partials/predefined-roles.adoc b/modules/security/partials/predefined-roles.adoc index 14ef375fd..ea0135a84 100644 --- a/modules/security/partials/predefined-roles.adoc +++ b/modules/security/partials/predefined-roles.adoc @@ -1,3 +1,3 @@ Redpanda Cloud provides several predefined roles that you cannot modify or delete, including Reader, Writer, and Admin. -You can see all predefined roles along with their permissions on the *Roles* tab of *Organization IAM*. +Before assigning a role to a user or service account, review the *Organization IAM* - *Roles* tab to compare the full list of predefined roles and their permissions.
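Review bot: In PATCH 1, the rbac.adoc hunk at `@@ -25,13 +25,13 @@`, the `-`/`+` pairs for "Various resources can be assigned as the scope of a role. For example:" and "- Organization" show no visible text change, so they are almost certainly trailing-whitespace edits; drop them, or mention them in the commit message, so the diff stays limited to the service-account change. In the same hunk the new paragraph refers to the "*Organization IAM - Users* page" while the next hunk calls the equivalent view the "*Service account* tab"; settle on "page" or "tab" and use it consistently.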
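Review bot: In PATCH 1, the rbac.adoc hunk at `@@ -44,6 +44,19 @@`, the new section states that new service accounts default to "the Admin role at organization scope", which is the broadest binding available, but it never advises the reader to narrow it. Add a sentence after the four-step procedure recommending that a newly created service account be scoped to the resource group or cluster it actually needs, since scoped assignment is the point of the section. The closing paragraph ("You can only assign a service account to scopes that you have permissions for") is the rule that prevents a resource-group Admin from creating a service account in a scope they cannot see; state that consequence plainly, for example "a service account cannot be scoped beyond the resources its creator has permissions on", so readers understand why the restriction exists rather than reading it as a UI limitation.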
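Review bot: In PATCH 3, the whats-new-cloud.adoc hunk at `@@ -27,10 +27,6 @@` exactly reverts the hunk PATCH 1 added to the same file, so the series adds and then removes the "RBAC UX enhancements" entry as a net no-op. Squash the two patches so the history does not carry the add-then-remove, and say in the commit message why the entry was dropped; "incorporate review feedback" does not tell a later reader whether the feature is no longer being announced or whether the entry moves to a different month.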
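Review bot: In PATCH 3, the rbac.adoc hunk at `@@ -25,37 +25,28 @@`, deleting the "=== Service account roles" section removes the only statement of what a new service account starts with ("the Admin role at organization scope"); the replacement sentence "You can edit a user or service account to assign a different role or limit access to a specific resource" tells readers they can narrow the binding but not that the default is the widest one. Either restore the default sentence next to the new NOTE bullet about service accounts, or, if the default has changed, say so in the commit message since that is a material change for anyone auditing service-account permissions. Two smaller points in the same hunk: "- MCP server" is dropped from the scope list without explanation, so confirm it is no longer an assignable scope rather than a stray deletion; and the second NOTE bullet ("You can assign a service account only to resources for which you already have permission") is a rule that governs what the reader can do, not an aside like the topics bullet, so it reads better as body text directly under the scope list.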
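Review bot: In PATCH 3, the rbac.adoc hunk at `@@ -63,13 +54,13 @@`, the rewritten step ". In the left navigation menu, select the *Organization IAM* - *Roles* tab" lost the trailing period that every other step in the list has, and the hyphen-joined path reads as the name of a single tab; the original "select *Organization IAM*, then select the *Roles* tab" was clearer. The same "*Organization IAM* - *Roles* tab" form is introduced in the predefined-roles.adoc hunk, so whichever wording is chosen should be applied in both places.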