diff --git a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst index 7e792f9ebda..e1631476307 100644 --- a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst +++ b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst 
@@ -206,7 +206,11 @@ Permissions in Mattermost are a property of the server code base and are not cre +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | demote_to_guest | system | Demote member users to guests. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| manage_remote_clusters | system | Add, remove, and view remote clusters for shared channels. | +| manage_remote_clusters (deprecated in v5.36) | system | Add, remove, and view remote clusters for shared channels. Deprecated in v5.36; renamed to ``manage_secure_connections``. | ++----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| manage_shared_channels | system | Share and unshare channels with existing connections to remote servers. | ++----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| manage_secure_connections | system | Create, manage, and remove secure connections to remote servers. 
| +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_post_bleve_indexes_job | system | Manage the status of a Bleve post indexing job. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -378,7 +382,7 @@ The following built-in roles with default permissions are available: - invite_user - manage_shared_channels - remove_others_reactions -- manage_remote_clusters +- manage_secure_connections - sysconsole_write_user_management_users - sysconsole_read_experimental - sysconsole_write_compliance @@ -473,6 +477,14 @@ The following built-in roles with default permissions are available: - manage members - restore +*shared_channel_manager* + +- manage_shared_channels + +*secure_connection_manager* + +- manage_secure_connections + *system_guest* - create_group_channel diff --git a/source/administration-guide/onboard/connected-workspaces.rst b/source/administration-guide/onboard/connected-workspaces.rst index 72e06959c6d..1c2483c7f8c 100644 --- a/source/administration-guide/onboard/connected-workspaces.rst +++ b/source/administration-guide/onboard/connected-workspaces.rst 
@@ -19,16 +19,16 @@ The process of connecting Mattermost workspaces involves the following 5 steps: 2. `Enable the connected workspaces functionality <#enable-connected-workspaces>`__ for each Mattermost Enterprise instance you want to connect. -3. System admins must `create a secure and trusted connection <#create-a-secure-connection>`__ with other Mattermost Enterprise instances using the System Console or slash commands. This process involves creating a password-protected, encrypted invitation, creating a strong decryption password, then sending the invitation and password to the system admin of a remote Mattermost instance. From Mattermost v11.0, remote cluster invitations use PBKDF2 key derivation for enhanced security. +3. System admins or users with the **Secure Connection Manager** role must `create a secure and trusted connection <#create-a-secure-connection>`__ with other Mattermost Enterprise instances using the System Console or slash commands. This process involves creating a password-protected, encrypted invitation, creating a strong decryption password, then sending the invitation and password to the admin of a remote Mattermost instance. From Mattermost v11.0, remote cluster invitations use PBKDF2 key derivation for enhanced security. -4. When a remote system admin receives the invitation, they must `accept the invitation <#accept-a-secure-connection-invitation>`__ using the System Console or slash commands. +4. When a remote admin receives the invitation, they must `accept the invitation <#accept-a-secure-connection-invitation>`__ using the System Console or slash commands. -5. Once a trusted relationship is established between 2 Mattermost servers, system admins can `share specific public or private channels <#share-channels-with-secure-connections>`__ with secure connections. +5. 
Once a trusted relationship is established between 2 Mattermost servers, system admins or users with the **Shared Channel Manager** role can `share specific public or private channels <#share-channels-with-secure-connections>`__ with secure connections. .. note:: - - System admins can only create secure connections with other Mattermost Enterprise instances, and can only share channels with secured connections. - - System admins must use Mattermost to generate a password-protected encrypted invitation code. However, sending secure connection invitations is not completed using Mattermost. System admins must have an independent way to extend the secure connection invitation, such as by email. + - Only system admins or users with the appropriate :doc:`delegated administration role ` can create secure connections with other Mattermost Enterprise instances and share channels with secured connections. + - Users creating secure connections must use Mattermost to generate a password-protected encrypted invitation code. However, sending secure connection invitations is not completed using Mattermost. They must have an independent way to extend the secure connection invitation, such as by email. - A channel shared by a host organization cannot be shared from the receiving organization to another organization. Organizations can't share a channel originating from another organization. Enable connected workspaces 
@@ -62,9 +62,9 @@ Create a secure connection .. tab:: Slash Commands - By default, only system admins can use slash commands to create workspace connections. You can grant the ability to **Manage Shared Channels** and **Managed Secure Connections** to Mattermost users by modifying permissions of the :ref:`system scheme ` or :ref:`team override scheme `. + By default, only system admins can use slash commands to create workspace connections. You can delegate these capabilities using the built-in **Shared Channel Manager** and **Secure Connection Manager** :doc:`delegated administration roles `. Alternatively, you can grant the ability to **Manage Shared Channels** and **Manage Secure Connections** to Mattermost users by modifying permissions of the :ref:`system scheme ` or :ref:`team override scheme `. - System admins can :doc:`run the following slash command ` to create a secure connection invitation: + Authorized users can :doc:`run the following slash command ` to create a secure connection invitation: ``/secure-connection create --name <--displayname> --password`` @@ -116,7 +116,7 @@ Accept a connection invitation Share channels with secure connections -------------------------------------- -Once a connection is established between two Mattermost servers, system admins can share channels across secured workspaces. +Once a connection is established between two Mattermost servers, system admins or users with the **Shared Channel Manager** role can share channels across secured workspaces. .. tab:: System Console 
@@ -200,7 +200,7 @@ When ``EnableSharedChannelsMemberSync`` is disabled, channel membership changes Manage connections and invitations ---------------------------------- -System admins can `edit <#edit-a-connected-workspace>`__ or `delete <#delete-a-connected-workspace>`__ a connected workspace, and `review connection status <#review-connection-status>`__, and `regenerate invitation codes and passwords <#regenerate-invitation-codes-for-pending-connections>`__ for pending connections. +System admins or users with the **Secure Connection Manager** role can `edit <#edit-a-connected-workspace>`__ or `delete <#delete-a-connected-workspace>`__ a connected workspace, and `review connection status <#review-connection-status>`__, and `regenerate invitation codes and passwords <#regenerate-invitation-codes-for-pending-connections>`__ for pending connections. Edit a connected workspace ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/administration-guide/onboard/delegated-granular-administration.rst b/source/administration-guide/onboard/delegated-granular-administration.rst index a4e80d62253..2e29b9906b3 100644 --- a/source/administration-guide/onboard/delegated-granular-administration.rst +++ b/source/administration-guide/onboard/delegated-granular-administration.rst 
@@ -19,6 +19,8 @@ A system admin can configure the following delegated granular administration rol - **System Manager:** This role can be configured to have read/write permissions in different management areas. - **User Manager:** This role can be configured to have read/write to all the user management areas and to authentication - **Custom Group Manager** This role has permissions to :doc:`create, edit, restore, and delete custom user groups `. This role can be used to assign individual users the ability to manage custom groups when **Custom Groups** permissions are removed for **All Members** via **System Console > Permissions > Edit Scheme > Custom Groups**. +- **Shared Channel Manager** This role has the ``manage_shared_channels`` permission, allowing assigned users to share and unshare channels with existing connections to remote servers. +- **Secure Connection Manager** This role has the ``manage_secure_connections`` permission, allowing assigned users to create, manage, and remove secure connections to remote servers. - **Viewer:** The Viewer role can view all areas of the System Console, and can be configured with write access where needed. When a user is assigned a system role, they have role-based access to the System Console and the underlying API endpoints. Each role has a different set of default permissions, and what users can access or view depends on the role they've been assigned. 
@@ -44,6 +46,12 @@ The table below lists the default permissions for each role. Admins should caref +----------------------+-----------------------+---------------------------------------+ | Custom Group Manager | Custom User Groups | N/A | +----------------------+-----------------------+---------------------------------------+ +| Shared Channel | Shared Channels | N/A | +| Manager | | | ++----------------------+-----------------------+---------------------------------------+ +| Secure Connection | Secure Connections | N/A | +| Manager | | | ++----------------------+-----------------------+---------------------------------------+ | Viewer | N/A | - All pages within the System Console | +----------------------+-----------------------+---------------------------------------+ 
@@ -82,6 +90,16 @@ There are two ways to assign roles: | | **System Console > User Management > Permissions > Edit Scheme**. Under **All Members**, clear all of | | | | the **Custom Groups** permissions, including **Create**, **Manage members**, **Edit**, and **Delete**. | | +---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ +| Grant the Shared Channel Manager role to a user | 1. Go to **System Console > User Management > Delegated Granular Administration**, then select the **Shared Channel Manager** | ``mmctl permissions role assign shared_channel_manager user-name`` | +| | role. | | +| | 2. Under **Assigned People**, select **Add People**. | | +| | 3. Search for and select the user name, then select **Add** to grant the Shared Channel Manager role to that user. | | ++---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ +| Grant the Secure Connection Manager | 1. Go to **System Console > User Management > Delegated Granular Administration**, then select the **Secure Connection Manager** | ``mmctl permissions role assign secure_connection_manager user-name`` | +| role to a user | role. | | +| | 2. Under **Assigned People**, select **Add People**. | | +| | 3. Search for and select the user name, then select **Add** to grant the Secure Connection Manager role to that user. 
| | ++---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ | Remove the System Manager role from a single user | 1. Go to **System Console > User Management > Delegated Granular Administration**, then select the **System Manager** role. | ``mmctl permissions role unassign system_manager bob-smith`` | | | 2. Under **Assigned People**, search for the user, then select **Remove**. | | +---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ @@ -89,7 +107,7 @@ There are two ways to assign roles: Edit privileges of admin roles (advanced) ------------------------------------------ -System admins can grant read/write access to other areas of the System Console, as well as remove read/write access (including default access), for all system roles except the Custom Group Manager role. +System admins can grant read/write access to other areas of the System Console, as well as remove read/write access (including default access), for all system roles except the Custom Group Manager, Shared Channel Manager, and Secure Connection Manager roles. There are two ways to assign roles: @@ -134,6 +152,8 @@ Roles - ``system_manager`` - ``system_user_manager`` - ``system_custom_group_admin`` +- ``shared_channel_manager`` +- ``secure_connection_manager`` - ``system_read_only_admin`` Privileges
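Review bot: In the permissions table hunk (@@ -206 in advanced-permissions-backend-infrastructure.rst), the first column should carry only the permission identifier; `| manage_remote_clusters (deprecated in v5.36) | system |` puts prose into the cell readers copy into mmctl and API calls, and the deprecation is already stated in the description cell. Suggest `| manage_remote_clusters | system | Deprecated in v5.36; renamed to ``manage_secure_connections``. Add, remove, and view remote clusters for shared channels. |` so the identifier stays clean and the deprecation note is still the first thing in the description.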
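Review bot: The system_admin default permissions hunk (@@ -378) replaces `- manage_remote_clusters` with `- manage_secure_connections` outright, while the table hunk above only marks the old permission as deprecated, not removed. Readers with custom role schemes that still grant `manage_remote_clusters` cannot tell from these two hunks whether the old permission keeps working after upgrade or must be migrated; one sentence stating which it is (and from which version) would close that gap.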
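Review bot: The new built-in role identifiers `shared_channel_manager` and `secure_connection_manager` (@@ -473, and again in the Roles list at @@ -134 of delegated-granular-administration.rst) break the `system_` prefix used by every other delegated role listed there (`system_manager`, `system_user_manager`, `system_custom_group_admin`, `system_read_only_admin`). These strings are exactly what `mmctl permissions role assign` takes, so please confirm they match the server's role names; if they do, a short remark that the naming differs would stop readers from "correcting" them to `system_shared_channel_manager`.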
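Review bot: Step 3 of the connected-workspaces hunk (@@ -19) now says to send "the invitation and password to the admin of a remote Mattermost instance", but the encrypted invitation is protected only by that password, so the two should not travel together. The step, and the note bullet about having "an independent way to extend the secure connection invitation, such as by email", should say to deliver the password over a different channel from the invitation code, otherwise whoever intercepts the e-mail gets both halves.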
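Review bot: In the Slash Commands hunk (@@ -62), the alternative of granting **Manage Shared Channels** and **Manage Secure Connections** "by modifying permissions of the :ref:`system scheme ` or :ref:`team override scheme `" conflicts with the permissions table in this same patch, where `manage_shared_channels` and `manage_secure_connections` both carry `system` scope. A team override scheme cannot grant a system-scoped permission, so either drop the team override scheme mention here or confirm the scope column in the table.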
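Review bot: The two new role bullets in delegated-granular-administration.rst (@@ -19) omit the colon after the bold role name that the surrounding entries use (`- **System Manager:**`, `- **User Manager:**`); suggest `- **Shared Channel Manager:** This role has ...` and `- **Secure Connection Manager:** This role has ...`. Since the Secure Connection Manager bullet describes creating connections to remote servers, it is also the place to say that this role establishes trust with an external instance and should be assigned sparingly, which the current wording leaves to the reader to infer.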
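Review bot: In the role assignment table hunk (@@ -82), the new mmctl examples use a `user-name` placeholder (`mmctl permissions role assign shared_channel_manager user-name`) while the adjacent existing row uses a concrete `bob-smith`; pick one convention for the table. The hunk also adds no "Remove the ... role" rows for the two new roles even though the System Manager row shows the `mmctl permissions role unassign system_manager bob-smith` pattern, so readers have to guess the unassign form; adding `mmctl permissions role unassign shared_channel_manager bob-smith` and the secure_connection_manager equivalent would complete the table.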