From fb72d42c90a7e5621a6e3f0342af445a82d0765d Mon Sep 17 00:00:00 2001 From: wiggin77 Date: Wed, 18 Feb 2026 12:46:43 -0500 Subject: [PATCH 1/4] Doc changes for MM-67647 that adds two new roles to manage secure connections (shared channels) --- ...ced-permissions-backend-infrastructure.rst | 16 ++++++++++++-- .../onboard/connected-workspaces.rst | 2 +- .../delegated-granular-administration.rst | 22 ++++++++++++++++++- 3 files changed, 36 insertions(+), 4 deletions(-) diff --git a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst index 7e792f9ebda..afaed7a6661 100644 --- a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst +++ b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst 
@@ -206,7 +206,11 @@ Permissions in Mattermost are a property of the server code base and are not cre +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | demote_to_guest | system | Demote member users to guests. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| manage_remote_clusters | system | Add, remove, and view remote clusters for shared channels. | +| manage_remote_clusters (deprecated) | system | Add, remove, and view remote clusters for shared channels. Renamed to ``manage_secure_connections``. | ++----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| manage_shared_channels | system | Share and unshare channels with secure connections to remote Mattermost instances. | ++----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| manage_secure_connections | system | Create, manage, and remove secure connections to remote Mattermost servers. 
| +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_post_bleve_indexes_job | system | Manage the status of a Bleve post indexing job. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -378,7 +382,7 @@ The following built-in roles with default permissions are available: - invite_user - manage_shared_channels - remove_others_reactions -- manage_remote_clusters +- manage_secure_connections - sysconsole_write_user_management_users - sysconsole_read_experimental - sysconsole_write_compliance @@ -473,6 +477,14 @@ The following built-in roles with default permissions are available: - manage members - restore +*shared_channel_manager* + +- manage_shared_channels + +*secure_connection_manager* + +- manage_secure_connections + *system_guest* - create_group_channel diff --git a/source/administration-guide/onboard/connected-workspaces.rst b/source/administration-guide/onboard/connected-workspaces.rst index 72e06959c6d..4ff18fa9ff1 100644 --- a/source/administration-guide/onboard/connected-workspaces.rst +++ b/source/administration-guide/onboard/connected-workspaces.rst 
@@ -62,7 +62,7 @@ Create a secure connection .. tab:: Slash Commands - By default, only system admins can use slash commands to create workspace connections. You can grant the ability to **Manage Shared Channels** and **Managed Secure Connections** to Mattermost users by modifying permissions of the :ref:`system scheme ` or :ref:`team override scheme `. + By default, only system admins can use slash commands to create workspace connections. You can delegate these capabilities using the built-in **Shared Channel Manager** and **Secure Connection Manager** :doc:`delegated administration roles `. Alternatively, you can grant the ability to **Manage Shared Channels** and **Manage Secure Connections** to Mattermost users by modifying permissions of the :ref:`system scheme ` or :ref:`team override scheme `. System admins can :doc:`run the following slash command ` to create a secure connection invitation: diff --git a/source/administration-guide/onboard/delegated-granular-administration.rst b/source/administration-guide/onboard/delegated-granular-administration.rst index a4e80d62253..013ef858932 100644 --- a/source/administration-guide/onboard/delegated-granular-administration.rst +++ b/source/administration-guide/onboard/delegated-granular-administration.rst 
@@ -19,6 +19,8 @@ A system admin can configure the following delegated granular administration rol - **System Manager:** This role can be configured to have read/write permissions in different management areas. - **User Manager:** This role can be configured to have read/write to all the user management areas and to authentication - **Custom Group Manager** This role has permissions to :doc:`create, edit, restore, and delete custom user groups `. This role can be used to assign individual users the ability to manage custom groups when **Custom Groups** permissions are removed for **All Members** via **System Console > Permissions > Edit Scheme > Custom Groups**. +- **Shared Channel Manager** This role has the ``manage_shared_channels`` permission, allowing assigned users to share and unshare channels with secure connections. +- **Secure Connection Manager** This role has the ``manage_secure_connections`` permission, allowing assigned users to create, manage, and remove secure connections to remote servers. - **Viewer:** The Viewer role can view all areas of the System Console, and can be configured with write access where needed. When a user is assigned a system role, they have role-based access to the System Console and the underlying API endpoints. Each role has a different set of default permissions, and what users can access or view depends on the role they've been assigned. 
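Review bot: in the @@ -19 hunk of delegated-granular-administration.rst, the two new bullets are written as `**Shared Channel Manager** This role has ...` with no colon after the bold label, while the System Manager, User Manager and Viewer bullets in the same list use the `**Name:**` form; the Custom Group Manager bullet already has this inconsistency, so rather than extending it, suggest `- **Shared Channel Manager:** This role has the ``manage_shared_channels`` permission, ...` and the same for Secure Connection Manager.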
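Review bot: in the @@ -62 hunk of connected-workspaces.rst, "You can delegate these capabilities using the built-in **Shared Channel Manager** and **Secure Connection Manager**" follows a sentence that only talks about creating workspace connections, yet per the permissions table the Shared Channel Manager role cannot create connections (it only shares channels with existing ones). State the mapping explicitly, for example "Secure Connection Manager to create and manage connections, and Shared Channel Manager to share channels with them", so an administrator does not grant the wrong role for the task.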
@@ -44,6 +46,12 @@ The table below lists the default permissions for each role. Admins should caref +----------------------+-----------------------+---------------------------------------+ | Custom Group Manager | Custom User Groups | N/A | +----------------------+-----------------------+---------------------------------------+ +| Shared Channel | Shared Channels | N/A | +| Manager | | | ++----------------------+-----------------------+---------------------------------------+ +| Secure Connection | Secure Connections | N/A | +| Manager | | | ++----------------------+-----------------------+---------------------------------------+ | Viewer | N/A | - All pages within the System Console | +----------------------+-----------------------+---------------------------------------+ 
@@ -82,6 +90,16 @@ There are two ways to assign roles: | | **System Console > User Management > Permissions > Edit Scheme**. Under **All Members**, clear all of | | | | the **Custom Groups** permissions, including **Create**, **Manage members**, **Edit**, and **Delete**. | | +---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ +| Grant the Shared Channel Manager role to a user | 1. Go to **System Console > User Management > Delegated Granular Administration**, then select the **Shared Channel Manager** | ``mmctl permissions role assign shared_channel_manager user-name`` | +| | role. | | +| | 2. Under **Assigned People**, select **Add People**. | | +| | 3. Search for and select the user name, then select **Add** to grant the Shared Channel Manager role to that user. | | ++---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ +| Grant the Secure Connection Manager | 1. Go to **System Console > User Management > Delegated Granular Administration**, then select the **Secure Connection Manager** | ``mmctl permissions role assign secure_connection_manager user-name`` | +| role to a user | role. | | +| | 2. Under **Assigned People**, select **Add People**. | | +| | 3. Search for and select the user name, then select **Add** to grant the Secure Connection Manager role to that user. 
| | ++---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ | Remove the System Manager role from a single user | 1. Go to **System Console > User Management > Delegated Granular Administration**, then select the **System Manager** role. | ``mmctl permissions role unassign system_manager bob-smith`` | | | 2. Under **Assigned People**, search for the user, then select **Remove**. | | +---------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+ @@ -89,7 +107,7 @@ There are two ways to assign roles: Edit privileges of admin roles (advanced) ------------------------------------------ -System admins can grant read/write access to other areas of the System Console, as well as remove read/write access (including default access), for all system roles except the Custom Group Manager role. +System admins can grant read/write access to other areas of the System Console, as well as remove read/write access (including default access), for all system roles except the Custom Group Manager, Shared Channel Manager, and Secure Connection Manager roles. There are two ways to assign roles: @@ -134,6 +152,8 @@ Roles - ``system_manager`` - ``system_user_manager`` - ``system_custom_group_admin`` +- ``shared_channel_manager`` +- ``secure_connection_manager`` - ``system_read_only_admin`` Privileges From b44d94d9c7739b437b47275c9dde2135308b3f0a Mon Sep 17 00:00:00 2001 
From: wiggin77 Date: Wed, 18 Feb 2026 13:26:04 -0500 Subject: [PATCH 2/4] Add more clarity to docs around sysadmin vs secure connections admin --- .../onboard/connected-workspaces.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/source/administration-guide/onboard/connected-workspaces.rst b/source/administration-guide/onboard/connected-workspaces.rst index 4ff18fa9ff1..1c2483c7f8c 100644 --- a/source/administration-guide/onboard/connected-workspaces.rst +++ b/source/administration-guide/onboard/connected-workspaces.rst 
@@ -19,16 +19,16 @@ The process of connecting Mattermost workspaces involves the following 5 steps: 2. `Enable the connected workspaces functionality <#enable-connected-workspaces>`__ for each Mattermost Enterprise instance you want to connect. -3. System admins must `create a secure and trusted connection <#create-a-secure-connection>`__ with other Mattermost Enterprise instances using the System Console or slash commands. This process involves creating a password-protected, encrypted invitation, creating a strong decryption password, then sending the invitation and password to the system admin of a remote Mattermost instance. From Mattermost v11.0, remote cluster invitations use PBKDF2 key derivation for enhanced security. +3. System admins or users with the **Secure Connection Manager** role must `create a secure and trusted connection <#create-a-secure-connection>`__ with other Mattermost Enterprise instances using the System Console or slash commands. This process involves creating a password-protected, encrypted invitation, creating a strong decryption password, then sending the invitation and password to the admin of a remote Mattermost instance. From Mattermost v11.0, remote cluster invitations use PBKDF2 key derivation for enhanced security. -4. When a remote system admin receives the invitation, they must `accept the invitation <#accept-a-secure-connection-invitation>`__ using the System Console or slash commands. +4. When a remote admin receives the invitation, they must `accept the invitation <#accept-a-secure-connection-invitation>`__ using the System Console or slash commands. -5. Once a trusted relationship is established between 2 Mattermost servers, system admins can `share specific public or private channels <#share-channels-with-secure-connections>`__ with secure connections. +5. 
Once a trusted relationship is established between 2 Mattermost servers, system admins or users with the **Shared Channel Manager** role can `share specific public or private channels <#share-channels-with-secure-connections>`__ with secure connections. .. note:: - - System admins can only create secure connections with other Mattermost Enterprise instances, and can only share channels with secured connections. - - System admins must use Mattermost to generate a password-protected encrypted invitation code. However, sending secure connection invitations is not completed using Mattermost. System admins must have an independent way to extend the secure connection invitation, such as by email. + - Only system admins or users with the appropriate :doc:`delegated administration role ` can create secure connections with other Mattermost Enterprise instances and share channels with secured connections. + - Users creating secure connections must use Mattermost to generate a password-protected encrypted invitation code. However, sending secure connection invitations is not completed using Mattermost. They must have an independent way to extend the secure connection invitation, such as by email. - A channel shared by a host organization cannot be shared from the receiving organization to another organization. Organizations can't share a channel originating from another organization. Enable connected workspaces 
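Review bot: in the @@ -19 hunk of connected-workspaces.rst, step 4 now says a "remote admin" accepts the invitation, but neither that step nor the rewritten note says which delegated role may accept; step 3 and the later Manage connections hunk only name Secure Connection Manager for creating and editing connections. Say explicitly whether the Secure Connection Manager role on the receiving server is sufficient to accept an invitation, since that is the permission the remote administrator has to plan for before the invitation code and password are sent out of band.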
@@ -64,7 +64,7 @@ Create a secure connection By default, only system admins can use slash commands to create workspace connections. You can delegate these capabilities using the built-in **Shared Channel Manager** and **Secure Connection Manager** :doc:`delegated administration roles `. Alternatively, you can grant the ability to **Manage Shared Channels** and **Manage Secure Connections** to Mattermost users by modifying permissions of the :ref:`system scheme ` or :ref:`team override scheme `. - System admins can :doc:`run the following slash command ` to create a secure connection invitation: + Authorized users can :doc:`run the following slash command ` to create a secure connection invitation: ``/secure-connection create --name <--displayname> --password`` @@ -116,7 +116,7 @@ Accept a connection invitation Share channels with secure connections -------------------------------------- -Once a connection is established between two Mattermost servers, system admins can share channels across secured workspaces. +Once a connection is established between two Mattermost servers, system admins or users with the **Shared Channel Manager** role can share channels across secured workspaces. .. tab:: System Console 
@@ -200,7 +200,7 @@ When ``EnableSharedChannelsMemberSync`` is disabled, channel membership changes Manage connections and invitations ---------------------------------- -System admins can `edit <#edit-a-connected-workspace>`__ or `delete <#delete-a-connected-workspace>`__ a connected workspace, and `review connection status <#review-connection-status>`__, and `regenerate invitation codes and passwords <#regenerate-invitation-codes-for-pending-connections>`__ for pending connections. +System admins or users with the **Secure Connection Manager** role can `edit <#edit-a-connected-workspace>`__ or `delete <#delete-a-connected-workspace>`__ a connected workspace, and `review connection status <#review-connection-status>`__, and `regenerate invitation codes and passwords <#regenerate-invitation-codes-for-pending-connections>`__ for pending connections. Edit a connected workspace ~~~~~~~~~~~~~~~~~~~~~~~~~~ From 9499fa85170504634fb22929837c7cfd5c572320 Mon Sep 17 00:00:00 2001 From: wiggin77 Date: Sun, 22 Feb 2026 11:22:00 -0500 Subject: [PATCH 3/4] Fix wording to remove Mattermost from server types we can connect to --- .../onboard/advanced-permissions-backend-infrastructure.rst | 4 ++-- .../onboard/delegated-granular-administration.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst index afaed7a6661..ee82ac7661c 100644 --- a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst +++ b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst 
@@ -208,9 +208,9 @@ Permissions in Mattermost are a property of the server code base and are not cre +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_remote_clusters (deprecated) | system | Add, remove, and view remote clusters for shared channels. Renamed to ``manage_secure_connections``. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| manage_shared_channels | system | Share and unshare channels with secure connections to remote Mattermost instances. | +| manage_shared_channels | system | Share and unshare channels with existing connections to remote servers. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| manage_secure_connections | system | Create, manage, and remove secure connections to remote Mattermost servers. | +| manage_secure_connections | system | Create, manage, and remove secure connections to remote servers. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_post_bleve_indexes_job | system | Manage the status of a Bleve post indexing job. 
| +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/source/administration-guide/onboard/delegated-granular-administration.rst b/source/administration-guide/onboard/delegated-granular-administration.rst index 013ef858932..2e29b9906b3 100644 --- a/source/administration-guide/onboard/delegated-granular-administration.rst +++ b/source/administration-guide/onboard/delegated-granular-administration.rst @@ -19,7 +19,7 @@ A system admin can configure the following delegated granular administration rol - **System Manager:** This role can be configured to have read/write permissions in different management areas. - **User Manager:** This role can be configured to have read/write to all the user management areas and to authentication - **Custom Group Manager** This role has permissions to :doc:`create, edit, restore, and delete custom user groups `. This role can be used to assign individual users the ability to manage custom groups when **Custom Groups** permissions are removed for **All Members** via **System Console > Permissions > Edit Scheme > Custom Groups**. -- **Shared Channel Manager** This role has the ``manage_shared_channels`` permission, allowing assigned users to share and unshare channels with secure connections. +- **Shared Channel Manager** This role has the ``manage_shared_channels`` permission, allowing assigned users to share and unshare channels with existing connections to remote servers. - **Secure Connection Manager** This role has the ``manage_secure_connections`` permission, allowing assigned users to create, manage, and remove secure connections to remote servers. - **Viewer:** The Viewer role can view all areas of the System Console, and can be configured with write access where needed. 
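Review bot: in the @@ -134 hunk of delegated-granular-administration.rst in PATCH 1/4 (and the matching @@ -473 hunk of advanced-permissions-backend-infrastructure.rst), the new role identifiers ``shared_channel_manager`` and ``secure_connection_manager`` break the ``system_`` prefix convention of the neighbouring entries (``system_manager``, ``system_user_manager``, ``system_custom_group_admin``, ``system_read_only_admin``). If these are the server's actual role names the ``mmctl permissions role assign`` examples in the @@ -82 hunk depend on them being exact, so confirm them against the MM-67647 server change; if they are not, align them with the prefix before the identifiers land in the docs.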
From 775f9a147753f49b6de29b8ebacd61552fe9072e Mon Sep 17 00:00:00 2001 From: wiggin77 Date: Fri, 6 Mar 2026 23:05:39 -0500 Subject: [PATCH 4/4] Add server version info for manage_remote_clusters permission deprecation. --- .../onboard/advanced-permissions-backend-infrastructure.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst index ee82ac7661c..e1631476307 100644 --- a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst +++ b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst 
@@ -206,7 +206,7 @@ Permissions in Mattermost are a property of the server code base and are not cre +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | demote_to_guest | system | Demote member users to guests. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| manage_remote_clusters (deprecated) | system | Add, remove, and view remote clusters for shared channels. Renamed to ``manage_secure_connections``. | +| manage_remote_clusters (deprecated in v5.36) | system | Add, remove, and view remote clusters for shared channels. Deprecated in v5.36; renamed to ``manage_secure_connections``. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_shared_channels | system | Share and unshare channels with existing connections to remote servers. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
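Review bot: in this @@ -206 hunk the version is stated twice in one row, in the name column as `manage_remote_clusters (deprecated in v5.36)` and again in the description as "Deprecated in v5.36; renamed to ...". Keep it in the description only, so the first column stays a bare permission identifier like every other row and can be matched against scheme exports. The row also still does not say what happens to schemes that already grant ``manage_remote_clusters`` (migrated automatically to ``manage_secure_connections``, or must be re-granted), which is the question an admin auditing an existing permission scheme will need answered.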