Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating licenses, access, and RBAC #6310

Merged
merged 10 commits into from
Oct 18, 2024
2 changes: 1 addition & 1 deletion website/docs/best-practices/how-we-mesh/mesh-5-faqs.md
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,7 @@ There’s model-level access within dbt, role-based access for users and groups

First things first: access to underlying data is always defined and enforced by the underlying data platform (for example, BigQuery, Databricks, Redshift, Snowflake, Starburst, etc.) This access is managed by executing “DCL statements” (namely `grant`). dbt makes it easy to [configure `grants` on models](/reference/resource-configs/grants), which provision data access for other roles/users/groups in the data warehouse. However, dbt does _not_ automatically define or coordinate those grants unless they are configured explicitly. Refer to your organization's system for managing data warehouse permissions.

[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/enterprise-permissions#how-to-set-up-rbac-groups-in-dbt-cloud) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
[dbt Cloud Enterprise plans](https://www.getdbt.com/pricing) support [role-based access control (RBAC)](/docs/cloud/manage-access/about-user-access#role-based-access-control-) that manages granular permissions for users and user groups. You can control which users can see or edit all aspects of a dbt Cloud project. A user’s access to dbt Cloud projects also determines whether they can “explore” that project in detail. Roles, users, and groups are defined within the dbt Cloud application via the UI or by integrating with an identity provider.
runleonarun marked this conversation as resolved.
Show resolved Hide resolved

[Model access](/docs/collaborate/govern/model-access) defines where models can be referenced. It also informs the discoverability of those projects within dbt Explorer. Model `access` is defined in code, just like any other model configuration (`materialized`, `tags`, etc).

Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/cloud/about-cloud/architecture.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ The git repo information is stored on dbt Cloud servers to make it accessible du

### Authentication services

The default settings of dbt Cloud enable local users with credentials stored in dbt Cloud. Still, integrations with various authentication services are offered as an alternative, including [single sign-on services](/docs/cloud/manage-access/sso-overview). Access to features can be granted/restricted by role using [RBAC](/docs/cloud/manage-access/enterprise-permissions).
The default settings of dbt Cloud enable local users with credentials stored in dbt Cloud. Still, integrations with various authentication services are offered as an alternative, including [single sign-on services](/docs/cloud/manage-access/sso-overview). Access to features can be granted/restricted by role using [RBAC](/docs/cloud/manage-access/about-user-access#role-based-access-control-).

SSO features are essential because they reduce the number of credentials a user must maintain. Users sign in once and the authentication token is shared among integrated services (such as dbt Cloud). The token expires and must be refreshed at predetermined intervals, requiring the user to go through the authentication process again. If the user is disabled in the SSO provider service, their access to dbt Cloud is disabled, and they cannot override this with local auth credentials.

Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/cloud/manage-access/about-access.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ There are three license types in dbt Cloud:

- **Developer** — User can be granted _any_ permissions.
- **Read-Only** — User has read-only permissions applied to all dbt Cloud resources regardless of the role-based permissions that the user is assigned.
- **IT** — User has [Security Admin](/docs/cloud/manage-access/enterprise-permissions#security-admin) and [Billing Admin](/docs/cloud/manage-access/enterprise-permissions#billing-admin) permissions applied, regardless of the group permissions assigned.
- **IT** — User has Security Admin and Billing Admin [permissions](/docs/cloud/manage-access/enterprise-permissions) applied, regardless of the group permissions assigned.

Developer licenses will make up a majority of the users in your environment and have the highest impact on billing, so it's important to monitor how many you have at any given time.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ If you're on an Enterprise plan and have the correct [permissions](/docs/cloud/m

- To add a user, go to **Account Settings** and select **Users**.
- Click the [**Invite Users**](/docs/cloud/manage-access/invite-users) button.
- For fine-grained permission configuration, refer to [Role based access control](/docs/cloud/manage-access/enterprise-permissions).
- For fine-grained permission configuration, refer to [Role based access control](/docs/cloud/manage-access/about-user-access#role-based-access-control-).


</TabItem>
Expand Down
18 changes: 5 additions & 13 deletions website/docs/docs/cloud/manage-access/enterprise-permissions.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,22 +22,14 @@ The following roles and permission sets are available for assignment in dbt Clou

:::tip Licenses or Permission sets

The user's [license](/docs/cloud/manage-access/seats-and-users) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
The user's [license](/docs/cloud/manage-access/about-access) type always overrides their assigned permission set. This means that even if a user belongs to a dbt Cloud group with 'Account Admin' permissions, having a 'Read-Only' license would still prevent them from performing administrative actions on the account.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
:::

<Permissions feature={'/snippets/_enterprise-permissions-table.md'} />

## How to set up RBAC Groups in dbt Cloud
## Additional resources

Role-Based Access Control (RBAC) is helpful for automatically assigning permissions to dbt admins based on their SSO provider group associations. RBAC does not apply to [model groups](/docs/collaborate/govern/model-access#groups).
- [Grant users access](/docs/cloud/manage-access/about-user-access#grant-access)
- [Role-based access control](/docs/cloud/manage-access/about-user-access#role-based-access-control-)
- [Environment-level permissions](/docs/cloud/manage-access/environment-permissions)

1. Click the gear icon to the top right and select **Account Settings**. Click **Groups & Licenses**

<Lightbox src="/img/docs/dbt-cloud/Select-Groups-RBAC.png" width="70%" title="Navigate to Groups"/>

2. Select an existing group or create a new group to add RBAC. Name the group (this can be any name you like, but it's recommended to keep it consistent with the SSO groups). If you have configured SSO with SAML 2.0, you may have to use the GroupID instead of the name of the group.
3. Configure the SSO provider groups you want to add RBAC by clicking **Add** in the **SSO** section. These fields are case-sensitive and must match the source group formatting.
4. Configure the permissions for users within those groups by clicking **Add** in the **Access** section of the window.
<Lightbox src="/img/docs/dbt-cloud/Configure-SSO-Access.png" width="45%" title="Configure SSO groups and Access permissions"/>

5. When you've completed your configurations, click **Save**. Users will begin to populate the group automatically once they have signed in to dbt Cloud with their SSO credentials.
Original file line number Diff line number Diff line change
Expand Up @@ -77,4 +77,4 @@ If the user has the same roles across projects, you can apply environment access


## Related docs
-[Environment-level permissions setup](/docs/cloud/manage-access/environment-permissions-setup)
- [Environment-level permissions setup](/docs/cloud/manage-access/environment-permissions-setup)
145 changes: 0 additions & 145 deletions website/docs/docs/cloud/manage-access/licenses-and-groups.md

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ If the verification information looks appropriate, then you have completed the c

## Setting up RBAC
Now you have completed setting up SSO with GSuite, the next steps will be to set up
[RBAC groups](/docs/cloud/manage-access/enterprise-permissions) to complete your access control configuration.
[RBAC groups](/docs/cloud/manage-access/about-user-access#role-based-access-control-) to complete your access control configuration.

## Troubleshooting

Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/cloud/manage-access/set-up-sso-okta.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,4 +190,4 @@ configured in the steps above.

## Setting up RBAC
Now you have completed setting up SSO with Okta, the next steps will be to set up
[RBAC groups](/docs/cloud/manage-access/enterprise-permissions) to complete your access control configuration.
[RBAC groups](/docs/cloud/manage-access/about-user-access#role-based-access-control-) to complete your access control configuration.
Loading
Loading