adjust info about RBAC

equinor · Aug 14, 2023 · 8848da9 · 8848da9
1 parent 7e09b84
commit 8848da9
Showing 1 changed file with 16 additions and 14 deletions.
diff --git a/public-site/docs/src/docs/topic-security/index.md b/public-site/docs/src/docs/topic-security/index.md
@@ -5,21 +5,23 @@ title: Security
 # Security
 
 ## Role Based Access Control
-RBAC within the Radix Platform is structured into different roles, each tailored to grant varying degrees of access.
-
-### Radix Platform User
-Membership in the 'Radix Platform User' AD group grants access to
-
-- Radix Web Console
-- Grafana Dashboard (Monitoring)
-
-Only members of the AD group provided during application registration, will be able to see the application listed in the Radix web console. Same AD group also controls who will be able to change the configuration of the application in the Radix web console.
-
-### Radix Application Reader Role
-A newer addition to the Radix RBAC is the 'Radix application reader' role. This role is designed for users who require read-only access to information about a Radix application. 
-These users should not be able to perform any actions that could impact the application's state, such as starting or stopping components or deleting the application.
+There are three roles which govern access to the management plane of Radix.
+
+#### Radix Platform User
+The Radix Platform User role is scoped to the entirety of the Radix platform. Members of the Radix Platform User AD 
+group are granted access to create new Radix applications, view the Radix Web Console and the Grafana Dashboard (Monitoring). 
+Membership of this AD group is granted by submitting an application in AccessIT.
+
+#### Radix Application Admin Role
+Each Radix application has a list of AD groups whose members are granted the Radix Application Admin role.
+Users with this role can view and modify all attributes of a Radix applications, including, but not limited to, 
+the application's configuration, environment variables, and secrets.
+
+#### Radix Application Reader Role
+Similar to the Radix Application Admin role, each Radix application has a list of AD groups whose members are granted the 
+Radix Application Reader role. This role is designed for users who require read-only access to information about a Radix application. 
+These users can not perform any actions that could impact the application's state, such as starting or stopping components or deleting the application.
 Readers have the privilege to access logs associated with the application's replicas and jobs. This access enables troubleshooting and gathering insights without having the risk of impacting the application.
-The 'Radix application reader' role is an Azure AD group that can be assigned under 'Access control' in the Configuration page of the application.
 
 ## Authentication