#24698 user roles documentation

docs/panel/spaces.md

@@ -101,7 +101,9 @@ When the administrator changes the plan:
 Administrators can manage users outside the Space context.
 This allows Administrators to have an overview of all users within the Organization.
 
-Users can be added independently of Spaces, without being assigned to a specific Space.
+Users can be added independently of Spaces, without being assigned to a specific Space. 
+
+If a user is assigned to a Space, there are ways to manage their access to space content. If you wish to restrict user actions, consider adding a [Space Role](./user-roles.md) for the user. Users without any assigned role will have unrestricted access to all resources.
 
 To display the user list, navigate to the `Users` tab in the Organization management view.
 

docs/panel/user-roles.md

@@ -0,0 +1,88 @@
+title: User Roles
+description: How to manage User Roles in Flotiq.
+
+# User Roles
+
+!!! note
+    Flotiq user roles can be customized in the enterprise version only.
+    Reach out to us to discuss possible implementation.
+
+## What is a User Role?
+
+A user role represents a specific set of actions assigned to a group of users. By assigning user roles, you can control the actions each user can perform in the system.
+The actions that can you determine are:
+
+1. Read: Permits users to view existing content without making changes.
+2. Create: Allows users to add new content.
+3. Update: Grants permission for users to make changes to existing content.
+4. Delete: Provides authority for removing content.
+
+User role allows you to resctrit the actions for specific Content Type Definition or Content Type Objects.
+
+!!! note
+    Managing user roles is available only for `Organization Admin`. It’s important to note that a user without any assigned role has unrestricted access to all resources.
+
+## List User Roles
+
+To manage user roles, navigate to the dedicated **User Roles** section within the application.
+
+![](images/user-roles/roles_list.png)
+
+In this section, you have the ability to customize grid column widths and set the results per page limit. Additionally, you can create new user roles by clicking the **Add User Role** button or duplicate existing ones.
+
+## Add User Role
+
+1. **Role Creation**: To add a new user role, complete the form by providing a name, description, and at least one rule. These rules determine the permissions associated with the role.
+2. **Assigning Actions**: You can assign various actions to different Content Types. If you need additional rules, click **Add Rule**. To remove a rule, simply click the trash icon.
+3. **Rule Types**:
+    * `CO`: These rules apply to specific Content Objects of a certain Type. However, for managing the type definition itself, add a separate rule with the `CTD` type.
+    * `CTD`: These rules apply to Content Type Definitions.
+
+![](images/user-roles/empty-role-form.png){: .center .width75 .border}
+
+!!! note 
+    An essential point to note is that every Content Type has read access to its definition via the API. However, these definitions remain hidden in the dashboard until you explicitly add a rule granting read access for a specific definition.
+
+## Assign User Role
+
+1. Navigate to the `Users` tab in the Organization management view.
+2. Find a user and edit their details.
+3. In the right sidebar, you’ll find a dropdown with existing user roles within a single space. If you have multiple spaces, you’ll see several forms with roles. If a space doesn’t have any roles added, the form won’t be visible.
+
+![](images/user-roles/assign_role.png)
+
+## Examples
+
+!!! hint
+    In the examples, the media, webhook, and plugin pages are not visible in the menu. They require additional permissions for managing.
+
+### Read Blogposts
+
+Users have read access to Content Objects of Type Blogposts. However, they won’t be able to view the definition of Blogposts in the **Definition Builder** section.
+
+![](images/user-roles/blogposts_role.png){: .center .width75 .border}
+
+Outcome for the user with the assigned role:
+
+![](images/user-roles/blogposts_role_effect.png)
+
+### Manage Blogposts and read Content Type Definitions
+
+We grant users permission to perform any action with Content Objects of type Blogposts and allow them to read any Content Type Definitions in the Dashboard.
+
+![](images/user-roles/blogposts_and_ctds_role.png){: .center .width75 .border}
+
+Outcome for the user with the assigned role:
+
+![](images/user-roles/blogposts_and_ctds_role_effect.png)
+
+### Manage Content Type Definitions
+
+We grant users permission to perform any action with any Content Type Definitions, but disallow them from interacting with their Content Objects.
+
+![](images/user-roles/ctds_role.png){: .center .width75 .border}
+
+Outcome for the user with the assigned role:
+
+![](images/user-roles/ctds_role_effect.png)
+

mkdocs.yml

@@ -146,6 +146,7 @@ nav:
     - 'Content objects': panel/content-objects.md
     - 'Media library': panel/media-library.md
     - 'Users': panel/users.md
+    - 'User Roles': panel/user-roles.md
     - Webhooks:
       - 'Overview': panel/webhooks/index.md
       - 'Async CO webhooks': panel/webhooks/async-co-webhook.md