From c72797ae3198e01f115326dc6ff08051ffe88dd7 Mon Sep 17 00:00:00 2001 From: Brendan Bondurant Date: Wed, 11 Jun 2025 13:29:13 -0700 Subject: [PATCH 1/4] Update section for clarity --- docs/studio/groups/group-rules.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/studio/groups/group-rules.mdx b/docs/studio/groups/group-rules.mdx index 3a3008ef..05957b3c 100644 --- a/docs/studio/groups/group-rules.mdx +++ b/docs/studio/groups/group-rules.mdx @@ -26,7 +26,7 @@ You can assign multiple roles to a group using the `Add rule` button. If no grou -Each role can be added only once per group. After assigning a role, you may associate it with multiple resources, but you cannot create additional rules for the same role. +Each role type can only be added once per group. For example, you can assign the `Organization Admin` and `Organization Viewer` roles in the same group, however you cannot assign the same role type more than once. You could also add a `Graph Admin` role to that group, as long as each role type appears only once. The order in which the roles are assigned to the role doesn't have any effect when performing checks. For example, given the following group: From 5aef2eea3294e747d115028c5889461770d3dfc0 Mon Sep 17 00:00:00 2001 From: Brendan Bondurant Date: Wed, 11 Jun 2025 13:30:09 -0700 Subject: [PATCH 2/4] Change however to but --- docs/studio/groups/group-rules.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/studio/groups/group-rules.mdx b/docs/studio/groups/group-rules.mdx index 05957b3c..25f34791 100644 --- a/docs/studio/groups/group-rules.mdx +++ b/docs/studio/groups/group-rules.mdx @@ -26,7 +26,7 @@ You can assign multiple roles to a group using the `Add rule` button. If no grou -Each role type can only be added once per group. For example, you can assign the `Organization Admin` and `Organization Viewer` roles in the same group, however you cannot assign the same role type more than once. You could also add a `Graph Admin` role to that group, as long as each role type appears only once. +Each role type can only be added once per group. For example, you can assign the `Organization Admin` and `Organization Viewer` roles in the same group, but you cannot assign the same role type more than once. You could also add a `Graph Admin` role to that group, as long as each role type appears only once. The order in which the roles are assigned to the role doesn't have any effect when performing checks. For example, given the following group: From 2cf82a1dc6e3f89c6792bba456d6782da6697556 Mon Sep 17 00:00:00 2001 From: Brendan Bondurant Date: Wed, 11 Jun 2025 13:39:38 -0700 Subject: [PATCH 3/4] Copy edit everything --- docs/studio/groups/group-rules.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/studio/groups/group-rules.mdx b/docs/studio/groups/group-rules.mdx index 25f34791..a49d9710 100644 --- a/docs/studio/groups/group-rules.mdx +++ b/docs/studio/groups/group-rules.mdx @@ -12,10 +12,10 @@ A **group rule** defines the roles and associated resources that determine what When a group rule doesn't have any explicit resources, the group will always have access to all resources within the organization. -In the same way, if a rule is limited to a single resource and that resource is deleted from the organization, the rule will fallback to having access to all resources within the organization. +In the same way, if a rule is limited to a single resource and that resource is deleted from the organization, the rule will fall back to granting access to all resources in the organization. - Unlike limiting resources, if a group doesn't have any rule assigned, this will result in the group effectively not having access to any resource. + Unlike assigning specific resources, if a group doesn't have any rule assigned, this will result in the group effectively not having access to any resource. ## Roles @@ -28,7 +28,7 @@ You can assign multiple roles to a group using the `Add rule` button. If no grou Each role type can only be added once per group. For example, you can assign the `Organization Admin` and `Organization Viewer` roles in the same group, but you cannot assign the same role type more than once. You could also add a `Graph Admin` role to that group, as long as each role type appears only once. -The order in which the roles are assigned to the role doesn't have any effect when performing checks. For example, given the following group: +The order in which roles are assigned does not affect how access checks are performed. For example, given the following group: @@ -36,9 +36,9 @@ The order in which the roles are assigned to the role doesn't have any effect wh The members for this group will have **Admin** access to the `default` namespace and **Viewer** to the `test` and any other namespace that may exist in the organization. -If the namespace `default` is deleted, the **Admin** would take priority as the limitation no-longer exists. +If the namespace `default` is deleted, the **Admin** role is no longer scoped and will apply to all resources. -With this in mind, members of the following example will have **Organization Admin** access to all resources. +In the next example, the group has only the **Organization Admin** role, which grants access to all resources. @@ -53,7 +53,7 @@ These roles apply at the organization level and cannot be limited to specific re 3. **API Key Manager** — Permissions to create, modify, and delete API keys. 4. **Viewer** — Read-only access to all organizational objects. -An organization **Developer** have access to manage namespaces, create and publish graphs while an **Admin** is able to perform these operations on top of managing the organization settings. +An organization **Developer** can manage namespaces and publish graphs. An **Admin** can do the same, plus manage organization-wide settings. ### Namespace Roles @@ -96,7 +96,7 @@ If no subgraph resources are assigned, the group will have access to all subgrap -Resources represent the entities available within your organization, including but not limited to: +Resources represent entities in your organization, including but not limited to: - Namespaces - Federated Graphs From 3c4f85a0528ab4d80493fcf33140a5469120838c Mon Sep 17 00:00:00 2001 From: Brendan Bondurant Date: Wed, 11 Jun 2025 13:45:05 -0700 Subject: [PATCH 4/4] Revert that line, previous was more clear --- docs/studio/groups/group-rules.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/studio/groups/group-rules.mdx b/docs/studio/groups/group-rules.mdx index a49d9710..c19e93ec 100644 --- a/docs/studio/groups/group-rules.mdx +++ b/docs/studio/groups/group-rules.mdx @@ -38,7 +38,7 @@ The members for this group will have **Admin** access to the `default` namespace If the namespace `default` is deleted, the **Admin** role is no longer scoped and will apply to all resources. -In the next example, the group has only the **Organization Admin** role, which grants access to all resources. +With this in mind, members of the following example will have **Organization Admin** access to all resources.