From 62cd5eee84444a77a2ed1ef45876aca65346336f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Kotiuk?= <kotiuk@zohomail.eu>
Date: Tue, 13 Jun 2023 10:01:55 +0200
Subject: [PATCH] docs: Describe changing default permissions

---
 .../docs/administration/advanced/iam_system_roles.md   | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/site/content/en/docs/administration/advanced/iam_system_roles.md b/site/content/en/docs/administration/advanced/iam_system_roles.md
index 17cd5d79a5fc..c69a78a9fbd4 100644
--- a/site/content/en/docs/administration/advanced/iam_system_roles.md
+++ b/site/content/en/docs/administration/advanced/iam_system_roles.md
@@ -7,4 +7,14 @@ weight: 70
 <!--lint disable heading-style-->
 
 ## System roles
+
+By default CVAT users can be assigned to one of the following groups: `admin`, `business`, `user` and `worker`.
+
+Each of these groups gives a set of permissions.
 TBD
+
+## Changing permissions
+
+System permissions are defined using `.rego` files stored in `cvat/apps/iam/rules/`. Rego is a declarative language used for defining OPA policies. It's syntax is defined in [OPA docs](https://www.openpolicyagent.org/docs/latest/policy-language/).
+
+After applying changes to the `.rego` files, you need to rebuilt and restart the docker compose for the changes to take effect. In this case you need to include `docker-compose.dev.yml` compose config file to `docker compose` command.