Add information about Default role and stacking roles

https://community.theforeman.org/t/organizing-access-in-foreman-seems-overly-tedious/40278/11
theforeman · Dec 6, 2024 · a4d0371 · a4d0371
1 parent 88fa936
commit a4d0371
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/...common/modules/con_best-practices-for-role-based-access-control-in-project.adoc b/...common/modules/con_best-practices-for-role-based-access-control-in-project.adoc
@@ -6,9 +6,13 @@ Define the subset of the {Project} infrastructure that you want the role to acce
 Think of the responsibilities of the role and how it differs from other roles.
 
 * Use predefined roles whenever possible:
-{Project} provides several sample roles that can be used alone or as part of a role combination.
+{Project} provides several sample roles that you can use.
 Copying and editing an existing role can be a good start for creating a custom role.
 
+* Adopt a granular approach to user role management:
+Define roles with specific, well-scoped permissions.
+Note that each user can have multiple roles assigned and that permissions from these roles are cumulative.
+
 * Add permissions gradually and test the results:
 When creating a custom role, start with a limited set of permissions and add permissions one by one, while testing continuously.
 Ensure to test your custom role to verify that it works as intended.

diff --git a/guides/common/modules/con_creating-and-managing-roles.adoc b/guides/common/modules/con_creating-and-managing-roles.adoc
@@ -16,7 +16,16 @@ For a list of these roles, see xref:Predefined_Roles_Available_in_{project-conte
 endif::[]
 You can also configure custom roles.
 
-Apart from the administrator role, the following types of roles are common:
+[NOTE]
+====
+One of the predefined roles is the *Default role*.
+{Project} assigns the *Default role* to every user in the system.
+By default, the *Default role* grants only a limited set of permissions.
+Be aware that if you add a permission to the *Default role*, every {Project} users will gain that permission.
+Assigning a different role to a user does not remove the *Default role* from the user.
+====
+
+The following types of roles are commonly defined within various {Project} deployments:
 
 Roles related to applications or parts of infrastructure::
 For example, roles for owners of {client-os} as the operating system as opposed to roles for owners of application servers and database servers.