docs: user and role permission model
This commit is contained in:
parent
036382d82d
commit
c793785e30
3 changed files with 20 additions and 0 deletions
|
|
@ -336,6 +336,12 @@ Zerobyte allows you to easily restore your data from backups. To restore data, n
|
|||
|
||||
Zerobyte uses [better-auth](https://github.com/better-auth/better-auth) for authentication and session management. The authentication system automatically adapts to your deployment scenario:
|
||||
|
||||
### Users and roles
|
||||
|
||||
Zerobyte does not currently provide fine-grained RBAC for backup operations. Authenticated organization members are trusted operators for repositories, volumes, backup schedules, restores, and notification destinations in their organization.
|
||||
|
||||
Organization roles mainly restrict organization-management and instance-management actions. For example, normal members cannot manage members, SSO settings, invitations, registration, or global users, but they can still operate backup resources. Only add users to an organization if you are comfortable with them using the storage, volume, and notification capabilities configured for the instance.
|
||||
|
||||
### Cookie security
|
||||
|
||||
- **IP Address/HTTP access**: Set `BASE_URL=http://192.168.1.50:4096` (or your IP). Cookies will use `Secure: false`, allowing immediate login without SSL.
|
||||
|
|
|
|||
|
|
@ -30,6 +30,16 @@ Invited SSO users behave differently: Zerobyte creates their membership in the i
|
|||
Zerobyte also has an instance-wide user role named `admin` for global tasks such as registration control and user management. That global role is separate from organization roles like `member`, `admin`, and `owner`.
|
||||
</Callout>
|
||||
|
||||
## Current permission model
|
||||
|
||||
Zerobyte does not currently provide fine-grained RBAC for backup operations. Authenticated organization members are trusted operators for the organization's repositories, volumes, backup schedules, restores, and notification destinations.
|
||||
|
||||
The `member`, `admin`, and `owner` roles mainly control organization-management actions. For example, standard members cannot manage members, SSO settings, invitations, or recovery-key downloads, but they can still operate backup resources inside the organization.
|
||||
|
||||
<Callout type="warn">
|
||||
Only add users to an organization if you are comfortable with them managing that organization's backup resources and using the storage, volume, and notification capabilities configured for the Zerobyte instance.
|
||||
</Callout>
|
||||
|
||||
## Invitations
|
||||
|
||||
Organization invitations carry four important pieces of data:
|
||||
|
|
|
|||
|
|
@ -78,6 +78,10 @@ In practice, an **eligible local account** means an account that already belongs
|
|||
|
||||
The invitation UI lets you assign `member`, `admin`, or `owner` at invite time. The accepted membership is created with that invited role.
|
||||
|
||||
<Callout type="warn">
|
||||
Zerobyte does not currently provide fine-grained RBAC for backup operations. Invited members can operate backup resources inside the organization. Roles mainly restrict organization-management actions such as SSO settings, invitations, member management, and recovery-key downloads.
|
||||
</Callout>
|
||||
|
||||
## Auto-linking semantics
|
||||
|
||||
- Auto-linking is stored **per provider**, not globally.
|
||||
|
|
|
|||
Loading…
Reference in a new issue