role and member management

Signed-off-by: Roland.Ma <rolandma@yunify.com>

content/en/docs/devops-user-guide/devops-administration/role-and-member-management.md

@@ -7,4 +7,75 @@ description: 'Role and Member Management'
 weight: 2240
 ---
 
-TBD
+This guide demonstrates how to manage roles and members in your DevOps project. For the overview of KubeSphere roles, see the [Overview of Role Management](../todo). 
+
+In DevOps project scope, you can grant the following resources' permissions to a role:
+
+- Pipelines
+- Credentials
+- DevOps Settings
+- Access Control
+
+## Prerequisites
+
+At least one DevOps project has been created, such as `demo-devops`. And you need an account of the `devops-admin` role. See the [Create Workspace, Project, Account and Role](../../../quick-start/create-workspace-and-project/) if not yet.
+
+## Built-in roles
+
+In **Project Roles**, there are three available built-in roles as shown below. Built-in roles are created automatically by KubeSphere when creating the DevOps project and they cannot be edited or deleted.
+
+| Built-in Roles     | Description                                                  |
+| ------------------ | ------------------------------------------------------------ |
+| viewer | Allows viewer access to view all resources in the DevOps project. |
+| operator   | Normal member in a DevOps project who can create pipeline credentials in the DevOps project.|
+| admin     | Allows admin access to perform any action on any resource. It gives full control over all resources in the DevOps project. |
+
+## Create a DevOps Project Role
+
+1. Log in the console as `devops-admin` and select `demo-devops` under **DevOps Projects** list.
+2. Go to **Project Roles** in **Project Management**, click **Create** and set a **Role Identifier**. In this example, a role named `pipeline-creator` will be created.
+
+![Create a devops project role](/images/docs/devops-admin/devops_role_step1.png)
+
+Click **Edit Authorization** to continue.
+
+3. In **Pipelines Management**, select the authorization that you want the user granted this role to have. For example, **Pipelines Management** and **Pipelines View** are selected for this role. Click OK to finish.
+
+![Edit Authorization](/images/docs/devops-admin/devops_role_step2.png)
+
+{{< notice note >}} 
+
+**Depend on** means the major authorization (the one listed after **Depend on**) needs to be selected first so that the affiliated authorization can be assigned.
+
+{{</ notice >}} 
+
+4. Newly-created roles will be listed in **Project Roles**. You can click the three dots on the right to edit it.
+
+![Edit Roles](/images/docs/devops-admin/devops_role_list.png)
+
+{{< notice note >}} 
+
+The role of `pipeline-creator` is only granted with Pipeline create/view permission, which may not satisfy your demand. This example is only for demonstration purpose. You can create customized roles based on your needs.
+
+{{</ notice >}} 
+
+## Invite a New Member
+
+1. In **Project Management**, select **Project Members** and click **Invite Member**.
+
+2. Invite a user to the DevOps project. Grant the role of `pipeline-creator` to the user. 
+
+![invite member](/images/docs/devops-admin/devops_invite_member.png)
+
+{{< notice note >}} 
+
+The user must be invited to the DevOps project's workspace first.
+
+{{</ notice >}} 
+
+3. After you add a user to the DevOps project, click **OK**. In **Project Members**, you can see the newly invited member listed.
+
+4. You can also change the role of an existing member by editing it or remove it from the DevOps project.
+
+![edit member role](/images/docs/devops-admin/devops_user_edit.png)
+

content/en/docs/project-administration/project-members.md

@@ -1,10 +0,0 @@
----
-title: "Project Members"
-keywords: 'KubeSphere, kubernetes, docker, helm, jenkins, istio, prometheus'
-description: 'Project Members'
-
-linkTitle: "Project Members"
-weight: 2130
----
-
-TBD

content/en/docs/project-administration/project-roles.md

@@ -1,10 +0,0 @@
----
-title: "Project Roles"
-keywords: 'KubeSphere, kubernetes, docker, helm, jenkins, istio, prometheus'
-description: 'Volume Snapshots'
-
-linkTitle: "Project Roles"
-weight: 2130
----
-
-TBD

content/en/docs/project-administration/role-and-member-management.md

@@ -0,0 +1,89 @@
+---
+title: "Role and Member Management"
+keywords: 'KubeSphere, kubernetes, docker, helm, jenkins, istio, prometheus'
+description: 'Role and Member Management in a Project'
+
+linkTitle: "Role and Member Management"
+weight: 2130
+---
+
+This guide demonstrates how to manage roles and members in your project. For the overview of KubeSphere roles, see the [Overview of Role Management](../todo). 
+
+In project scope, you can grant the following resources' permissions to a role:
+
+- Application Workloads
+- Storage
+- Configurations
+- Monitoring & Alerting
+- Project Settings
+- Access Control
+
+## Prerequisites
+
+At least one project has been created, such as `demo-project`. And you need an account of the `project-admin` role. See the [Create Workspace, Project, Account and Role](../../quick-start/create-workspace-and-project/) if not yet.
+
+## Built-in roles
+
+In **Project Roles**, there are three available built-in roles as shown below. Built-in roles are created automatically by KubeSphere when creating the project and they cannot be edited or deleted. You can only review permissions and authorized users.
+
+| Built-in Roles     | Description                                                  |
+| ------------------ | ------------------------------------------------------------ |
+| viewer | Allows viewer access to view all resources in the namespace. |
+| regular   | The maintainer of the project who can manage resources other than users and roles in the project. |
+| admin     | Allows admin access to perform any action on any resource. It gives full control over all resources in the namespace. |
+
+1. In **Project Roles** , click on the title of `admin`.
+
+![view role details](/images/docs/project-admin/project_role_detail.png)
+
+2. You can also switch to the **Authorized Users** tab, to see all the users that are granted with an `admin` role.
+
+## Create a Project Role
+
+1. Log in the console as `project-admin` and select `demo-project` under **Projects** list.
+2. Go to **Project Roles** in **Project Settings**, click **Create** and set a **Role Identifier**. In this example, a role named `project-monitor` will be created.
+
+![Create a project role](/images/docs/project-admin/project_role_create_step1.png)
+
+Click **Edit Authorization** to continue.
+
+3. Select the authorization that you want the user granted this role to have. For example, **Application Workloads View** in **Application Workloads**, **Alerting Messages View** and **Alerting Policies View** in **Monitoring & Alerting** are selected for this role. Click **OK** to finish.
+
+![Edit Authorization](/images/docs/project-admin/project_role_create_step2.png)
+
+{{< notice note >}} 
+
+**Depend on** means the major authorization (the one listed after **Depend on**) needs to be selected first so that the affiliated authorization can be assigned.
+
+{{</ notice >}} 
+
+4. Newly-created roles will be listed in **Project Roles**. You can click the three dots on the right to edit it.
+
+![Edit Roles](/images/docs/project-admin/project_role_list.png)
+
+{{< notice note >}} 
+
+The role of `project-monitor` is only granted with Monitoring & Alerting view permission, which may not satisfy your demand. This example is only for demonstration purpose. You can create customized roles based on your needs.
+
+{{</ notice >}} 
+
+## Invite a New Member
+
+1. In **Project Settings**, select **Project Members** and click **Invite Member**.
+
+2. Invite a user to the project. Grant the role of `project-monitor` to the user. 
+
+![invite member](/images/docs/project-admin/project_invite_member_step2.png)
+
+{{< notice note >}} 
+
+The user must be invited to the project's workspace first.
+
+{{</ notice >}} 
+
+3. After you add a user to the project, click **OK**. In **Project Members**, you can see the newly invited member listed.
+
+4. You can also change the role of an existing member by editing it or remove it from the project.
+
+![edit member role](/images/docs/project-admin/project_user_edit.png)
+

content/en/docs/workspaces-administration/release-v210.md

@@ -1,10 +0,0 @@
----
-title: "Role and Member Management"
-keywords: "kubernetes, workspace, kubesphere, multitenancy"
-description: "Role and Member Management in a Workspace"
-
-linkTitle: "Role and Member Management"
-weight: 200
----
-
-TBD

content/en/docs/workspaces-administration/role-and-member-management.md

@@ -0,0 +1,90 @@
+---
+title: "Role and Member Management"
+keywords: "kubernetes, workspace, kubesphere, multitenancy"
+description: "Role and Member Management in a Workspace"
+
+linkTitle: "Role and Member Management"
+weight: 200
+---
+
+This guide demonstrates how to manage roles and members in your workspace. For the overview of KubeSphere roles, see the [Overview of Role Management](../todo). 
+
+In workspace scope, you can grant the following resources' permissions to a role:
+
+- Projects
+- DevOps
+- Access Control
+- Apps Management
+- Workspace Settings
+
+## Prerequisites
+
+At least one workspace has been created, such as `demo-workspace`. And you need an account of the `workspace-admin` role. See the [Create Workspace, Project, Account and Role](../../quick-start/create-workspace-and-project/) if not yet.
+
+{{< notice note >}} 
+
+The actual role name follows a naming convention: `workspace name-role name`. For example, in this workspace named `demo-workspace`, the actual role name of the role `workspace-admin` is `demo-workspace-admin`.
+
+{{</ notice >}} 
+
+## Built-in roles
+
+In **Workspace Roles**, there are four available built-in roles as shown below. Built-in roles are created automatically by KubeSphere when creating the workspace and they cannot be edited or deleted. You can only review permissions and authorized users.
+
+| Built-in Roles     | Description                                                  |
+| ------------------ | ------------------------------------------------------------ |
+| workspace-viewer | Allows viewer access to view all resources in the workspace. |
+| workspace-self-provisioner     | Regular user in the workspace who can create namespaces and DevOps projects.          |
+| workspace-regular   | Regular user in the workspace who cannot create namespaces or DevOps projects. |
+| workspace-admin     | Allows admin access to perform any action on any resource. It gives full control over all resources in the workspace. |
+
+1. In **Workspace Roles** , click on the title of `workspace-admin`.
+
+![invite member](/images/docs/ws-admin/workspace_role_detail.png)
+
+2. You can also switch to the **Authorized Users** tab, to see all the users that are granted with a `workspace-admin` role.
+
+## Create a Workspace Role
+
+1. Log in the console as `ws-admin` and go to **Workspace Roles** in **Workspace Settings**.
+2. In **Workspace Roles**, click **Create** and set a **Role Identifier**. In this example, a role named `workspace-projects-manager` will be created.
+
+![Create a workspace role](/images/docs/ws-admin/workspace_role_create_step1.png)
+
+Click **Edit Authorization** to continue.
+
+3. In **Projects management**, select the authorization that you want the user granted this role to have. For example, **Projects Create**, **Projects Management**, and **Projects View** are selected for this role. Click **OK** to finish.
+
+![Edit Authorization](/images/docs/ws-admin/workspace_role_create_step2.png)
+
+{{< notice note >}} 
+
+**Depend on** means the major authorization (the one listed after **Depend on**) needs to be selected first so that the affiliated authorization can be assigned.
+
+{{</ notice >}} 
+
+4. Newly-created roles will be listed in **Workspace Roles**. You can click the three dots on the right to edit it.
+
+![Edit Roles](/images/docs/ws-admin/workspace_role_edit.png)
+
+{{< notice note >}} 
+
+The role of `workspace-projects-manager` is only granted with Projects create/view permission, which may not satisfy your demand. This example is only for demonstration purpose. You can create customized roles based on your needs.
+
+{{</ notice >}} 
+
+## Invite a New Member
+
+1. In **Workspace Settings**, select **Workspace Members** and click **Invite Member**.
+
+2. Invite a user to the workspace. Grant the role `workspace-projects-manager` to the user. 
+
+![invite member](/images/docs/ws-admin/workspace_invite_user.png)
+
+
+3. After you add a user to the workspace, click **OK**. In **Workspace Members**, you can see the newly invited member listed.
+
+4. You can also change the role of an existing member by editing it or remove it from the workspace.
+
+![edit member role](/images/docs/ws-admin/workspace_user_edit.png)
+