DOC-13315 Doc for Read-Only Security Admin role and role changes cleanup

modules/learn/pages/security/certificates.adoc

@@ -31,7 +31,7 @@ This page provides a general overview of using certificates with Couchbase Serve
 It assumes you know the basics of Transport Layer Security (TLS) and certificates. 
 To learn more about these topics, see the Wikipedia article on  https://en.wikipedia.org/wiki/Public_key_certificate[Public key certificate^],  and OpenSSL's https://wiki.openssl.org/index.php/Command_Line_Utilities[Command Line Utilities] page.
 
-Managing certificates requires Full Admin, Local User Security Admin, or External User Security Admin privileges.
+Managing certificates requires the Full Admin or Security Admin roles.
 
 For step-by-step instructions for creating and deploying certificate for Couchbase Server and clients, see xref:manage:manage-security/configure-server-certificates.adoc[Configure Server Certificates] and xref:manage:manage-security/configure-client-certificates.adoc[Configure Client Certificates].
 

modules/learn/pages/security/roles.adoc

@@ -100,13 +100,20 @@ This role is also available in Couchbase Server Community Edition.
 === Read-Only Admin
 
 The Read-Only Admin role lets the user read Couchbase Server settings and statistics. 
-This information includes registered usernames with roles and authentication domains, but excludes passwords.
 Users with this role can also read Backup Service data to monitor backup plans and tasks.
 
 The role lets the user log into the Couchbase Server Web Console.
 
 This role is also available in Couchbase Server Community Edition.
 
+NOTE: Prior to Couchbase Server 8.0, this role allowed the user to read security information including listing users and groups.
+In 8.0, these permissions were split off into the <<#ro-security-admin>> role.
+The Read-Only Admin role now does not allow access to any of the security information.
+
++
+When you upgrade Couchbase Server from a version earlier than 8.0 to 8.0 or later, the upgrade process grants any user with this role the <<#ro-security-admin>> role as well.
+Granting this role lets the user retain the privileges they had in prior versions.
+
 [#table_read_only_admin_role,cols="1,2,2,hrows=2"]
 |===
 3+^|  Role: Read-Only Admin (`ro_admin`)
@@ -132,8 +139,8 @@ h| Restrictions
 | Cannot list incoming replications, or add or edit replications.
 
 | *Security* 
-| Can view settings for SAML, certificates, encryption at rest, audits, and other settings.
-| Cannot change settings.
+| None.
+| All.
 
 | *Settings*
 | View all settings
@@ -235,6 +242,77 @@ h| Restrictions
 |===
 
 
+[#ro-security-admin]
+=== Read-Only Security Admin
+
+The Read-
+only Security Admin role allows the user to view all security settings except for users and groups.
+
+This role lets the user log into the Couchbase Server Web Console.
+
+NOTE: This role is new in Couchbase Server 8.0. 
+
+
+[#table_ro_security_admin_role,cols="1,2,2,hrows=2"]
+|===
+3+^| Role: Read-Only Security Admin (`ro_security_admin`)
+
+h| Resource
+h| Permissions
+h| Restrictions
+
+| *Servers* 
+| View configuration and statistics
+| Cannot add, failover, remove, modify services, or rebalance
+
+| *Buckets*
+| List buckets, scopes, and collections
+| Cannot create, drop, or edit settings, or read or write data
+
+| *Backup*
+| None
+| All 
+
+| *XDCR* 
+| List outgoing replications
+| Cannot create, start, alter connections
+
+| *Security* 
+| View LDAP, SAML, certificates, encryption at rest, audit, and logging settings.
+| Cannot make any changes to security settings.
+Cannot view or change users or groups.
+
+| *Settings*
+| View
+| Change
+
+| *Logs*
+| View
+| Collect Information
+
+| *Query*
+| None
+| All
+
+| *Search*
+| None
+| All
+
+| *Analytics*
+| None
+| All
+
+| *Eventing*
+| None
+| All
+
+| *Views*
+| None
+| All
+
+|===
+
+
 [#local-user-security-admin]
 === Local User Admin
 
@@ -530,7 +608,6 @@ Cannot add or edit replications.
 
 |===
 
-
 [#backup-full-admin]
 === Backup Full Admin
 
@@ -1146,7 +1223,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 
 
 [#manage-scope-functions]
-=== Manage Scope Functions (Query and Index)
+=== Manage Scope Functions
 
 The Manage Scope Functions role lets the user create and drop user-defined {sqlpp} functions for one or more scopes.
 When granting this role, You select the scopes where  the user can manage user-defined functions.
@@ -1624,7 +1701,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 |===
 
 [#query_manage_sequences]
-=== Query Manage Sequences
+=== Manage Sequences
 
 This role lets the user manage sequences for one or more scopes. 
 See xref:n1ql:n1ql-language-reference/sequenceops.adoc[] for more information about sequences.
@@ -1635,7 +1712,7 @@ This role lets the user log into Couchbase Server Web Console.
 [#table_query_manage_sequences_role,cols="1,2,2,hrows=2]
 |===
 
-3+^| Role: Query Manage Sequences (`query_manage_sequences`)
+3+^| Role: Manage Sequences (`query_manage_sequences`)
 
 h| Resource
 h| Permissions
@@ -1660,7 +1737,7 @@ Cannot manage sequences in buckets they do have not assigned to them.
 
 
 [#query_use_sequences]
-=== Query Use Sequences
+=== Use Sequences
 
 This role lets the user incorporate sequences into their queries in one or more scopes.
 When you grant this role, you choose the scopes where the user can use sequences.
@@ -1671,7 +1748,7 @@ This role lets the user log into Couchbase Server Web Console.
 [#table_query_use_sequences_role,cols="1,2,2,hrows=2]
 |===
 
-3+^| Role: Query Manage Sequences (`query_use_sequences`)
+3+^| Role: Manage Sequences (`query_use_sequences`)
 
 h| Resource
 h| Permissions
@@ -1730,7 +1807,6 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 |===
 
 
-
 == Search Roles
 
 The following roles give users privileges to the xref:learn:services-and-indexes/services/search-service.adoc[] features.

modules/manage/pages/manage-security/manage-auditing.adoc

@@ -13,8 +13,8 @@ The records created by the Couchbase Auditing facility capture information on _w
 The records are created by Couchbase Server-processes, which run asynchronously.
 Each record is stored as a JSON document, which can be retrieved and inspected.
 
-Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles.
-The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles.
+Auditing can be configured by the *Full Admin* and the *Security Admin* roles.
+The auditing configuration can be read by the *Full Admin*, the *Security Admin*, and the *Read-Only Security Admin* roles.
 
 A conceptual overview of event auditing can be found in xref:learn:security/auditing.adoc[Auditing].
 See the reference page xref:audit-event-reference:audit-event-reference.adoc[Audit Event Reference], for a complete list of the events that can be audited.

modules/manage/pages/manage-statistics/manage-statistics.adoc

@@ -47,8 +47,9 @@ Additional information can be displayed by left-clicking on the *Node Resources*
 === Dashboard Access
 
 All chart-content is provided by _bucket_.
-Users whose roles allow them both to access Couchbase Web Console _and_ see administrative details on one or more buckets are able to see the default chart-content for those buckets.
-For example, the *Full Admin*, *Cluster Admin*, *Read Only Admin*, *Local User Security Admin*, and *External User Security Admin* roles permit display of charts for all buckets defined on the cluster; while the *Bucket Admin* role permits display of charts only for those buckets to which the role has been applied.
+Users whose roles grant them access to Couchbase Web Console and see administrative details on one or more buckets are able to see the default chart-content for those buckets.
+For example, users with the Full Admin, Cluster Admin, Read Only Admin, Security Admin, or Read-Only Security Admin roles can display the charts for all buckets in the cluster.
+The *Bucket Admin* role allows a user to display of charts of buckets to which they were granted administrator access.
 
 Users who can see the default content for some or all buckets can also create their own, customized content for those buckets.
 Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a *Full Admin* creates customized content, it is visible only to the *Full Admin*, not to any other user.

modules/rest-api/pages/change-master-password.adoc

@@ -14,7 +14,7 @@ POST /node/controller/changeMasterPassword
 == Description
 
 This command sets the master password for the current node.
-The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required.
+Users must have the Full Admin or Security Admin role call it.
 
 For a full description of system secrets and their management, see xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets].
 

modules/rest-api/pages/get-trusted-cas.adoc

@@ -21,7 +21,7 @@ Note that this list is therefore _complete_ and _cluster-wide_.
 Note that although support of multiple root certificates is only available in versions of Couchbase Server that are 7.1 and later, this API _can_ be used on clusters that are running different versions of Couchbase Server, some of which are prior to 7.1.
 
 This method and endpoint can be used by unauthorized users: however, cluster-private details are redacted from the output.
-For all details to be returned, the user must have the Full Admin, the Local User Security Admin, or the External User Security Admin role.
+For all details to be returned, the user must have the Full Admin, the Security Admin, or the External User Security Admin role.
 See the examples provided in xref:#output-redaction[Output Redaction], below.
 
 [#curl-syntax]

modules/rest-api/pages/load-trusted-cas.adoc

@@ -19,7 +19,7 @@ Loads trusted certificates into the Couchbase-Server trust store.
 All loaded certificates can be accessed by all nodes.
 Loaded CA (or _root_) certificates can be used to provide authority to the cluster's nodes, and can be used to authenticate clients' access-attempts.
 
-The Full Admin, the Local User Security Admin, or the External User Security Admin role is required.
+This method requires the user to have the Full Admin or Security Admin role.
 
 Note the following:
 

modules/rest-api/pages/rest-auditing.adoc

@@ -28,8 +28,10 @@ A _filterable_ event is an event that can be individually disabled, even when ev
 Events that are not filterable are not included in the list returned by `GET /settings/audit/descriptors`. +
 Events that are not filterable can be retrieved using the `GET` method `/settings/audit/nonFilterableDescriptors`
 
-Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles.
-The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles.
+== Required Privileges
+
+Only users with the Full Admin or Security Admin* roles can configure Auditing.
+Users with the Full Admin, Security Admin, or the Read-Only Security Admin roles can read the Auditing configuration.
 
 == Curl Syntax
 

modules/rest-api/pages/rest-cluster-autofailover-settings.adoc

@@ -17,7 +17,7 @@ GET /settings/autoFailover
 The `GET /settings/autoFailover` HTTP method and URI retrieve auto-failover settings for the cluster.
 
 Auto-failover settings are global, and apply to all nodes in the cluster.
-To read auto-failover settings, one of the following roles is required: Full Admin, Cluster Admin, Read-Only Admin, Backup Full Admin, Eventing Full Admin, Local User Security Admin, External User Security Admin.
+
 
 == Curl Syntax
 
@@ -27,6 +27,23 @@ curl -X GET http://<ip-address-or-hostname>:8091/settings/autoFailover
   -u <username>:<password>
 ----
 
+== Required Privileges
+
+You must have one of the following roles to retrieve auto-failover settings:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin]
+* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin]
+* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin]
+* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin]
+* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin]
+* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin]
+* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin]
+* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin]
+* xref:learn:security/roles.adoc#views-admin[Views Admin]
+
 == Responses
 
 Success returns `200 OK`, and an object that contains the following parameters:

modules/rest-api/pages/rest-identify-orchestrator.adoc

@@ -31,7 +31,60 @@ curl -v -X GET -u <username>:<password>
 ----
 
 The `ip-address-or-domain-name` should specify a node within the cluster whose orchestrator-location is to be determined: information returned by the call is that which is _known to the specified node_.
-The `username` and `password` must be those of a user with the Full Admin, Cluster Admin, Read Only Admin, Local User Security Admin, or External User Security role.
+The `username` and `password` must a user with one of the roles listed in the newxt section.
+
+== Required Privileges
+
+You must have one of the following roles to call this method:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#analytics-admin[Analytics Admin]
+* xref:learn:security/roles.adoc#analytics-manager[Analytics Manager]
+* xref:learn:security/roles.adoc#analytics-reader[Analytics Reader]
+* xref:learn:security/roles.adoc#analytics-select[Analytics Select]
+* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin]
+* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin]
+* xref:learn:security/roles.adoc#application-access[Application Access]
+* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin]
+* xref:learn:security/roles.adoc#data-backup-and-restore[Data Backup & Restore]
+* xref:learn:security/roles.adoc#data-dcp-reader[Data DCP Reader]
+* xref:learn:security/roles.adoc#data-monitor[Data Monitor]
+* xref:learn:security/roles.adoc#data-reader[Data Reader]
+* xref:learn:security/roles.adoc#data-writer[Data Writer]
+* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin]
+* xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions]
+* xref:learn:security/roles.adoc#search-admin[Search Admin]
+* xref:learn:security/roles.adoc#search-reader[Search Reader]
+* xref:learn:security/roles.adoc#sync-gateway[Sync Gateway]
+* xref:learn:security/roles.adoc#query-delete[Query Delete]
+* xref:learn:security/roles.adoc#execute-scope-external-functions[Execute Scope External Functions]
+* xref:learn:security/roles.adoc#execute-scope-functions[Execute Scope Functions]
+* xref:learn:security/roles.adoc#execute-global-external-functions[Execute Global External Functions]
+* xref:learn:security/roles.adoc#execute-global-functions[Execute Global Functions]
+* xref:learn:security/roles.adoc#query-curl-access[Query CURL Access]
+* xref:learn:security/roles.adoc#query-insert[Query Insert]
+* xref:learn:security/roles.adoc#query-list-index[Query List Index]
+* xref:learn:security/roles.adoc#manage-scope-external-functions[Manage Scope External Functions]
+* xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions]
+* xref:learn:security/roles.adoc#manage-global-external-functions[Manage Global External Functions]
+* xref:learn:security/roles.adoc#manage-global-functions[Manage Global Functions]
+* xref:learn:security/roles.adoc#query-manage-index[Query Manage Index]
+* xref:learn:security/roles.adoc#query_manage_sequences[Manage Sequences]
+* xref:learn:security/roles.adoc#query_manage_system_catalog[Query Manage System Catalog]
+* xref:learn:security/roles.adoc#query-select[Query Select]
+* xref:learn:security/roles.adoc#query-system-catalog[Query System Catalog]
+* xref:learn:security/roles.adoc#query-update[Query Update]
+* xref:learn:security/roles.adoc#query_use_sequences[Use Sequences]
+* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin]
+* xref:learn:security/roles.adoc#xdcr-inbound[XDCR Inbound]
+* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin]
+* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin]
+* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin]
+* xref:learn:security/roles.adoc#views-admin[Views Admin]
+* xref:learn:security/roles.adoc#views-reader[Views Reader]
+
 
 == Responses
 
@@ -73,10 +126,10 @@ If the call is successful, `200 OK` is returned, with the following output:
 
 ----
 {
-  "clusterUUID": "21d1c9a5d1f40f5bb8ac73f6df9db8a7",
-  "orchestrator": "ns_1@10.143.210.101",
+  "clusterUUID": "58ea8d6385837b4aa60755a9a6ab81bb",
+  "orchestrator": "ns_1@node3.",
   "isBalanced": true,
-  "clusterCompatVersion": "6.6"
+  "clusterCompatVersion": "8.0"
 }
 ----
 

modules/rest-api/pages/rest-logs-get.adoc

@@ -17,7 +17,7 @@ GET /sasl_logs/<log-name>
 == Description
 
 The `GET /diag` method and URI return general Couchbase-Server diagnostic information.
-This requires the *Full Admin*, the *Cluster Admin*, or the *Local User Security Admin* role.
+
 
 The `GET /sasl_logs` method and URI return the contents of a Couchbase-Server _log_ file.
 This requires the *Full Admin* or the *Cluster Admin* role.
@@ -40,6 +40,18 @@ For a complete list of log files, see xref:manage:manage-logging/manage-logging.
 
 If no `log-name` argument is specified, the default value is `debug`; whereby the contents of the `debug.log` file are displayed.
 
+== Required Privileges
+
+You must have one of the following roles to call this endpoint:
+
+ * Full Admin 
+ * Cluster Admin 
+ * Read-Only Security Admin 
+ * Security Admin 
+ * External User Admin
+ * Local User Admin
+
+
 [#responses]
 == Responses
 For both URIs, success gives `200 OK`, and displays the returned content.

modules/rest-api/pages/rest-regenerate-all-certs.adoc

@@ -47,7 +47,7 @@ Success returns `200 OK` and the text of the regenerated, default root certifica
 An incorrect username-password combination fails with `401 Unauthorized`.
 An incorrectly specified URI fails with `404 Object Not Found`.
 An incorrectly specified IP address or domain name causes the attempted connection to time out, with a `Failed to connect` notification.
-An attempt to regenerate certificates without the Full Admin, the Local User Security Admin, or the External User Security Admin role fails with either `401 Unauthorized` or `403 Forbidden` with a notification such as `"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security!write"]`.
+An attempt to regenerate certificates without the Full Admin or Security Admin role fails with either `401 Unauthorized` or `403 Forbidden` with a notification such as `"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security!write"]`.
 
 [#example]
 == Example

modules/rest-api/pages/rest-set-password-policy.adoc

@@ -19,7 +19,7 @@ POST /settings/passwordPolicy
 A cluster's _password policy_ specifies a set of character-related requirements that must be met by all passwords whose definition occurs subsequent to the establishing of the policy.
 Previously defined passwords continue to be valid, even if they do not meet the requirements specified in the most recent policy.
 
-To establish the cluster's password policy, the user must have been assigned the Full Admin, the Local User Security Admin, or the External User Security Admin role.
+To call this endpoint, you must have the Full Admin or Security Admin role.
 
 [#curl-syntax]
 == Curl Syntax