X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9df4cad4500d092bb07909b6f49e4eaaa6d31984..d15a1d018bf660be8a73b72195d7bddb19318116:/doc/api/permission-model.html.textile.liquid diff --git a/doc/api/permission-model.html.textile.liquid b/doc/api/permission-model.html.textile.liquid index a44d2eefa1..d7d5eabd08 100644 --- a/doc/api/permission-model.html.textile.liquid +++ b/doc/api/permission-model.html.textile.liquid @@ -77,6 +77,8 @@ A "role" is a subtype of Group that is treated in Workbench as a group of users * All roles are owned by the system user. * The name of a role is unique across a single Arvados cluster. * Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links. +* By default, all roles are visible to all active users. However, if the configuration entry @Users.RoleGroupsVisibleToAll@ is @false@, visibility is determined by normal permission rules, _i.e._, a role is only visible to users who have that role, and to admins. +* By default, any user can create a new role. However, if the configuration entry @Users.CreateRoleGroups@ is @false@, only admins can create roles. h3. Access through Roles @@ -102,6 +104,8 @@ A user can only read a container record if the user has read permission to a con *can_manage* access to a user grants can_manage access to the user, _and everything owned by that user_ . If a user A *can_read* role R, and role R *can_manage* user B, then user A *can_read* user B _and everything owned by that user_ . +Modifying a role group requires *can_manage* permission (by contrast, *can_write* is sufficient to modify project groups and other object types). + h2(#system). System user and group A privileged user account exists for the use by internal Arvados components. This user manages system objects which should not be "owned" by any particular user. The system user uuid is @{siteprefix}-tpzed-000000000000000@.
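Review bot: the new @Users.RoleGroupsVisibleToAll@ bullet says a role is "only visible to users who have that role, and to admins", but the "Access through Roles" section below describes access in terms of permission links ("If a user A *can_read* role R ..."), so under normal permission rules a user with a can_read link to a role would also see it without being a member. Suggest "a role is only visible to users who have a permission link to that role (including its members), and to admins", and stating the default value explicitly for both @Users.RoleGroupsVisibleToAll@ and @Users.CreateRoleGroups@ (e.g. "defaults to @true@") rather than leaving it implied by "By default".

Review bot: "Modifying a role group requires *can_manage* permission" is ambiguous where it sits, since the surrounding paragraphs describe what a role grants to others rather than how the role itself is edited; say whether this covers only the group record (name, description) or also adding and removing members by creating or deleting permission links on the role. Consider moving the sentence into the bulleted list of role properties under the "role" definition, next to "Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links", and keep the can_write contrast as the parenthetical.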