docs: reorganize users and groups documentation (#822)

- Move Users and Groups content from data-model.mdx to user-groups.mdx
- Rename user-groups.mdx title from "User Groups" to "Users and Groups"
- Add Service Account section explaining their purpose
- Consolidate and simplify constraints about service accounts in groups
- Convert constraints to Note component for better visibility
- Rename Role section to IAM and link both Users/Groups and Roles/Permissions
- Reorder navigation to show Users and Groups before Roles and Permissions

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <[email protected]>

Author: d-bytebase

mintlify/administration/custom-approval.mdx

@@ -9,31 +9,70 @@ feature_name: CUSTOM_APPROVAL
 
 <iframe width="675" height="380" src="https://www.youtube.com/embed/K_RWlqdplZQ" title="YouTube video player" className="w-full" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="allowFullScreen"></iframe>
 
-<Tip>
+## Overview
 
-- Custom Approval is mostly used by [UI workflow](/change-database/change-workflow/#ui-workflow). If you use [GitOps workflow](/change-database/change-workflow/#gitops-workflow), we recommend you to configure approval in the PR/MR process.
-- By default, you **can not** self-approve your own created issue even if you are a qualified approver. You
-  can [toggle](/change-database/issue/#self-approval) this behavior under project settings.
+Custom Approval allows you to create multi-stage approval workflows based on change risk levels. Each database change can require approvals from specific roles before proceeding to rollout.
 
+<Tip>
+**Best Practices:**
+- Custom Approval works best with [UI workflow](/change-database/change-workflow/#ui-workflow). For [GitOps workflow](/change-database/change-workflow/#gitops-workflow), configure approvals in your PR/MR process instead.
+- By default, users cannot self-approve their own issues. You can [change this setting](/change-database/issue/#self-approval) in project settings if needed.
 </Tip>
 
-In **Settings > Custom Approval**, you can choose which approval flow to use for a [risk level](/administration/risk-center) and define approval flows.
+## How It Works
+
+### Approval Flow Structure
+
+An approval flow consists of one or more **approval nodes** arranged in sequence:
+- Each node specifies a role (e.g., `Project Owner`, `DBA`, or custom role)
+- Any member with that role can approve the node
+- All nodes must be approved before the issue proceeds to rollout
 
-An approval flow can contain one or multiple approval nodes. Each approval node specifies a role. Any member
-of the role can approve that node. An issue will enter the rollout stage once all nodes have been approved.
-Note, depending on how the [rollout policy](/administration/environment-policy/rollout-policy/) is configured,
-it may still require another step to deploy the change manually.
+<Note>
+After approval, the actual deployment may still require manual action depending on your [rollout policy](/administration/environment-policy/rollout-policy/) configuration.
+</Note>
 
 ![Approval Flow](/content/docs/administration/custom-approval/edit-approval-flow.webp)
 
-To create or update approval flows, click the **Approval Flows** tab.
+## Setting Up Custom Approval
+
+### Step 1: Create Approval Flows
+
+1. Navigate to **Settings > Custom Approval**
+2. Click the **Approval Flows** tab
+3. Create or edit an approval flow
+4. Add approval nodes with required roles
+
+### Step 2: Assign Flows to Risk Levels
+
+1. Click the **Rules** tab
+2. Select an approval flow for each [risk level](/administration/risk-center)
+3. Choose "Skip manual approval" if no approval is needed for a specific risk level
+
+## Working with Custom Roles
+
+When built-in roles don't match your approval requirements, you can create [custom roles](/administration/roles) with specific permissions.
+
+**Example use cases:**
+- Create a `Tester` role for QA approval
+- Define a `Compliance Officer` role for regulatory review
+- Set up a `Release Manager` role for deployment coordination
+
+### Adding Custom Roles to Approval Flows
+
+1. First, [create the custom role](/administration/roles#creating-custom-roles)
+2. Navigate to **CI/CD > Custom Approval**
+3. Select the **Approval Flows** tab
+4. Edit your approval flow and add the custom role as an approval node
 
-## Rules
+![add-to-custom-approval-flow](/content/docs/administration/custom-approval/add-to-custom-approval-flow.webp)
 
-To choose the approval flow for a risk level, click the **Rules** tab.
-Choose the preset "Skip manual approval" approval flow for a risk if you don't want an approval flow at all.
+## Approval Process
 
-## Custom roles
+When an issue matches a configured risk level:
 
-Sometimes, the predefined project roles might not fit your needs. e.g. You require tester to approve.
-In that case, you can use [custom roles](/administration/custom-roles).
+1. The issue enters the approval stage
+2. Designated approvers receive notifications
+3. Each approval node must be approved in sequence
+4. After all approvals, the issue proceeds based on rollout policy
+5. Changes are deployed automatically or manually as configured

mintlify/administration/custom-roles.mdx

@@ -1,49 +1,92 @@
 ---
 title: Roles and Permissions
+feature_name: CUSTOM_ROLES
 ---
 
 <Card title="Tutorial: How to Manage Roles" icon="graduation-cap" href="/tutorials/how-to-manage-roles" horizontal />
 
 ## Overview
 
-Bytebase employs RBAC (Role-Based-Access-Control). Permissions are assigned to roles and roles are
-granted to the users and groups.
+Bytebase uses RBAC (Role-Based Access Control) to manage permissions. A **role** is a collection of permissions that can be granted to users and user groups.
 
-**Workspace Roles**
+### Permission Scope
 
-Built-in roles: `Workspace Admin`, `Workspace DBA`, `Workspace Member`.
+Permissions in Bytebase apply to two levels of resources:
 
-The workspace role maps to the roles at the organization level. Every Bytebase user has `Workspace Member` role.
-Users can also be granted `Workspace Admin`, `Workspace DBA`. These 2 roles should be granted judiciously though.
+- **Workspace-level resources**: Settings, instances, environments, and overall workspace management
+- **Project-level resources**: Project settings, databases, issues, and project-specific operations
 
-**Project Roles**
+### Role Types
 
-- Built-in roles: `Project Owner`, `Project Developer`, `Project Releaser`, `SQL Editor User` (previously called `Project Querier`), `Project Exporter`, `Project Viewer`.
-- [Custom roles](/administration/custom-roles/).
+Bytebase provides two types of roles:
 
-In addition to the inherent `Workspace Member` role, most users will be granted project roles. These roles
-allow users to perform specific database operations.
+#### Built-in Roles
 
-<Tip>
+**Workspace roles:**
+- `Workspace Admin` - Full administrative control
+- `Workspace DBA` - Database administration across all projects
+- `Workspace Member` - Basic access (automatically assigned to all users)
+
+**Project roles:**
+- `Project Owner` - Full control over project resources
+- `Project Developer` - Create and manage database changes
+- `Project Releaser` - Approve and release changes
+- `SQL Editor User` - Query databases (formerly `Project Querier`)
+- `Project Exporter` - Export data
+- `Project Viewer` - Read-only access
+
+#### Custom Roles
+
+Organizations can create custom roles with specific permission sets tailored to their needs. Custom roles are defined at the workspace level and can be granted at both workspace and project levels.
 
-To grant users a project role for all the projects, grant that project role at the workspace level.
+### Granting Roles
 
+Roles are granted through IAM policies at two levels:
+
+1. **Workspace IAM Policy** (Workspace > Members page)
+   - Grant roles that apply across all projects
+   - Manage workspace-level permissions
+
+2. **Project IAM Policy** (Project > Members page)
+   - Grant roles for specific project resources
+   - Inherits roles granted at the workspace level
+
+<Tip>
+**Inheritance:** Project IAM policies automatically inherit roles granted at the workspace level. For example, if a user is granted `Project Developer` at the workspace level, they have that role in all projects.
 </Tip>
 
 ![org-role-mapping](/content/docs/rbac/org-role-mapping.webp)
 
-Above diagram describes the mapping between an engineering org and the corresponding roles in the Bytebase workspace. Note, a particular user can be assigned multiple roles as well:
+## Creating Custom Roles
+
+1. Navigate to **IAM & Admin > Custom Roles**
+2. Click **Add role**
+3. Configure permissions for your new role
+
+![add-custom-role](/content/docs/administration/roles/add-custom-role.webp)
+
+Use **Import from role** to start with an existing role's permissions and modify them as needed.
+
+<Tip>
+**Example:** To create a role that can approve and comment on issues but not execute them, create a `Project Approver` role by importing from `Project Releaser` and removing execution permissions.
+</Tip>
+
+## Granting Roles in IAM Policy
+
+Roles (both built-in and custom) can be assigned to users and groups through the Members page at either workspace or project level:
 
-- A user can only be assigned multiple workspace roles.
-- In a particular project, a user can be assigned multiple project roles. A user can also be assigned different project roles in the different projects.
+1. Navigate to **Members** page (either in Workspace or specific Project)
+2. Click **Grant Access** to add users or groups
+3. Select the appropriate roles to grant
+4. Confirm to apply the IAM policy changes
 
-Real-world scenarios:
+When roles are granted at the workspace level, they automatically apply to all projects. Project-level grants only affect the specific project.
 
-- Organizations may not establish a dedicated DBA or platform engineering group. In such case, usaually the application engineering group head and the tech leads will wear those hats. Say a user named Alice can be a `Workspace DBA` and a `Project Owner` for Project Apollo at the same time.
+![grant-project-member](/content/docs/administration/roles/grant-project-member.webp)
 
-- An application developer could be involved in multiple projects. In such case, that engineer would also be assigned project roles in different projects respectively. Say a user named Bob can be a `Workspace Member`, a `Project Owner` for Project Apollo and a `Project Developer` for Project Mars at the same time.
+## Appendix
 
-## Workspace roles
+### Workspace Role Permissions
 
 By default, the first registered user is granted the `Admin` role, all following registered users are granted `Member` role. `Admin` can update any user's role later.
 
@@ -84,10 +127,9 @@ By default, the first registered user is granted the `Admin` role, all following
 | Manage IM integration               |        |     | ✔️    |
 | Change logo                         |        |     | ✔️    |
 
-## Project roles
+### Project Role Permissions
 
-Any user can create project. By default, the project creator is granted the `Project Owner` role.
-`Workspace DBA` and `Workspace Admin` assume the `Project Owner` role for all projects.
+Any user can create project. By default, the project creator is granted the `Project Owner` role. `Workspace DBA` and `Workspace Admin` assume the `Project Owner` role for all projects.
 
 | Project Permission           | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
 | ---------------------------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- |
@@ -96,7 +138,7 @@ Any user can create project. By default, the project creator is granted the `Pro
 | Archive project              |                 |                  |                   | ✔️            | ✔️            | ✔️              |
 | Configure UI/GitOps workflow |                 |                  |                   | ✔️            | ✔️            | ✔️              |
 
-## Database permissions
+### Database Permissions
 
 Bytebase does not define database specific roles. Whether a user can perform certain action to the database is based on the user's Workspace role and the role of the project owning the database.
 
@@ -107,15 +149,15 @@ Bytebase does not define database specific roles. Whether a user can perform cer
 | Edit database label |                 |                  |                   | ✔️            | ✔️            | ✔️              |
 | Transfer database   |                 |                  |                   | ✔️            | ✔️            | ✔️              |
 
-## Sheet permissions
+### Sheet Permissions
 
 User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always belongs to a project. Sheet has three visibility levels:
 
 - Private
 - Project
 - Public
 
-### Private Sheet
+#### Private Sheet
 
 | Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
 | ---------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- |
@@ -124,7 +166,7 @@ User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always bel
 | Write      | ✔️      |                 |                  |                   |               |               |                 |
 | Delete     | ✔️      |                 |                  |                   |               |               |                 |
 
-### Project Sheet
+#### Project Sheet
 
 | Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
 | ---------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- |
@@ -133,7 +175,7 @@ User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always bel
 | Write      | ✔️      |                 |                  |                   | ✔️            | ✔️            | ✔️              |
 | Delete     | ✔️      |                 |                  |                   | ✔️            | ✔️            | ✔️              |
 
-### Public Sheet
+#### Public Sheet
 
 | Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Others |
 | ---------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------ |
@@ -142,7 +184,7 @@ User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always bel
 | Write      | ✔️      |                 |                  |                   | ✔️            |        |
 | Delete     | ✔️      |                 |                  |                   | ✔️            |        |
 
-## Issue permissions
+### Issue Permissions
 
 | Issue Permission          | Assignee | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
 | ------------------------- | -------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- |
@@ -153,4 +195,4 @@ User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always bel
 | Subscribe/Unsubscribe     | ✔️       | ✔️      | ✔️              | ✔️               | ✔️                | ✔️            | ✔️            | ✔️              |
 | Add comment               | ✔️       | ✔️      | ✔️              | ✔️               | ✔️                | ✔️            | ✔️            | ✔️              |
 
-\* `Project Owner` can change issue status when the current active [Environment Rollout Policy](/administration/environment-policy/rollout-policy) is set to **Require manual rolling out**.
+\* `Project Owner` can change issue status when the current active [Environment Rollout Policy](/administration/environment-policy/rollout-policy) is set to **Require manual rolling out**.

…tlify/concepts/roles-and-permissions.mdx mintlify/administration/roles.mdxmintlify/concepts/roles-and-permissions.mdx renamed to mintlify/administration/roles.mdx mintlify/concepts/roles-and-permissions.mdx renamed to mintlify/administration/roles.mdx

@@ -1,15 +1,24 @@
 ---
-title: User Groups
+title: Users and Groups
 feature_name: USER_GROUPS
 ---
 
-`User Group` or simply `Group` contains a set of users. `Group` simplifies access management as you can grant
-roles to a `Group` instead of granting to the individual users one by one.
+## User
 
-## Constraints
+A `User` represents anyone who can access and perform operations in Bytebase. Users include both human team members and service accounts.
 
-- Bytebase does not support nested group. A group can only contain users, it can't contain another group.
-- You can only add normal user account to the group and can not add service account. Service account within a group is an [anti-pattern](https://cloud.google.com/iam/docs/best-practices-service-accounts#groups).
+## Service Account
+
+Service accounts are special users designed for automated processes and applications.
+
+## User Group
+
+A `User Group` organizes multiple users together for easier permission management. Workspace admins create groups and add users, then assign these groups to roles within projects.
+
+<Note>
+- Bytebase does not support nested groups. A group can only contain users, it can't contain another group.
+- Service accounts cannot be part of user groups. Since service accounts are for automated processes with specific access needs, including them in groups could grant unintended permissions. This is considered an [anti-pattern](https://cloud.google.com/iam/docs/best-practices-service-accounts#groups).
+</Note>
 
 ## Add group
 
@@ -48,9 +57,3 @@ Now you can see the `Contractor Group` under **View by members** page as well as
 ![project-members-or-roles](/content/docs/administration/user-groups/project-members-or-roles.webp)
 
 All members within this group now share permission to the project.
-
-## Service account
-
-You can only add normal user account to the group and can not add service account.
-
-Service accounts are designed for application use, with each application typically having unique access needs. Since applications rarely perform identical functions, their required resource access tends to differ, making shared or identical permissions uncommon.

mintlify/administration/user-groups.mdx

@@ -10,7 +10,7 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx';
 ## 🚀 New Features
 
 - Sync schema to [multiple target databases](/change-database/synchronize-schema).
-- [Configure](/administration/custom-roles) custom roles for projects.
+- [Configure](/administration/roles) custom roles for projects.
 - Support OceanBase & Redshift.
 - New language option: Spanish 🇪🇸.
 

mintlify/changelog/bytebase-1-17-0.mdx

@@ -10,7 +10,7 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx';
 ## 🚀 New Features
 
 - Support setting parameters for MySQL online schema change.
-- Add **database viewer** role to **Project**. (Check [Roles and Permissions](/concepts/roles-and-permissions/))
+- Add **database viewer** role to **Project**. (Check [Roles and Permissions](/administration/roles))
 - Support OceanBase in Oracle Mode.
 
 ## 🎄 Enhancements