diff --git a/mintlify/administration/roles.mdx b/mintlify/administration/roles.mdx index 98498b2fe..445e99d65 100644 --- a/mintlify/administration/roles.mdx +++ b/mintlify/administration/roles.mdx @@ -28,10 +28,9 @@ Bytebase provides two types of roles: **Project roles:** - `Project Owner` - Full control over project resources -- `Project Developer` - Create and manage database changes +- `Project Developer` - Create and manage database changes; create Export issues for one-time exports - `Project Releaser` - Approve and release changes -- `SQL Editor User` - Query databases (formerly `Project Querier`) -- `Project Exporter` - Export data +- `SQL Editor User` (formerly `Project Querier`) - Query in SQL Editor; export results directly from the Editor - `Project Viewer` - Read-only access #### Custom Roles 
@@ -130,23 +129,22 @@ By default, the first registered user is granted the `Admin` role, all following Any user can create project. By default, the project creator is granted the `Project Owner` role. `Workspace DBA` and `Workspace Admin` assume the `Project Owner` role for all projects. -| Project Permission | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin | -| ---------------------------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- | -| Change project role | | | | ✔️ | ✔️ | ✔️ | -| Edit project | | | | ✔️ | ✔️ | ✔️ | -| Archive project | | | | ✔️ | ✔️ | ✔️ | -| Configure UI/GitOps workflow | | | | ✔️ | ✔️ | ✔️ | +| Project Permission | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin | +| ---------------------------- | --------------- | ----------------- | ------------- | ------------- | --------------- | +| Change project role | | | ✔️ | ✔️ | ✔️ | +| Edit project | | | ✔️ | ✔️ | ✔️ | +| Archive project | | | ✔️ | ✔️ | ✔️ | +| Configure UI/GitOps workflow | | | ✔️ | ✔️ | ✔️ | ### Database Permissions Bytebase does not define database specific roles. Whether a user can perform certain action to the database is based on the user's Workspace role and the role of the project owning the database. 
-| Database Permission | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin | -| ------------------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- | -| Query | ✔️ | | | ✔️ | ✔️ | ✔️ | -| Export | | ✔️ | | ✔️ | ✔️ | ✔️ | -| Edit database label | | | | ✔️ | ✔️ | ✔️ | -| Transfer database | | | | ✔️ | ✔️ | ✔️ | +| Database Permission | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin | +| ------------------- | --------------- | ----------------- | ------------- | ------------- | --------------- | +| Query | ✔️ | | ✔️ | ✔️ | ✔️ | +| Edit database label | | | ✔️ | ✔️ | ✔️ | +| Transfer database | | | ✔️ | ✔️ | ✔️ | ### Sheet Permissions 
@@ -158,40 +156,40 @@ User can save sheets from [SQL Editor](/sql-editor/overview). A sheet always bel #### Private Sheet -| Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin | -| ---------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- | -| Star | ✔️ | | | | | | | -| Read | ✔️ | | | | | | | -| Write | ✔️ | | | | | | | -| Delete | ✔️ | | | | | | | +| Permission | Creator | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin | +| ---------- | ------- | --------------- | ----------------- | ------------- | ------------- | --------------- | +| Star | ✔️ | | | | | | +| Read | ✔️ | | | | | | +| Write | ✔️ | | | | | | +| Delete | ✔️ | | | | | | #### Project Sheet -| Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin | -| ---------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- | -| Star | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| Read | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| Write | ✔️ | | | | ✔️ | ✔️ | ✔️ | -| Delete | ✔️ | | | | ✔️ | ✔️ | ✔️ | +| Permission | Creator | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin | +| ---------- | ------- | --------------- | ----------------- | ------------- | ------------- | --------------- | +| Star | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Read | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Write | ✔️ | | | ✔️ | ✔️ | ✔️ | +| Delete | ✔️ | | | ✔️ | ✔️ | ✔️ | #### Public Sheet -| Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Others | -| ---------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------ | -| Star | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| Read | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| Write | ✔️ | | | | ✔️ | 
| -| Delete | ✔️ | | | | ✔️ | | +| Permission | Creator | SQL Editor User | Project Developer | Project Owner | Others | +| ---------- | ------- | --------------- | ----------------- | ------------- | ------ | +| Star | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Read | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Write | ✔️ | | | ✔️ | | +| Delete | ✔️ | | | ✔️ | | ### Issue Permissions -| Issue Permission | Assignee | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin | -| ------------------------- | -------- | ------- | --------------- | ---------------- | ----------------- | ------------- | ------------- | --------------- | -| Create issue | N/A | N/A | | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| Change issue status | ✔️ | | | | | Depends\* | ✔️ | ✔️ | -| Edit name and description | ✔️ | ✔️ | | | | | ✔️ | ✔️ | -| Edit SQL Statement | | ✔️ | | | | | | | -| Subscribe/Unsubscribe | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| Add comment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Issue Permission | Assignee | Creator | SQL Editor User | Project Developer | Project Owner | Workspace DBA | Workspace Admin | +| ------------------------- | -------- | ------- | --------------- | ----------------- | ------------- | ------------- | --------------- | +| Create issue | N/A | N/A | | ✔️ | ✔️ | ✔️ | ✔️ | +| Change issue status | ✔️ | | | | Depends\* | ✔️ | ✔️ | +| Edit name and description | ✔️ | ✔️ | | | | ✔️ | ✔️ | +| Edit SQL Statement | | ✔️ | | | | | | +| Subscribe/Unsubscribe | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Add comment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | \* `Project Owner` can change issue status when the current active [Environment Rollout Policy](/change-database/environment-policy/rollout-policy) is set to **Require manual rolling out**. \ No newline at end of file diff --git a/mintlify/change-database/environment-policy/overview.mdx b/mintlify/change-database/environment-policy/overview.mdx index eb901feeb..cbcf4c727 100644 
--- a/mintlify/change-database/environment-policy/overview.mdx +++ b/mintlify/change-database/environment-policy/overview.mdx @@ -10,8 +10,6 @@ Configure and manage your database environments including policies, permissions, You can configure any color for an environment either by inputting in **HEX** tab or choosing one in the palette. -![env-color](/content/docs/administration/environment-policy/env-color.webp) - SQL Editor then displays the configured color tab. ![env-color-sql-editor](/content/docs/administration/environment-policy/env-color-sql-editor.webp) @@ -20,8 +18,6 @@ SQL Editor then displays the configured color tab. Once you mark an environment as a production environment, Bytebase will attach a shield icon 🛡️ besides the environment name. -![tier-envs](/content/docs/administration/environment-policy/tier-envs.webp) - ## Rollout policy Control who can deploy changes to each environment and whether deployments happen automatically or require manual approval. 
@@ -45,15 +41,14 @@ Configure environment-specific restrictions for SQL Editor operations: - **Restrict data copying in SQL Editor**: Only Workspace Admins and DBAs can copy data from query results - **Restrict querying admin data sources**: Limit access to administrative data sources in the SQL Editor -## Statement execution mode +## Statement execution -Even if you have `sql.dml` and `sql.ddl` [database permissions](/security/database-permission/overview/), you can only run read-only statements such as `SELECT` in SQL Editor by default. If you attempt to run mutation DML or DDL, it will prompt you to submit an issue. +By default, users with **SQL Editor User** role or `sql.dml` and `sql.ddl` [database permissions](/security/database-permission/overview/) can execute DDL and DML statements directly in SQL Editor. To restrict statement execution to SELECT-only queries and require users to create issues for data modifications, turn on the following **statement execution** settings (**Default**: `off`/`off`): -![prompt-issue](/content/docs/administration/environment-policy/prompt-issue.webp) +- Disallow running DDL statements in the SQL editor +- Disallow running data-modifying DML statements in the SQL Editor -If you want to run those statements directly in SQL Editor, you need to turn on the **statement execution** setting. - -![statement-execution](/content/docs/administration/environment-policy/statement-execution.webp) +![prompt-issue](/content/docs/administration/environment-policy/prompt-issue.webp) ## Delete an environment diff --git a/mintlify/changelog/bytebase-3-11-0.mdx b/mintlify/changelog/bytebase-3-11-0.mdx index 948334832..183e90208 100644 --- a/mintlify/changelog/bytebase-3-11-0.mdx +++ b/mintlify/changelog/bytebase-3-11-0.mdx 
@@ -11,11 +11,11 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - **Environment rollout policy update** - **Issue Creators** and **Last Issue Approvers** can no longer roll out issues. Manual rollouts now require specifying workspace/project roles or users with the `bb.taskRuns.create` permission. - - The force rollout mechanism has been replaced by configurable rollout requirements: + - The force rollout mechanism has been replaced by [configurable rollout requirements](/change-database/environment-policy/rollout-policy#configurable-rollout-requirements): - **Require Issue Approval** – ensures issues must be approved before rollout can proceed (default: enabled). - **Plan Check Enforcement** – controls rollout behavior based on plan check results (default: block on errors only). -- Deprecate `bb.sql.export` permission and `roles/projectExporter` role. +- Deprecate `bb.sql.export` permission and `roles/projectExporter` role. It’s merged into `SQL Editor User` role, which now can export directly in SQL Editor; Developer can still create Export issue as before. - Deprecate `request.row_limit` in the project IAM policy. Use `maximum_result_rows` in `QueryDataPolicy` instead. - **API** diff --git a/mintlify/content/docs/administration/environment-policy/env-color.webp b/mintlify/content/docs/administration/environment-policy/env-color.webp deleted file mode 100644 index bfac95c60..000000000 Binary files a/mintlify/content/docs/administration/environment-policy/env-color.webp and /dev/null differ diff --git a/mintlify/content/docs/administration/environment-policy/statement-execution.webp b/mintlify/content/docs/administration/environment-policy/statement-execution.webp deleted file mode 100644 index 6e8887dfa..000000000 Binary files a/mintlify/content/docs/administration/environment-policy/statement-execution.webp and /dev/null differ 
diff --git a/mintlify/content/docs/administration/environment-policy/tier-envs.webp b/mintlify/content/docs/administration/environment-policy/tier-envs.webp deleted file mode 100644 index bf505a951..000000000 Binary files a/mintlify/content/docs/administration/environment-policy/tier-envs.webp and /dev/null differ diff --git a/mintlify/content/docs/security/database-permission/export/sql-editor-request-export.webp b/mintlify/content/docs/security/database-permission/export/sql-editor-request-export.webp deleted file mode 100644 index 37b40d372..000000000 Binary files a/mintlify/content/docs/security/database-permission/export/sql-editor-request-export.webp and /dev/null differ diff --git a/mintlify/onboarding/sql-editor-data-access-control.mdx b/mintlify/onboarding/sql-editor-data-access-control.mdx index 99088abc1..488698dca 100644 --- a/mintlify/onboarding/sql-editor-data-access-control.mdx +++ b/mintlify/onboarding/sql-editor-data-access-control.mdx @@ -43,15 +43,10 @@ the project. -`SQL Editor User` is a built-in role that allows users to run `EXPLAIN` and `SELECT`. If you want to allow users -to run `EXPLAIN` only, you can create a [custom role](/administration/roles) with `bb.sql.explain` permission. +`SQL Editor User` is a built-in role that allows users to run `EXPLAIN`, `SELECT` and export data. If you want to allow users to run `EXPLAIN` only, you can create a [custom role](/administration/roles) with `bb.sql.explain` permission. -### Fine-Grained Export - -Export is a special case of query access. You need to grant the `Project Exporter` role to the user inside the project. - ### Just-In-Time Access You may disallow any production access by default and only allow temporary access on-demand. Users can this request temporary access diff --git a/mintlify/security/database-permission/export.mdx b/mintlify/security/database-permission/export.mdx index 754acf217..84971e834 100644 --- a/mintlify/security/database-permission/export.mdx 
+++ b/mintlify/security/database-permission/export.mdx @@ -1,28 +1,21 @@ --- -title: One-Time Export +title: Export Data --- -Except for requesting or being assigned `Project Exporter` role to export data repeatedly, you can also request a one-time export in **Export Center**. +There are two ways to export data: -## One-time Export Request - -Approval flow matches the `Export Data` in [custom approval](/change-database/approval/) if configured. +- As **SQL Editor User**, you can export directly from SQL Editor. +- As **Project Developer**, you can request a one-time export in **Export Center**. -### Request from SQL Editor +## Export directly from SQL Editor -Data can be exported directly from the SQL Editor result panel if you have the export permission for the data. +As **SQL Editor User**, after you run a query, you can export the result by clicking **Export** button. The exported data still respects the masking policy to mask exported columns. ![sql-editor](/content/docs/security/database-permission/export/sql-editor.webp) -Without the export permission, you can request a one-time export via **Request Export**. - -![sql-editor-request-export](/content/docs/security/database-permission/export/sql-editor-request-export.webp) - -You will be redirected to an issue page. **Create** the issue. After approval, you'll be able to export the data one time. - -![sql-editor-export](/content/docs/security/database-permission/export/sql-editor-export.webp) +## One-time Export Request -### Request from Export Center +As **Project Developer**, you can request a one-time export in **Export Center**. Approval flow matches the `Export Data` in [custom approval](/change-database/approval/) if configured. Enter **Export Center** within a project, where you **Request Export**, select a database and click **Next**. 
@@ -32,7 +25,7 @@ You'll be creating an issue. Enable **Encrypt** and set **Password** if needed, ![export-preview](/content/docs/security/database-permission/export/export-preview.webp) -After approval, you can click **Export** to download the exported file _once_. +After approval, you can click **Export** to download the exported file **unlimited times** within 24 hours. ![export](/content/docs/security/database-permission/export/export.webp) diff --git a/mintlify/security/database-permission/overview.mdx b/mintlify/security/database-permission/overview.mdx index aa3e10a19..09b8d3c49 100644 --- a/mintlify/security/database-permission/overview.mdx +++ b/mintlify/security/database-permission/overview.mdx 
@@ -14,19 +14,21 @@ You can use Bytebase to manage persistent database permissions as well as implem Database permission controls individual users' or groups' actions within the database. Below shows the built-in roles' database permissions. -| Role | EXPLAIN | Query | Export | Mutation DML | DDL | Admin | -| ----------------- | ------- | ----- | ------ | ------------ | --- | ----- | -| Workspace Admin | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | -| Workspace DBA | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | -| Project Owner | ✅ | ✅ | ✅ | ✅ | ✅ | | -| Project Developer | | | | \* | \* | | -| SQL Editor User | ✅ | ✅ | | ✅ | ✅ | | -| Project Exporter | | | ✅ | | | | -| Project Releaser | | | | | | | -| Project Viewer | | | | | | | - -\* _Project Developers can't execute DML and DDL directly in SQL Editor. On the other hand, they can -request DML/DDL change by creating an issue_. + | Role | EXPLAIN | Query | Export | Mutation DML | DDL | Admin | + | ----------------- | ------- | ----- | ------ | ------------ | --- | ----- | + | Workspace Admin | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | + | Workspace DBA | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | + | Project Owner | ✅ | ✅ | ✅ | ✅ | ✅ | | + | Project Developer | | | \*1 | \*2 | \*2 | | + | SQL Editor User | ✅ | ✅ | ✅ | \*3 | \*3 | | + | Project Releaser | | | | | | | + | Project Viewer | | | | | | | + +\*1 _**Project Developer** can create Export issues for one-time exports. While **SQL Editor User** can export directly from SQL Editor._ + +\*2 _**Project Developer** don’t have SQL Editor access and should request DDL/DML changes through an issue._ + +\*3 _**SQL Editor User** can run DDL/DML in SQL Editor unless restricted by [environment policy](/change-database/environment-policy/overview#statement-execution-mode), but it’s recommended to make these changes through issues for better traceability._ --- diff --git a/mintlify/snippets/database-permission-table.mdx b/mintlify/snippets/database-permission-table.mdx index 311671ba0..fd15f352d 100644 
--- a/mintlify/snippets/database-permission-table.mdx +++ b/mintlify/snippets/database-permission-table.mdx @@ -2,7 +2,6 @@ | ----------------------------------------------------------------------------------------------------- | ------------ | --------------- | | [Read](/sql-editor/run-queries/) | EXPLAIN | `sql.explain` | | | Query | `sql.select` | -| | Export | `sql.export` | | Write (subject to [execution mode](/change-database/environment-policy/overview/#execution-mode)) | Mutation DML | `sql.dml` | | | DDL | `sql.ddl` | | [Admin](/sql-editor/admin-mode/) | Admin | `sql.admin` | diff --git a/mintlify/sql-editor/mask-data.mdx b/mintlify/sql-editor/mask-data.mdx index 0be41c2bd..da671e389 100644 --- a/mintlify/sql-editor/mask-data.mdx +++ b/mintlify/sql-editor/mask-data.mdx @@ -2,7 +2,7 @@ title: Data Masking --- -Workspace Admins and DBAs can [configure data masking policy](/security/data-masking/overview) to prevent unauthorized access to the sensitive data. Hovering over the eye icon reveals the masking reason. +**Workspace Admins** and **DBAs** can [configure data masking policy](/security/data-masking/overview) to prevent unauthorized access to the sensitive data. Hovering over the eye icon reveals the masking reason. ![query result](/content/docs/sql-editor/bb-masking-reason.webp) diff --git a/mintlify/tutorials/how-to-manage-roles.mdx b/mintlify/tutorials/how-to-manage-roles.mdx index 3b15fd1c2..15011e937 100644 --- a/mintlify/tutorials/how-to-manage-roles.mdx +++ b/mintlify/tutorials/how-to-manage-roles.mdx 
@@ -25,7 +25,6 @@ A typical requirement is to create a `Manager` role in Bytebase who can only dep - **Project Owner**: All permissions within the project - **Project Developer**: All viewer permissions, plus permissions for requesting database changes. - **SQL Editor User**: Permissions for querying database data. - - **Project Exporter**: Permissions for exporting database data. - **Project Releaser**: All viewer permissions, plus permission for reviewing database change requests for release purposes. - **Project Viewer**: Read-only permissions for viewing basic project information, accessing databases, and initiating privilege requests.
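
Review bot: In the first hunk of `administration/roles.mdx` (Project roles list), the new `SQL Editor User` bullet lists only query and export, while the `environment-policy/overview.mdx` hunk in this patch says the same role can execute DDL and DML in SQL Editor by default. Suggest adding that to the bullet, for example "run DDL/DML unless restricted by environment policy", so the role summary does not understate what granting it allows.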
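
Review bot: In the Database Permissions table of `administration/roles.mdx` (hunk `@@ -130,23 +129,22 @@`), the `Export` row is dropped together with the `Project Exporter` column, so the table no longer shows who can export. The removed row ticked Project Owner, Workspace DBA and Workspace Admin, and the first hunk gives export to `SQL Editor User`; suggest keeping the row with those four columns ticked.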
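
Review bot: In the `## Statement execution` section of `change-database/environment-policy/overview.mdx`, the default is inverted (the removed text allowed only read-only statements by default, the added text allows DDL and DML by default) and nothing tells readers who configured environments under the old behaviour what they get now. Suggest one sentence on that, plus a line before the retained `prompt-issue.webp` image saying the prompt appears once the two settings are turned on, since the sentence that introduced the image was removed.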
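
Review bot: In the deprecation bullet of `changelog/bytebase-3-11-0.mdx`, "It’s merged into `SQL Editor User` role" has two possible antecedents (a permission and a role) and does not say what happens to users who currently hold `roles/projectExporter` or to custom roles that include `bb.sql.export`. Suggest naming the subject explicitly and stating the behaviour for existing grants.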
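
Review bot: In `onboarding/sql-editor-data-access-control.mdx`, removing the Fine-Grained Export section while adding "and export data" to the `SQL Editor User` sentence leaves it unstated that export is no longer granted separately from query. Suggest saying so next to the `bb.sql.explain` custom-role hint, because readers who kept export apart from query need to know that granting this role now includes it. The context line "Users can this request temporary access" also has a typo worth fixing in the same change.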
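
Review bot: In the first hunk of `security/database-permission/export.mdx`, "As **SQL Editor User**" reads as if only that role can export from the editor, while the role table in `database-permission/overview.mdx` also ticks Export for Project Owner, Workspace DBA and Workspace Admin. Suggest listing the roles that can export, and changing "clicking **Export** button" to "clicking the **Export** button". The reference to `sql-editor-export.webp` is removed here, but that file is not among the images this patch deletes.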
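
Review bot: In the second hunk of `security/database-permission/export.mdx`, "**unlimited times** within 24 hours" contradicts the `## One-time Export Request` heading kept above it and the "one-time exports" wording this patch adds to `roles.mdx`. Suggest either renaming the feature in the text or stating that "one-time" refers to a single approval rather than a single download, and saying when the 24 hours start.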
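
Review bot: In footnote \*3 of `security/database-permission/overview.mdx`, the link targets `overview#statement-execution-mode`, but this patch renames that heading to `## Statement execution`, so the anchor would no longer match the heading slug. Suggest `#statement-execution`. Footnote \*1 also ends in a fragment ("While **SQL Editor User** can export directly from SQL Editor.") and \*2 should read "doesn’t have".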
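
Review bot: In `snippets/database-permission-table.mdx`, the unchanged Write row still links the words "execution mode" to `overview/#execution-mode`, while this patch renames the target section to "Statement execution". Suggest updating the link text and anchor in the same change so the snippet and the policy page stay in step.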
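
Review bot: In `tutorials/how-to-manage-roles.mdx`, the **Project Exporter** bullet is removed but the **SQL Editor User** bullet still reads "Permissions for querying database data", with no mention of export. Suggest updating it to match the wording this patch adds in `roles.mdx`.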