admin docs

Author: SPRINX0\prochazka

content/admin.md

@@ -0,0 +1,17 @@
+---
+title: Adminstration
+weight: 110
+---
+
+Administration tool is available only on Team Premium edition. In Community edition, please use configuration using [environment variables](/env-variables)
+
+All configuration from administration is saved into database, use [STORAGE_xxx environment variables](/env-variables/#premium-edition-configuration) for configure this.
+
+## Administrator access
+
+Administration page is available on URL https://your_dbgate_instance/admin.html . 
+
+Root adminstrator should have password defined. You could set environment variable ADMIN_PASSWORD. If this variable is not defined, DbGate asks for admin password at first.
+
+You could then add administration permission to different user with different authentication method, but at first, you have to open this admin page.
+

content/admin/_index.md

@@ -0,0 +1,19 @@
+---
+title: Authentication
+weight: 10
+---
+
+## Authentication tab
+![Authentication administration - DbGate](https://media.dbgate.io/img/authentication-administration-light.png)
+
+There are several methods of authentication. Use will choose authentication method on login page. If you have only one authentication method enabled and authentication method doesn't require login page, login page is skipped.
+
+- Local authentication method - user is selected from user list in storage database (configured in "Users" tab)
+- Anonymous - no credentials are required, user have permissions from "anonymous-user" role
+- Use database login - credentials are redirected to database server. User will choose connection from "Connections" tab
+- OAuth 2.0 - generic OAuth provider. With some little effort and proper knowledge, could be configured with most of recent identity providers, like Google, Facebook, Keycloak
+- Active Directory - AD access via LDAP protocol
+- Microsoft Entra - former Azure Active Directory - single sign-on access to Azure databases
+
+### Option "Allow only defined logins"
+For external identity providers, user doesn't have to exist in DbGate storage database. If this checkbox is checked, user, which is not found in storage database, is not allowed to login

content/admin/auth.md

@@ -0,0 +1,12 @@
+---
+title: Connections
+weight: 20
+---
+
+## Connections tab
+Configure connections available in DbGate. Connections must be mapped to users or roles to be available.
+
+![Connections administration - DbGate](https://media.dbgate.io/img/connection-administration-light.png)
+
+## Direct access to storage database
+Admin user has also access to internal storage database, so you could make operations on database directly (eg. exports/imports of users etc.). This permission could be also granted to any other user, "Interal storage" permission

content/admin/connection.md

@@ -0,0 +1,54 @@
+---
+title: Permissions
+weight: 50
+---
+
+## Permissions system
+DbGate uses permission system with two dimensional hiearchy.
+
+One hiearchy dimension is inheritance of permissions from roles.
+- Predefined permission set
+- Predefined role (superadmin/logged-user/anonymous user)
+- Custom roles
+- User
+
+The second hiearchy dimension is inheritance from parent roles.
+
+## Database permissions
+You could configure permissions related to database on "Databases" tab (in Role detail and in User detail)
+
+Database permissions are not used, unless **"All databases"** is permission is active
+
+Each line of databases permission rules table defines permission to matched database. The order of rules is important, permissions at the bottom override permissions at the top.
+
+![Database permissions - DbGate](https://media.dbgate.io/img/dbpermissions-light.png)
+
+**Columns:**
+* Connection - define, on which connection this rule is applied
+* Database names - define database name (by list of names or by regular expression)
+* Role:
+  * View - view database, without access to tables, views, etc.
+  * Read content - access to database content, readonly
+  * Write data - change data of tables
+  * Run script - run any SQL script, create/drop/alter tables
+  * Deny - don't allow access to this database  
+
+## Table Permissions
+You could configure permissions related to database on "Tables/Views/Objects" tab (in Role detail and in User detail)
+
+Tables permissions are not used, unless **"All tables/views/objects"** is permission is active
+
+Each line of databases permission rules table defines permission to matched table. The order of rules is important, permissions at the bottom override permissions at the top.
+
+**Columns:**
+* Connection - define, on which connection this rule is applied
+* Database names - define database name (by list of names or by regular expression)
+* Schema names - define schema name (by list of names or by regular expression)
+* Table names - define table/view/procedure/trigger name (by list of names or by regular expression)
+* Scope - defines types of matched object
+* Role:
+  * Read - read table data
+  * Update only - update table rows, don't allow to insert and delete operations
+  * Run script - allow to run script with this table. In fact, if you don't have "Run script" permission on database level, this cannot be used
+  * Deny - don't allow access to this table
+

content/admin/permissions.md

@@ -0,0 +1,14 @@
+---
+title: Roles
+weight: 40
+---
+
+## Roles tab
+Configure roles, role permissions and role-connection mapping. You could create custom roles and assign users to them, so that permissions and linked connections are shared between all users assigned to this role.
+
+There are some predefined roles:
+- superadmin - role used for admin page, https://your_dbgate_instance/admin.html
+- logged-user - role used for all logged users. You could ovveride permission for specific users
+- anonymous-user - role used for users logged with "Anonymous" authentication method
+
+![Role administration - DbGate](https://media.dbgate.io/img/role-administration-light.png)

content/admin/roles.md

@@ -0,0 +1,10 @@
+---
+title: Users
+weight: 30
+---
+
+## Users tab
+Configure users, passwords, user permissions and user-connection mapping.
+Passwords are used only for "Local" authentication methods. But all methods with external identity providers use user lookup, so you could configure permissions and connections available for user, even for externaly authenticated user. 
+
+![Role administration - DbGate](https://media.dbgate.io/img/user-administration-light.png)