Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions docs/content/docs/reconcile.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -116,10 +116,14 @@ spec:
permissions:
- compute_order_get
- compute_order_update
scopes: # resource types this role can attach to
- compute/order
- name: app_project_viewer # predefined role: override only the fields you list
permissions:
- app_project_get
- resource_aoi_get
scopes: # override the scope too, if you need to
- app/project
- name: old_role
delete: true
```
Expand Down Expand Up @@ -150,6 +154,13 @@ takes those permissions away on the next apply.
Permission references accept any form the server knows: the slug (`compute_order_get`),
`service/resource:verb`, or `service.resource.verb`.

`scopes` is the list of resource types a role can attach to (`app/organization`,
`app/project`, `compute/order`, and so on). Note how it shows up in an export: a custom
role lists its scopes in full, but a predefined role lists `scopes` only when they differ
from the shipped default. So a predefined role whose scope already matches the default
won't show a `scopes` line — the scope is still enforced, it just isn't repeated. The same
goes for `title`: it appears only when you have changed it.

## The Preference kind

`Preference` manages platform settings, like whether new organizations can be created or
Expand Down
Loading