4 changes: 3 additions & 1 deletion local-antora-playbook.yml
Expand Up @@ -14,8 +14,10 @@ content:
sources:
- url: .
branches: HEAD
# TEMP DOC-2123: point at sibling PR branch so this preview renders
# the docs PR (#1689) single-source content. REVERT `main` before merge.
- url: https://github.com/redpanda-data/documentation
branches: [main, v/*, shared, site-search]
branches: [DOC-2123-console-acl-ui-refresh, v/*, shared, site-search]
- url: https://github.com/redpanda-data/docs-site
branches: [main]
start_paths: [home]
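Review bot: The `branches: [DOC-2123-console-acl-ui-refresh, v/*, shared, site-search]` entry for the `redpanda-data/documentation` source must not merge as written, and the only guard against that is the comment above it. If it lands, builds that use this playbook pull the documentation content from a short-lived feature branch instead of `main`. Mark the PR as blocked on restoring `branches: [main, v/*, shared, site-search]`, or keep the override in a separate commit that is dropped before merge. The comment wording "REVERT `main` before merge" is also ambiguous; "revert to `main` before merge" reads more clearly.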
Expand Up @@ -48,23 +48,28 @@ rpk cloud login
export REDPANDA_BROKERS="<bootstrap-server-address>"
```

. Go to the **Security** page, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism.
. Go to **Security** > **Users**, click **Create user**, and create a user called **redpanda-chat-account** that uses the SCRAM-SHA-256 mechanism.

. Copy the password, and set the following environment variables on your local machine:
. In the *User created successfully* dialog, copy the password and set the following environment variables on your local machine:
+
```bash
export REDPANDA_SASL_USERNAME="redpanda-chat-account"
export REDPANDA_SASL_PASSWORD="<password>"
export REDPANDA_SASL_MECHANISM="SCRAM-SHA-256"
```

. Click the name of your user, and add the following permissions to the ACL (access control list):
. Click **Go to user details**.

. Under *ACLs*, click *+ Add ACL*, and define the following rule to grant the user full access to the `chat-room` topic:
+
- **Host**: *
- **Topic name**: `chat-room`
- **Operations**: All
+
. Click **Create**.
- **Resource Type**: Topic
- **Pattern Type**: Literal
- **Resource Name**: `chat-room`
- **Operation**: All
- **Permission**: Allow
- **Host**: `*`
+
. Click **Add ACL**.

. Use `rpk` on your local machine to authenticate to Redpanda as the **redpanda-chat-account** user and get information about the cluster:
+
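Review bot: In the new ACL step, **Operation**: All together with **Host**: `*` gives `redpanda-chat-account` every operation on `chat-room` from any host, and the step does not say that this is a tutorial convenience. Consider adding a sentence that accounts outside the tutorial should be limited to the operations the application actually uses, in line with the caution this PR adds for *Allow all operations* in the What's New entry. Separately, the UI labels in this hunk mix `*...*` and `**...**` markup (`*+ Add ACL*` for the button that opens the form, `**Add ACL**` for the one that submits it, `*ACLs*` next to `**Security**`); pick one form so the source stays consistent.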
2 changes: 1 addition & 1 deletion modules/get-started/pages/cluster-types/serverless.adoc
Expand Up @@ -70,7 +70,7 @@ NOTE: After private access is disabled, attempts to reach the private endpoints

. Click **Create cluster**.

. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members and grant them access with ACLs on the *Security* page.
. To start working with your cluster, go to the *Topics* page to create a topic and produce messages to it. Add team members on the *Security* > *Users* page, then click into a user to assign roles or add ACLs from their detail page.

== Interact with your cluster

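Review bot: The rewritten final step uses "click into a user", which is informal and differs from the wording this PR uses for the same action in the cloud-authentication change ("open a user under *Users*"). Suggest "Add team members on the *Security* > *Users* page, then open a user to assign roles or add ACLs on its detail page", which also replaces "their detail page" with "its detail page".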
17 changes: 17 additions & 0 deletions modules/get-started/pages/whats-new-cloud.adoc
Expand Up @@ -6,6 +6,23 @@

This page lists new features added to Redpanda Cloud.

== May 2026

=== Redpanda Console: redesigned Security page

Redpanda Console has a redesigned Security page with three tabs (*Users*, *Roles*, and *Permissions*). Each user and role has a detail page for managing its permissions.

* The *Users* tab lists each user with their assigned roles and a count of their ACLs. Filter the list by name using regular expressions; for example, `^prod-` matches every user starting with `prod-`.
* Open a user or role to manage permissions on its detail page. The *ACLs* section shows one row per rule (type, resource, operation, permission, host) and supports three actions:
** *+ Add ACL* opens a focused form for one rule (resource type, pattern type, resource name, operation, permission, host).
** *Allow all operations* grants full wildcard access across all resource types in a single step. Use this for testing only; it is too broad for production.
** Select rows with the checkboxes and click *Delete selected* to remove ACLs in bulk.
* The *Permissions* tab is a unified, cluster-wide view of every principal with ACLs. Each row shows direct ACL counts and ACLs inherited from roles, with a red badge highlighting any principal that has Deny rules. Expand a row to see all of that principal's ACLs in one table: direct rules first, then sections labeled *VIA ROLE: <role-name>* for each role they inherit from. Search across principals, resources, and roles, or click *Create ACL* to add a rule from scratch.

// TODO DOC-2123: confirm with Jan/Martin whether to call out the per-ACL edit improvement (no permission gap during edits) as a customer-facing benefit.

See xref:security:authorization/acl.adoc[] for the full ACL reference and xref:security:authorization/rbac/rbac_dp.adoc[] for role management.

== April 2026

=== Iceberg: Configurable table namespace
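Review bot: The `// TODO DOC-2123: confirm with Jan/Martin ...` comment after the bullet list is an unresolved question committed to the page source, with individual names in it. Resolve it before merge, or move it to the ticket and drop the line; if the per-ACL edit behavior is confirmed as a customer-facing benefit, it belongs as its own bullet under the *ACLs* actions. The *Permissions* bullet also packs four sentences into one list item; consider splitting it into nested bullets the way the user and role bullet above it is.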
4 changes: 2 additions & 2 deletions modules/security/pages/cloud-authentication.adoc
Expand Up @@ -125,14 +125,14 @@ BYOC and Dedicated clusters support unified authentication and authorization bet
To enable account impersonation:

. Go to the *Dataplane settings* page and select the option to enable account impersonation.
. Configure permissions for your users on the cluster *Security* page using ACLs or RBAC roles.
. Configure permissions for your users on the cluster *Security* page: open a user under *Users* (or a role under *Roles*) and add ACLs or assign roles from the detail page.

[IMPORTANT]
====
After enabling account impersonation:

* *Admin users* continue to have full access as before
* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page
* *Reader and Writer users* will lose access to the cluster until you explicitly grant them permissions through ACLs or roles on the *Security* page

Plan to configure user permissions before or immediately after enabling this feature to avoid access disruption.
====
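Review bot: Step 2 now tells the reader where to add ACLs or assign roles, but it still follows the step that enables account impersonation, and the IMPORTANT block says Reader and Writer users lose access from that point until permissions are granted. Since the admonition already allows configuring permissions "before or immediately after", consider stating in step 2, or in a lead-in to the procedure, that permissions can be set up first. The two bullets in the admonition also lack terminal periods, and the edited bullet could name the *Users* and *Roles* tabs the way step 2 does.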