docs: add authorization and user management user guide

docs/components/identity/authorization.md

@@ -0,0 +1,58 @@
+---
+id: authorization
+title: Authorization
+description: "Learn how to manage authorizations in your Orchestration cluster."
+---
+
+Authorizations are managed through permissions that can be assigned to [users](user.md), groups, roles, and mappings.
+
+## Authorization overview
+
+Camunda 8 Self-Managed [Orchestration clusters](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster) use resource-based authorization control, which grants permissions to entities (like users) to perform specific actions on specified resources. For example, permissions can be set for actions such as reading, updating, creating, or deleting resources, such as process instances.
+
+A user is not granted authorizations by default, and must be explicitly granted permission to access applications or perform actions on resources. Authorizations can be enabled or disabled in Self-Managed deployments via [configuration settings](/self-managed/identity/orchestration-identity/installation.md#enable-api-authentication-and-authorizations).
+
+## Authorization concepts
+
+### Permissions
+
+Permissions are the building blocks of authorizations. They define the actions that can be performed on resources. Permissions are granted to entities (like users) to perform specific actions on specified resources.
+
+Permissions are defined by a combination of a resource type, resource ID, and action. For example, a permission might grant a user the ability to read (the action) a specific process instance (the resource type).
+
+### Resources
+
+Resources are the objects on which actions can be performed. Resources can be entities like process instances, tasks, or users. Resources are identified by a resource ID and type.
+
+### Owners
+
+Owners are the entities to which permissions are granted. Owners can be [users](user.md), groups, roles, or mappings. Owners are identified by an owner ID and type.
+
+## Create an authorization
+
+To create a new authorization:
+
+1. Log in to Identity in your cluster, and click on the **Authorizations** tab.
+2. Select the resource type on the left side of the screen, and click **Create authorization**.
+3. Provide the following information for your authorization:
+   - **Owner type:** The entity (user, group, role, or mapping) to which you want to assign permissions.
+   - **Owner ID:** The ID of the owner to which you want to assign permissions.
+   - **Resource type:** A dropdown pre-populated with the selected resource type.
+   - **Resource ID**: The ID of the resource to which the owner's permissions apply.
+4. Select the permissions this authorization will grant.
+5. Click on the **Create authorization** button to finish.
+
+The authorization is then created, and the user, group, role, or mapping is granted the permission to perform the action on the specified resource.
+
+![identity-create-authorization-tab](./img/create-authorization-tab.png)
+
+## Delete an authorization
+
+To delete an authorization:
+
+1. Log in to Identity in your cluster, and click on the **Authorizations** tab.
+2. Select the resource type of the authorization you want to delete.
+3. Click on the **Delete** button next to the authorization you want to delete.
+4. Confirm the deletion by clicking **Delete** button in the confirmation dialog.
+
+The authorization is deleted, and the user, group, role, or mapping no longer has permission to perform the action on the specified resource.

docs/components/identity/identity-introduction.md

@@ -0,0 +1,9 @@
+---
+id: identity-introduction
+title: Introduction
+description: "Identity provides unified identity management and authorizations in the Camunda 8 stack."
+---
+
+Identity is responsible for managing authentication, authorization, and entities within Camunda 8.
+
+For documentation on deploying Identity as part of Camunda 8 Self-Managed, refer to the [configuration guides](/self-managed/identity/what-is-identity.md).

docs/components/identity/user.md

@@ -0,0 +1,59 @@
+---
+id: user
+title: User management
+description: "Learn how to manage users in your Self-Managed Orchestration cluster."
+---
+
+:::note
+User management in Identity is only supported by Self-Managed deployments. For SaaS, see how to [connect your identity provider](http://localhost:3000/docs/next/components/console/manage-organization/external-sso/).
+:::
+
+User management is the process of creating, updating, and deleting users in your Orchestration cluster. Users can be assigned roles and permissions to access applications and perform actions on resources.
+
+### Create a user
+
+To create a user:
+
+1. Log in to Identity in your cluster, and click on the **Users** tab.
+2. Click on the `Create user` button, and provide the following the user details:
+   - **Username**: The username for the user.
+   - **Name**: The name of the user.
+   - **Email**: The email address of the user.
+   - **Password**: The password for the user.
+3. Click on the **Create user** button to finish.
+
+The user is created, and can now log in to the Camunda 8 web application.
+
+![identity-create-user-tab](./img/create-user-tab.png)
+
+### Update a user
+
+1. Log in to Identity in your cluster, and click on the **Users** tab.
+2. Click on the **pencil icon** next to the user you want to update.
+   :::note
+   You can also select the user, and click the three vertical dots > **Update**.
+   :::
+3. Update the user details:
+   - **Name**: The name of the user.
+   - **Email**: The email address of the user.
+   - **Password**: The password for the user.
+4. Click on the **Save** button to finish.
+
+The user details are updated, and the user can now use these credentials to log in.
+
+![identity-update-user-tab](./img/update-user-tab.png)
+
+### Delete a user
+
+1. Log in to Identity in your cluster, and click on the **Users** tab.
+2. Click on the **Delete** button next to the user you want to delete.
+   :::note
+   You can also select the user, and click the three vertical dots > **Delete**.
+   :::
+3. Confirm the deletion by clicking on the **Delete** button in the confirmation dialog.
+
+The user is deleted, and can no longer log in to the Camunda 8 web application.
+
+### Assign authorizations to a user
+
+See the [authorization](./authorization.md) section to learn how to create authorizations for users.

docs/self-managed/identity/orchestration-identity/installation.md

@@ -11,6 +11,12 @@ Identity is included by default with the deployment of any [Orchestration cluste
 
 Identity for Orchestration clusters is available via [Helm install](/self-managed/setup/install.md), and for local development via [Camunda 8 Run](/self-managed/setup/deploy/local/c8run.md).
 
+:::note
+
+The following guides are on Identity configuration in Self-Managed environments. For information on Identity use and management, see the [user guides](/components/identity/identity-introduction.md).
+
+:::
+
 ## Initial configuration
 
 Following the default installation for [Camunda 8 Run](/self-managed/setup/deploy/local/c8run.md) will result in a cluster with the following:
@@ -66,7 +72,7 @@ Any other users included in the initialization `user` list will also be granted
 
 ### Enable API authentication and authorizations
 
-In Camunda 8 Run installations, basic authentication is enabled on the Camunda web applications, but the API is unprotected, and authorizations are disabled. API protection and authorizations can both be enabled by modifying your `application.yaml` or environment variables:
+In Camunda 8 Run installations, basic authentication is enabled on the Camunda web applications, but the API is unprotected, and [authorizations](/components/identity/authorization.md) are disabled. API protection and authorizations can both be enabled by modifying your `application.yaml` or environment variables:
 
 <Tabs>
   <TabItem value="helm" label="Helm properties">

docs/self-managed/identity/what-is-identity.md

@@ -5,19 +5,25 @@ sidebar_label: "What is Identity?"
 description: "Identity is the component within the Camunda 8 stack responsible for authentication and authorization."
 ---
 
-Identity in the Camunda 8 stack is handled by two distinct components: Identity for [Orchestration clusters](#identity-for-orchestration-clusters), and Identity for [Web Modeler and Console](#identity-for-web-modeler-and-console). In both cases, Identity is responsible for managing authentication and authorization within the Camunda 8 stack, but each implementation requires different configurations. In the case of Web Modeler and Console, Identity must be set up independently.
+Identity in the Camunda 8 stack is handled by two distinct components: Identity for [Orchestration clusters](#identity-for-orchestration-clusters), and Identity for [Web Modeler, Console, and Optimize](#identity-for-web-modeler-and-console). In both cases, Identity is responsible for managing authentication and authorization within the Camunda 8 stack, but each implementation requires different configurations. In the case of Web Modeler, Console, and Optimize, Identity must be set up independently.
 
 For more information on these differences, see the Self-Managed [reference architecture](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console).
 
+:::note
+
+The following guides are on Identity configuration in Self-Managed environments. For information on Identity use and management, see the [user guides](/components/identity/identity-introduction.md).
+
+:::
+
 ## Identity for Orchestration clusters
 
 Identity is included by default in the [Orchestration cluster](/self-managed//reference-architecture/reference-architecture.md#orchestration-cluster), and does not require any external dependencies. For more information, see the Identity [configuration options](/self-managed/identity/orchestration-identity/configuration.md).
 
-## Identity for Web Modeler and Console
+## Identity for Web Modeler, Console, and Optimize
 
-For [Web Modeler and Console deployments](/self-managed/reference-architecture/reference-architecture.md#), Identity runs as a separate and dedicated component. For more information, see the guides on using an [existing Keycloak](/self-managed/setup/guides/using-existing-keycloak.md) instance, and connecting to an [OIDC provider](/self-managed/setup/guides/connect-to-an-oidc-provider.md).
+For [Web Modeler, Console, and Optimize deployments](/self-managed/reference-architecture/reference-architecture.md#), Identity runs as a separate and dedicated component. For more information, see the guides on using an [existing Keycloak](/self-managed/setup/guides/using-existing-keycloak.md) instance, and connecting to an [OIDC provider](/self-managed/setup/guides/connect-to-an-oidc-provider.md).
 
-Once deployed, Identity manages the following in Web Modeler and Console:
+Once deployed, Identity manages the following in Web Modeler, Console, and Optimize:
 
 - Applications
 - APIs

sidebars.js

@@ -675,6 +675,21 @@ module.exports = {
           ],
         },
       ],
+    },
+    {
+      type: "category",
+      label: "Identity",
+      link: {
+        type: "doc",
+        id: "components/identity/identity-introduction",
+      },
+      items: [
+        "components/identity/identity-introduction",
+        "components/identity/authorization",
+        "components/identity/user",
+      ],
+    },
+    {
       "Best Practices": [
         "components/best-practices/best-practices-overview",
         {
@@ -1399,13 +1414,13 @@ module.exports = {
           Identity: [
             "self-managed/identity/what-is-identity",
             {
-              "Orchestration Cluster Identity": [
+              "Identity for Orchestration clusters": [
                 "self-managed/identity/orchestration-identity/installation",
                 "self-managed/identity/orchestration-identity/configuration",
               ],
             },
             {
-              "Identity for Web Modeler and Console": [
+              "Identity for Web Modeler, Console, and Optimize": [
                 "self-managed/identity/getting-started/install-identity",
                 {
                   "User guide": [

versioned_docs/version-8.7/components/modeler/web-modeler/versions.md

@@ -115,7 +115,7 @@ The diagram reverts to the restored version. A new version is created with "(res
 You can create a new diagram by copying a specific version.
 
 1. In the sidebar **Versions** list, hover over the diagram version you want to copy.
-1. Select the three vertical dots to open the actions menu.
+1. Select the three to open the actions menu.
 1. Select **Copy to...**.
 1. Choose a project/folder and select **Copy here** to create the new diagram in the chosen folder.