From 9c3e0fdb582ca55f849ed810e92a8c0b4c5e8a36 Mon Sep 17 00:00:00 2001 From: Sivan Elkabes Date: Wed, 17 Sep 2025 16:58:39 +0300 Subject: [PATCH 1/4] Added the Port support permissions documentation --- docs/security.md | 10 ++++++++ docs/sso-rbac/rbac-overview/rbac-overview.md | 6 +++++ .../users-and-teams/manage-users-teams.md | 23 +++++++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/docs/security.md b/docs/security.md index 0a9088ba04..9e72ffaab3 100644 --- a/docs/security.md +++ b/docs/security.md @@ -75,6 +75,16 @@ Every Port account receives its own dedicated database for data storage, access Customer data is never transferred or stored on employee machines or devices. +### Support user access + +Port's support team may require access to your organization to provide technical assistance. This access is controlled through support user permissions and includes several security measures: + +- Support user actions are not logged in your audit log. +- You can set the access duration or disable support access completely. +- Emergency access requires dual approval (organization + Port). + +For more information, see the [support user permissions](/sso-rbac/users-and-teams/manage-users-teams#support-user-permissions). + ### Data retention Data ingested into Port by its users is managed by them, and if not deleted by the user, will be retained indefinitely. diff --git a/docs/sso-rbac/rbac-overview/rbac-overview.md b/docs/sso-rbac/rbac-overview/rbac-overview.md index 920dc6c9b7..69e71065c7 100644 --- a/docs/sso-rbac/rbac-overview/rbac-overview.md +++ b/docs/sso-rbac/rbac-overview/rbac-overview.md 
@@ -134,6 +134,12 @@ In addition to the permissions designated for each role, permissions are also in For more details about Port roles, see the [relevant documentation](/sso-rbac/users-and-teams/manage-users-teams#roles--permissions). +### Support user access + +Port's support team may need access to your organization to provide technical assistance. Organizations can control this access through support user permissions, including the ability to set access duration and disable access completely. + +For more information, see the [support user permissions](/sso-rbac/users-and-teams/manage-users-teams#support-user-permissions). + ### Blueprint permissions Blueprint permissions allow a granular configuration of the various roles: admin, member or blueprint collaborator. diff --git a/docs/sso-rbac/users-and-teams/manage-users-teams.md b/docs/sso-rbac/users-and-teams/manage-users-teams.md index 1467acb990..2a7ab4f4cf 100644 --- a/docs/sso-rbac/users-and-teams/manage-users-teams.md +++ b/docs/sso-rbac/users-and-teams/manage-users-teams.md 
@@ -52,6 +52,29 @@ These roles can be used to define specific permissions for assets in your softwa For example, you can define that all `Members` can create new entities from a specific blueprint, while only `Moderators` can edit them. For more information and examples, see the [catalog RBAC](/build-your-software-catalog/set-catalog-rbac/) section. +## Support user permissions + +Port's support team may need access to your organization to provide technical assistance. You can control this access through support user permissions. + +### Access duration + +Port support user access is enabled by default, you can choose to provide different access to your organization: **1 week**, **1 month**, **1 year**, **Permanent access (default)**. + +### Support user capabilities + +Support users can be created with the following restrictions: + +- **Read-only access** - Support users can be created as `read-only` users. +- **Admin/edit access** - Support users can be created as `admin` users, their actions will appear in your organization's audit log. This requires both Port manager approval and customer approval via the support user permission process. + +:::info Emergency access + +In critical situations, Port can request emergency access to your organization even if support user permissions are disabled. This requires: + +1. **Organization approval** - the organization admin must approve the emergency access request. +2. **Port approval** - Internal Port approval process. +::: + ## Ownership & user management After creating a Port account, two blueprints will be automatically created in your [data model](https://app.getport.io/settings/data-model) - `User` and `Team`. From 846f8172b156dd8118a5ba7d5ab1f27b3dc10ced Mon Sep 17 00:00:00 2001 
From: Sivan Elkabes Date: Wed, 17 Sep 2025 17:53:54 +0300 Subject: [PATCH 2/4] fixed CR comments --- docs/generalTemplates/_support_user_permissions.md | 1 + docs/security.md | 6 +++++- docs/sso-rbac/rbac-overview/rbac-overview.md | 4 +++- docs/sso-rbac/users-and-teams/manage-users-teams.md | 10 ++++++---- 4 files changed, 15 insertions(+), 6 deletions(-) create mode 100644 docs/generalTemplates/_support_user_permissions.md diff --git a/docs/generalTemplates/_support_user_permissions.md b/docs/generalTemplates/_support_user_permissions.md new file mode 100644 index 0000000000..a433ac3b9c --- /dev/null +++ b/docs/generalTemplates/_support_user_permissions.md @@ -0,0 +1 @@ +Port's support team may require access to your organization to provide technical assistance. This access is controlled through support user permissions which can be edited in the [Builder](https://app.getport.io/settings/data-model) page of your portal under the `Organization settings` in the left sidebar. \ No newline at end of file diff --git a/docs/security.md b/docs/security.md index 9e72ffaab3..9b29f9916e 100644 --- a/docs/security.md +++ b/docs/security.md @@ -5,6 +5,8 @@ sidebar_label: Security & Compliance sidebar_class_name: custom-sidebar-item sidebar-menu-security --- +import SupportUserPermissions from "/docs/generalTemplates/_support_user_permissions.md" + # Security & Compliance Port is an internal developer portal platform and as such we place the utmost importance on data security, privacy and compliance, so that you can trust that your security needs are met. 
@@ -77,7 +79,9 @@ Customer data is never transferred or stored on employee machines or devices. ### Support user access -Port's support team may require access to your organization to provide technical assistance. This access is controlled through support user permissions and includes several security measures: + + +It includes several security measures: - Support user actions are not logged in your audit log. - You can set the access duration or disable support access completely. diff --git a/docs/sso-rbac/rbac-overview/rbac-overview.md b/docs/sso-rbac/rbac-overview/rbac-overview.md index 69e71065c7..78a61cea91 100644 --- a/docs/sso-rbac/rbac-overview/rbac-overview.md +++ b/docs/sso-rbac/rbac-overview/rbac-overview.md @@ -1,3 +1,5 @@ +import SupportUserPermissions from "/docs/generalTemplates/_support_user_permissions.md" + # Port RBAC capabilities overview This page provides a comprehensive summary of all of Port's RBAC capabilities, and links to their associated documentation pages. They are grouped into 3 key topics: @@ -136,7 +138,7 @@ For more details about Port roles, see the [relevant documentation](/sso-rbac/us ### Support user access -Port's support team may need access to your organization to provide technical assistance. Organizations can control this access through support user permissions, including the ability to set access duration and disable access completely. + For more information, see the [support user permissions](/sso-rbac/users-and-teams/manage-users-teams#support-user-permissions). diff --git a/docs/sso-rbac/users-and-teams/manage-users-teams.md b/docs/sso-rbac/users-and-teams/manage-users-teams.md index 2a7ab4f4cf..3eac5e50f6 100644 --- a/docs/sso-rbac/users-and-teams/manage-users-teams.md +++ b/docs/sso-rbac/users-and-teams/manage-users-teams.md 
@@ -5,6 +5,7 @@ sidebar_position: 1 import PortTooltip from "/src/components/tooltip/tooltip.jsx" import BetaFeatureNotice from "/docs/generalTemplates/_beta_feature_notice.md" import PortApiRegion from "/docs/generalTemplates/_port_api_available_regions.md" +import SupportUserPermissions from "/docs/generalTemplates/_support_user_permissions.md" import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; @@ -54,18 +55,19 @@ For more information and examples, see the [catalog RBAC](/build-your-software-c ## Support user permissions -Port's support team may need access to your organization to provide technical assistance. You can control this access through support user permissions. + ### Access duration -Port support user access is enabled by default, you can choose to provide different access to your organization: **1 week**, **1 month**, **1 year**, **Permanent access (default)**. +Support user access is enabled by default. +You can define how long this access will be valid: **1 week**, **1 month**, **1 year**, **Permanent access (default)**. ### Support user capabilities Support users can be created with the following restrictions: -- **Read-only access** - Support users can be created as `read-only` users. -- **Admin/edit access** - Support users can be created as `admin` users, their actions will appear in your organization's audit log. This requires both Port manager approval and customer approval via the support user permission process. +- **Read-only access** - can be created as `read-only` users. +- **Admin/edit access** - can be created as `admin` users, their actions will appear in your organization's audit log. This requires both Port manager approval and customer approval via the support user permission process. :::info Emergency access From 064961757e942171111c3c56a9d36f0bf291d91e Mon Sep 17 00:00:00 2001 
From: Sivan Elkabes Date: Thu, 18 Sep 2025 13:32:55 +0300 Subject: [PATCH 3/4] change the placement of Support user permissions in manage users and teams --- .../users-and-teams/manage-users-teams.md | 47 +++++++++---------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/docs/sso-rbac/users-and-teams/manage-users-teams.md b/docs/sso-rbac/users-and-teams/manage-users-teams.md index 3eac5e50f6..c6c1ff362e 100644 --- a/docs/sso-rbac/users-and-teams/manage-users-teams.md +++ b/docs/sso-rbac/users-and-teams/manage-users-teams.md 
@@ -53,30 +53,6 @@ These roles can be used to define specific permissions for assets in your softwa For example, you can define that all `Members` can create new entities from a specific blueprint, while only `Moderators` can edit them. For more information and examples, see the [catalog RBAC](/build-your-software-catalog/set-catalog-rbac/) section. -## Support user permissions - - - -### Access duration - -Support user access is enabled by default. -You can define how long this access will be valid: **1 week**, **1 month**, **1 year**, **Permanent access (default)**. - -### Support user capabilities - -Support users can be created with the following restrictions: - -- **Read-only access** - can be created as `read-only` users. -- **Admin/edit access** - can be created as `admin` users, their actions will appear in your organization's audit log. This requires both Port manager approval and customer approval via the support user permission process. - -:::info Emergency access - -In critical situations, Port can request emergency access to your organization even if support user permissions are disabled. This requires: - -1. **Organization approval** - the organization admin must approve the emergency access request. -2. **Port approval** - Internal Port approval process. -::: - ## Ownership & user management After creating a Port account, two blueprints will be automatically created in your [data model](https://app.getport.io/settings/data-model) - `User` and `Team`. 
@@ -449,3 +425,26 @@ Port service accounts are treated like any other users and extend the same RBAC Service accounts can easily be disabled at any time. To disable a service account, update it's `status` property to `Disabled`. Disabled service accounts can no longer generate new API tokens or use existing ones. Disabled service accounts can be re-enabled at any time by updating the `status` property back to `Active`. +## Support user permissions + + + +### Access duration + +Support user access is enabled by default. +You can define how long this access will be valid: **1 week**, **1 month**, **1 year**, **Permanent access (default)**. + +### Support user capabilities + +Support users can be created with the following restrictions: + +- **Read-only access** - can be created as `read-only` users. +- **Admin/edit access** - can be created as `admin` users, their actions will appear in your organization's audit log. This requires both Port manager approval and customer approval via the support user permission process. + +:::info Emergency access + +In critical situations, Port can request emergency access to your organization even if support user permissions are disabled. This requires: + +1. **Organization approval** - the organization admin must approve the emergency access request. +2. **Port approval** - Internal Port approval process. +::: \ No newline at end of file From d920ca1f8a38217b53c0fc4e707eea294f54ab66 Mon Sep 17 00:00:00 2001 From: Sivan Elkabes Date: Sun, 21 Sep 2025 10:37:05 +0300 Subject: [PATCH 4/4] remove support user capabilites part because it's internal info --- docs/sso-rbac/users-and-teams/manage-users-teams.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/sso-rbac/users-and-teams/manage-users-teams.md b/docs/sso-rbac/users-and-teams/manage-users-teams.md index c6c1ff362e..d2412628a8 100644 --- a/docs/sso-rbac/users-and-teams/manage-users-teams.md +++ b/docs/sso-rbac/users-and-teams/manage-users-teams.md 
@@ -434,13 +434,6 @@ Disabled service accounts can no longer generate new API tokens or use existing Support user access is enabled by default. You can define how long this access will be valid: **1 week**, **1 month**, **1 year**, **Permanent access (default)**. -### Support user capabilities - -Support users can be created with the following restrictions: - -- **Read-only access** - can be created as `read-only` users. -- **Admin/edit access** - can be created as `admin` users, their actions will appear in your organization's audit log. This requires both Port manager approval and customer approval via the support user permission process. - :::info Emergency access In critical situations, Port can request emergency access to your organization even if support user permissions are disabled. This requires:
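
Review bot: in PATCH 1/4, docs/security.md, the bullet "Support user actions are not logged in your audit log." sits under "includes several security measures" and contradicts the manage-users-teams.md hunk of the same patch, which says of `admin` support users that "their actions will appear in your organization's audit log". Unaudited vendor access is a limitation rather than a safeguard, so confirm which statement is accurate: if actions are logged, drop the "not"; if they are not, move the sentence out of the list of measures and state it as a limitation. PATCH 2/4 rewrites the intro to "It includes several security measures:" but leaves this bullet unchanged.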
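
Review bot: in PATCH 1/4, docs/sso-rbac/users-and-teams/manage-users-teams.md, the "Access duration" paragraph lists "1 week", "1 month", "1 year" and "Permanent access (default)" but no option to turn access off, while docs/security.md in the same patch tells customers they can "disable support access completely". The Emergency access admonition then says Port can request access "even if support user permissions are disabled", so "completely" overstates what disabling does. Suggest adding the disable option to the duration list and rewording the security.md bullet to say that emergency access can still be requested and needs organization admin approval. Since the default is permanent access, it would also help to state that in its own sentence rather than only as a parenthetical on the last list item.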
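
Review bot: in PATCH 2/4, the new docs/generalTemplates/_support_user_permissions.md links the word "Builder" to https://app.getport.io/settings/data-model but tells the reader the setting lives under `Organization settings` in the left sidebar. The link target is the data model page, so either spell out the click path from that page to the support user permission setting or link to the settings location directly. The template is reused on three pages, so a vague path is repeated three times. The file also ends without a trailing newline.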
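
Review bot: PATCH 4/4 removes the "Support user capabilities" section from manage-users-teams.md, which was the only text in this series stating which role a support user receives (`read-only` or `admin`) and that admin access needs customer approval. After the removal, the customer-facing pages describe how long support access lasts and how emergency access is approved, but not the privilege level being granted, and the only remaining statement on auditing is the docs/security.md bullet saying actions are not logged. Suggest keeping one customer-facing sentence on the access level and its audit visibility, and dropping only the internal approval detail.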