Closes #43

Describe "user" entitlement group Documentation for entitlements changes in apache/brooklyn-server#108.
apache · Apr 21, 2016 · de490ed · de490ed
2 parents 0de526b + 133eaa9
commit de490ed
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/guide/ops/brooklyn_properties.md b/guide/ops/brooklyn_properties.md
@@ -156,7 +156,9 @@ brooklyn.webconsole.security.ldap.realm=example.com
 After you setup the brooklyn connection to your LDAP server, you can authenticate in brooklyn using your cn (e.g. John Smith) and your password.
 `org.apache.brooklyn.rest.security.provider.LdapSecurityProvider` searches in the LDAP tree in LDAP://cn=John Smith,ou=Users,dc=example,dc=com
 
-If you want to customize the ldap path or something else which is particular to your LDAP setup you can extend `LdapSecurityProvider` class or implement from scratch the `SecurityProvider` interface.
+If you want to customize the ldap path or something else which is particular to your LDAP setup you
+can extend `LdapSecurityProvider` class or implement from scratch the `SecurityProvider` interface.
+
 
 ## Entitlements
 
@@ -175,15 +177,17 @@ The default entitlement manager is one which responds to per-user entitlement ru
 and understands:
 
 * `root`:  full access, including to the Groovy console
+* `user`:  access to everything but actions that affect the server itself. Such actions include the
+  Groovy console, stopping the server and retrieving management context configuration.
 * `readonly`:  read-only access to almost all information
 * `minimal`:  access only to server stats, for use by monitoring systems
 
-These keywords are also understood at the `global` level, so to grant full access to `admin`
-but limited access to other authenticated users and `readonly, 
+These keywords are also understood at the `global` level, so to grant full access to `admin`,
+read-only access to `support`, limited access to `metrics` and regular access to `user`
 you can write:
 
 {% highlight properties %}
-brooklyn.entitlements.global=readonly
+brooklyn.entitlements.global=user
 brooklyn.entitlements.perUser.admin=root
 brooklyn.entitlements.perUser.support=readonly
 brooklyn.entitlements.perUser.metrics=minimal
@@ -195,7 +199,7 @@ so the above can equivalently be written:
 
 {% highlight properties %}
 brooklyn.entitlements.global=org.apache.brooklyn.core.mgmt.entitlement.PerUserEntitlementManager
-brooklyn.entitlements.perUser.default=readonly
+brooklyn.entitlements.perUser.default=user
 brooklyn.entitlements.perUser.admin=root
 brooklyn.entitlements.perUser.support=readonly
 brooklyn.entitlements.perUser.metrics=minimal
@@ -207,7 +211,6 @@ or
 {% include java_link.html class_name="EntitlementManager" package_path="org/apache/brooklyn/api/mgmt/entitlement" project_subpath="api" %}.
 
 
-
 ## HTTPS Configuration
 
 To enable https, you will need a server certificate in a java keystore. To create a self-signed certificate, you can use the