From 500f3d580e3f07f4c8df193c35fc581784bc57d9 Mon Sep 17 00:00:00 2001 From: D059372 Date: Mon, 22 Jun 2026 14:23:42 +0200 Subject: [PATCH] Document space suspension feature Add roles and permissions table for suspended spaces, plus cover who can suspend a space and how Org Manager permissions interact with space roles. Reword the orgs section to match and note the v3 `suspended` boolean alongside the deprecated v2 `status` field. --- _oss_roles_table.html.md.erb | 14 ++ _suspended_space_roles_table.html.md.erb | 204 +++++++++++++++++++++++ roles.html.md.erb | 30 +++- 3 files changed, 244 insertions(+), 4 deletions(-) create mode 100644 _suspended_space_roles_table.html.md.erb diff --git a/_oss_roles_table.html.md.erb b/_oss_roles_table.html.md.erb index bc4ef909..189f6dbb 100644 --- a/_oss_roles_table.html.md.erb +++ b/_oss_roles_table.html.md.erb @@ -156,6 +156,20 @@ + + Suspend or activate a space + Yes + + + Yes + + + + + + + + Create and assign space quota plans Yes diff --git a/_suspended_space_roles_table.html.md.erb b/_suspended_space_roles_table.html.md.erb new file mode 100644 index 00000000..465471b6 --- /dev/null +++ b/_suspended_space_roles_table.html.md.erb @@ -0,0 +1,204 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
User RoleAdminAdmin Read-OnlyGlobal AuditorOrg ManagerOrg AuditorOrg Billing ManagerOrg UserSpace ManagerSpace DeveloperSpace AuditorSpace Supporter
Scope of operationOrgOrgOrgOrgOrgOrgOrgSpaceSpaceSpaceSpace
Assign space rolesYesYes
View users and rolesYesYesYesYesYesYesYesYesYesYesYes
View spacesYesYesYesYesYesYesYesYes
Edit and rename the spaceYesYes
Delete the spaceYes
Suspend or activate a spaceYesYes
View the status, number of instances, service bindings, and resource use of appsYesYesYesYesYesYesYesYes
View app logsYesYesYesYesYesYesYesYes
Deploy, run, and manage apps1Yes
Instantiate and bind services to apps1Yes
Associate routes2, modify resource allocation of apps1Yes
Rename apps1Yes
Manage Application Security Groups for the spaceYes
+ +1A user who holds the Org Manager role and an appropriate space role, such as Space Manager or Space Developer, has the same permissions in a suspended space as they would in an active space. The Org Manager role alone does not grant permission to deploy apps or otherwise modify the contents of any space. + +2Unless deactivated by feature flags. diff --git a/roles.html.md.erb b/roles.html.md.erb index cc29dac9..3d89e075 100644 --- a/roles.html.md.erb +++ b/roles.html.md.erb @@ -14,7 +14,10 @@ Admins, Org Managers, and Space Managers can assign user roles using the Cloud F An org is a development account that an individual or multiple collaborators can own and use. All collaborators access an org with user accounts, which have roles such as Org Manager, Org Auditor, and Org Billing Manager. Collaborators in an org share a resource quota plan, apps, services availability, and custom domains. -By default, an org has the status of _active_. An admin can set the status of an org to _suspended_ for various reasons such as failure to provide payment or misuse. When an org is suspended, users cannot perform certain activities within the org, such as push apps, modify spaces, or bind services. +An admin can suspend an org for various reasons such as failure to provide payment or misuse. When an org is suspended, users cannot perform certain activities within the org, such as push apps, modify spaces, or bind services. + +

+ In the v3 Cloud Controller API, this state is exposed as a boolean suspended field on the org. In the v2 Cloud Controller API, it was formerly known as the status field with values active and suspended.

For more information about the actions that each role can perform, see [User Roles](#roles) and [User Role Permissions](#permissions). @@ -25,7 +28,16 @@ For details on what activities are allowed for suspended orgs, see [Roles and Pe A space provides users with access to a shared location for app development, deployment, and maintenance. An org can contain multiple spaces. Every app, service, and route is scoped to a space. Roles provide access control for these resources and each space role applies only to a particular space. -Org managers can set quotas on the following for a space: +An admin or an Org Manager can suspend a space. When a space is suspended, only admins and Org Managers of the parent org can operate on the space. Other space roles cannot perform actions in the space until it is reactivated. + +The Org Manager role administers the org but does not by itself grant permission to push apps, bind services, or otherwise modify the contents of a space. To perform these actions in a suspended space, a user must hold the Org Manager role and an appropriate space role, such as Space Manager or Space Developer. + +

+ As with orgs, the v3 Cloud Controller API exposes this state as a boolean suspended field on the space. In the v2 Cloud Controller API, it is also known as the status field with values active and suspended.

+ +For details on what activities are allowed for suspended spaces, see [Roles and Permissions for Suspended Spaces](#suspendedspaceroles). + +Org Managers can set quotas on the following for a space: * Usage of paid services * Number of app instances @@ -84,7 +96,7 @@ Before you assign a space role to a user or UAA client, you must first assign th ## User role permissions -Each user role includes different permissions in a <%= vars.app_runtime_abbr %> foundation. The following sections describe the permissions associated with each user role in both active and suspended orgs in <%= vars.app_runtime_abbr %>. +Each user role includes different permissions in a <%= vars.app_runtime_abbr %> foundation. The following sections describe the permissions associated with each user role in active orgs, suspended orgs, and suspended spaces in <%= vars.app_runtime_abbr %>. ### Roles and permissions for active orgs @@ -104,10 +116,20 @@ For more information, see Usi ### Roles and permissions for suspended orgs -The following table describes roles and permissions applied after an operator sets the status of an org to _suspended_. +The following table describes roles and permissions applied after an admin suspends an org. <% if vars.platform_code == "CF" %> <%= partial 'suspended_org_roles_table' %> <% else %> <%= partial "/pcf/core/pcf_suspended_roles_table" %> <% end %> + +### Roles and permissions for suspended spaces + +The following table describes roles and permissions applied after an admin or Org Manager suspends a space. + +<% if vars.platform_code == "CF" %> +<%= partial 'suspended_space_roles_table' %> +<% else %> +<%= partial "/pcf/core/pcf_suspended_space_roles_table" %> +<% end %>
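Review bot: The two v2 notes added to roles.html.md.erb (org hunk at `@@ -14,7 +14,10` and space hunk at `@@ -25,7 +28,16`) describe the same field differently. The org callout says the state "was formerly known as the status field", the space callout says it "is also known as the status field", and the commit message calls the v2 field deprecated. Use one phrasing in both callouts, and state explicitly that the v2 field is deprecated, so readers who automate against the API know which field to check when they audit for suspended orgs and spaces.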
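Review bot: In the space hunk of roles.html.md.erb (`@@ -25,7 +28,16`), the sentence "Other space roles cannot perform actions in the space until it is reactivated" is stricter than the new suspended-space table. There, "View users and roles" is Yes for all eleven roles, and "View spaces", the app status row and "View app logs" each carry eight Yes entries. If the table is the source of truth, reword the sentence to say that the other roles lose the ability to modify the space while keeping read access, so that an operator who suspends a space as a containment step does not assume that logs and app details are hidden from its members.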
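Review bot: In the new _suspended_space_roles_table.html.md.erb, "Delete the space" has a single Yes while "Edit and rename the space", "Assign space roles" and "Suspend or activate a space" each have two. This does not line up with the prose in roles.html.md.erb, which says "only admins and Org Managers of the parent org can operate on the space". Confirm that the single Yes on delete is intended and, if it is, name the exception in the prose. Footnote 1 is attached to the row labels of rows that show only one Yes, so a reader scanning by column will not see that an Org Manager with a space role keeps those permissions. Consider marking the Org Manager cells of those rows with the footnote instead.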
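Review bot: In the last hunk of roles.html.md.erb (`@@ -104,10 +116,20`), the `else` branch renders `partial "/pcf/core/pcf_suspended_space_roles_table"`, but the diffstat lists only three files and none of them is that partial. Confirm that it already exists wherever the non-CF build resolves `/pcf/core/`, or land it together with this change, otherwise that build has nothing to render for the new section. The heading added here is also the target of the `#suspendedspaceroles` link introduced in the space section, so check that it carries that anchor id.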