Security

modules/ROOT/pages/getting-started/quick-start-guide.adoc

@@ -0,0 +1,128 @@
+[[aura-quick-start-guide]]
+= Quick start guide
+:description: This page describes how to create a Neo4j Aura account, a new instance and connect to existing instances.
+
+== Create an account
+
+To access Neo4j Aura, you need to have an Aura account.
+Navigate to link:https://console.neo4j.io[Neo4j Aura console] and follow the instructions for registration.
+Once you have accepted the terms and conditions and verified your email address, you can start using the console.
+
+The console exists in two versions, the classic experience, and the early access new console, as mentioned in xref:index.adoc[About Neo4j Aura console].
+You can toggle between the different versions, via the account dropdown in the top right corner.
+
+[[create-instance]]
+== Create an instance
+
+The first step is to select the plan that best suits your needs.
+You can upgrade your plan later if your needs change.
+
+Once you've selected a plan, your instance is created.
+A password is generated for the instance, ensure to either copy or download it, as it will **not** be recoverable after.
+The password is required to access your instance later.
+
+[NOTE]
+====
+You can only create **one Free instance** per account.
+To create more instances, you need to upgrade your plan.
+See link:https://neo4j.com/pricing/[Neo4j Pricing] for more information on the different plans.
+====
+
+[[connect-to-instance]]
+== Connect to an instance
+
+To interact with a database in an instance, you need to establish a connection.
+
+. Go to *Import*, *Explore* or *Query*.
+. Select *Status* and from there you can connect to an instance.
+. You may need your *Username* and *Password* credentials.
+
+[.shadow]
+.Connection banner
+image::connectionbanner.png[]
+
+[.shadow]
+.Connection modal
+image::connectionauthentication.png[]
+
+[cols="20%,80%"]
+|===
+| Field | Description
+
+|Protocol
+|The protocol is used for the communication between the Neo4j database server and the client application or tool.
+If you are a new user, you can use the default the default `neo4j+s//`.
+For more information about connection schemes, see link:https://neo4j.com/docs/operations-manual/current/configuration/connectors/[Operations Manual -> Configure network connectors] and link:https://neo4j.com/docs/bolt/current/bolt/[Bolt Protocol].
+
+|Connection URL
+|You can get this from your instance details
+
+|Database user
+|Neo4j by default
+
+|Password
+|You are given the password when you initially create the instance
+
+|Single sign-on
+|If this is set up, you can use SSO.
+
+|===
+
+== Migrate metadata from Workspace
+
+If you have an existing Aura instance, you can migrate the metadata from Workspace to the new console and continue working with your data in the new experience.
+The metadata includes the data model and saved Cypher queries.
+//Add Perspectives and Scenes when they are available.
+
+=== Data model
+
+From the *Import* tab in Workspace, open the more menu (*...*) and download the model, with or without data.
+
+[.shadow]
+image::export-model.png[width=300]
+
+Then navigate to the new console and select *Import* -> *Graph models*.
+Once you select *New graph model*, you access the more menu (*...*), similar to Workspace, and select *Open model* with or without data.
+
+[.shadow]
+image::import-model.png[width=600]
+
+Note that if you have downloaded your data with the model, you can also go a different route via *Import* -> *Data sources* and select *New data source* and then import locally from files.
+This leads you to the same *Import* frame as the first route and you can use the more menu (*...*) to open the model *with* your data.
+
+=== Saved Cypher
+
+Any saved Cypher snippets can be downloaded from the *Query* tab in Workspace.
+From the Saved Cypher drawer, use the *Export* button to download selected queries as a _.csv_ file.
+
+[.shadow]
+image::export-saved-cypher.png[width=300]
+
+In the new console, navigate to the *Query* tab and open the  *Saved Cypher* drawer.
+Use the *Import* button and select the _.csv_ file you downloaded from Workspace.
+
+[.shadow]
+image::import-saved-cypher.png[width=400]
+
+=== Perspectives
+
+Perspectives, except for the default Perspective (which is automatically re-created in the new console), can be exported from the Perspective drawer in Workspace.
+Use the *Export* option on the Perspective you want to save.
+It is exported as a _.json_ file.
+
+[.shadow]
+image::export-perspective.png[width=300]
+
+In the new console, navigate to the *Explore* tab and open the *Perspective* drawer.
+Use the *Import* option and select the _.json_ file you downloaded from Workspace.
+
+[.shadow]
+image::import-perspective.png[width=600]
+
+
+
+
+
+
+
+

modules/ROOT/pages/security/encryption.adoc

@@ -203,4 +203,4 @@ You will need these in the next steps.
 
 . Go to the Google Cloud console, click into the key and go to *Permissions* then *Grant Access*.
 . In *Add principals* paste the three service accounts from the Aura Console.
-. In *Assign roles* assign both *Cloud KMS CryptoKey Encrypter/Decrypter* and *Cloud KMS Viewer* roles to all three service accounts.
+. In *Assign roles* assign both *Cloud KMS CryptoKey Encrypter/Decrypter* and *Cloud KMS Viewer* roles to all three service accounts.

modules/ROOT/pages/security/tool-auth.adoc

@@ -0,0 +1,15 @@
+[[tool-auth]]
+= Tool authentication
+:description: This section describes the seamless tool authentication functionality in AuraDB.
+
+Organization admins can allow users in a project to seamlessly and securely connect to a project and the instances within it.
+
+This feature can be enabled and configured from the Org settings.
+
+As an Org admin, you maintain access control of all projects within the organization.
+You can select which projects and instances users can connect seamlessly to and which they should be required to use username and password to connect to.
+
+To prevent unauthorized access and allow Project admins full access control, the authentication is used in conjunction with predefined roles with varying levels of access to the database.
+
+This means that Project admins assign roles to the users that grants them seamless connection to the project and its instances as well as certain privileges to the databases there.
+See xref:user-management.adoc#roles[User management - Roles] for more information.

modules/ROOT/pages/user-management.adoc

@@ -152,40 +152,196 @@ Each project can have multiple users with individual accounts allowing access to
 The users with access to a project can be viewed and managed from the **Users** page.
 You can access the **Users** page by selecting **Users** from the sidebar menu of the console.
 
-=== Roles
+[[roles]]
+== Roles
 
-Users within a project can be assigned one of the following roles:
+Users within a project can be assigned one of the following predefined roles:
 
 * _Project Admin_
 * _Project Member_
 * _Project Viewer_
 * _Metrics Reader_
 
+These roles grant the users certain privileges both on the console level as well as on the instance level.
+The roles are immutable and every new user needs to be assigned one.
+
 :check-mark: icon:check[]
 
-.Roles
-[opts="header",cols="3,1,1,1"]
+.Roles and console capabilities
+[opts="header",cols="3,^,^,^"]
 |===
-| Capability | Admin | Member | Viewer
+| Capability | Viewer | Member | Admin
 | View users and their roles | {check-mark} | {check-mark} | {check-mark}
 | View and open instances | {check-mark} | {check-mark} | {check-mark}
 | Access the Neo4j Customer Support Portal | {check-mark} | {check-mark} | {check-mark}
-| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | {check-mark} | {check-mark} |
-| Clone data to new and existing instances | {check-mark} | {check-mark} |
-| Take on-demand snapshots | {check-mark} | {check-mark} |
-| Restore from snapshots | {check-mark} | {check-mark} |
-| Edit the project name | {check-mark} | |
-| Invite new users to the project | {check-mark} | |
-| Edit existing users' roles | {check-mark} | |
-| Delete existing users from the project | {check-mark} | |
-| View and edit billing information | {check-mark} | |
+| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | | {check-mark} | {check-mark}
+| Clone data to new and existing instances | | {check-mark} | {check-mark}
+| Take on-demand snapshots | | {check-mark} | {check-mark}
+| Restore from snapshots | | {check-mark} | {check-mark}
+| Edit the project name | | | {check-mark}
+| Invite new users to the project | | | {check-mark}
+| Edit existing users' roles | | | {check-mark}
+| Delete existing users from the project | | | {check-mark}
+| View and edit billing information | | | {check-mark}
 |===
 
 [NOTE]
 ====
 Each project must have at least one Project Admin, but it is also possible for projects to have multiple Project Admins.
 ====
 
+Additionally, predefined roles are assigned certain privileges on the instance level as well.
+
+.Roles and database privileges
+[options="header", cols="3,^,^,^,^,^"]
+|===
+| Privilege
+| Viewer
+| Member
+3+| Admin
+
+|
+|
+|
+| Free
+| Professional
+| Business Critical
+
+| Access to database
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List constraints
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Create constraints
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+
+| Delete constraints
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List indexes
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Create indexes
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Delete indexes
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Find nodes and relationships and read their properties
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Load external data in queries
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Write to the graph
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Name management for node labels, relationship types, and property names.
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List and end transactions for specified users on the database.
+|
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List, create, delete, and modify users.
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| List roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| Create roles
+|
+|
+|
+|
+| {check-mark}
+
+| Assign roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| Rename roles
+|
+|
+|
+|
+| {check-mark}
+
+| Remove roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| Privilege management footnote:[This includes to list, grant, and revoke privileges.]
+|
+|
+|
+|
+| {check-mark}
+|===
+
 === Inviting users
 
 As an _Admin_, to invite a new user:
@@ -232,7 +388,7 @@ You can select the project(s) you have been invited to and choose to accept or d
 
 // You can also close the **Project invitation** modal without accepting or declining the invite(s) and later manually re-open the modal by selecting the **Pending invites** envelope icon in the console header.
 
-[TIP]
-====
-User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
-====
+// [TIP]
+// ====
+// User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
+// ====