diff --git a/trento/xml/article_sap_trento.xml b/trento/xml/article_sap_trento.xml
index 19f3c4d6..e8f114eb 100644
--- a/trento/xml/article_sap_trento.xml
+++ b/trento/xml/article_sap_trento.xml
@@ -84,131 +84,7 @@ As agreed on https://confluence.suse.com/x/DAEcN on our Trento doc kick off
-
-
- User management
- Trento provides a local permission-based user management feature with
- optional multi-factor authentication. This feature allows for segregation
- of duties in the Trento console and ensures that only authorized users with the right permissions can
- access it.
- User management actions are performed in the Users
- view in the left-hand side panel of the &t.web;.
- By default, a newly created user is granted display access rights
- except for the Users view. Whenever available, a user
- with default access can set up filters and pagination settings matching
- their preferences.
- Additional permissions must be added to a user profile, so that the
- user can perform the corresponding protected activities. The following
- permissions are currently available:
-
-
- all:users: grants full access to user management actions under
- the Users view
-
-
- all:checks_selection: grants check selection capabilities for
- any target in the registered environment for which checks are
- available
-
-
- all:checks_execution: grants check execution capabilities for
- any target in the registered environment for which checks are
- available and have been previously selected
-
-
- all:tags: allows creation and deletion of the available tags
-
-
- cleanup:all: allows triggering housekeeping actions on hosts
- where agents heartbeat is lost and SAP or HANA instances that are no
- longer found
-
-
- all:settings: grants changing capabilities on any system
- settings under the Settings view
-
-
- all:all: grants all the permissions above
-
-
- Using the described permissions, it is possible to create the following types of users:
-
-
-
- User managers:
- users with all:users permission
-
-
-
-
- SAP Basis administrator with Trento display-only access:
- users with default permissions
-
-
-
-
- SAP Basis administrator with Trento configuration access:
- users with all:checks_selection,
- all:tags and all:settings permissions
-
-
-
-
- SAP Basis administrator with Trento operation access:
- users with all:check_execution and
- cleanup:all permissions.
-
-
-
- The default admin user created during the installation process is
- granted all:all permissions and cannot be modified or deleted. Use it
- only to create a first user manager. That is, a user with
- all:users permissions who creates all the other required
- users. Once a user with all:users permissions is created, the default
- admin user must be regarded as a fall-back user to be used
- only in case all other access to the console is lost. If the password
- of the default admin user is lost, it can be reset by updating the
- helm chart or the web component configuration, depending on which
- deployment method was used to install &t.server;.
- User passwords, including the default admin user password, must follow the rules below:
-
-
- Password must contain at least 8 characters
-
-
- The same number or letter must not be repeated three or more times in a row (for
- example: 111 or aaa)
-
-
- Password must not contain four consecutive numbers or letters (for example:
- 1234, abcd or ABCD)
-
-
- The Create User and Edit User views provide a built-in generation
- password action button that allows user managers to easily generate
- secure and compliant passwords. The user manager must provide the user with
- their password through an authorized secure channel.
- A user can reset their password in the Profile view. Here, they can
- also update their name and email address as well as activate
- multi-factor authentication using an authenticator app.
- Multi-factor authentication increases the security of a user account by
- requesting a temporary second password or code when logging in the
- console. User managers can disable multi-factor authentication for any
- given user that has it enabled. However, user managers cannot enable multi-factor authentication
- on their behalf. The default admin user cannot enable its own multi-factor authentication.
-
- Security Tip for Multi-Factor Authentication
- Since multi-factor authentication cannot be enabled for
- the default admin user, keeping its password safe is imperative. If the
- default admin user's password is compromised, reset it immediately by
- updating the helm chart or the web component configuration, depending on
- which deployment method was used to install &t.server;.
-
-
- User managers can enable and disable users. When a user
- logged in the console is disabled by a user admin, their session is
- terminated immediately.
-
+
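Review bot: this hunk drops the entire "User management" section from article_sap_trento.xml and replaces it with a single blank `+` line, but no include of the new trento-user-manage.xml file is visible in the hunk; confirm that the section is still pulled into the article somewhere else in the change, otherwise the user-management and MFA guidance disappears from the rendered document. If the text is being moved verbatim, note that the removed block carried `all:check_execution` under "operation access" while the permission list above it defines `all:checks_execution`; the move is the right moment to reconcile that identifier rather than carry it over.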
diff --git a/trento/xml/trento-user-manage.xml b/trento/xml/trento-user-manage.xml
new file mode 100644
index 00000000..61105c8f
--- /dev/null
+++ b/trento/xml/trento-user-manage.xml
@@ -0,0 +1,181 @@
+
+
+
+ %entities;
+]>
+
+ User management
+
+ &trento; provides a local permission-based user management feature with
+ optional multi-factor authentication. This feature enables segregation of
+ duties in the &trento; interface and ensures that only authorized users with
+ the right permissions can access it.
+
+
+ User management actions are performed in the Users view
+ in the left-hand side panel of the &t.web;.
+
+
+ By default, a newly created user is granted display access rights except for
+ the Users view. Where available, a user with default
+ access can configure filters and pagination settings matching their
+ preferences.
+
+
+ To perform protected actions, the user must have additional permissions added
+ to their user profile. Below is the list of currently available permissions:
+
+
+
+
+ all:users: grants full access to user management actions under the
+ Users view
+
+
+
+
+ all:checks_selection: grants check selection
+ capabilities for any target in the registered environment for which
+ checks are available
+
+
+
+
+ all:checks_execution: grants check execution
+ capabilities for any target in the registered environment for which
+ checks are available and have been previously selected
+
+
+
+
+ all:tags: allows creation and deletion of the available tags
+
+
+
+
+ cleanup:all: allows triggering housekeeping actions
+ on hosts where agents heartbeat is lost and SAP or HANA instances that
+ are no longer found
+
+
+
+
+ all:settings: grants changing capabilities on any
+ system settings under the Settings view
+
+
+
+
+ all:all: grants all the permissions above
+
+
+
+
+ Using the described permissions, it is possible to create the following types of users:
+
+
+
+
+ User managers:
+
+ users with all:users permissions
+
+
+
+
+
+ SAP Basis administrator with &trento; display-only access:
+
+ users with default permissions
+
+
+
+
+
+ SAP Basis administrator with &trento; configuration access:
+
+ users with all:checks_selection, all:tags and
+ all:settings permissions
+
+
+
+
+
+ SAP Basis administrator with &trento; operation access:
+
+ users with all:check_execution and cleanup:all permissions.
+
+
+
+
+
+ The default admin user created during the installation process is granted
+ all:all permissions and cannot be modified or deleted.
+ Use it only to create the first user manager (a user with
+ all:users permissions who creates all the other
+ required users). Once a user with all:users permissions
+ is created, the default admin user must be treated as a fallback user in
+ case all other access to the console is lost. If the password of the default
+ admin user is lost, it can be reset by updating the Helm chart or the web
+ component configuration, depending on which deployment method was used to
+ install &t.server;.
+
+
+ User passwords, including the default admin user password, must follow the rules below:
+
+
+
+
+ Password must contain at least 8 characters
+
+
+
+
+ The same number or letter must not be repeated three or more times in a
+ row (for example: 111 or aaa)
+
+
+
+
+ Password must not contain four consecutive numbers or letters (for
+ example: 1234, abcd or ABCD)
+
+
+
+
+ The Create User and Edit User views
+ provide a built-in password generation button that allows user
+ managers to easily generate secure and compliant passwords. The user manager
+ must provide the user with their password through an authorized secure
+ channel.
+
+
+ A user can reset their password in the Profile view. In
+ this view, they can also update their name and email address as well as
+ activate multi-factor authentication using an authenticator app.
+ Multi-factor authentication increases the security of a user account by
+ requesting a temporary second password or code when logging in the console.
+ User managers can disable multi-factor authentication for any given user
+ that has it enabled. However, user managers cannot enable multi-factor
+ authentication on their behalf. The default admin user cannot enable its own
+ multi-factor authentication.
+
+
+ Security Tip for Multi-Factor Authentication
+
+ Since multi-factor authentication cannot be enabled for the default admin
+ user, keeping its password safe is imperative. If the default admin user's
+ password is compromised, reset it immediately by updating the Helm chart
+ or the web component configuration, depending on which deployment method
+ was used to install &t.server;.
+
+
+
+ User managers can enable and disable users. When a user logged in the
+ console is disabled by a user admin, their session is terminated
+ immediately.
+
+
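Review bot: the "SAP Basis administrator with &trento; operation access" entry grants `all:check_execution`, but the permission list in the same file defines `all:checks_execution`; one of the two is wrong, and since a reader will copy the identifier from this list when assigning permissions, please align it with the name the product actually uses. Smaller wording points in the same hunk: "on hosts where agents heartbeat is lost" should read "where the agent heartbeat is lost"; "when logging in the console" should be "when logging in to the console"; and the last paragraph says "disabled by a user admin" where the rest of the file consistently uses "user manager", so use one term. In the "Security Tip" admonition it would also help to say which value in the Helm chart or web component configuration resets the default admin password, or link to the section that documents it, since the tip currently tells the reader what to do but not where.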