Adding permissions and roles table that was in an ADR, and also adding short procedure on configuring roles.

modules/ROOT/pages/getting-started.adoc

@@ -12,7 +12,7 @@ provide a foundational mechanism for isolating groups of resources within a sing
 {ProductName} scopes all the resources and APIs you interact with to namespaces, including your components, applications, snapshots, secrets, and the Tekton PipelineRuns that perform builds, tests, and releases.
 
 === Tenant namespace
-Tenant namespaces are where Tekton Pipelines produce artifacts that more than one individual can access according to their roles and the permissions defined by link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[those roles].
+Tenant namespaces are where Tekton Pipelines produce artifacts that more than one individual can access according to their roles and the permissions defined by xref:reference:permissions.adoc[those roles].
 The tenant namespaces can be either for an individual or a team.
 
 //TODO: Document the process for getting access to/creating new namespaces (We should store this information in a seperate file and link to it. It doesn't need to be in this document).

modules/ROOT/pages/share-with-community.adoc

@@ -2,7 +2,7 @@
 
 As a tenant admin, you may want to give visibility on your project to the Konflux users outside your team.
 
-For this purpose, Konflux allows you to bind the `system:authenticated` group to the link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[konflux-viewer-user-actions Role].
+For this purpose, Konflux allows you to bind the `system:authenticated` group to the xref:reference:permissions.adoc[konflux-viewer-user-actions Role].
 As a result, each authenticated user in Konflux will be allowed to view your Tenant namespace and its resources from CLI and UI.
 
 include::partial${context}-share-community-first-paragraph.adoc[]

modules/glossary/pages/index.adoc

@@ -68,4 +68,4 @@
 
 [[tekton-results]]Tekton results:: A mechanism that stores PipelineRun and TaskRun metadata in a separate database and underlying pod logs in cloud storage. After this metadata is stored in a separate database, the original resources are removed from the cluster.
 
-[[tenant-namespace]]tenant namespace:: A Kubernetes namespace which is owned by either an individual or a group of individuals. All Tekton Pipelines are run within a tenant namespace including build, test, and release pipelines. Access can be granted to individuals in link:https://konflux-ci.dev/architecture/ADR/0011-roles-and-permissions.html[three tiers], `Viewer`, `Contributor`, `Maintainer`, and `Admin`.
+[[tenant-namespace]]tenant namespace:: A Kubernetes namespace which is owned by either an individual or a group of individuals. All Tekton Pipelines are run within a tenant namespace including build, test, and release pipelines. Access can be granted to individuals in xref:reference:permissions.adoc[four tiers], `Viewer`, `Contributor`, `Maintainer`, and `Admin`.

modules/reference/nav.adoc

@@ -1,5 +1,6 @@
 * xref:index.adoc[Reference]
 ** xref:sample-repositories.adoc[Sample repositories]
+** xref:permissions.adoc[Roles and permissions]
 ** xref:kube-apis/index.adoc[Konflux Kubernetes APIs]
 *** xref:kube-apis/application-api.adoc#k8s-api-github-com-konflux-ci-application-api-api-v1alpha1-application[Application]
 *** xref:kube-apis/application-api.adoc#k8s-api-github-com-konflux-ci-application-api-api-v1alpha1-component[Component]

modules/reference/pages/permissions.adoc

@@ -0,0 +1,338 @@
+= Roles and Permissions for Konflux
+
+Konflux uses Kubernetes for managing user roles and permissions. Leveraging the Kubernetes RBAC system enhances the testability of Konflux, including enabling the well-documented and widely-used Kubernetes APIs for testing and validation. User roles are mapped to specific permissions in the Kubernetes RBAC system in terms of API groups, verbs, and resources.
+
+The following are the Konflux user roles:
+
+* *Viewer:* Members who are mainly interested in CI results.
+
+* *Contributor:* Members who interact with the workspace mostly through
+pull requests.
+
+* *Maintainer:* Members who manage the workspace without
+access to sensitive or destructive actions. 
+
+* *Admin:* Members who have full access to the workspace including sensitive and potentially destruction actions.
+
+
+This section contains the following: 
+
+* Table listing available roles and permissions
+* Procedures on how to configure Konflux's roles and permissions
+
+== Roles and permissions table
+
+The roles and permissions table lists:
+
+* Roles
+* Permissions
+* API Groups
+* Verbs
+* Resources
+
+
+[cols=",,,,",options="header",]
+|===
+|Role |Permissions |API Groups |Verbs |Resources
+|Viewer |Workspace |Access to namespaces that backs workspace |  | 
+
+|  |Application |appstudio.redhat.com |get, list, watch |applications
+
+| |Component |appstudio.redhat.com |get, list, watch |components,
+componentdetectionqueries
+
+|  |ImageRepository |appstudio.redhat.com |get, list, watch
+|imagerepositories
+
+|  |Environment |appstudio.redhat.com |get, list, watch |promotionruns,
+snapshotenvironmentbindings, snapshots, environments
+
+|  |DeploymentTarget |appstudio.redhat.com |get, list, watch
+|deploymenttargets
+
+|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch
+|deploymenttargetclaims
+
+|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch
+|gitopsdeployments, gitopsdeploymentmanagedenvironments,
+gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns
+
+| |PipelineRun |tekton.dev |get, list, watch |pipelineruns
+
+| |Pipeline Results |results.tekton.dev |get, list |results, records,
+logs
+
+| |IntegrationTestScenario |appstudio.redhat.com |get, list, watch
+|integrationtestscenarios
+
+| |Enterprise contract |appstudio.redhat.com |get, list, watch
+|enterprisecontractpolicies
+
+| |_Release Service_ |appstudio.redhat.com |get, list, watch |releases,
+releaseplans, releaseplanadmissions
+
+| |_JVM Build Service_ |jvmbuildservice.io |get, list, watch
+|jbsconfigs, artifactbuilds
+
+| |_Service Access_ |appstudio.redhat.com |get, list, watch
+|spiaccesstokenbindings, spiaccesschecks, spiaccesstokens,
+spifilecontentrequests
+
+| |_Remote Secrets_ |appstudio.redhat.com |get, list, watch
+|remotesecrets
+
+| |Build Service |appstudio.redhat.com |get, list, watch
+|buildpipelineselectors
+
+| |Project Controller |projctl.konflux.dev |get, list, watch |projects,
+projectdevelopmentstreams, projectdevelopmentstreamtemplates
+
+| |_Configs_ ||get, list, watch |configmaps
+
+| |_Secrets_ | | |secrets
+
+| |Add User | | |
+
+| |User group (with SSO) | | |
+
+| |CronJob |batch |get, list, watch |cronjobs, jobs
+
+|Contributor |Workspace |Access to namespaces that backs workspace | |
+
+| |Application |appstudio.redhat.com |get, list, watch |applications
+
+| |Component |appstudio.redhat.com |get, list, watch |components,
+componentdetectionqueries
+
+| |ImageRepository |appstudio.redhat.com |get, list, watch
+|imagerepositories
+
+| |Environment |appstudio.redhat.com |get, list, watch |promotionruns,
+snapshotenvironmentbindings, snapshots, environments
+
+| |DeploymentTarget |appstudio.redhat.com |get, list, watch
+|deploymenttargets
+
+| |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch
+|deploymenttargetclaims
+
+| |_GitOps_ |managed-gitops.redhat.com |get, list, watch
+|gitopsdeployments, gitopsdeploymentmanagedenvironments,
+gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns
+
+| |PipelineRun |tekton.dev |get, list, watch |pipelineruns
+
+| |Pipeline Results |results.tekton.dev |get, list |results, records,
+logs
+
+| |IntegrationTestScenario |appstudio.redhat.com |get, list, watch
+|integrationtestscenarios
+
+| |Enterprise contract |appstudio.redhat.com |get, list, watch
+|enterprisecontractpolicies
+
+| |_Release Service_ |appstudio.redhat.com |get, list, watch |releases,
+releaseplans, releaseplanadmissions
+
+| |_JVM Build Service_ |jvmbuildservice.io |get, list, watch
+|jbsconfigs, artifactbuilds
+
+| |_Service Access_ |appstudio.redhat.com |get, list, watch
+|spiaccesstokenbindings, spiaccesschecks, spiaccesstokens,
+spifilecontentrequests
+
+| |_Remote Secrets_ |appstudio.redhat.com |get, list, watch
+|remotesecrets
+
+| |Build Service |appstudio.redhat.com |get, list, watch
+|buildpipelineselectors
+
+| |Project Controller |projctl.konflux.dev |get, list, watch |projects,
+projectdevelopmentstreams, projectdevelopmentstreamtemplates
+
+| |_Configs_ | |get, list, watch |configmaps
+
+| |_Secrets_ | | |secrets
+
+| |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch
+|pulpaccessrequests
+
+| |Add User | | |
+
+| |User group (with SSO) | | |
+
+|  |CronJob |batch |get, list, watch |cronjobs, jobs
+
+|  |RoleBinding |rbac.authorization.k8s.io |get, list |rolebindings
+
+|Maintainer |Workspace |Access to namespaces that backs workspace |  | 
+
+|  |Application |appstudio.redhat.com |get, list, watch, create, update,
+patch |applications, snapshots
+
+|  |Component |appstudio.redhat.com |get, list, watch, create, update,
+patch |components, componentdetectionqueries
+
+|  |ImageRepository |appstudio.redhat.com |get, list, watch, create,
+update, patch |imagerepositories
+
+|  |Environment |appstudio.redhat.com |get, list, watch |promotionruns,
+snapshotenvironmentbindings, environments
+
+|  |DeploymentTarget |appstudio.redhat.com |get, list, watch
+|deploymenttargets
+
+|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch
+|deploymenttargetclaims
+
+|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch
+|gitopsdeployments, gitopsdeploymentmanagedenvironments,
+gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns
+
+|  |PipelineRun |tekton.dev |get, list, watch |pipelineruns
+
+|  |Pipeline Results |results.tekton.dev |get, list |results, records,
+logs
+
+|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch,
+create, update, patch, delete |integrationtestscenarios
+
+|  |Enterprise contract |appstudio.redhat.com |get, list, watch
+|enterprisecontractpolicies
+
+|  |_Release Service_ |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |releases, releaseplans, releaseplanadmissions
+
+|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch, create,
+update, patch |jbsconfigs, artifactbuilds
+
+|  |_Service Access_ |appstudio.redhat.com |get, list, watch, create,
+update, patch |spiaccesstokenbindings, spiaccesschecks, spiaccesstokens,
+spifilecontentrequests, spiaccesstokendataupdates
+
+|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch
+|remotesecrets
+
+|  |Build Service |appstudio.redhat.com |get, list, watch, create
+|buildpipelineselectors
+
+|  |Project Controller |projctl.konflux.dev |get, list, watch, create,
+update, patch |projects, projectdevelopmentstreams,
+projectdevelopmentstreamtemplates
+
+|  |_Configs_ |  |get, list, watch |configmaps
+
+|  |_Secrets_ |  |  |secrets
+
+|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch,
+create, update, patch |pulpaccessrequests
+
+|  |Add User |  |  | 
+
+|  |User group (with SSO) |  |  | 
+
+|  |CronJob |batch |get, list, watch, create, update, patch |cronjobs,
+jobs
+
+|  |RoleBinding |rbac.authorization.k8s.io |get, list |rolebindings
+
+|Admin |Workspace |Access to namespaces that backs workspace |  | 
+
+|  |Application |appstudio.redhat.com |get, list, watch, create, update,
+patch, delete, deletecollection |applications
+
+|  |Component |appstudio.redhat.com |get, list, watch, create, update,
+patch, delete, deletecollection |components, componentdetectionqueries
+
+|  |ImageRepository |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete, deletecollection |imagerepositories
+
+|  |Environment |appstudio.redhat.com |get, list, watch, create, update,
+patch, delete |promotionruns, snapshotenvironmentbindings, snapshots,
+environments
+
+|  |DeploymentTarget |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |deploymenttargets
+
+|  |DeploymentTargetClaim |appstudio.redhat.com |get, list, watch,
+create, update, patch, delete |deploymenttargetclaims
+
+|  |_GitOps_ |managed-gitops.redhat.com |get, list, watch
+|gitopsdeployments, gitopsdeploymentmanagedenvironments,
+gitopsdeploymentrepositorycredentials, gitopsdeploymentsyncruns
+
+|  |PipelineRun |tekton.dev |get, list, watch, create, update, patch,
+delete |pipelineruns
+
+|  |Pipeline Results |results.tekton.dev |get, list |results, records,
+logs
+
+|  |IntegrationTestScenario |appstudio.redhat.com |get, list, watch,
+create, update, patch, delete |integrationtestscenarios
+
+|  |Enterprise contract |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |enterprisecontractpolicies
+
+|  |_Release Service_ |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |releases, releaseplans, releaseplanadmissions
+
+|  |Release Admission Plan |appstudio.redhat.com |get, list, watch,
+create, update, patch, delete |releaseplanadmissions
+
+|  |_JVM Build Service_ |jvmbuildservice.io |get, list, watch, create,
+update, patch, delete |jbsconfigs, artifactbuilds
+
+|  |_Service Access_ |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |spiaccesstokenbindings, spiaccesschecks,
+spiaccesstokens,spifilecontentrequests, spiaccesstokendataupdates
+
+|  |_Remote Secrets_ |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |remotesecrets
+
+|  |Build Service |appstudio.redhat.com |get, list, watch, create,
+update, patch, delete |buildpipelineselectors
+
+|  |Project Controller |projctl.konflux.dev |get, list, watch, create,
+update, patch, delete |projects, projectdevelopmentstreams,
+projectdevelopmentstreamtemplates
+
+|  |_Configs_ |  |get, list, watch, create, update, patch, delete
+|configmaps
+
+|  |_Secrets_ |  |get, list, watch, create, update, patch, delete
+|secrets
+
+|  |_Exec to pods_ |  |create |pods/exec
+
+|  |Pulp Access Controller |pulp.konflux-ci.dev |get, list, watch,
+create, update, patch |pulpaccessrequests
+
+|  |SpaceBindingRequest |toolchain.dev.openshift.com |get, list, watch,
+create, update, patch, delete |spacebindingrequests
+
+|  |Add User |  |  | 
+
+|  |User group (with SSO) |  |  | 
+
+|  |CronJob |batch |get, list, watch, create, update, patch, delete
+|cronjobs, jobs
+
+|  |RoleBinding |rbac.authorization.k8s.io |get, list, create, update,
+patch, delete |rolebindings, roles
+
+|  |ServiceAccount |  |get, list, create, update, patch, delete
+|serviceaccounts
+
+| |Token | |create |serviceaccounts/token
+|===
+
+== Configuring user roles and permissions for Konflux
+
+To configure roles and permissions in Konflux, you configure two yaml files using the information in the roles and permissions table.
+
+Model your yaml files according to these example yaml files:
+
+* link:https://github.com/konflux-ci/konflux-ci/blob/main/konflux-ci/rbac/core/kustomization.yaml[Kustomization]
+
+* link:https://github.com/konflux-ci/konflux-ci/blob/main/konflux-ci/rbac/core/konflux-admin-user-actions.yaml[Admin]
+