Seamless and predefined roles

modules/ROOT/content-nav.adoc

@@ -95,6 +95,7 @@ Generic Start
 ** xref:security/secure-connections.adoc[Secure connections]
 ** xref:security/single-sign-on.adoc[Single sign-on]
 ** xref:security/encryption.adoc[Encryption]
+** xref:security/tool-auth.adoc[Tool authentication]
 
 * xref:user-management.adoc[User management]
 

modules/ROOT/pages/security/tool-auth.adoc

@@ -0,0 +1,12 @@
+= Tool authentication
+:description: This section describes the seamless tool authentication functionality in AuraDB.
+
+Organization admins can allow users in a project to seamlessly and securely connect to a project and the instances within it.
+
+This feature can be enabled and configured from the Org settings.
+
+As an Org admin, you maintain access control of all projects within the organization.
+You can select which projects and instances users can connect seamlessly to and which they should be required to use username and password to connect to.
+To prevent unauthorized access and allow Project admins full access control, the authentication is used in conjunction with predefined roles with varying levels of access to the database.
+This means that Project admins assign roles to the users that grants them seamless connection to the project and its instances as well as certain privileges to the databases there.
+See xref:user-management.adoc#roles[User management - Roles] for more information.

modules/ROOT/pages/user-management.adoc

@@ -162,29 +162,164 @@ Users within a project can be assigned one of the following roles:
 
 :check-mark: icon:check[]
 
-.Roles
+.Roles and console capabilities
 [opts="header",cols="3,1,1,1"]
 |===
-| Capability | Admin | Member | Viewer
+| Capability | Viewer | Member | Admin
 | View users and their roles | {check-mark} | {check-mark} | {check-mark}
 | View and open instances | {check-mark} | {check-mark} | {check-mark}
 | Access the Neo4j Customer Support Portal | {check-mark} | {check-mark} | {check-mark}
-| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | {check-mark} | {check-mark} |
-| Clone data to new and existing instances | {check-mark} | {check-mark} |
-| Take on-demand snapshots | {check-mark} | {check-mark} |
-| Restore from snapshots | {check-mark} | {check-mark} |
-| Edit the project name | {check-mark} | |
-| Invite new users to the project | {check-mark} | |
-| Edit existing users' roles | {check-mark} | |
-| Delete existing users from the project | {check-mark} | |
-| View and edit billing information | {check-mark} | |
+| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | | {check-mark} | {check-mark}
+| Clone data to new and existing instances | | {check-mark} | {check-mark}
+| Take on-demand snapshots | | {check-mark} | {check-mark}
+| Restore from snapshots | | {check-mark} | {check-mark}
+| Edit the project name | | | {check-mark}
+| Invite new users to the project | | | {check-mark}
+| Edit existing users' roles | | | {check-mark}
+| Delete existing users from the project | | | {check-mark}
+| View and edit billing information | | | {check-mark}
 |===
 
 [NOTE]
 ====
 Each project must have at least one Project Admin, but it is also possible for projects to have multiple Project Admins.
 ====
 
+Additionally, predefined roles are assigned certain privileges on the instance level as well.
+
+.Roles and database privileges
+[options="header", cols="3,^,^,^,^,^"]
+|===
+| Privilege
+| Viewer
+| Member
+3+| Admin
+
+|
+|
+|
+| Free
+| Professional
+| Business Critical
+
+| Access to database
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| List constraints
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Create constraints
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Delete constraints
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| List indexes
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Create indexes
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Delete indexes
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Find nodes and relationships and read their properties
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Load external data in queries
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Write to the graph
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| Name management for node labels, relationship types, and property names.
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List and end transactions for specified users on the database.
+|
+|
+| {check-mark}
+| {check-mark}
+| {check-mark}
+| List, create, delete, and modify users.
+|
+|
+|
+| {check-mark}
+| {check-mark}
+| List roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+| Create roles
+|
+|
+|
+|
+| {check-mark}
+| Assign roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+| Rename roles
+|
+|
+|
+|
+| {check-mark}
+| Remove roles
+|
+|
+|
+| {check-mark}
+| {check-mark}
+
+| Privilege management footnote:[This includes to list, grant, and revoke privileges.]
+|
+|
+|
+|
+| {check-mark}
+|===
+
 === Inviting users
 
 As an _Admin_, to invite a new user:
@@ -231,7 +366,7 @@ You can select the project(s) you have been invited to and choose to accept or d
 
 // You can also close the **Project invitation** modal without accepting or declining the invite(s) and later manually re-open the modal by selecting the **Pending invites** envelope icon in the console header.
 
-[TIP]
-====
-User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
-====
+// [TIP]
+// ====
+// User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
+// ====