From 2f46f4368588db59d5ddfee9df1451b73c0ff714 Mon Sep 17 00:00:00 2001 From: pwseg Date: Thu, 23 Jan 2025 16:50:00 -0600 Subject: [PATCH 1/8] address issue --- src/segment-app/iam/labels.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index d742ca0e57..d454fcf8c8 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -5,12 +5,12 @@ plan: iam Labels allow workspace owners to assign permissions to users to grant them access to groups. Groups represent collections of Sources, or collections of Spaces. -To create or configure labels, go to the **Labels** tab in your workspace settings. Only workspace Owners can manage labels for the entire workspace. +To create or configure labels in your Segment workspace, go to the **Settings > Admin**, then click the Label Management. Only workspace Owners can manage labels for the entire workspace. > info "" > All workspaces include labels for `Dev` (development) and `Prod` (production) environments. Business Tier customers can create an unlimited number of labels. -## Custom Environments +## Custom environments By default, all workspaces include labels for Dev (development) and Prod (production) environments. Workspace owners can configure what these labels are applied to, and can create up to five custom environments. From d697a7c0c1e912cbabdb4f1f7c6aecf61cdd53ce Mon Sep 17 00:00:00 2001 From: pwseg Date: Thu, 23 Jan 2025 16:52:12 -0600 Subject: [PATCH 2/8] some style cleanup --- src/segment-app/iam/labels.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index d454fcf8c8..badec8e68c 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -3,9 +3,9 @@ title: Using Label-Based Access Control plan: iam --- -Labels allow workspace owners to assign permissions to users to grant them access to groups. Groups represent collections of Sources, or collections of Spaces. +Labels allow workspace owners to assign permissions to users to grant them access to groups. Groups represent collections of [sources](/docs/connections/sources/), or collections of Spaces. -To create or configure labels in your Segment workspace, go to the **Settings > Admin**, then click the Label Management. Only workspace Owners can manage labels for the entire workspace. +To create or configure labels in your Segment workspace, go to **Settings > Admin**, then click the Label Management tab. Only workspace owners can manage labels for the entire workspace. > info "" > All workspaces include labels for `Dev` (development) and `Prod` (production) environments. Business Tier customers can create an unlimited number of labels. From 64a191087cbf53207d914756a51214e21e3f0cd1 Mon Sep 17 00:00:00 2001 From: pwseg Date: Thu, 23 Jan 2025 17:06:19 -0600 Subject: [PATCH 3/8] more style fixes --- src/segment-app/iam/labels.md | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index badec8e68c..6c66ea9b7e 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -3,53 +3,56 @@ title: Using Label-Based Access Control plan: iam --- -Labels allow workspace owners to assign permissions to users to grant them access to groups. Groups represent collections of [sources](/docs/connections/sources/), or collections of Spaces. +Labels let workspace owners assign permissions to users by organizing resources into groups. Groups can represent collections of [sources](/docs/connections/sources/) or Spaces. -To create or configure labels in your Segment workspace, go to **Settings > Admin**, then click the Label Management tab. Only workspace owners can manage labels for the entire workspace. + +To create or configure labels in your Segment workspace, go to **Settings > Admin**, then click the Label Management tab. Only Workspace Owners can manage labels for the entire workspace. > info "" > All workspaces include labels for `Dev` (development) and `Prod` (production) environments. Business Tier customers can create an unlimited number of labels. ## Custom environments -By default, all workspaces include labels for Dev (development) and Prod (production) environments. Workspace owners can configure what these labels are applied to, and can create up to five custom environments. +By default, all workspaces include labels for `Dev` (development) and `Prod` (production) environments. Workspace Owners can configure what these labels are applied to, and can create up to 5 custom environments. -Labels must be in `key:value` format, both the key and value must begin with a letter, and they can only contain letters, numbers, hyphens or dashes. +Labels must use the `key:value` format. Both the key and value must begin with a letter, and they can only contain letters, numbers, hyphens, or dashes. -To apply labels to Sources and Spaces, click the **Assign Labels** tab from the Labels screen. In the screen that appears, select the Sources and Spaces to apply the label to. +To apply labels to sources and spaces, click the **Assign Labels** tab from the Manage Labels screen. In the screen that appears, select the sources and spaces to apply the label to. Once a label is in use (either assigned to a resource or used to restrict permissions on a user), the label cannot be deleted. You must first manually remove the label from any resources and permissions before you can delete it. > info "" -> While only Workspace Owners can bulk-edit labels, Source and Space admins can edit the labels on the sources and spaces they have access to. To do this, go to the **Settings** tab for each item. +> While only Workspace Owners can bulk-edit labels, source and space admins can edit the labels on the sources and spaces they have access to. To do this, go to the **Settings** tab for each item. -Workspace owners can also grant specific [Roles](/docs/segment-app/iam/roles/) access to specific labels. For example, you might give a Source Admin access to only Sources that have the `Prod` label. +Workspace Owners can also grant specific [role access](/docs/segment-app/iam/roles/) to specific labels. For example, you might give a Source Admin access to only sources that have the `Prod` label. Permissions can then be assigned to users in Access Management by label, on the Source Admin, Source Read-Only, Engage Admin, Engage User and Engage Read-Only users. ![Screenshot of the Select Sources popup, with the Assign Source Admin to: All Sources in Workspace including future Sources option selected.](images/labels-access-mgmt.png) -## Custom Labels +## Custom labels + +> info "" +> All Segment workspaces can create up to 5 custom labels. Additional label types (in addition to environment labels) are available to Segment Business Tier accounts. -> note "" -> **Note**: All Segment workspaces can create up to five custom labels. Additional label types (in addition to environment labels) are available to Segment Business Tier accounts. +To create additional custom labels, a Workspace Owner can create new key types in the Manage Labels screen. The Workspace Owner can customize any combination of labels to mirror how resources should be partitioned in their organization. -To create additional custom labels, a workspace owner can create new key types in the Labels screen. The workspace owner can customize any combination of labels to mirror how resources should be partitioned in their organization. For example, some organizations may prefer to restrict access on their Sources and Spaces by brand or product area while other organizations may find it more useful to restrict their resources by tech stack or engineering department. +For example, some organizations may prefer to restrict access on their sources and spaces by brand or product area, while other organizations may find it more useful to restrict their resources by tech stack or engineering department. -When you create a new key, it becomes available in the Sources page as a column type that can be used to organize sources. +When you create a new key, it becomes available in the S ources page as a column type that can be used to organize sources. -## Labels FAQ +## FAQ ##### Where can I create labels? -Workspace owners can create labels for sources and Spaces from the Segment workspace **Settings** -> **Admin** -> **Labels**. +You can create labels for sources and spaces from Segment workspace by going to **Settings -> Admin** and then clicking the **Label Management** tab. ##### What resources can I assign a label to? -Labels currently only apply to Sources and Spaces. +You can apply labels to sources and spaces. ##### Where can I assign labels? -Workspace owners can assign bulk assign labels to sources and Spaces using the "Assign Labels" tab in the **Labels** screen. Source admins and Space admins can edit the labels on their individual resources in the "Settings" tab. +You can assign labels to sources and spaces using the **Assign Labels** tab in the **Manage Labels** screen. Source Admins and Space Admins can edit the labels on their individual resources in the **Settings** tab. ##### Where can labels be used? From 37f3664ade1d382997eccc7543a92ea3c44097ed Mon Sep 17 00:00:00 2001 From: pwseg Date: Thu, 23 Jan 2025 17:13:21 -0600 Subject: [PATCH 4/8] moreeee cleanup --- src/segment-app/iam/labels.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index 6c66ea9b7e..9381766c08 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -60,19 +60,19 @@ Once a label has been created and has been assigned to resources within the work ##### Can I delete a label? -Workspace owners can only delete a label if it is not being used (either assigned to a resource or used to restrict permissions on a user). First, manually remove the label from any resources or user permissions. +Workspace owners can delete a label only if it’s not in use. See [Custom Environments](#custom-environments) for details on removing labels. ##### Can I rename a label? -No, a label cannot be renamed. If you need to rename a label, we recommend you create the new label, and then assign it to all resources named the old label before deleting the old label. +No. If you need to rename a label, first create a new label, assign it to all resources using the old label, and then delete the old label. -##### Can I assign a resource multiple values from the same category? -(for example, a source as both brand:A and brand:B)) +##### Can I assign multiple values from the same category to a resource? -No, you can only assign one value per category. This is to ensure there is no confusion in logic around permissions. For example, if a user is assigned permission to brand:A, it would be unclear to the workspace owner if this user gets access to a source labeled both `brand:A` and `brand:B` or only sources with the sole label `brand:A`. +No, you can assign only one value per category. This prevents confusion about permissions. For example, if a user has access to `brand:A`, it’s unclear whether they should also access sources labeled both `brand:A` and `brand:B`. To avoid this, each resource can have just one value per label category. -##### How does assigning a user permissions based on labels work? -Labels are additive, so you can only further restrict a user's permissions by adding more labels. If a user has access to everything labeled environment:production, we assume no restrictions on any other category of label. This user has less restricted permissions than another user who has access to everything with `environment:production` AND `region:apac`. +##### How does assigning permissions based on labels work? + +Labels are additive, meaning they can only further restrict a user's permissions. For example, if a user has access to everything labeled `environment:production`, then they're not restricted by other label categories. This results in broader permissions compared to a user with access to both `environment:production` AND `region:apac`. For example, if the following sources had these set of labels: @@ -82,13 +82,13 @@ For example, if the following sources had these set of labels: | B | `environment:prod`, `product:truck` | | C | `environment:dev, product: car` | -Then the following through users with Source Admin restricted with Labels will only have access to the following Sources: +Then the following users with Source Admin restricted with labels will only have access to the following sources: -| User | Source Admin with Labels | Access to Sources | +| User | Source Admin with labels | Access to sources | | ----- | ----------------------------------- | ----------------- | | Sally | `environment:prod` | A, B | | Bob | `environment:prod`, `product:truck` | B | | Jane | `product: car` | A, C | -##### Can I grant a user permissions with OR statements? +##### Can I grant a user permissions with `OR` statements? You can only assign one set of additive labels on a per-user basis. However, to give a user who needs access to all sources labeled `brand:a` or `brand:b`, we recommend that you use Group permissions and assign this user to two separate groups, where one group has Source Admin access to `brand:a` and the other has Source Admin access to `brand:b`. From 659d80f9a111dbe3d7ab65337a4a69227ddf0dd8 Mon Sep 17 00:00:00 2001 From: pwseg Date: Thu, 23 Jan 2025 17:17:34 -0600 Subject: [PATCH 5/8] simplify FAQ language --- src/segment-app/iam/labels.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index 9381766c08..2a3c34b1bc 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -37,9 +37,9 @@ Permissions can then be assigned to users in Access Management by label, on the To create additional custom labels, a Workspace Owner can create new key types in the Manage Labels screen. The Workspace Owner can customize any combination of labels to mirror how resources should be partitioned in their organization. -For example, some organizations may prefer to restrict access on their sources and spaces by brand or product area, while other organizations may find it more useful to restrict their resources by tech stack or engineering department. +For example, some organizations may restrict access to sources and spaces by brand or product area, while others might organize resources by tech stack or engineering department. -When you create a new key, it becomes available in the S ources page as a column type that can be used to organize sources. +When you create a new key, it becomes available in the Sources page as a column type that can be used to organize sources. ## FAQ @@ -68,7 +68,7 @@ No. If you need to rename a label, first create a new label, assign it to all re ##### Can I assign multiple values from the same category to a resource? -No, you can assign only one value per category. This prevents confusion about permissions. For example, if a user has access to `brand:A`, it’s unclear whether they should also access sources labeled both `brand:A` and `brand:B`. To avoid this, each resource can have just one value per label category. +No, each resource can have only one value per label category. This prevents confusion about permissions. For example, if a user has access to `brand:A`, it’s unclear whether they should also have access to sources labeled both `brand:A` and `brand:B`. Limiting resources to one value per category avoids this confusion. ##### How does assigning permissions based on labels work? @@ -91,4 +91,6 @@ Then the following users with Source Admin restricted with labels will only have | Jane | `product: car` | A, C | ##### Can I grant a user permissions with `OR` statements? -You can only assign one set of additive labels on a per-user basis. However, to give a user who needs access to all sources labeled `brand:a` or `brand:b`, we recommend that you use Group permissions and assign this user to two separate groups, where one group has Source Admin access to `brand:a` and the other has Source Admin access to `brand:b`. + +To grant a user access to sources labeled `brand:a` or `brand:b`, use group permissions. Create two groups: one with Source Admin access to `brand:a` and another with Source Admin access to `brand:b`, then assign the user to both groups. + From db6b6608406cd5fcc6488b06b60fd3d3d2384909 Mon Sep 17 00:00:00 2001 From: pwseg <86626706+pwseg@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:20:47 -0600 Subject: [PATCH 6/8] goodbye whitespace --- src/segment-app/iam/labels.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index 2a3c34b1bc..eb7c9312d9 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -5,7 +5,6 @@ plan: iam Labels let workspace owners assign permissions to users by organizing resources into groups. Groups can represent collections of [sources](/docs/connections/sources/) or Spaces. - To create or configure labels in your Segment workspace, go to **Settings > Admin**, then click the Label Management tab. Only Workspace Owners can manage labels for the entire workspace. > info "" @@ -93,4 +92,3 @@ Then the following users with Source Admin restricted with labels will only have ##### Can I grant a user permissions with `OR` statements? To grant a user access to sources labeled `brand:a` or `brand:b`, use group permissions. Create two groups: one with Source Admin access to `brand:a` and another with Source Admin access to `brand:b`, then assign the user to both groups. - From 3872986ace42d089c4accda294f4dee49affbf3c Mon Sep 17 00:00:00 2001 From: pwseg <86626706+pwseg@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:53:29 -0600 Subject: [PATCH 7/8] Update src/segment-app/iam/labels.md Co-authored-by: forstisabella <92472883+forstisabella@users.noreply.github.com> --- src/segment-app/iam/labels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index eb7c9312d9..f72a8fae46 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -3,7 +3,7 @@ title: Using Label-Based Access Control plan: iam --- -Labels let workspace owners assign permissions to users by organizing resources into groups. Groups can represent collections of [sources](/docs/connections/sources/) or Spaces. +Labels let workspace owners assign permissions to users by organizing resources into groups. Groups can represent collections of [sources](/docs/connections/sources/) or [spaces](/docs/unify/quickstart/). To create or configure labels in your Segment workspace, go to **Settings > Admin**, then click the Label Management tab. Only Workspace Owners can manage labels for the entire workspace. From 01c7444c5b6a657d970a3e1e7b499b71bf3a2699 Mon Sep 17 00:00:00 2001 From: pwseg <86626706+pwseg@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:53:42 -0600 Subject: [PATCH 8/8] Update src/segment-app/iam/labels.md Co-authored-by: forstisabella <92472883+forstisabella@users.noreply.github.com> --- src/segment-app/iam/labels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/segment-app/iam/labels.md b/src/segment-app/iam/labels.md index f72a8fae46..3a6669ef60 100644 --- a/src/segment-app/iam/labels.md +++ b/src/segment-app/iam/labels.md @@ -59,7 +59,7 @@ Once a label has been created and has been assigned to resources within the work ##### Can I delete a label? -Workspace owners can delete a label only if it’s not in use. See [Custom Environments](#custom-environments) for details on removing labels. +Workspace owners can only delete a label if it’s not in use. See [Custom Environments](#custom-environments) for details on removing labels. ##### Can I rename a label?