docs: Describe remote user management webui

docs/_shared/attn-enterprise-edition.txt

@@ -0,0 +1,3 @@
+.. attention::
+
+   This feature applies only to Determined Enterprise Edition.

docs/manage/security/rbac.rst

@@ -14,8 +14,8 @@
 
 .. warning::
 
-   If you are looking to enable RBAC on an existing Determined installation, please see the
-   :ref:`migration guide below <rbac-migrate-existing>`.
+   If you want to enable RBAC on an existing Determined installation, consult the :ref:`migration
+   guide <rbac-migrate-existing>`.
 
 By default, a Determined installation comes with role-based access control disabled. To enable RBAC,
 set the following option in the master config:
@@ -140,6 +140,8 @@ engineers will only have access to the experiments in their respective workspace
    det -u mle-stop-00 experiment list --all
    det -u mle-traffic-00 experiment list --all
 
+.. _manage-rbac:
+
 *************
  Manage RBAC
 *************
@@ -150,6 +152,12 @@ Inspecting the Setup
 CLI
 ---
 
+To get help with the ``user`` command:
+
+.. code::
+
+   det user -h
+
 To get the current user's permission list:
 
 .. code:: bash
@@ -169,50 +177,72 @@ To list all existing roles and their permissions:
 
    det rbac list-roles
 
-To list existing users, group and their membership:
+To list all users, groups, and their membership:
 
 .. code:: bash
 
-   det user list
+   det user list --all
    det user-group list
    det user-group describe GROUP_NAME
 
+To list only **active** users, remove the ``--all`` (or ``--a``) option:
+
+.. code:: bash
+
+   det user list
+
+To create a new :ref:`remote user <remote-users>`:
+
+.. code:: bash
+
+   det -u admin user create <username> --remote
+
 To list the role assignments for a user or a group:
 
 .. code:: bash
 
    det rbac list-groups-roles GROUP_NAME
    det rbac list-users-roles USER_NAME
 
+.. _manage-users-groups-webui:
+
 WebUI
 -----
 
-To see the user and group management UI,
+To manage users and groups via the WebUI:
+
+#. View **Admin Settings** by selecting your profile in the upper left corner and then choosing
+   **Admin**.
 
-#. Click on your username in the upper left corner.
-#. Click "Settings"
-#. See "User Management" and "Group Management" tabs at the top.
+Admin Settings displays the **Users** and **Groups** lists.
 
-To create new users, use "New User" button at the "User Management" screen.
+To create new users, select **Add User**. To set the user as a :ref:`remote user <remote-users>`:,
+select the **Remote** option.
 
-To see or modify user roles assigned at the global scope,
+.. note::
+
+   You can edit any existing user and set them as a remote user to prevent password sign-on and
+   requiring the user to sign on via the organization's IdP.
+
+To manage user roles assigned at the global scope:
 
 #. Click triple-dot icon on the right of the user entry.
-#. Select "Edit" option in the dropdown.
+#. Choose **Edit User**.
 
-To see or modify group roles assigned at the global scope,
+To manage group roles assigned at the global scope:
 
 #. Click triple-dot icon on the right of the group entry.
-#. Select "Add Roles" option in the dropdown.
+#. Select **Edit Group**.
+#. Click inside **Select Global Roles** and add or remove roles.
 
-To see group membership, click on the plus icon on the left of the group entry.
+To manage group membership, expand the group by selecting the plus icon.
 
-To remove member users, open group membership list and "Remove" button next to the user entry.
+To remove member users, open the group membership list and select **Remove** next to the user entry.
 
 To add member users,
 
 #. Click triple-dot icon on the right of the group entry.
-#. Select "Edit/Add Users" option in the dropdown.
+#. Choose **Add Members to Group**.
 
 Managing User Groups
 ====================
@@ -253,20 +283,20 @@ WebUI
 
 .. attention::
 
-   Only users with the ClusterAdmin role can add/remove users and groups.
+   Only users with the ClusterAdmin role can add or remove users and groups.
 
-To see user group management UI,
+To manage user groups via the WebUI:
 
-#. Click on your username in the upper left corner.
-#. Click "Admin".
-#. Click the "Groups" tab at the top.
+#. View **Admin Settings** by selecting your profile in the upper left corner and then choosing
+   **Admin**.
+#. Select the **Groups** tab.
 
-To create new groups, use "New Group" button at the "Groups" screen.
+To create new groups, select **New Group**.
 
-To delete a group,
+To delete a group:
 
-#. Click triple-dot icon on the right of the group entry.
-#. Select "Delete" option in the dropdown.
+#. Select the triple-dot icon on the right of the group entry.
+#. Choose **Delete Group**.
 
 Managing Role Assignments
 =========================
@@ -296,42 +326,42 @@ WORKSPACE_NAME`` switch:
 WebUI
 -----
 
-To assign or unassign a role for a user or a group globally, first go to user or group management
-UI:
+To assign or unassign a role for a user or a group globally, navigate to user or group management in
+the WeUI:
 
 .. attention::
 
    Only users with the ClusterAdmin role can add/edit global role assignments for users and groups
    from the "Admin" menu as described immediately below.
 
-#. Click on your username in the upper left corner.
-#. Click "Admin".
-#. See "Users" and "Groups" tabs at the top.
+#. View **Admin Settings** by selecting your profile in the upper left corner and then choosing
+   **Admin**.
+
+Admin Settings displays the **Users** and **Groups** lists.
 
 Then, for users:
 
 #. Click triple-dot icon on the right of the user entry.
-#. Select "Edit" option in the dropdown.
+#. Choose **Edit User**.
 
 For groups:
 
 #. Click triple-dot icon on the right of the group entry.
-#. Select "Add Roles" option in the dropdown.
+#. Choose **Edit Group**.
 
-To assign or unassign a role for a user or a group on a particular workspace,
+To assign or unassign a role for a user or a group on a particular workspace:
 
 .. attention::
 
    Only users with the WorkspaceAdmin role can add/edit workspace-scoped role assignments for users
    and groups.
 
 #. Go to the workspaces page, select the target workspace.
-#. Click "Members" tab at the top.
-#. To create new role assignments, click the "Add Members" button at the top right.
+#. Select the **Members** tab.
+#. To create new role assignments, click **Add Members**.
 #. To remove existing role assignments, click the triple-dot menu for a user/group and select
-   "Remove".
-#. To edit the role, click on the dropdown in the role column for a user/group and make your
-   selection.
+   **Remove**.
+#. To edit the role, click on the dropdown in the role column for a user/group and choose a role.
 
 .. _rbac-concepts:
 

docs/manage/users-remote.rst

@@ -0,0 +1,162 @@
+.. _remote-users:
+
+#######################
+ Managing Remote Users
+#######################
+
+Determined lets you manage users and user provisioning remotely. Remote user provisioning lets you
+include and synchronize any information about the user stored in your IdP such as their username,
+display name, and groups. Once configured, you can manage remote users without having to manually
+modify the users or update them via SCIM. Each time the remote user accesses Determined, their
+information is synchronized.
+
+.. include:: ../_shared/attn-enterprise-edition.txt
+
+.. note::
+
+   As of 026.4, OIDC is supported.
+
+*******************************
+ Enable Remote User Management
+*******************************
+
+Set the Auto Provision Option
+=============================
+
+The first step is to configure the :ref:`master configuration file <master-config-reference>` to
+enable auto provisioning users and the remote management of any information attached to the users.
+
+.. tabs::
+
+   .. tab::
+
+      OIDC
+
+      -  Enable OIDC.
+      -  Set ``oidc.auto_provision_users`` option to ``true`` in your :ref:`master configuration
+         file <master-config-reference>`.
+
+      .. note::
+
+         If ``scim_enabled`` is ``true``, then ``oidc.auto_provision_users`` must be ``false``.
+
+      For example:
+
+      .. code:: yaml
+
+         oidc:
+             enabled: true
+             provider: "Okta"
+             idp_recipient_url: "https://determined.example.com/oidc/sso"
+             idp_sso_url: "https://dev-00000000.okta.com"
+             client_id: "xx0xx0"
+             client_secret: "xx0xx0"
+             auto_provision_users: true
+             display_name_claim_name: "XYZ"
+
+   .. tab::
+
+      SAML
+
+      -  Enable SAML.
+      -  Set ``saml.auto_provision_users`` option to ``true`` in your :ref:`master configuration
+         file <master-config-reference>`.
+
+      .. note::
+
+         If ``scim_enabled`` is ``true``, then ``saml.auto_provision_users`` must be ``false``.
+
+      For example:
+
+      .. code:: yaml
+
+         saml:
+             enabled: true
+             provider: "Okta"
+             idp_recipient_url: "https://determined.example.com/saml/sso"
+             idp_sso_url: "https://myorg.okta.com/app/...sso/saml"
+             idp_cert_path: "okta.cert"
+             auto_provision_users: true
+
+Determined sets the username of the user to the IdP email address. You cannot set the username
+independently.
+
+Set the Groups Claim Name Option
+================================
+
+Determined receives OIDC and SAML claims via a JSON Web Token (JWT) that you send from your IdP. If
+there is a group that does not already exist in Determined, then the system creates the group.
+
+To enable group membership synchronization:
+
+.. tabs::
+
+   .. tab::
+
+      OIDC
+
+      -  Set the ``groups_claim_name`` option to match the claim name for group memberships from
+         your authenticator (i.e., ``groups_memberships``, ``usergroup_memberships``, etc.).
+
+      For example, in the following claim, let's say the user-group information is passed through
+      ``group_memberships`` in your IdP.
+
+      .. code::
+
+         {
+           email: [email protected]
+           group_memberships: ['A', 'B'],
+           displayName: "Dee Ray"
+          }
+
+      Then, Determined creates the following user:
+
+      .. code::
+
+         {
+          username: [email protected]
+          groups: ['A', 'B'],
+          displayName: "Dee Ray"
+         }
+
+   .. tab::
+
+      SAML
+
+      -  Set the ``groups_attribute_name`` option to match the claim name for group memberships from
+         your authenticator (i.e., ``groups_memberships``, ``usergroup_memberships``, etc.).
+
+Each time the authenticated user accesses Determined, their information is passed to Determined, and
+group memberships are updated. For example, when a user is assigned to a new group via your IdP,
+that information is updated in Determined.
+
+Complete the Auto Provision Process
+===================================
+
+Once auto provisioning is configured, the user simply signs in with their username.
+
+For example, to sign in to Determined via Okta, the user performs the following steps:
+
+-  Visit the Determined URL, e.g., https://determined.example.com.
+-  Under **Sign in with Okta**, enter the SSO-enabled email address.
+
+If the sign in is successful, Determined provisions the user, adds the user to the user table, and
+authenticates the user to Determined.
+
+**********************************************
+ Manage Remote Users and Groups via the WebUI
+**********************************************
+
+Admins can manage users and groups in the WebUI. To do this:
+
+-  Sign in to the Determined cluster via the Determined URL, e.g., https://determined.example.com,
+   as a cluster admin.
+-  View **Admin Settings** by selecting your profile in the upper left corner and then choosing
+   **Admin**.
+
+Actions you can take include adding new users, switching existing users to remote users, performing
+bulk actions, and more. For example, using the filters, you can select to view only active users.
+You can also manage user groups.
+
+To find out how to manage remote users via the WebUI, including adding a new remote user, visit
+:ref:`manage-users-groups-webui`.