DOC-11529 Docs for sec/authz: refine Roles on CC console (Metrics viewer role on CockroachDB Cloud) (#20329)

- In authorization.md, added sections for Cluster Monitor and Metrics Viewer with limited access note.
- In cloud-roles-table.md, added columns for Cluster Monitor and Metrics Viewer with limited access note, row for View sql activity, and links in column headers.
- In export-metrics-advanced.md, export-metrics.md, export-logs-advanced.md and export-logs.md, added link to Metrics Viewer.
- In insights-page.md, jobs-page.md, sessions-page.md, statements-page.md, transactions-page.md, added link to Cluster Monitor.
- In metrics.md, added link to Metrics Viewer.
- In cockroachdb-feature-availability, added section under limited access for Metrics Viewer and Cluster Monitor roles.

Author: florence-crl

src/current/_includes/cockroachcloud/org-roles/cloud-roles-table.md

@@ -2,53 +2,55 @@ The following table describes the high level permissions given by each Cockroach
 
 <div class="roles-table" markdown="1">
 
-|  | Org. Member | Org. Admin | Billing Coord. | Cluster Creator | Cluster Operator | Cluster Admin | Cluster Developer | Folder Admin | Folder Mover |
-|---|-------------|-------------|------------------|------------------|-------------------|----------------|--------------------|----------------|----------------|
+|  | [Org. Member]({% link cockroachcloud/authorization.md %}#organization-member) | [Org. Admin]({% link cockroachcloud/authorization.md %}#organization-admin) | [Billing Coord.]({% link cockroachcloud/authorization.md %}#billing-coordinator) | [Cluster Creator]({% link cockroachcloud/authorization.md %}#cluster-creator) | [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator) | [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin) | [Cluster Developer]({% link cockroachcloud/authorization.md %}#cluster-developer) | [Cluster Monitor]({% link cockroachcloud/authorization.md %}#cluster-monitor)<sup id="fnref1"><a href="#fn1">1</a></sup> | [Metrics Viewer]({% link cockroachcloud/authorization.md %}#metrics-viewer)<sup id="fnref1"><a href="#fn1">1</a></sup> | [Folder Admin]({% link cockroachcloud/authorization.md %}#folder-admin) | [Folder Mover]({% link cockroachcloud/authorization.md %}#folder-mover) |
+|---|-------------|-------------|------------------|------------------|-------------------|----------------|--------------------|------------------|----------------|----------------|----------------|
 | **User/Access Management** |  |  |  |  |  |  |  |  |  |
-| Assign and revoke roles | — | ✓ | — | — | — | ✓ | — | — | — |
-| Assign {{ site.data.products.cloud }} user and service account roles | — | — | — | — | — | ✓ | — | — | — |
-| Manage SQL users | — | — | — | — | — | ✓ | — | — | — |
-| Manage {{ site.data.products.cloud }} users and service accounts | — | ✓ | — | — | — | ✓ | — | — | — |
-| Apply roles at the [folder]({% link cockroachcloud/folders.md %}) scope | — | — | — | — | — | — | — | ✓ | — |
+| Assign and revoke roles | — | ✓ | — | — | — | ✓ | — | — | — | — | — |
+| Assign {{ site.data.products.cloud }} user and service account roles | — | — | — | — | — | ✓ | — | — | — | — | — |
+| Manage SQL users | — | — | — | — | — | ✓ | — | — | — | — | — |
+| Manage {{ site.data.products.cloud }} users and service accounts | — | ✓ | — | — | — | ✓ | — | — | — | — | — |
+| Apply roles at the [folder]({% link cockroachcloud/folders.md %}) scope | — | — | — | — | — | — | — | — | — | ✓ | — |
 | **Cluster & Infrastructure** |  |  |  |  |  |  |  |  |  |
-| Create cluster or [private cluster]({% link cockroachcloud/private-clusters.md %}) | — | — | — | ✓ | — | — | — | — | — |
-| Create / edit / delete cluster | — | — | — | — | — | ✓ | — | — | — |
-| Edit / delete clusters created by this user | — | — | — | ✓ | — | — | — | — | — |
-| Create / delete / manage [folders]({% link cockroachcloud/folders.md %}) | — | — | — | — | — | — | — | ✓ | — |
-| Move cluster between [folders]({% link cockroachcloud/folders.md %}) | — | — | — | — | — | — | — | — | ✓ |
-| Scale nodes | — | — | — | — | ✓ | ✓ | — | — | — |
-| Upgrade CockroachDB | — | — | — | — | ✓ | ✓ | — | — | — |
-| Configure [maintenance windows]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) | — | — | — | — | ✓ | ✓ | — | — | — |
-| Use the [{{ site.data.products.cloud }} Terraform provider]({% link cockroachcloud/provision-a-cluster-with-terraform.md %}) | — | — | — | ✓ | — | ✓ | — | — | — |
+| Create cluster or [private cluster]({% link cockroachcloud/private-clusters.md %}) | — | — | — | ✓ | — | — | — | — | — | — | — |
+| Create / edit / delete cluster | — | — | — | — | — | ✓ | — | — | — | — | — |
+| Edit / delete clusters created by this user | — | — | — | ✓ | — | — | — | — | — | — | — |
+| Create / delete / manage [folders]({% link cockroachcloud/folders.md %}) | — | — | — | — | — | — | — | — | — | ✓ | — |
+| Move cluster between [folders]({% link cockroachcloud/folders.md %}) | — | — | — | — | — | — | — | — | — | — | ✓ |
+| Scale nodes | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| Upgrade CockroachDB | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| Configure [maintenance windows]({% link cockroachcloud/advanced-cluster-management.md %}#set-a-maintenance-window) | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| Use the [{{ site.data.products.cloud }} Terraform provider]({% link cockroachcloud/provision-a-cluster-with-terraform.md %}) | — | — | — | ✓ | — | ✓ | — | — | — | — | — |
 | **Monitoring & Observability** |  |  |  |  |  |  |  |  |  |
-| View cluster details | — | — | — | — | — | — | ✓ | — | — |
-| View [audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) | — | — | — | — | ✓ | — | — | — | — |
-| View [insights]({% link cockroachcloud/insights-page.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
-| View [jobs]({% link cockroachcloud/jobs-page.md %}) | — | — | — | — | ✓ | — | — | — | — |
-| View [metrics]({% link cockroachcloud/metrics.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
-| Send [test alerts]({% link cockroachcloud/alerts-page.md %}#send-a-test-alert) | — | — | — | — | ✓ | — | — | — | — |
-| Access [DB console]({% link cockroachcloud/network-authorization.md %}#db-console) | — | — | — | — | ✓ | ✓ | ✓ | — | — |
+| View cluster details | — | — | — | — | — | — | ✓ | — | — | — | — |
+| View [audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| View [insights]({% link cockroachcloud/insights-page.md %}) | — | — | — | — | ✓ | ✓ | — | ✓ | — | — | — |
+| View [jobs]({% link cockroachcloud/jobs-page.md %}) | — | — | — | — | ✓ | ✓ | — | ✓ | — | — | — |
+| View [sql activity]({% link cockroachcloud/statements-page.md %}) | — | — | — | — | ✓ | ✓ | — | ✓ | — | — | — |
+| View [metrics]({% link cockroachcloud/metrics.md %}) | — | — | — | — | ✓ | ✓ | — | — | ✓ | — | — |
+| Send [test alerts]({% link cockroachcloud/alerts-page.md %}#send-a-test-alert) | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| Access [DB console]({% link cockroachcloud/network-authorization.md %}#db-console) | — | — | — | — | ✓ | ✓ | ✓ | — | — | — | — |
 | **Security** |  |  |  |  |  |  |  |  |  |
-| Configure [cluster SSO]({% link cockroachcloud/cloud-sso-sql.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
-| Manage [egress perimeter controls]({% link cockroachcloud/egress-perimeter-controls.md %}) | — | — | — | — | — | ✓ | — | — | — |
-| Manage [network authorization]({% link cockroachcloud/network-authorization.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
-| View PCI status | — | — | — | — | ✓ | ✓ | — | — | — |
+| Configure [cluster SSO]({% link cockroachcloud/cloud-sso-sql.md %}) | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| Manage [egress perimeter controls]({% link cockroachcloud/egress-perimeter-controls.md %}) | — | — | — | — | — | ✓ | — | — | — | — | — |
+| Manage [network authorization]({% link cockroachcloud/network-authorization.md %}) | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| View PCI status | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
 | **Database & Data** |  |  |  |  |  |  |  |  |  |
-| Manage databases | — | — | — | — | ✓ | ✓ | — | — | — |
-| View / restore [backups]({% link cockroachcloud/backup-and-restore-overview.md %}) | — | — | — | — | ✓ | ✓ | — | — | — |
+| Manage databases | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
+| View / restore [backups]({% link cockroachcloud/backup-and-restore-overview.md %}) | — | — | — | — | ✓ | ✓ | — | — | — | — | — |
 | **Billing & Licensing** |  |  |  |  |  |  |  |  |  |
-| Manage [billing]({% link cockroachcloud/billing-management.md %}) | — | — | ✓ | — | — | — | — | — | — |
-| Manage [email alerts]({% link cockroachcloud/alerts-page.md %}#configure-alerts) | — | ✓ | — | — | — | — | — | — | — |
-| Manage CockroachDB [Self-Hosted cluster licenses]({% link {{ site.current_cloud_version }}/licensing-faqs.md %}#obtain-a-license) | — | ✓ | — | — | — | — | — | — | — |
+| Manage [billing]({% link cockroachcloud/billing-management.md %}) | — | — | ✓ | — | — | — | — | — | — | — | — |
+| Manage [email alerts]({% link cockroachcloud/alerts-page.md %}#configure-alerts) | — | ✓ | — | — | — | — | — | — | — | — | — |
+| Manage CockroachDB [Self-Hosted cluster licenses]({% link {{ site.current_cloud_version }}/licensing-faqs.md %}#obtain-a-license) | — | ✓ | — | — | — | — | — | — | — | — | — |
 
 </div>
+<a id="fn1"><sup>1</sup></a>**This feature is in [limited access]({% link {{ site.current_cloud_version }}/cockroachdb-feature-availability.md %})** and is only available to enrolled organizations. To enroll your organization, contact your Cockroach Labs account team. This feature is subject to change.
 
 Some roles can be assigned to users at specific levels of scope to provide more granular permission control:
 
 | **Scope level** | **Description** | **Applicable roles** |
 |---|---|---|
-| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` |
-| `Folder` | Applies to clusters within a specific [folder]({% link cockroachcloud/folders.md %}). Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Folder Admin`, `Folder Mover` |
-| `Cluster` | Applies to a specific cluster | `Cluster Operator`, `Cluster Admin`, `Cluster Developer` |
+| `Organization` | Applies to the entire CockroachDB {{ site.data.products.cloud }} organization, including all clusters and folders | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Cluster Monitor`, `Metrics Viewer`, `Billing Coordinator`, `Organization Admin`, `Folder Admin`, `Folder Mover` |
+| `Folder` | Applies to clusters within a specific [folder]({% link cockroachcloud/folders.md %}). Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Operator`, `Cluster Admin`, `Cluster Creator`, `Cluster Developer`, `Cluster Monitor`, `Metrics Viewer`, `Folder Admin`, `Folder Mover` |
+| `Cluster` | Applies to a specific cluster | `Cluster Operator`, `Cluster Admin`, `Cluster Developer`, `Cluster Monitor`, `Metrics Viewer` |
 
-{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %}
+{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %}

src/current/cockroachcloud/authorization.md

@@ -132,10 +132,37 @@ This role can be assigned at the scope of the organization or on a folder. If as
 
 ### Cluster Developer
 
-The **Cluster Developer** role allows users view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster.
+The **Cluster Developer** role allows users to view cluster details and access the [DB Console]({% link cockroachcloud/network-authorization.md %}#db-console), allowing them to [export a connection string from the cluster page UI]({% link cockroachcloud/authentication.md %}#the-connection-string), although they will still need a Cluster Admin to [provision their SQL credentials]({% link cockroachcloud/managing-access.md %}#manage-sql-users-on-a-cluster) for the cluster.
 
 This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
 
+### Cluster Monitor
+
+{{site.data.alerts.callout_info}}
+{% include feature-phases/limited-access.md %}
+{{site.data.alerts.end}}
+
+The **Cluster Monitor** role provides read‑only visibility into SQL activity and workload health without broader administrative privileges. Users with this role can view the SQL Activity pages ([Sessions]({% link cockroachcloud/sessions-page.md %}), [Statements]({% link cockroachcloud/statements-page.md %}), and [Transactions]({% link cockroachcloud/transactions-page.md %})), the [Jobs page]({% link cockroachcloud/jobs-page.md %}), and the [Insights page]({% link cockroachcloud/insights-page.md %}).
+
+This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
+
+### Metrics Viewer
+
+{{site.data.alerts.callout_info}}
+{% include feature-phases/limited-access.md %}
+{{site.data.alerts.end}}
+
+The **Metrics Viewer** role grants read‑only access to observability metrics for a cluster without any administrative or data‑manipulation privileges.
+
+- Users with this role can view a cluster's Metrics from the [Metrics page]({% link cockroachcloud/metrics.md %}#cockroachdb-cloud-console-metrics-page).
+- Service accounts with this role can access the [metrics export API]({% link cockroachcloud/export-metrics.md %}#the-metricexport-endpoint) and the [log export API]({% link cockroachcloud/export-logs.md %}#the-logexport-endpoint) to integrate with external observability systems.
+
+This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendent folders, and their descendants.
+
+{{site.data.alerts.callout_info}}
+To give a developer the ability to both connect to a cluster and monitor performance with least privilege, combine [**Cluster Developer**](#cluster-developer) with **Metrics Viewer** (and optionally [**Cluster Monitor**](#cluster-monitor)).
+{{site.data.alerts.end}}
+
 ### Folder Admin
 
 {% capture folder_admin_docs %}{% include cockroachcloud/org-roles/folder-admin.md %}{% endcapture %}

src/current/cockroachcloud/export-logs-advanced.md

@@ -24,6 +24,7 @@ Access to the `logexport` endpoint requires a valid CockroachDB {{ site.data.pro
 - [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin)
 - [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)
 - [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator)
+- [Metrics Viewer]({% link cockroachcloud/authorization.md %}#metrics-viewer)
 
 The following methods are available for use with the `logexport` endpoint:
 

src/current/cockroachcloud/export-logs.md

@@ -24,6 +24,7 @@ Access to the `logexport` endpoint requires a valid CockroachDB {{ site.data.pro
 - [Organization Admin]({% link cockroachcloud/authorization.md %}#organization-admin)
 - [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)
 - [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator)
+- [Metrics Viewer]({% link cockroachcloud/authorization.md %}#metrics-viewer)
 
 The following methods are available for use with the `logexport` endpoint:
 

src/current/cockroachcloud/export-metrics-advanced.md

@@ -27,7 +27,11 @@ Datadog            | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_
 Prometheus         | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/metricexport/prometheus`
 Azure Monitor      | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/metricexport/azuremonitor`
 
-Access to the `metricexport` endpoints requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) with the appropriate permissions (`admin` privilege, Cluster Admin role, or Cluster Operator role).
+Access to the `metricexport` endpoints requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) assigned one of the following [roles]({% link cockroachcloud/managing-access.md %}#edit-roles-on-a-service-account):
+
+- [Metrics Viewer]({% link cockroachcloud/authorization.md %}#metrics-viewer)
+- [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator)
+- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)
 
 The following methods are available for use with the `metricexport` endpoints, and require the listed service account permissions:
 

src/current/cockroachcloud/export-metrics.md

@@ -26,7 +26,11 @@ Amazon CloudWatch  | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_
 Datadog            | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/metricexport/datadog`
 Prometheus         | `https://cockroachlabs.cloud/api/v1/clusters/{your_cluster_id}/metricexport/prometheus`
 
-Access to the `metricexport` endpoints requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) with the appropriate permissions (`admin` privilege or Cluster Admin role).
+Access to the `metricexport` endpoints requires a valid CockroachDB {{ site.data.products.cloud }} [service account]({% link cockroachcloud/managing-access.md %}#manage-service-accounts) assigned one of the following [roles]({% link cockroachcloud/managing-access.md %}#edit-roles-on-a-service-account):
+
+- [Metrics Viewer]({% link cockroachcloud/authorization.md %}#metrics-viewer)
+- [Cluster Operator]({% link cockroachcloud/authorization.md %}#cluster-operator)
+- [Cluster Admin]({% link cockroachcloud/authorization.md %}#cluster-admin)
 
 The following methods are available for use with the `metricexport` endpoints, and require the listed service account permissions: