New section for user mgmt feature

trento/xml/article_sap_trento.xml

@@ -673,6 +673,131 @@ As agreed on https://confluence.suse.com/x/DAEcN on our Trento doc kick off
   <xi:include href="ansible-install.xml"/>
   </section>
 
+  <section xml:id="sec-trento-user-management">
+    <title>Managing Trento user management</title>
+    <para> Trento provides a local permission-based user management feature with
+      optional multi-factor authentication. This feature allows for segregation
+      of duties in the Trento console and ensures that only authorized users with the right permissions can
+      access it. </para>
+    <para> User management actions are performed in the <guimenu>Users</guimenu>
+      view in the left-hand side panel of the &t.web;. </para>
+    <para> By default, a newly created user is granted display access rights
+      except for the <guimenu>Users</guimenu> view. Whenever available, a user
+      with default access can set up filters and pagination settings matching
+      their preferences. </para>
+    <para> Additional permissions must be added to a user profile, so that the
+      user can perform the corresponding protected activities. The following
+      permissions are currently available: </para>
+    <itemizedlist>
+      <listitem>
+        <para><constant>all:users</constant>: grants full access to user management actions under
+          the <guimenu>Users</guimenu> view</para>
+      </listitem>
+      <listitem>
+        <para><constant>all:checks_selection</constant>: grants check selection capabilities for
+          any target in the registered environment for which checks are
+          available</para>
+      </listitem>
+      <listitem>
+        <para><constant>all:checks_execution</constant>: grants check execution capabilities for
+          any target in the registered environment for which checks are
+          available and have been previously selected</para>
+      </listitem>
+      <listitem>
+        <para><constant>all:tags</constant>: allows creation and deletion of the available tags</para>
+      </listitem>
+      <listitem>
+        <para><constant>cleanup:all</constant>: allows triggering housekeeping actions on hosts
+          where agents heartbeat is lost and SAP or HANA instances that are no
+          longer found</para>
+      </listitem>
+      <listitem>
+        <para><constant>all:settings</constant>: grants changing capabilities on any system
+          settings under the <guimenu>Settings</guimenu> view</para>
+      </listitem>
+      <listitem>
+        <para><constant>all:all</constant>: grants all the permissions above</para>
+      </listitem>
+    </itemizedlist>
+    <para>Using the described permissions, it is possible to create the following types of users:</para>
+    <itemizedlist>
+      <listitem>
+        <formalpara>
+          <title>User managers:</title>
+          <para>users with <constant>all:users</constant> permission</para>
+        </formalpara>
+      </listitem>
+      <listitem>
+        <formalpara>
+          <title>SAP administrator with Trento display-only access:</title>
+          <para>users with default permissions</para>
+        </formalpara>
+      </listitem>
+      <listitem>
+        <formalpara>
+          <title>SAP administrator with Trento configuration access:</title>
+          <para>users with <constant>all:checks_selection</constant>,
+          <constant>all:tags</constant> and <constant>all:settings</constant> permissions</para>
+          </formalpara>
+      </listitem>
+      <listitem>
+        <formalpara>
+          <title>SAP administrator with Trento operation access:</title>
+          <para>users with <constant>all:check_execution</constant> and
+          <constant>cleanup:all</constant> permissions.</para>
+        </formalpara>
+      </listitem>
+    </itemizedlist>
+    <para>The default admin user created during the installation process is
+      granted <constant>all:all</constant> permissions and cannot be modified or deleted. Use it
+      only to create a first user manager. That is, a user with
+      <constant>all:users</constant> permissions who creates all the other required
+      users. Once a user with all:users permissions is created, the default
+      admin user must be regarded as a fall-back user to be used
+      only in case all other access to the console is lost. If the password
+      of the default admin user is lost, it can be reset by updating the
+      helm chart or the web component configuration, depending on which
+      deployment method was used to install &t.server;. </para>
+    <para>User passwords, including the default admin user password, must follow the rules below:</para>
+    <itemizedlist>
+      <listitem>
+        <para>Password must contain at least 8 characters</para>
+      </listitem>
+      <listitem>
+        <para>The same number or letter must not be repeated three or more times in a row (for
+          example: 111 or aaa)</para>
+      </listitem>
+      <listitem>
+        <para>Password must not contain four consecutive numbers or letters (for example:
+          1234, abcd or ABCD)</para>
+      </listitem>
+    </itemizedlist>
+    <para>The <guimenu>Create User</guimenu> and <guimenu>Edit User</guimenu> views provide a built-in generation
+      password action button that allows user managers to easily generate
+      secure and compliant passwords. The user manager must provide the user with
+      their password through an authorized secure channel. </para>
+    <para>A user can reset their password in the <guimenu>Profile</guimenu> view. Here, they can
+      also update their name and email address as well as activate
+      multi-factor authentication using an authenticator app.
+      Multi-factor authentication increases the security of a user account by
+      requesting a temporary second password or code when logging in the
+      console. User managers can disable multi-factor authentication for any
+      given user that has it enabled. However, user managers cannot enable multi-factor authentication
+      on their behalf. The  default admin user cannot enable its own multi-factor authentication.</para>
+    <note>
+      <title>Security Tip for Multi-Factor Authentication</title>
+      <para>Since multi-factor authentication cannot be enabled for
+      the default admin user, keeping its password safe is imperative. If the
+      default admin user's password is compromised, reset it immediately by
+      updating the helm chart or the web component configuration, depending on
+      which deployment method was used to install &t.server;. </para>
+    </note>
+    <para>
+      User managers can enable and disable users. When a user 
+      logged in the console is disabled by a user admin, their session is
+      terminated immediately. </para>
+  </section>
+
   <section xml:id="sec-trento-installing-trentoagent">
     <title>Installing &t.agent;s</title>
     <important>