Commit 7cb8e59

Finish disassociating 'grant' and 'privilege' from console roles
1 parent 8a68203 commit 7cb8e59

12 files changed, +56 -56 lines changed
Lines changed: 5 additions & 5 deletions
@@ -1,13 +1,13 @@
1-
The following table describes the high level permissions granted to each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles that grant different permissions are granted the highest level privileges given by their assigned roles.
1+
The following table describes the high level permissions given by each CockroachDB {{ site.data.products.cloud }} user role. Permissions are additive, so a user with multiple roles is given all permissions in each area across all assigned roles.
22

33
| **Role name** | **User management** | **Billing management** | **Cluster management** | **Database management** | **Monitoring & observability** | **Security & access** | **Backup & restore** | **Folder management** | **Other permissions** |
44
|---|---|---|---|---|---|---|---|---|---|
55
| `Organization Member` | None | None | None | None | None | None | None | None | None |
6-
| `Organization Admin` | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) |
6+
| `Organization Admin` | Manage users and service accounts, assign and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) |
77
| `Billing Coordinator` | None | Manage billing | None | None | None | None | None | None | None |
88
| `Cluster Operator` | None | None | Scale nodes, upgrade CockroachDB | Manage Databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts |
9-
| `Cluster Admin` | Manage SQL users, manage service accounts, grant user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is granted with organization scope | Access DB console, configure maintenance windows |
10-
| `Cluster Creator` | None | None | Create cluster (grants `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is granted with organization scope | None | None, unless role is granted with organization scope | None |
9+
| `Cluster Admin` | Manage SQL users, manage service accounts, assign user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is assigned with organization scope | Access DB console, configure maintenance windows |
10+
| `Cluster Creator` | None | None | Create cluster (assigns `Cluster Admin` role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is assigned with organization scope | None | None, unless role is assigned with organization scope | None |
1111
| `Cluster Developer` | None | None | None | None | None | None | None | None | Access DB console, view cluster details |
1212
| `Folder Admin` | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None |
1313
| `Folder Mover` | None | None | Move cluster between folders | None | None | None | None | None | None |
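Review bot: line 1 now states union semantics explicitly ("is given all permissions in each area across all assigned roles"), which is the correct least-privilege framing and a real improvement over the old "highest level privileges"; the one thing still unclear in this hunk is the `Cluster Creator` row on line 10, where "Create cluster (assigns `Cluster Admin` role for that cluster)" does not say who receives the role. Since the same cell says "edit / delete clusters created by this user", spell it out as "Create cluster (the creator is assigned the `Cluster Admin` role for that cluster)". Minor: "high level permissions" on line 1 should be hyphenated as "high-level permissions".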
@@ -20,4 +20,4 @@ Some roles can be assigned to users at specific levels of scope to provide more
2020
| `Folder` | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the `Folder Admin` role | `Cluster Creator`, `Cluster Admin`, `Folder Admin`, `Folder Mover` |
2121
| `Cluster` | Applies to a specific cluster | `Cluster Admin`, `Cluster Operator`, `Cluster Developer` |
2222

23-
{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions granted, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %}
23+
{% if page.name != 'authorization.md' %}For more information on these roles and the specific permissions given, see [Organization user roles]({% link cockroachcloud/authorization.md %}#organization-member).{% endif %}
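Review bot: on line 23 "the specific permissions given" reads as a mechanical "granted" to "given" substitution; the sentence is about what each role carries, so "the specific permissions each role provides" (or "includes") keeps the meaning while avoiding the verb the commit is trying to retire.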

src/current/advisories/c20230118.md

Lines changed: 2 additions & 2 deletions
@@ -31,13 +31,13 @@ All users assigned the Developer role in a CockroachDB Cloud organization will n
3131

3232
See [Role Options](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/alter-user#{% if site.current_cloud_version == "v22.1" %}parameters{% else %}role-options{% endif %}) for more information on these roles.
3333

34-
The users assigned the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role.
34+
The users assigned the [Organization Admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster [SQL admin user](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization#admin-role), as it is intended to be an all-access, highly privileged role.
3535

3636
## Mitigation
3737

3838
A fix has been automatically applied to all CockroachDB Cloud organizations. With this change, the risk related to this issue, of the possibility of accessing data from any cluster in a cloud organization by users that have been assigned the Developer role, has been removed. This change follows the least privilege principle by ensuring that users with the lower-privilege Developer role only have the underlying SQL permissions applicable to their role level.
3939

40-
It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the [org admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration.
40+
It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and assign the [Organization Admin role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#organization-admin) to only those users who are required to have access to all the data in a cluster. In all other cases, the [Developer role](https://www.cockroachlabs.com/docs/cockroachcloud/authorization#org-developer-legacy) should be assigned to reduce the insider risk of data exfiltration.
4141

4242
Admins should also ensure that when users access a cluster’s DB Console directly from the CockroachDB Cloud’s [Tools page](https://www.cockroachlabs.com/docs/cockroachcloud/tools-page#access-the-db-console), they authenticate with specific SQL users that have been assigned only the required SQL privileges within the cluster. See [Authorization (Self-Hosted)](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/authorization.html) and [Authorization in CockroachDB](https://www.cockroachlabs.com/docs/{{site.current_cloud_version}}/security-reference/authorization) for more information.
4343
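Review bot: line 40 changes the role verb to "assign" but keeps "a user is granted exactly the minimum set of permissions" in the least-privilege definition in the same sentence; since the point of this commit is to reserve "grant" for SQL privileges, "holds exactly the minimum set of permissions" keeps the definition consistent with the rest of the page. The same paragraph is also where the two layers meet: line 34 says the Organization Admin console role is backed by a per-cluster SQL admin user, so assigning that console role effectively confers SQL `admin` access to cluster data. One clause making that link explicit ("because this role is backed by a SQL admin user on each cluster") would tell readers why the restriction in line 40 matters.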

src/current/cockroachcloud/authorization.md

Lines changed: 6 additions & 6 deletions
@@ -33,12 +33,12 @@ CockroachDB {{ site.data.products.cloud }} has a hierarchical authorization mode
3333
The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function.
3434

3535
{{site.data.alerts.callout_info}}
36-
SQL users are assigned a distinct set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %})
37-
{{site.data.alerts.end}}
36+
SQL users are granted a distinct set of roles and privileges that are specific to data management on the cluster, independent of the {{ site.data.products.cloud }} Console roles and permissions described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main [Authorization in CockroachDB documentation]({% link {{site.current_cloud_version}}/security-reference/authorization.md %})
37+
{{site.data.alerts.end}}. The [GRANT]({% link {{site.current_cloud_version}}/grant.md %}) SQL statement cannot be used to assign {{ site.data.products.cloud }} Console roles and permissions.
3838

3939
## Organization user roles
4040

41-
When a user or service account is first added to an organization, they are granted the default Console role, **Organization Member**, which adds no permissions and only indicates membership in the organization. Users with the Organization or Cluster Admin role may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} Console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider.
41+
When a user or service account is first added to an organization, they are assigned the default Console role, **Organization Member**, which adds no permissions and only indicates membership in the organization. Users with the Organization or Cluster Admin role may [edit the roles assigned to organization users]({% link cockroachcloud/managing-access.md %}#change-a-team-members-role) in the CockroachDB {{ site.data.products.cloud }} Console's [**Access Management** page](https://cockroachlabs.cloud/access), or using the CockroachDB {{ site.data.products.cloud }} API or Terraform Provider.
4242

4343
{% include_cached cockroachcloud/first-org-user-roles.md %}
4444
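Review bot: line 37 appends the new GRANT sentence after `{{site.data.alerts.end}}`, so it will render outside the callout with a stray leading period ("{{site.data.alerts.end}}. The [GRANT]..."). Move the sentence inside the callout: end line 36 with a period after the "Authorization in CockroachDB documentation" link (it is missing one in both old and new versions), follow it with "The [GRANT]({% link {{site.current_cloud_version}}/grant.md %}) SQL statement cannot be used to assign {{ site.data.products.cloud }} Console roles and permissions.", and leave line 37 as `{{site.data.alerts.end}}` alone. That sentence is the key cross-layer warning of the page and belongs inside the callout, not as a dangling fragment after it.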

@@ -50,15 +50,15 @@ The following sections describe the available CockroachDB {{ site.data.products.
5050

5151
### Organization Member
5252

53-
The **Organization Member** role is assigned by default to all organization users when they are invited or provisioned. This role grants no additional permissions.
53+
The **Organization Member** role is assigned by default to all organization users when they are invited or provisioned. This role gives no additional permissions.
5454

5555
### Organization Admin
5656

5757
The **Organization Admin** role allows users to perform the following actions:
5858

5959
- [Invite users to join that organization]({% link cockroachcloud/managing-access.md %}#invite-team-members-to-an-organization).
6060
- [Create service accounts]({% link cockroachcloud/managing-access.md %}#create-a-service-account).
61-
- Grant and revoke {{ site.data.products.cloud }} Console roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts).
61+
- Assign and revoke {{ site.data.products.cloud }} Console roles for both [users]({% link cockroachcloud/managing-access.md %}#manage-an-organizations-users) and [service accounts]({% link cockroachcloud/managing-access.md %}#manage-service-accounts).
6262

6363
Organization Admins automatically receive [email alerts]({% link cockroachcloud/alerts-page.md %}) about planned cluster maintenance and when CockroachDB {{ site.data.products.cloud }} detects that a cluster is overloaded or experiencing issues. In addition, Organization Admins can subscribe other members to the email alerts, and configure how alerts work for the organization.
6464
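Review bot: line 53 "This role gives no additional permissions" is correct but inconsistent with line 41 of the same file, which describes the same role as one that "adds no permissions and only indicates membership in the organization"; using "adds no permissions" in both places avoids introducing "gives" as yet another synonym for the verb this commit is removing. Line 61 ("Assign and revoke ... Console roles") reads well.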

@@ -102,7 +102,7 @@ The **Cluster Operator** role allows actions that are dependent on whether it is
102102
- [View and configure a cluster's Egress Rules]({% link cockroachcloud/egress-perimeter-controls.md %}).
103103
- [Configure the export of metrics to DataDog or Amazon CloudWatch]({% link cockroachcloud/export-metrics.md %}).
104104

105-
This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it grants all of the permissions of that role but does **not** allow users to:
105+
This role can be considered a more restricted alternative to [Cluster Admin](#cluster-admin), as it gives all of the permissions of that role but does **not** allow users to:
106106

107107
- Manage cluster-scoped roles on organization users.
108108
- Manage SQL users from the cloud console.
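Review bot: line 105 "gives all of the permissions of that role but does **not** allow users to:" is self-contradictory: if two capabilities are withheld, it is not all of them. Suggest "includes the permissions of that role except that it does **not** allow users to:". Worth checking the subset claim itself while here: the table in the first file lists `Cluster Operator` with "View metrics / insights / logs / jobs" but `Cluster Admin` with only "View metrics / insights", so either the table is incomplete for `Cluster Admin` or Operator is not strictly "more restricted".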