From 5c9b4d66f3ebb1961a3fee2c2f8c91f213e662aa Mon Sep 17 00:00:00 2001 From: fbugarski Date: Mon, 26 Jan 2026 11:58:49 +0100 Subject: [PATCH 1/2] Document UI flows, roles, and audit logs Signed-off-by: fbugarski --- docs/security/audit-logs.md | 112 +++++++++++++++++++ docs/security/roles-and-access-control.md | 120 +++++++++++++++++++++ docs/ui/domains.md | 124 ++++++++++++++++++++++ docs/ui/overview.md | 122 +++++++++++++++++++++ docs/ui/user-actions.md | 117 ++++++++++++++++++++ sidebars.ts | 21 ++++ 6 files changed, 616 insertions(+) create mode 100644 docs/security/audit-logs.md create mode 100644 docs/security/roles-and-access-control.md create mode 100644 docs/ui/domains.md create mode 100644 docs/ui/overview.md create mode 100644 docs/ui/user-actions.md diff --git a/docs/security/audit-logs.md b/docs/security/audit-logs.md new file mode 100644 index 0000000..e59ac4e --- /dev/null +++ b/docs/security/audit-logs.md @@ -0,0 +1,112 @@ +--- +id: audit-logs +title: Audit Logs +sidebar_position: 2 +--- + +Audit logs provide visibility into security-relevant and administrative actions +performed within Cube AI. They help administrators and operators monitor +activity, investigate issues, and support compliance and accountability +requirements. + +--- + +## Audit Logs Overview + +Audit logs record important events that occur within the Cube AI system, +particularly those related to: +- User activity +- Domain-level changes +- Access control and security-sensitive operations + +Audit logging is **domain-scoped**, meaning events are associated with the domain +in which they occurred. + +--- + +## What Is Recorded + +Depending on configuration and permissions, audit logs may include events such as: + +- User login and logout activity +- Domain creation or deletion +- Changes to domain membership +- Role assignments or updates +- Administrative actions performed through the UI +- Security-related configuration changes + +Each audit log entry typically captures: +- The type of action performed +- The user who performed the action +- The affected resource or domain +- A timestamp of when the action occurred + +--- + +## Accessing Audit Logs + +Audit logs are accessible through the Cube AI UI to users with sufficient +permissions. + +Access to audit logs is restricted to authorized roles to ensure sensitive +information is not exposed to unauthorized users. + +--- + +## Using Audit Logs + +Audit logs can be used to: + +- Review recent administrative activity +- Investigate unexpected behavior or configuration changes +- Track access-related events +- Support security reviews and incident analysis + +Audit logs provide an immutable record of events and are intended for +observability rather than real-time monitoring. + +--- + +## Audit Logs and Roles + +Visibility into audit logs depends on the user’s role within a domain. + +Typically: +- Administrative roles can view audit logs +- Standard users may not have access to audit information + +For more details on role-based permissions, see: +πŸ‘‰ **Security & Access β†’ Roles and Access Control** + +--- + +## Audit Logs and Domain Context + +All audit log entries are associated with a specific domain. + +When switching domains: +- The visible audit logs change accordingly +- Only events related to the active domain are shown + +This ensures isolation and clarity when managing multiple domains. + +--- + +## Security and Compliance + +Audit logging is a key component of Cube AI’s security posture. + +By maintaining a record of critical actions, audit logs help: +- Detect misuse or misconfiguration +- Support forensic analysis +- Demonstrate accountability and operational transparency + +--- + +## Next Steps + +To understand how permissions affect access to audit information, review: +πŸ‘‰ **Security & Access β†’ Roles and Access Control** + +For domain-level workflows, see: +πŸ‘‰ **UI β†’ Domains** diff --git a/docs/security/roles-and-access-control.md b/docs/security/roles-and-access-control.md new file mode 100644 index 0000000..da881e6 --- /dev/null +++ b/docs/security/roles-and-access-control.md @@ -0,0 +1,120 @@ +--- +id: roles-and-access-control +title: Roles and Access Control +sidebar_position: 1 +--- + +Cube AI uses role-based access control (RBAC) to manage what users can see and do +within a domain. Roles define permissions at the domain level and ensure that +actions are performed only by authorized users. + +--- + +## Role-Based Access Control Overview + +Access control in Cube AI is **domain-scoped**. + +This means that: +- Users can belong to one or more domains +- A user may have different roles in different domains +- Permissions apply only within the currently active domain + +Roles determine which UI features and actions are available to a user. + +--- + +## Roles in Cube AI + +Cube AI provides a set of predefined roles that control access to domain features. + +While the exact role names and permissions may vary depending on deployment and +configuration, roles typically differentiate between: + +- **Administrative users** – users with elevated permissions +- **Standard users** – users with access to core functionality +- **Restricted users** – users with limited or read-only access + +--- + +## Common Permissions + +Roles may control access to actions such as: + +- Creating or managing domains +- Inviting or managing domain members +- Assigning or changing user roles +- Accessing administrative UI sections +- Viewing or managing security-related information +- Interacting with models and chat interfaces + +Not all users have access to all features. The UI dynamically reflects the +permissions granted by the user’s role. + +--- + +## Domain Membership + +Users must be members of a domain to access its resources. + +Within a domain: +- Each user is assigned a specific role +- Role assignments apply only to that domain +- Removing a user from a domain immediately revokes domain access + +Domain membership and role assignments are managed through the Cube AI UI by users +with sufficient permissions. + +--- + +## UI Behavior Based on Roles + +The Cube AI UI adapts based on the active user’s role. + +Depending on permissions: +- Certain navigation items may be hidden +- Some actions may be disabled or unavailable +- Administrative sections may only be visible to authorized users + +This ensures that users only interact with features they are allowed to access. + +--- + +## Role Changes + +When a user’s role is updated: +- The change takes effect immediately +- UI visibility and available actions are updated accordingly +- No page reload may be required, depending on the UI state + +Role changes affect only the selected domain. + +--- + +## Access Control and Security + +Role-based access control helps enforce security boundaries by: +- Limiting access to sensitive operations +- Reducing the risk of accidental or unauthorized changes +- Ensuring clear separation of responsibilities within a domain + +RBAC works together with other Cube AI security mechanisms, such as authentication +and auditing, to provide a controlled and observable environment. + +--- + +## Auditing and Role-Related Events + +Changes to domain membership and roles may be recorded as security-relevant events. + +For details on how such events are tracked, see: +πŸ‘‰ **Security & Access β†’ Audit Logs** + +--- + +## Next Steps + +To understand how access-related actions are monitored, continue with: +πŸ‘‰ **Security & Access β†’ Audit Logs** + +For domain workflows, see: +πŸ‘‰ **UI β†’ Domains** diff --git a/docs/ui/domains.md b/docs/ui/domains.md new file mode 100644 index 0000000..e5ef031 --- /dev/null +++ b/docs/ui/domains.md @@ -0,0 +1,124 @@ +--- +id: domains +title: Domains +sidebar_position: 2 +--- + +Domains are a core organizational concept in Cube AI. A domain represents an +isolated workspace where users interact with models, manage access, and perform +LLM-powered operations. + +Domains provide logical isolation between different teams or workloads while +sharing the same Cube AI deployment. + +--- + +## What is a Domain? + +A **domain** acts as an isolated environment that groups: +- Users and their roles +- Models and backend configurations +- Chat and inference activity + +All interactions in Cube AI happen **within the context of a selected domain**. +This ensures clear separation between different teams, projects, or use cases. + +--- + +## Accessing Domains + +After logging in, users are presented with the Cube AI dashboard, where available +domains are listed. + +From the dashboard, users can: +- Open an existing domain +- Create a new domain (if permitted) + +The currently active domain defines the scope of all actions in the UI. + +For a step-by-step onboarding flow, see: +πŸ‘‰ **Getting Started** + +--- + +## Creating a Domain + +To create a new domain: + +1. Log in to the Cube AI UI. +2. From the dashboard, click **Create Domain**. +3. Enter a **Name** and **Route** for the domain. +4. Click **Create**. +5. When the domain appears in the list, click **Open Domain**. + +Once opened, you are redirected into the domain workspace. + +![Create domain screen](/img/getting-started-create-domain.png) + +--- + +## Domain Workspace + +After opening a domain, the UI switches into the domain context. + +Inside a domain, users can: +- Access the chat interface +- Select and interact with available models +- Perform domain-scoped operations + +Navigation within the domain is handled through the left-side menu. + +![Chat interface](/img/getting-started-chat.png) + +--- + +## Domain Context + +The active domain determines: +- Which users and roles apply +- Which models are available +- Which resources and actions are visible in the UI + +Switching domains changes this context entirely, ensuring isolation between +different environments. + +:::note +Switching domains updates the entire UI context, including available models, +users, and permissions. +::: + +--- + +## Domain Membership and Roles + +Users belong to one or more domains and may have different roles in each domain. +Roles define what actions a user is allowed to perform within that domain. + +Details about roles and permissions are documented in: + +πŸ‘‰ **Security & Access β†’ Roles and Access Control** + +--- + +## Typical Domain Workflow + +A common user flow in Cube AI looks like this: + +1. Log in to the Cube AI UI +2. Select or create a domain +3. Enter the domain workspace +4. Interact with models and services within that domain +5. Switch domains as needed + +--- + +## Next Steps + +After creating and entering a domain, you can explore: +- User actions and profile management +- Role-based access control +- Audit logs and security events +- API access scoped to domains + +For first-time users, see: +πŸ‘‰ **UI β†’ User Actions** diff --git a/docs/ui/overview.md b/docs/ui/overview.md new file mode 100644 index 0000000..d116dd5 --- /dev/null +++ b/docs/ui/overview.md @@ -0,0 +1,122 @@ +--- +id: overview +title: UI Overview +sidebar_position: 1 +--- + +The Cube AI user interface provides a web-based environment for interacting with +large language models, managing domains, and performing user and +domain-scoped operations. + +This section gives a high-level overview of the Cube AI UI structure and common +user workflows. + +--- + +## UI Structure + +The Cube AI UI is organized around a few core concepts: + +- **Authentication** – users log in using their credentials +- **Domains** – isolated workspaces that define context and scope +- **Navigation** – access to domain-specific features through the UI menu +- **Actions** – user and domain operations performed through the interface + +All user interactions occur either before selecting a domain (authentication) +or within the context of an active domain. + +--- + +## Authentication Flow + +Users begin by accessing the Cube AI login screen. + +After successful authentication: +- The user is redirected to the dashboard +- Available domains are displayed +- The user selects or creates a domain to continue + +Account-related actions such as sign up, verification, password reset, and +profile management are documented in: + +πŸ‘‰ **UI β†’ User Actions** + +--- + +## Domain-Centric Navigation + +Once a domain is opened, the UI switches into **domain context**. + +Within this context: +- All visible resources belong to the active domain +- Available actions depend on the user’s role in that domain +- Models and services are scoped to the domain + +Switching domains updates the entire UI context accordingly. + +For more details, see: +πŸ‘‰ **UI β†’ Domains** + +--- + +## Common User Workflows + +Typical workflows in the Cube AI UI include: + +- Logging in and selecting a domain +- Creating and managing domains +- Interacting with models through the chat interface +- Switching models within a domain +- Managing users and roles (if permitted) +- Viewing system and security-related events + +Each workflow is documented in its respective section of the UI documentation. + +--- + +## Roles and Permissions + +Access to UI features is controlled by role-based permissions. + +Depending on their assigned role, users may be able to: +- Create or manage domains +- Invite or manage other users +- Access administrative or security features + +Role definitions and permissions are covered in: + +πŸ‘‰ **Security & Access β†’ Roles and Access Control** + +--- + +## Security and Auditing + +Cube AI provides visibility into security-relevant actions through audit logs. + +Audit logs help track: +- User activity +- Domain-level changes +- Security-sensitive operations + +For details, see: +πŸ‘‰ **Security & Access β†’ Audit Logs** + +--- + +## Developer-Focused UI Documentation + +This section focuses on **user-facing UI behavior**. + +Developer-oriented documentation related to UI integration and customization, +such as the Chat UI, is available in: + +πŸ‘‰ **Developer Guide β†’ Chat UI** + +--- + +## Next Steps + +To continue exploring the Cube AI UI: +- Start with **UI β†’ Domains** to understand domain workflows +- Review **UI β†’ User Actions** for account-related operations +- Explore **Security & Access** for roles and auditing features diff --git a/docs/ui/user-actions.md b/docs/ui/user-actions.md new file mode 100644 index 0000000..39eda93 --- /dev/null +++ b/docs/ui/user-actions.md @@ -0,0 +1,117 @@ +--- +id: user-actions +title: User Actions +sidebar_position: 3 +--- + +This section describes common user-facing actions in the Cube AI UI, including +authentication, account verification, password management, and profile-related +operations. + +--- + +## Login + +### Purpose +Authenticate to Cube AI using an email and password. + +### Where in the UI +Login page. + +![Cube AI login screen](/img/getting-started-login.png) + +### Steps +1. Open the Cube AI UI. +2. Enter your email address and password. +3. Click **Sign in**. + +### Expected result +You are authenticated and redirected to the dashboard or your last active domain. + +--- + +## Sign up + +### Purpose +Create a new Cube AI user account. + +### Steps +1. Open the Cube AI UI. +2. Click **Sign up**. +3. Enter your email address and password. +4. Submit the registration form. + +### Expected result +A new account is created and a verification email is sent. + +--- + +## Account verification + +### Purpose +Verify ownership of the email address associated with a user account. + +### How it works +After registration, Cube AI sends a verification email containing a secure link. + +### Steps +1. Open the verification email. +2. Click the verification link. +3. Return to the Cube AI UI. + +### Expected result +The account is marked as verified and full access is enabled. + +--- + +## Password reset + +### Purpose +Regain access to an account if the password is forgotten. + +### Where in the UI +Login page β†’ **Forgot password**. + +### Steps +1. Click **Forgot password**. +2. Enter your email address. +3. Follow the instructions received by email. + +### Expected result +You can set a new password and log in again. + +--- + +## Profile management + +### Purpose +Manage personal account settings. + +### How to access +After logging in, users can access profile-related actions from the user menu in +the UI (typically available via the user icon). + +### Available actions +Depending on configuration and permissions, users may be able to: +- View their account information +- Update personal details +- Change their password +- View account verification status +- Log out of the application + +Profile actions affect only the user account and do **not** modify domain +membership or role assignments. + +--- + +## Logout + +### Purpose +End the current authenticated session. + +### Steps +1. Open the user menu. +2. Click **Log out**. + +### Expected result +The session is terminated and the user is redirected to the login page. diff --git a/sidebars.ts b/sidebars.ts index 36d3fcd..cd44573 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -62,6 +62,27 @@ const sidebars: SidebarsConfig = { 'developer-guide/auth-and-request-flow', ], }, + + // --- UI --- + { + type: 'category', + label: 'UI', + items: [ + 'ui/overview', + 'ui/domains', + 'ui/user-actions', + ], + }, + + // --- Security & Access --- + { + type: 'category', + label: 'Security & Access', + items: [ + 'security/roles-and-access-control', + 'security/audit-logs', + ], + }, ], }; From cb18f3d04067fb6e4125d49d23e3b100e928e4a0 Mon Sep 17 00:00:00 2001 From: fbugarski Date: Mon, 26 Jan 2026 12:17:12 +0100 Subject: [PATCH 2/2] Fix CI Signed-off-by: fbugarski --- docs/security/audit-logs.md | 5 ++ docs/security/roles-and-access-control.md | 5 ++ docs/ui/domains.md | 5 ++ docs/ui/overview.md | 5 ++ docs/ui/user-actions.md | 64 +++++++++++++++-------- 5 files changed, 63 insertions(+), 21 deletions(-) diff --git a/docs/security/audit-logs.md b/docs/security/audit-logs.md index e59ac4e..7b14682 100644 --- a/docs/security/audit-logs.md +++ b/docs/security/audit-logs.md @@ -15,6 +15,7 @@ requirements. Audit logs record important events that occur within the Cube AI system, particularly those related to: + - User activity - Domain-level changes - Access control and security-sensitive operations @@ -36,6 +37,7 @@ Depending on configuration and permissions, audit logs may include events such a - Security-related configuration changes Each audit log entry typically captures: + - The type of action performed - The user who performed the action - The affected resource or domain @@ -72,6 +74,7 @@ observability rather than real-time monitoring. Visibility into audit logs depends on the user’s role within a domain. Typically: + - Administrative roles can view audit logs - Standard users may not have access to audit information @@ -85,6 +88,7 @@ For more details on role-based permissions, see: All audit log entries are associated with a specific domain. When switching domains: + - The visible audit logs change accordingly - Only events related to the active domain are shown @@ -97,6 +101,7 @@ This ensures isolation and clarity when managing multiple domains. Audit logging is a key component of Cube AI’s security posture. By maintaining a record of critical actions, audit logs help: + - Detect misuse or misconfiguration - Support forensic analysis - Demonstrate accountability and operational transparency diff --git a/docs/security/roles-and-access-control.md b/docs/security/roles-and-access-control.md index da881e6..f4b2989 100644 --- a/docs/security/roles-and-access-control.md +++ b/docs/security/roles-and-access-control.md @@ -15,6 +15,7 @@ actions are performed only by authorized users. Access control in Cube AI is **domain-scoped**. This means that: + - Users can belong to one or more domains - A user may have different roles in different domains - Permissions apply only within the currently active domain @@ -57,6 +58,7 @@ permissions granted by the user’s role. Users must be members of a domain to access its resources. Within a domain: + - Each user is assigned a specific role - Role assignments apply only to that domain - Removing a user from a domain immediately revokes domain access @@ -71,6 +73,7 @@ with sufficient permissions. The Cube AI UI adapts based on the active user’s role. Depending on permissions: + - Certain navigation items may be hidden - Some actions may be disabled or unavailable - Administrative sections may only be visible to authorized users @@ -82,6 +85,7 @@ This ensures that users only interact with features they are allowed to access. ## Role Changes When a user’s role is updated: + - The change takes effect immediately - UI visibility and available actions are updated accordingly - No page reload may be required, depending on the UI state @@ -93,6 +97,7 @@ Role changes affect only the selected domain. ## Access Control and Security Role-based access control helps enforce security boundaries by: + - Limiting access to sensitive operations - Reducing the risk of accidental or unauthorized changes - Ensuring clear separation of responsibilities within a domain diff --git a/docs/ui/domains.md b/docs/ui/domains.md index e5ef031..500c7a4 100644 --- a/docs/ui/domains.md +++ b/docs/ui/domains.md @@ -16,6 +16,7 @@ sharing the same Cube AI deployment. ## What is a Domain? A **domain** acts as an isolated environment that groups: + - Users and their roles - Models and backend configurations - Chat and inference activity @@ -31,6 +32,7 @@ After logging in, users are presented with the Cube AI dashboard, where availabl domains are listed. From the dashboard, users can: + - Open an existing domain - Create a new domain (if permitted) @@ -62,6 +64,7 @@ Once opened, you are redirected into the domain workspace. After opening a domain, the UI switches into the domain context. Inside a domain, users can: + - Access the chat interface - Select and interact with available models - Perform domain-scoped operations @@ -75,6 +78,7 @@ Navigation within the domain is handled through the left-side menu. ## Domain Context The active domain determines: + - Which users and roles apply - Which models are available - Which resources and actions are visible in the UI @@ -115,6 +119,7 @@ A common user flow in Cube AI looks like this: ## Next Steps After creating and entering a domain, you can explore: + - User actions and profile management - Role-based access control - Audit logs and security events diff --git a/docs/ui/overview.md b/docs/ui/overview.md index d116dd5..36ab541 100644 --- a/docs/ui/overview.md +++ b/docs/ui/overview.md @@ -32,6 +32,7 @@ or within the context of an active domain. Users begin by accessing the Cube AI login screen. After successful authentication: + - The user is redirected to the dashboard - Available domains are displayed - The user selects or creates a domain to continue @@ -48,6 +49,7 @@ profile management are documented in: Once a domain is opened, the UI switches into **domain context**. Within this context: + - All visible resources belong to the active domain - Available actions depend on the user’s role in that domain - Models and services are scoped to the domain @@ -79,6 +81,7 @@ Each workflow is documented in its respective section of the UI documentation. Access to UI features is controlled by role-based permissions. Depending on their assigned role, users may be able to: + - Create or manage domains - Invite or manage other users - Access administrative or security features @@ -94,6 +97,7 @@ Role definitions and permissions are covered in: Cube AI provides visibility into security-relevant actions through audit logs. Audit logs help track: + - User activity - Domain-level changes - Security-sensitive operations @@ -117,6 +121,7 @@ such as the Chat UI, is available in: ## Next Steps To continue exploring the Cube AI UI: + - Start with **UI β†’ Domains** to understand domain workflows - Review **UI β†’ User Actions** for account-related operations - Explore **Security & Access** for roles and auditing features diff --git a/docs/ui/user-actions.md b/docs/ui/user-actions.md index 39eda93..d0baedb 100644 --- a/docs/ui/user-actions.md +++ b/docs/ui/user-actions.md @@ -12,87 +12,106 @@ operations. ## Login -### Purpose +### Login purpose + Authenticate to Cube AI using an email and password. -### Where in the UI +### Login location in the UI + Login page. ![Cube AI login screen](/img/getting-started-login.png) -### Steps +### Login steps + 1. Open the Cube AI UI. 2. Enter your email address and password. 3. Click **Sign in**. -### Expected result +### Login expected result + You are authenticated and redirected to the dashboard or your last active domain. --- ## Sign up -### Purpose +### Sign up purpose + Create a new Cube AI user account. -### Steps +### Sign up steps + 1. Open the Cube AI UI. 2. Click **Sign up**. 3. Enter your email address and password. 4. Submit the registration form. -### Expected result +### Sign up expected result + A new account is created and a verification email is sent. --- ## Account verification -### Purpose +### Account verification purpose + Verify ownership of the email address associated with a user account. -### How it works +### Account verification how it works + After registration, Cube AI sends a verification email containing a secure link. -### Steps +### Account verification steps + 1. Open the verification email. 2. Click the verification link. 3. Return to the Cube AI UI. -### Expected result +### Account verification expected result + The account is marked as verified and full access is enabled. --- ## Password reset -### Purpose +### Password reset purpose + Regain access to an account if the password is forgotten. -### Where in the UI +### Password reset location in the UI + Login page β†’ **Forgot password**. -### Steps +### Password reset steps + 1. Click **Forgot password**. 2. Enter your email address. 3. Follow the instructions received by email. -### Expected result +### Password reset expected result + You can set a new password and log in again. --- ## Profile management -### Purpose +### Profile management purpose + Manage personal account settings. -### How to access +### Profile management how to access + After logging in, users can access profile-related actions from the user menu in the UI (typically available via the user icon). -### Available actions +### Profile management available actions + Depending on configuration and permissions, users may be able to: + - View their account information - Update personal details - Change their password @@ -106,12 +125,15 @@ membership or role assignments. ## Logout -### Purpose +### Logout purpose + End the current authenticated session. -### Steps +### Logout steps + 1. Open the user menu. 2. Click **Log out**. -### Expected result +### Logout expected result + The session is terminated and the user is redirected to the login page.