From a4637d732dea15b7a1ff5ea1ae0e4d559acfefbb Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Fri, 10 May 2024 06:46:26 -0600 Subject: [PATCH] docs: inital commit for doc (#395) ## Description Add docs for uds-core admin / auditor and where they map to in other applications and IDP's. ## Related Issue Fixes #393 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed --- docs/UDS_CORE_GROUPS.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 docs/UDS_CORE_GROUPS.md diff --git a/docs/UDS_CORE_GROUPS.md b/docs/UDS_CORE_GROUPS.md new file mode 100644 index 000000000..34c2579a2 --- /dev/null +++ b/docs/UDS_CORE_GROUPS.md 
@@ -0,0 +1,37 @@ +# UDS-CORE Groups + +UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. + +## Applications +### Grafana +Grafana [maps the groups](https://github.com/defenseunicorns/uds-core/blob/49cb11a058a9209cee7019fa552b8c0b2ef73368/src/grafana/values/values.yaml#L37) from Keycloak to it's internal `Admin` and `Viewer` groups. + +| Keycloak Group | Mapped Grafana Group | +|----------------|----------------------| +| `Admin` | `Admin` | +| `Auditor` | `Viewer` | + +If a user doesn't belong to either of these Keycloak groups the user will be unauthorized when accessing Grafana. + +### Neuvector +Neuvector [maps the groups](https://github.com/defenseunicorns/uds-core/blob/main/src/neuvector/chart/templates/uds-package.yaml#L31-L35) from Keycloak to it's internal `admin` and `reader` groups. + +| Keycloak Group | Mapped Neuvector Group | +|----------------|------------------------| +| `Admin` | `admin` | +| `Auditor` | `reader` | + +## Keycloak +> [!IMPORTANT] +> All groups are under the Uds Core parent group. Frequently a group will be referred to as Uds Core/Admin or Uds Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups. + +### Identity Providers ( IDP ) + +UDS Core ships with a [templated](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json#L1712-L1813) Google SAML IDP, more documentation to configure the `realmInitEnv` values in [uds-identity-config](https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#customizing-realm). + +Configuring your own IDP can be achieved via: +* Custom uds-identity-config with a templated realm.json + +* Keycloak Admin UI and click ops + +* Custom [realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json#L1712-L1813) for direct import in Keycloak
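Review bot: The Neuvector section is missing the access statement that the Grafana section has. Grafana gets "If a user doesn't belong to either of these Keycloak groups the user will be unauthorized when accessing Grafana." but there is no equivalent sentence after the Neuvector table, so an operator cannot tell from this page whether a user in neither `Admin` nor `Auditor` is denied Neuvector access or lands in some default role; please add the corresponding statement for Neuvector. Two smaller points in the same hunk: the table headers list the groups as bare `Admin` and `Auditor` while the callout below says "All groups are under the Uds Core parent group" and that they are usually referred to as `Uds Core/Admin` or `Uds Core/Auditor`, so the tables should use the full path (or the callout should move above the tables) to avoid a reader creating top-level groups by mistake; and the Grafana mapping link is pinned to commit `49cb11a0...` while the Neuvector link points at `main#L31-L35`, a line range that will drift as the chart changes, so pin both to a commit or neither. Also "it's internal" should be "its internal" in both the Grafana and Neuvector paragraphs, and the final "Custom realm.json" bullet reuses the exact `realm.json#L1712-L1813` deep link already used for the templated Google SAML IDP; if a different anchor was intended, please update it.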