Skip to content

Commit 072152f

Browse files
fern-api[bot]fern-supportbot_apkdevalog
authored
Update RBAC docs: password-based RBAC on Team plans, add CLI note (#4335)
Co-authored-by: fern-support <support@buildwithfern.com> Co-authored-by: bot_apk <apk@cognition.ai> Co-authored-by: Devin Logan <devinannlogan@gmail.com>
1 parent b87cbd7 commit 072152f

5 files changed

Lines changed: 41 additions & 21 deletions

File tree

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
---
2+
tags: ["security"]
3+
---
4+
5+
## Password-based RBAC
6+
7+
You can now set up multiple passwords in the Dashboard, each mapped to a different role. Combined with [role-based access control (RBAC)](/learn/docs/authentication/features/rbac), this lets you control which pages and sections different groups can access — without needing JWT or OAuth.
8+
9+
To get started, go to **Settings** > **Password** in the [Dashboard](https://dashboard.buildwithfern.com/).
10+
11+
<Button intent="none" outlined rightIcon="arrow-right" href="/learn/dashboard/configuration/password-protection">Read the docs</Button>

fern/products/dashboard/pages/password-protection.mdx

Lines changed: 12 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ description: Manage password protection for your documentation site from the Fer
55

66
<Markdown src="/snippets/team-plan.mdx"/>
77

8-
Protect your published documentation site with a shared password directly from the [Fern Dashboard](https://dashboard.buildwithfern.com/). When enabled, visitors must enter the password before they can view any content.
8+
Protect your published documentation site with a shared password directly from the [Fern Dashboard](https://dashboard.buildwithfern.com/). When enabled, visitors must enter the password before they can view any content. You can also set up multiple passwords for use with [RBAC](/learn/docs/authentication/features/rbac).
99

1010
<Note>
1111
Password-protected sites aren't indexed by search engines.
@@ -26,18 +26,23 @@ Navigate to the [Fern Dashboard](https://dashboard.buildwithfern.com/) and selec
2626
Open the **Settings** page for your docs site. You'll see a **Password** card at the top of the page.
2727
</Step>
2828

29-
<Step title="Set a password">
29+
<Step title="Set password(s)">
3030

31-
Enter a password and click **Save**. A confirmation dialog will appear — select **Enable** to activate password protection.
31+
Enter a single password for your entire set, or select **Add roles** to add multiple passwords that are each mapped to a user role you define. You can add a maximum of three user roles. Click **Save** to activate password protection.
3232

33-
Once enabled, the card displays the current password along with when and by whom it was last updated.
33+
Once enabled, the card displays the current password(s) along with when and by whom they were last updated.
34+
</Step>
35+
36+
<Step title="Configure RBAC (optional)">
37+
38+
If you set up multiple passwords with different user roles, configure [role-based access control (RBAC)](/learn/docs/authentication/features/rbac) in `docs.yml` to restrict pages and sections of your site by role.
3439
</Step>
3540
</Steps>
3641

3742
## Manage password protection
3843

39-
In the same dialog, you can **Reset** the password, or **Remove** the password to make your site publicly accessible.
44+
In the same dialog, you can **Reset** the password(s), or **Remove** the password(s) to make your site publicly accessible.
4045

41-
<Note title="Roles">
42-
All [role types](/learn/dashboard/configuration/permissions) can view the current password. Only Admins can set, reset, or remove a password.
46+
<Note>
47+
All [members](/learn/dashboard/configuration/permissions) can view the current password(s). Only Admins can set, reset, or remove a password.
4348
</Note>

fern/products/docs/pages/authentication/overview.mdx

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ Fern offers four ways to authenticate users on your documentation site.
99

1010
<CardGroup cols={2}>
1111
<Card title="Password protection" icon="fa-duotone fa-lock" href="/learn/docs/authentication/setup/password-protection">
12-
A single shared password for the entire site
12+
A shared password for the entire site or multiple passwords mapped to roles
1313
</Card>
1414
<Card title="SSO" icon="fa-duotone fa-user-check" href="/learn/docs/authentication/setup/sso">
1515
Corporate credentials for internal docs
@@ -24,10 +24,10 @@ Fern offers four ways to authenticate users on your documentation site.
2424

2525
## Which option should I use?
2626

27-
- **[Password protection](/learn/docs/authentication/setup/password-protection)** — You need quick gating with a single shared password. No per-user accounts, no setup beyond `docs.yml`.
27+
- **[Password protection](/learn/docs/authentication/setup/password-protection)** — You need quick gating with a shared password (no per-user accounts). Supports multiple passwords mapped to roles for [role-based access control](/learn/docs/authentication/features/rbac).
2828
- **[SSO](/learn/docs/authentication/setup/sso)** — Your team should log in with corporate credentials (Okta, Google Workspace, etc.) for internal docs or wikis.
29-
- **[JWT](/learn/docs/authentication/setup/jwt)** — You want to integrate with your existing login system and control the entire auth flow yourself. Enables [role-based access control](/learn/docs/authentication/features/rbac) and [API key injection](/learn/docs/authentication/features/api-key-injection).
30-
- **[OAuth](/learn/docs/authentication/setup/oauth)** — You want to integrate with your existing login system but have Fern manage the auth flow via your OAuth provider. Enables [role-based access control](/learn/docs/authentication/features/rbac) and [API key injection](/learn/docs/authentication/features/api-key-injection).
29+
- **[JWT](/learn/docs/authentication/setup/jwt)** — You want to integrate with your existing login system and control the entire auth flow yourself. Supports [role-based access control](/learn/docs/authentication/features/rbac) and [API key injection](/learn/docs/authentication/features/api-key-injection).
30+
- **[OAuth](/learn/docs/authentication/setup/oauth)** — You want to integrate with your existing login system but have Fern manage the auth flow via your OAuth provider. Supports [role-based access control](/learn/docs/authentication/features/rbac) and [API key injection](/learn/docs/authentication/features/api-key-injection).
3131

3232
JWT and OAuth share the same capabilities — the difference is who manages the auth flow. Both can be used for login-only gating, or combined with [RBAC](/learn/docs/authentication/features/rbac) and [API key injection](/learn/docs/authentication/features/api-key-injection) for granular access control and pre-filled API keys.
3333

fern/products/docs/pages/authentication/password.mdx

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,13 +7,13 @@ subtitle: Protect your documentation site with a shared password for simple acce
77

88
<Markdown src="/snippets/team-plan.mdx"/>
99

10-
Password protection allows you to restrict access to your documentation site using a shared password. This is useful for pre-release documentation, internal resources, or any content you want to keep private without requiring individual user accounts.
10+
Password protection allows you to restrict access to your documentation site using a single shared password or multiple passwords (up to three), each mapped to a role. This is useful for pre-release documentation, internal resources, or any content you want to keep private without requiring individual user accounts.
1111

12-
[Set up and manage password protection](/learn/dashboard/configuration/password-protection) in the [Fern Dashboard](https://dashboard.buildwithfern.com/).
12+
[Set up and manage password protection](/learn/dashboard/configuration/password-protection) in the [Fern Dashboard](https://dashboard.buildwithfern.com/). If you set up multiple passwords for different user roles, then configure [RBAC](/learn/docs/authentication/features/rbac) to control which content different groups can access.
1313

1414
## How it works
1515

16-
When password protection is enabled, visitors to your documentation site are prompted to enter a password before they can view any content. Once authenticated, users can browse the site until their session expires.
16+
When password protection is enabled, visitors to your documentation site are prompted to enter a password before they can view any content. Once authenticated, users can browse the site until their session expires. If multiple passwords are configured, the password entered determines the user's role and which content they can access.
1717

1818
<Note>
1919
When password protection is active, search engines won't index your site.

fern/products/docs/pages/authentication/rbac.mdx

Lines changed: 11 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -6,17 +6,21 @@ description: Learn how to restrict access to your documentation using role-based
66

77
<Markdown src="/snippets/agent-directive.mdx"/>
88

9-
<Markdown src="/snippets/enterprise-plan.mdx"/>
9+
<Warning title="Team and Enterprise feature">
10+
Password-based RBAC is available on the [Team and Enterprise plans](https://buildwithfern.com/pricing). JWT and OAuth-based RBAC require the [Enterprise plan](https://buildwithfern.com/pricing).
11+
</Warning>
1012

11-
RBAC is a feature of [JWT](/learn/docs/authentication/setup/jwt) and [OAuth](/learn/docs/authentication/setup/oauth) authentication. Once a user logs in through either method, Fern checks the [`fern_token`](/learn/docs/authentication/overview#how-authentication-works) cookie to determine their roles and controls access to pages, sections, and other navigation items accordingly.
13+
RBAC controls access to pages, sections, and other navigation items based on user roles. It works with [password protection](/learn/docs/authentication/setup/password-protection), [JWT](/learn/docs/authentication/setup/jwt), and [OAuth](/learn/docs/authentication/setup/oauth) authentication.
1214

13-
RBAC is useful for partner docs, beta features, tiered access, and internal content. You can combine it with [API key injection](/learn/docs/authentication/features/api-key-injection) in a single token. When RBAC is configured, [Ask Fern](/learn/docs/ai-features/ask-fern/overview) automatically respects these permissions.
14-
15-
<Note>If you'd like restricted pages to be visible but locked to unauthenticated users (rather than completely hidden), let Fern know during setup.</Note>
15+
RBAC is useful for partner docs, beta features, tiered access, and internal content. You can combine it with [API key injection](/learn/docs/authentication/features/api-key-injection) when using JWT or OAuth authentication. When RBAC is configured, [Ask Fern](/learn/docs/ai-features/ask-fern/overview) automatically respects these permissions. By default, restricted pages are completely hidden from unauthorized users — if you'd like them to be visible but locked instead, let Fern know during setup.
1616

1717
## Setup
1818

19-
To enable RBAC, follow the [JWT](/learn/docs/authentication/setup/jwt) or [OAuth](/learn/docs/authentication/setup/oauth) setup guide, then define your roles in `docs.yml`:
19+
<Info>
20+
RBAC is configured in `docs.yml` and managed through the [Fern CLI](/learn/cli-api-reference/cli-reference/overview). If you set up your site using the [guided UI](https://dashboard.buildwithfern.com/get-started), you'll need to work with your Fern configuration files directly instead of through the Fern Dashboard.
21+
</Info>
22+
23+
To enable RBAC, first set up an authentication method — [password protection](/learn/docs/authentication/setup/password-protection), [JWT](/learn/docs/authentication/setup/jwt), or [OAuth](/learn/docs/authentication/setup/oauth) — then define your roles in `docs.yml`:
2024

2125
```yml docs.yml
2226
roles:
@@ -26,7 +30,7 @@ roles:
2630
- admins
2731
```
2832
29-
Every user automatically has the `everyone` role, including unauthenticated visitors. If a user lacks the required role or isn't authenticated, Fern redirects them to your login page.
33+
Every user automatically has the `everyone` role, including unauthenticated visitors. If a user lacks the required role or isn't authenticated, Fern redirects them to your login page. There is no limit on the number of roles you can define, unless you're using [password protection](/learn/docs/authentication/setup/password-protection), which supports up to three.
3034

3135
## Restricting content
3236

0 commit comments

Comments
 (0)