docs: Describe changing default OPA permissions (#6294)

Follow up to discussion from: #6224 This issue is linked with: #3788 which introduced IAM, but not document some aspects. .
cvat-ai · Jun 13, 2023 · f578e47 · f578e47
1 parent e95c0a1
commit f578e47
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/site/content/en/docs/administration/advanced/iam_system_roles.md b/site/content/en/docs/administration/advanced/iam_system_roles.md
@@ -7,4 +7,17 @@ weight: 70
 <!--lint disable heading-style-->
 
 ## System roles
+
+By default CVAT users can be assigned to one of the following groups: `admin`, `business`, `user` and `worker`.
+
+Each of these groups gives a set of permissions.
 TBD
+
+## Changing permissions
+
+System permissions are defined using `.rego` files stored in `cvat/apps/iam/rules/`.
+Rego is a declarative language used for defining OPA policies.
+It's syntax is defined in [OPA docs](https://www.openpolicyagent.org/docs/latest/policy-language/).
+
+After changing the `.rego` files, you need to rebuilt and restart the docker compose for the changes to take effect.
+In this case you need to include `docker-compose.dev.yml` compose config file to `docker compose` command.