[docs] protect sensitive configuration(#216)

docs/administration/protect-sensitive-configuration.md

@@ -0,0 +1,43 @@
+# Protect sensitive configuration
+
+Some administrative actions and configuration modifications via the user interface can lead to data loss during ingestion, loss of data visibility for users, disruption of predefined automations, slowness
+, etc.
+To protect platforms from uncontrolled actions and make administrators' tasks easier, it is possible to restrict the modification of certain configurations to specific users.
+
+## Concept
+
+Protected elements are clearly identifiable, bounded by a block with an red border and a “Danger zone” chip.
+
+![platform_organization_sensitive.png](assets%2Fplatform_organization_sensitive.png)
+
+![role_administrator_sensitive_chip.png](assets%2Frole_administrator_sensitive_chip.png)
+
+When a configuration is sensitive, it remains visible to user with access rights, but all
+possible actions are disabled.
+
+The sensitive configurations identified are:
+- Modification of specific roles and groups
+- Activation/deactivation of inference rules
+- Main platform Organization modification
+- Modification of specific marking definitions
+- Enterprise Edition deactivation
+- File indexing pause/reset
+
+## Configuration
+
+The configuration is done in the application configuration file. By default (in ``default.json``), ``platform_protected_sensitive_config`` is disabled.
+
+Once the protection is enabled, it is possible to activate it around specific areas in the platform, as listed previously. It is also possible to choose which `Roles`, `Groups`  or `Marking definitions` will be protected.
+
+By default, built-in `Groups` , `Roles` and `Markings` are protected:
+- Roles ``default``, ``administrator`` and ``connector``
+- Groups ``default``, ``administrators`` and ``connectors``
+- Marking definitions ``TLP`` and ``PAP``
+
+Once the platform is running, a platform administrator can restrict access to the sensitive configuration scoped in the platform settings through a capability in the RBAC, via ``Settings > Security > Roles > Capabilities list``.
+Only users with `Allow modification of sensitive configuration` capability enabled will be able to modify sensitive configurations.
+
+![check_allow_modification_sensitive_conf.png](assets%2Fcheck_allow_modification_sensitive_conf.png)
+
+![role_allow_modification_sensitive_conf.png](assets%2Frole_allow_modification_sensitive_conf.png)
+

docs/deployment/configuration.md

@@ -238,6 +238,22 @@ Here are the configuration keys, for both containers (environment variables) and
 | ai:model        | AI__MODEL            |               | Model to be used for text generation (depending on type)  |
 | ai:model_images | AI__MODEL_IMAGES     |               | Model to be used for image generation (depending on type) |
 
+#### Protect Sensitive Configurations
+
+| Parameter                                                               | Environment variable                                      | Default value | Description                                          |
+|:------------------------------------------------------------------------|:----------------------------------------------------------|:--------------|:-----------------------------------------------------|
+| protected_sensitive_config:enabled                                      | PROTECT_SENSITIVE_CONFIG__ENABLED                         | false         | Enable Protect Sensitive Configurations              |
+| protected_sensitive_config:markings:enabled                             | PROTECT_SENSITIVE_CONFIG__MARKINGS__ENABLED               | true          | Protect Markings                                     |
+| protected_sensitive_config:markings:protected_definitions               | PROTECT_SENSITIVE_CONFIG__MARKINGS__PROTECTED_DEFINITIONS | ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED", "PAP:CLEAR", "PAP:GREEN", "PAP:AMBER", "PAP:RED"]            | List of protected Markings definitions               |
+| protected_sensitive_config:groups:enabled                               | PROTECT_SENSITIVE_CONFIG__GROUPS__ENABLED                 | true          | Enabled Groups protection                            |
+| protected_sensitive_config:groups:protected_names                       | PROTECT_SENSITIVE_CONFIG__GROUPS__PROTECTED_NAMES         | ["Administrators", "Connectors", "Default"]               | List of protected Groups                             |
+| protected_sensitive_config:roles:enabled                                | PROTECT_SENSITIVE_CONFIG__ROLES__ENABLED                  | true          | Enabled Roles protection                             |
+| protected_sensitive_config:roles:protected_names                        | PROTECT_SENSITIVE_CONFIG__ROLES__PROTECTED_NAMES          | ["Administrators", "Connectors", "Default"]               | List of protected Roles                              |
+| protected_sensitive_config:rules:enabled                                | PROTECT_SENSITIVE_CONFIG__RULES__ENABLED                  | true          | Enabled Rules protection                             |
+| protected_sensitive_config:ce_ee_toggle:enabled                         | PROTECT_SENSITIVE_CONFIG__CE_EE_TOGGLE__ENABLED           | true          | Enabled Enterpise/Community Editon toggle protection |
+| protected_sensitive_config:file_indexing:enabled                        | PROTECT_SENSITIVE_CONFIG__FILE_INDEXING__ENABLED          | true          | Enabled File Indexing protection                     |
+| protected_sensitive_config:platform_organization:enabled                | PROTECT_SENSITIVE_CONFIG__PLATFORM_ORGANIZATION__ENABLED  | true          | Enabled main Platform Organization protection        |
+
 #### Using a credentials provider
 
 In some cases, it may not be possible to put directly dependencies credentials directly in environment variables or static configuration. The platform can then retrieve them from a credentials provider. Here is the list of supported providers: