From d63b6e0ad47ff0e3cfcedeb9e753dca71c5b829c Mon Sep 17 00:00:00 2001
From: Amy Blais <29708087+amyblais@users.noreply.github.com>
Date: Mon, 11 May 2026 09:56:44 +0300
Subject: [PATCH 1/9] Changelog automation fixes (#8947)
* Update generate_changelog.py
* Update generate_changelog.py
---
 .github/scripts/generate_changelog.py | 33 +++++++++++++++++++--------
 1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/.github/scripts/generate_changelog.py b/.github/scripts/generate_changelog.py
index 7ec3b1da06c..a8c213bc3d2 100644
--- a/.github/scripts/generate_changelog.py
+++ b/.github/scripts/generate_changelog.py
@@ -79,17 +79,30 @@ def get_milestone_number(repo: str, title: str) -> int | None:
 """Look up the numeric ID for a milestone by its title in the given repo."""
 url = f"https://api.github.com/repos/{repo}/milestones"
- params = {"state": "all", "per_page": 100}
- resp = requests.get(url, headers=HEADERS, params=params)
- resp.raise_for_status()
- milestones = resp.json()
- for m in milestones:
- if m["title"] == title:
- return m["number"]
+ page = 1
+ recent_titles = []
+ while True:
+ params = {
+ "state": "all",
+ "per_page": 100,
+ "page": page,
+ "sort": "due_on", # sort by due date
+ "direction": "desc", # most recently due first, so active milestones are found quickly
+ }
+ resp = requests.get(url, headers=HEADERS, params=params, timeout=30)
+ resp.raise_for_status()
+ milestones = resp.json()
+ if not milestones:
+ break
+ for m in milestones:
+ if m["title"] == title:
+ return m["number"]
+ if page == 1:
+ recent_titles = [m["title"] for m in milestones[:10]]
+ page += 1
 print(f" ⚠️ Milestone '{title}' not found in {repo} — skipping")
- available = [m["title"] for m in milestones]
- if available:
- print(f" Available milestones: {', '.join(available[:10])}")
+ if recent_titles:
+ print(f" Most recently due milestones: {', '.join(recent_titles)}")
 return None
From 6fe245e8ffdd262548334dad04b8f1a98812b039 Mon Sep 17 00:00:00 2001
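Review bot: The new `while True:` loop in get_milestone_number (1/9 hunk) has no upper bound on `page` and stops only on an empty response, so every miss costs one extra request and a response that never comes back empty would keep the workflow looping. Stopping on a short page at the end of the loop body, `if len(milestones) < params["per_page"]: break`, or capping the page count, bounds the run. The def line appears only in the hunk header; the end of the body (`return None`) is inside the hunk.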
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 20:21:31 +0000 Subject: [PATCH 2/9] Document ABAC permission policies and team-scoped membership policies (v11.7) - ABAC overview: cautious "ABAC can be used with" framing covering system-wide access, permission, team-scoped membership, and channel-specific access policies; clarifies who manages each. - System-wide policies: unique-name validation note for parent policies and new Permission policies section covering attribute-based file upload and file download restrictions. - Channel access rules: new "Manage team-scoped membership policies in Team Settings" section covering Team Admin workflow via the Membership Policies tab, manage_team_access_rules permission, Team Settings sync status footer (Last sync time, Sync now), team-scope sync limits, and auto-run sync on team admin policy creation. - Share files in messages: short "Restricted file attachments" end-user note. - Permissions reference: manage_team_access_rules added to the permission table and to the team_admin built-in role. Co-authored-by: Combs7th --- .../admin/abac-channel-access-rules.rst | 36 +++++++++++++++++++ .../admin/abac-system-wide-policies.rst | 18 ++++++++-- .../admin/attribute-based-access-control.rst | 13 +++++-- ...ced-permissions-backend-infrastructure.rst | 3 ++ .../collaborate/share-files-in-messages.rst | 9 ++++- 5 files changed, 73 insertions(+), 6 deletions(-) diff --git a/source/administration-guide/manage/admin/abac-channel-access-rules.rst b/source/administration-guide/manage/admin/abac-channel-access-rules.rst index 09c79ce35cb..327c8009a14 100644 --- a/source/administration-guide/manage/admin/abac-channel-access-rules.rst +++ b/source/administration-guide/manage/admin/abac-channel-access-rules.rst 
@@ -86,6 +86,42 @@ When you save changes that affect membership, a confirmation dialog shows you: - Option to view the specific users affected - Confirmation required before applying changes +Manage team-scoped membership policies in Team Settings +------------------------------------------------------- + +From Mattermost v11.7, Team Admins can create, edit, and delete channel membership policies directly from Team Settings, scoped to private channels within their team. This lets teams self-manage attribute-based membership for their own channels without requiring a System Admin to create or modify a system-wide policy. + +Prerequisites +~~~~~~~~~~~~~ + +- :doc:`Attribute-Based Access Control (ABAC) ` must be enabled by a System Admin in **System Console > System Attributes > Attribute-Based Access**. +- You need Team Admin permissions for the team and the ``manage_team_access_rules`` permission. +- Team-scoped membership policies apply only to private channels within the team. + +Team Admin workflow +~~~~~~~~~~~~~~~~~~~ + +1. Open **Team Settings** from the team menu, and go to the **Membership Policies** tab. This tab is only visible to Team Admins with the ``manage_team_access_rules`` permission when ABAC is enabled system-wide. +2. Select **Add Policy** and enter a name for the policy. Parent policy names must be unique; if you enter a name that's already in use, Mattermost displays a user-friendly error and prevents the policy from being saved. +3. Define the attribute rules that determine which users can be members of channels assigned to this policy. Rules use the same attribute conditions available for channel-specific access rules. +4. Assign the applicable private channels in the team to the policy. +5. Select **Save** to create or update the policy. Team-scoped policies can be edited or deleted from the same tab at any time. 
+ +Team Settings sync status footer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The **Membership Policies** tab includes a sync status footer that shows: + +- **Last sync time**: The time of the most recent membership synchronization for policies in this team. +- **Sync now**: An on-demand action that triggers an immediate synchronization for the team's policies. + +Team-scoped sync is limited to the team admin's team scope. Triggering **Sync now** from Team Settings does not affect channels or policies outside the current team. + +Auto-run sync on team admin policy creation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When a Team Admin creates a new team-scoped membership policy that has auto-add or sync behavior enabled, Mattermost automatically runs a sync job to apply the policy's rules to the assigned channels. Team Admins don't need to manually trigger **Sync now** for newly created policies in this case; the sync runs as part of policy creation. + Policy inheritance -------------------- diff --git a/source/administration-guide/manage/admin/abac-system-wide-policies.rst b/source/administration-guide/manage/admin/abac-system-wide-policies.rst index bd7aa811b5a..02f3bf520c3 100644 --- a/source/administration-guide/manage/admin/abac-system-wide-policies.rst +++ b/source/administration-guide/manage/admin/abac-system-wide-policies.rst 
@@ -20,7 +20,7 @@ Define access control policies You can add multiple rules to a single policy, and each rule can include multiple attribute values. 1. In the System Console, go to **System Attributes > Attribute-Based Access** and select **Add Policy**. -2. Enter a unique policy name. +2. Enter a unique policy name. Parent access control policy names must be unique; if you enter a name that's already in use, Mattermost displays a user-friendly error message and prevents the policy from being saved until you choose a different name. 3. Choose whether to automatically add users who match your configured attribute values as new members. Automatic synchronization is disabled by default. * **True**: Automatically maintains channel membership according to the defined rules as user attributes change. 
@@ -102,4 +102,18 @@ You can assign an existing access control policy to a private channels for more Remove channel policies ~~~~~~~~~~~~~~~~~~~~~~~ -Disable the policy for the channel by selecting **Remove Policy**. You can then link the channel to a different policy if preferred. \ No newline at end of file +Disable the policy for the channel by selecting **Remove Policy**. You can then link the channel to a different policy if preferred. + +Permission policies +------------------- + +From Mattermost v11.7, System Admins can define attribute-based **permission policies** that restrict specific user actions in addition to channel membership. Permission policies use the same attribute-based rules as access policies, but they apply to user actions rather than channel access. + +Permission policies can be used to restrict the following actions based on user attributes: + +- **File upload**: Prevent users who don't match the defined attribute rules from uploading file attachments. +- **File download**: Prevent users who don't match the defined attribute rules from downloading file attachments. + +When a permission policy applies, users who don't match the configured attribute values can't perform the restricted action. Users may see file attachments as unavailable or redacted in messages they would otherwise have access to. See :ref:`Restricted file attachments ` for the end-user-facing behavior. + +Permission policies follow the same unique-name requirement as access policies: each parent permission policy must have a unique name, and Mattermost surfaces a user-friendly error if a duplicate name is entered. \ No newline at end of file diff --git a/source/administration-guide/manage/admin/attribute-based-access-control.rst b/source/administration-guide/manage/admin/attribute-based-access-control.rst index e188d2efbf1..57418677cc0 100644 --- a/source/administration-guide/manage/admin/attribute-based-access-control.rst 
+++ b/source/administration-guide/manage/admin/attribute-based-access-control.rst @@ -16,10 +16,12 @@ From Mattermost v10.9, system admins in large or complex organizations who requi Enforcing strict access controls based on user attributes eliminates manual role adjustment processes that can lead to security risks, inefficiencies, or inappropriate access, while maintaining security and compliance by ensuring that only authorized users can access specific Mattermost channels. -Attribute-based access control (ABAC) provides 2 levels of control: +Attribute-based access control (ABAC) can be used with the following policy types: -- **System-wide policies** (managed by System Admins): Centralized policies that can be applied across multiple channels in the System Console. See :doc:`System-wide attribute-based access policies `. -- **Channel-specific rules** (managed by Channel Admins): Self-service access rules that Channel Admins can configure directly in Channel Settings for individual channels. See :doc:`Channel-specific access rules `. +- **System-wide access policies** (managed by System Admins): Centralized policies created in the System Console that can be applied across multiple channels. See :doc:`System-wide attribute-based access policies `. +- **Permission policies** (managed by System Admins): Attribute-based restrictions on user actions such as file upload and file download. See :ref:`Permission policies `. +- **Team-scoped membership policies** (managed by Team Admins): Channel membership policies that Team Admins can create, edit, and delete directly from Team Settings for private channels in their team. See :ref:`Manage team-scoped membership policies in Team Settings `. +- **Channel-specific access rules** (managed by Channel Admins): Self-service access rules that Channel Admins can configure directly in Channel Settings for individual channels. See :doc:`Channel-specific access rules `. Before you begin ------------------ 
@@ -41,6 +43,11 @@ Once enabled, you have multiple ways to configure access policies in Mattermost: - Create :doc:`system-wide access policies ` that can be assigned across multiple channels in the System Console. - Assign :ref:`individual channel policies ` to specific channels in the System Console. +- Define :ref:`permission policies ` that restrict actions such as file upload and file download based on user attributes. + +**Team Admins can:** + +- Create, edit, and delete :ref:`team-scoped channel membership policies ` for private channels in their team directly from Team Settings, when granted the appropriate permission. **Channel Admins can:** diff --git a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst index 3b7939d8cf1..54d954a2aff 100644 --- a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst +++ b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst 
@@ -244,6 +244,8 @@ Permissions in Mattermost are a property of the server code base and are not cre +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_channel_access_rules | channel | Manage attribute-based access control rules for channels. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| manage_team_access_rules | team | Manage attribute-based channel membership policies for a team from Team Settings. | ++----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ``Roles`` field ~~~~~~~~~~~~~~~ @@ -654,6 +656,7 @@ The following built-in roles with default permissions are available: - order_bookmark_private_channel - manage_channel_banner - manage_channel_access_rules +- manage_team_access_rules *team_guest* diff --git a/source/end-user-guide/collaborate/share-files-in-messages.rst b/source/end-user-guide/collaborate/share-files-in-messages.rst index 590b109a819..7e7783d9880 100644 --- a/source/end-user-guide/collaborate/share-files-in-messages.rst +++ b/source/end-user-guide/collaborate/share-files-in-messages.rst 
@@ -104,4 +104,11 @@ The following media formats are supported on most browsers: - Audio: MP3, M4A - Files: PDF, TXT -Other document previews (such as Word, Excel, or PPT) are not yet supported. \ No newline at end of file +Other document previews (such as Word, Excel, or PPT) are not yet supported. + +Restricted file attachments +--------------------------- + +If your administrator has configured attribute-based permission policies on your Mattermost instance, file uploads or file downloads may be restricted based on your user attributes. When a policy applies, you may see file attachments as unavailable or redacted in messages, or you may be prevented from uploading a file attachment. + +If you expect to have access to a restricted file and don't, contact your Mattermost administrator. For administrator-facing details, see :ref:`Permission policies `. \ No newline at end of file From f32cab9123deab6e290c321aa3e6b6aeac5b45d7 Mon Sep 17 00:00:00 2001 From: Combs7th <147677911+Combs7th@users.noreply.github.com> Date: Mon, 11 May 2026 13:28:54 -0700 Subject: [PATCH 3/9] Update generate_changelog.py --- .github/scripts/generate_changelog.py | 28 +++++++-------------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/.github/scripts/generate_changelog.py b/.github/scripts/generate_changelog.py index a8c213bc3d2..3a65fc98dd7 100644 --- a/.github/scripts/generate_changelog.py +++ b/.github/scripts/generate_changelog.py 
@@ -79,27 +79,13 @@ def get_milestone_number(repo: str, title: str) -> int | None:
 """Look up the numeric ID for a milestone by its title in the given repo."""
 url = f"https://api.github.com/repos/{repo}/milestones"
- page = 1
- recent_titles = []
- while True:
- params = {
- "state": "all",
- "per_page": 100,
- "page": page,
- "sort": "due_on", # sort by due date
- "direction": "desc", # most recently due first, so active milestones are found quickly
- }
- resp = requests.get(url, headers=HEADERS, params=params, timeout=30)
- resp.raise_for_status()
- milestones = resp.json()
- if not milestones:
- break
- for m in milestones:
- if m["title"] == title:
- return m["number"]
- if page == 1:
- recent_titles = [m["title"] for m in milestones[:10]]
- page += 1
+ params = {"state": "all", "per_page": 100}
+ resp = requests.get(url, headers=HEADERS, params=params)
+ resp.raise_for_status()
+ milestones = resp.json()
+ for m in milestones:
+ if m["title"] == title:
+ return m["number"]
 print(f" ⚠️ Milestone '{title}' not found in {repo} — skipping")
 if recent_titles:
 print(f" Most recently due milestones: {', '.join(recent_titles)}")
From 8d2a37d9ffe2c63642ff4ac30d9002ef26c659d9 Mon Sep 17 00:00:00 2001
From: Combs7th <147677911+Combs7th@users.noreply.github.com>
Date: Mon, 11 May 2026 13:29:45 -0700
Subject: [PATCH 4/9] Update generate_changelog.py
---
 .github/scripts/generate_changelog.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/scripts/generate_changelog.py b/.github/scripts/generate_changelog.py
index 3a65fc98dd7..a22ffc2fe9a 100644
--- a/.github/scripts/generate_changelog.py
+++ b/.github/scripts/generate_changelog.py
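Review bot: In the 3/9 hunk the not-found branch still reads `recent_titles` (`if recent_titles:`), but the hunk removes both assignments to it, so a missing milestone raises NameError instead of printing the hint and returning None. The same hunk drops `timeout=30` from `requests.get`, which lets a stalled connection hang the workflow run, and goes back to a single page of 100 results. If the revert is intended, restore the `available = [m["title"] for m in milestones]` lines in this same commit and keep the timeout: `resp = requests.get(url, headers=HEADERS, params=params, timeout=30)`. 5/9 later restores `available`, but 7/9 ends at blob 7ec3b1da06c, the content from before 1/9, so the timeout stays removed. The function starts and ends outside this hunk.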
@@ -79,7 +79,7 @@ def get_milestone_number(repo: str, title: str) -> int | None:
 """Look up the numeric ID for a milestone by its title in the given repo."""
 url = f"https://api.github.com/repos/{repo}/milestones"
- params = {"state": "all", "per_page": 100}
+params = {"state": "all", "per_page": 100}
 resp = requests.get(url, headers=HEADERS, params=params)
 resp.raise_for_status()
 milestones = resp.json()
From 9ee1b9214d34df9ad809d1e28c4e0ce82e10b30f Mon Sep 17 00:00:00 2001
From: Combs7th <147677911+Combs7th@users.noreply.github.com>
Date: Mon, 11 May 2026 13:30:47 -0700
Subject: [PATCH 5/9] Update generate_changelog.py
---
 .github/scripts/generate_changelog.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/scripts/generate_changelog.py b/.github/scripts/generate_changelog.py
index a22ffc2fe9a..8c0899cd2a0 100644
--- a/.github/scripts/generate_changelog.py
+++ b/.github/scripts/generate_changelog.py
@@ -87,8 +87,9 @@ def get_milestone_number(repo: str, title: str) -> int | None:
 if m["title"] == title:
 return m["number"]
 print(f" ⚠️ Milestone '{title}' not found in {repo} — skipping")
- if recent_titles:
- print(f" Most recently due milestones: {', '.join(recent_titles)}")
+ available = [m["title"] for m in milestones]
+ if available:
+ print(f" Available milestones: {', '.join(available[:10])}")
 return None
From 426da39c2a98391fb38fce60f586301e56c913e9 Mon Sep 17 00:00:00 2001
From: Combs7th <147677911+Combs7th@users.noreply.github.com>
Date: Mon, 11 May 2026 13:31:50 -0700
Subject: [PATCH 6/9] Update generate_changelog.py
---
 .github/scripts/generate_changelog.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/scripts/generate_changelog.py b/.github/scripts/generate_changelog.py
index 8c0899cd2a0..453f5498b23 100644
--- a/.github/scripts/generate_changelog.py
+++ b/.github/scripts/generate_changelog.py
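Review bot: In the 4/9 hunk the added `params = {"state": "all", "per_page": 100}` line appears to begin at column 0 (the removed line is indented, the added one follows the `+` directly), which ends the body of get_milestone_number early and leaves the indented `resp = requests.get(...)` after it as an unexpected-indent syntax error. Keep the assignment at the body's indentation. 6/9 restores it, so squashing 3/9 through 7/9 into one revert would avoid intermediate commits where the script cannot run. The function starts and ends outside this hunk.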
@@ -79,7 +79,7 @@ def get_milestone_number(repo: str, title: str) -> int | None:
 """Look up the numeric ID for a milestone by its title in the given repo."""
 url = f"https://api.github.com/repos/{repo}/milestones"
-params = {"state": "all", "per_page": 100}
+ params = {"state": "all", "per_page": 100}
 resp = requests.get(url, headers=HEADERS, params=params)
 resp.raise_for_status()
 milestones = resp.json()
From 5bb842818fccbc48308936cf4aeb487e2a7c4514 Mon Sep 17 00:00:00 2001
From: Combs7th <147677911+Combs7th@users.noreply.github.com>
Date: Mon, 11 May 2026 13:32:11 -0700
Subject: [PATCH 7/9] Update generate_changelog.py
---
 .github/scripts/generate_changelog.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/scripts/generate_changelog.py b/.github/scripts/generate_changelog.py
index 453f5498b23..7ec3b1da06c 100644
--- a/.github/scripts/generate_changelog.py
+++ b/.github/scripts/generate_changelog.py
@@ -87,7 +87,7 @@ def get_milestone_number(repo: str, title: str) -> int | None:
 if m["title"] == title:
 return m["number"]
 print(f" ⚠️ Milestone '{title}' not found in {repo} — skipping")
- available = [m["title"] for m in milestones]
+ available = [m["title"] for m in milestones]
 if available:
 print(f" Available milestones: {', '.join(available[:10])}")
 return None
From 260da2fe18098a79c9b9d4c1f2f440c0baa79b70 Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Mon, 11 May 2026 23:23:35 +0000
Subject: [PATCH 8/9] Name manage_team_access_rules permission explicitly
Replace vague "appropriate permission" wording with the explicit manage_team_access_rules permission key, per CodeRabbit feedback, so admins can validate role mappings without guessing.
Co-authored-by: Combs7th
---
 .../manage/admin/attribute-based-access-control.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/administration-guide/manage/admin/attribute-based-access-control.rst b/source/administration-guide/manage/admin/attribute-based-access-control.rst index 57418677cc0..f8fd0173c10 100644 --- a/source/administration-guide/manage/admin/attribute-based-access-control.rst +++ b/source/administration-guide/manage/admin/attribute-based-access-control.rst @@ -47,7 +47,7 @@ Once enabled, you have multiple ways to configure access policies in Mattermost: **Team Admins can:** -- Create, edit, and delete :ref:`team-scoped channel membership policies ` for private channels in their team directly from Team Settings, when granted the appropriate permission. +- Create, edit, and delete :ref:`team-scoped channel membership policies ` for private channels in their team directly from Team Settings, when granted the ``manage_team_access_rules`` permission. **Channel Admins can:** From 5c402bddf1590593f3cfbada4f870d0e4d538c92 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Thu, 14 May 2026 04:14:59 +0000 Subject: [PATCH 9/9] Apply pvev review fixes to ABAC v11.7 docs - Team-scoped membership policies apply to public and private channels (not private-only). - Distinguish public (advisory, add-only) vs private (enforced, can remove) sync behavior in a new "Sync behavior by channel type" subsection. - Auto-run sync triggers on any rule, channel, or active-state change; no longer described as gated behind auto-add. Rename the subsection to "Automatic sync on policy changes". - End-user "Restricted file attachments" note now references the actual UI placeholders (**Files not available** / **Access to files is restricted based on attributes**). Co-authored-by: Combs7th --- .../manage/admin/abac-channel-access-rules.rst | 18 +++++++++++++----- .../admin/attribute-based-access-control.rst | 4 ++-- .../collaborate/share-files-in-messages.rst | 2 +- 3 files changed, 16 insertions(+), 8 deletions(-) 
diff --git a/source/administration-guide/manage/admin/abac-channel-access-rules.rst b/source/administration-guide/manage/admin/abac-channel-access-rules.rst index 327c8009a14..0a35cd60eb4 100644 --- a/source/administration-guide/manage/admin/abac-channel-access-rules.rst +++ b/source/administration-guide/manage/admin/abac-channel-access-rules.rst @@ -89,14 +89,14 @@ When you save changes that affect membership, a confirmation dialog shows you: Manage team-scoped membership policies in Team Settings ------------------------------------------------------- -From Mattermost v11.7, Team Admins can create, edit, and delete channel membership policies directly from Team Settings, scoped to private channels within their team. This lets teams self-manage attribute-based membership for their own channels without requiring a System Admin to create or modify a system-wide policy. +From Mattermost v11.7, Team Admins can create, edit, and delete channel membership policies directly from Team Settings, scoped to channels within their team. This lets teams self-manage attribute-based membership for their own channels without requiring a System Admin to create or modify a system-wide policy. Prerequisites ~~~~~~~~~~~~~ - :doc:`Attribute-Based Access Control (ABAC) ` must be enabled by a System Admin in **System Console > System Attributes > Attribute-Based Access**. - You need Team Admin permissions for the team and the ``manage_team_access_rules`` permission. -- Team-scoped membership policies apply only to private channels within the team. +- Team-scoped membership policies can be assigned to both public and private channels within the team. Team Admin workflow ~~~~~~~~~~~~~~~~~~~ 
@@ -117,10 +117,18 @@ The **Membership Policies** tab includes a sync status footer that shows: Team-scoped sync is limited to the team admin's team scope. Triggering **Sync now** from Team Settings does not affect channels or policies outside the current team. -Auto-run sync on team admin policy creation -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Sync behavior by channel type +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Sync behavior for team-scoped membership policies depends on the type of channel the policy is assigned to: + +- **Public channels**: Sync is advisory and add-only. Users who match the policy's rules are added to the channel, but no users are removed if their attributes change. +- **Private channels**: Sync is enforced. Users who match the policy's rules are added to the channel, and users who no longer match the rules are removed during the next synchronization. + +Automatic sync on policy changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -When a Team Admin creates a new team-scoped membership policy that has auto-add or sync behavior enabled, Mattermost automatically runs a sync job to apply the policy's rules to the assigned channels. Team Admins don't need to manually trigger **Sync now** for newly created policies in this case; the sync runs as part of policy creation. +Mattermost automatically runs a sync job whenever a team-scoped membership policy is created, or its rules, assigned channels, or active state change. Team Admins don't need to manually trigger **Sync now** for these updates; the sync runs as part of the change. Policy inheritance -------------------- diff --git a/source/administration-guide/manage/admin/attribute-based-access-control.rst b/source/administration-guide/manage/admin/attribute-based-access-control.rst index f8fd0173c10..ce289d2f44e 100644 --- a/source/administration-guide/manage/admin/attribute-based-access-control.rst +++ b/source/administration-guide/manage/admin/attribute-based-access-control.rst 
@@ -20,7 +20,7 @@ Attribute-based access control (ABAC) can be used with the following policy type - **System-wide access policies** (managed by System Admins): Centralized policies created in the System Console that can be applied across multiple channels. See :doc:`System-wide attribute-based access policies `. - **Permission policies** (managed by System Admins): Attribute-based restrictions on user actions such as file upload and file download. See :ref:`Permission policies `. -- **Team-scoped membership policies** (managed by Team Admins): Channel membership policies that Team Admins can create, edit, and delete directly from Team Settings for private channels in their team. See :ref:`Manage team-scoped membership policies in Team Settings `. +- **Team-scoped membership policies** (managed by Team Admins): Channel membership policies that Team Admins can create, edit, and delete directly from Team Settings for channels in their team. See :ref:`Manage team-scoped membership policies in Team Settings `. - **Channel-specific access rules** (managed by Channel Admins): Self-service access rules that Channel Admins can configure directly in Channel Settings for individual channels. See :doc:`Channel-specific access rules `. Before you begin @@ -47,7 +47,7 @@ Once enabled, you have multiple ways to configure access policies in Mattermost: **Team Admins can:** -- Create, edit, and delete :ref:`team-scoped channel membership policies ` for private channels in their team directly from Team Settings, when granted the ``manage_team_access_rules`` permission. +- Create, edit, and delete :ref:`team-scoped channel membership policies ` for channels in their team directly from Team Settings, when granted the ``manage_team_access_rules`` permission. **Channel Admins can:** diff --git a/source/end-user-guide/collaborate/share-files-in-messages.rst b/source/end-user-guide/collaborate/share-files-in-messages.rst index 7e7783d9880..4aca8a84f44 100644 
--- a/source/end-user-guide/collaborate/share-files-in-messages.rst +++ b/source/end-user-guide/collaborate/share-files-in-messages.rst @@ -109,6 +109,6 @@ Other document previews (such as Word, Excel, or PPT) are not yet supported. Restricted file attachments --------------------------- -If your administrator has configured attribute-based permission policies on your Mattermost instance, file uploads or file downloads may be restricted based on your user attributes. When a policy applies, you may see file attachments as unavailable or redacted in messages, or you may be prevented from uploading a file attachment. +If your administrator has configured attribute-based permission policies on your Mattermost instance, file uploads or downloads may be restricted based on your user attributes. Restricted attachments appear in messages with the placeholder **Files not available** and the subtitle **Access to files is restricted based on attributes**. If you expect to have access to a restricted file and don't, contact your Mattermost administrator. For administrator-facing details, see :ref:`Permission policies `. \ No newline at end of file