[DOC-13661] Update RBAC for SQL++ (Capella)

modules/n1ql/pages/n1ql-language-reference/alterbucket.adoc

@@ -22,15 +22,13 @@ You can update only a limited set of bucket settings.
 You cannot change its core properties such as the bucket name and type. 
 For more information, see the <<alterbucket-syntax,Syntax>> section.
 
-== RBAC Privileges
+== Prerequisites
 
-Only administrators with the following roles can execute the ALTER BUCKET statement:
+To execute the ALTER BUCKET statement, you must have at least one of the following roles:
 
-* Full Admin
-* Cluster Admin
-* Bucket Admin (if privileges are extended to the specific bucket or all buckets on the cluster)
-
-For more information about roles and privileges, see {roles}[Roles].
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 [[alterbucket-syntax]]
 == Syntax

modules/n1ql/pages/n1ql-language-reference/altergroup.adoc

@@ -21,9 +21,13 @@ CAUTION: When you add new roles to a group, the ALTER GROUP statement replaces t
 It updates the entire role list, so any existing roles not included in the new list will be removed.
 If you want to add or remove specific roles without affecting the others, use the xref:n1ql:n1ql-language-reference/grant.adoc[GRANT] and xref:n1ql:n1ql-language-reference/revoke.adoc[REVOKE] statements instead.
 
-== RBAC Privileges
+== Prerequisites
 
-To execute the ALTER GROUP statement, you must be an xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] or xref:projects:project-roles.adoc#project-owner-role[`Project Owner`].
+To execute the ALTER GROUP statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/alterindex.adoc

@@ -40,7 +40,9 @@ If a node goes down while an {doctitle} operation is happening, then the index w
 //tag::prerequisites[]
 == Prerequisites
 
-Only users with the RBAC role of `Administrator` are allowed to run the `{doctitle}` directive.
+To execute the `{doctitle}` statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
+
 //end::prerequisites[]
 
 == Syntax

modules/n1ql/pages/n1ql-language-reference/altersequence.adoc

@@ -38,9 +38,13 @@ Similarly, when you restore a bucket, sequences are restored in accordance with
 
 == Prerequisites
 
-.RBAC Privileges
+ifdef::granular-rbac[]
 To execute the ALTER SEQUENCE statement, your client must have the _Query Manage Sequences_ privilege granted on the scope.
 For more details about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the ALTER SEQUENCE statement, your client must have the `Write` privilege on the scope.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/alteruser.adoc

@@ -17,9 +17,13 @@ This statement helps manage access control and keeps user information up to date
 CAUTION: When you add new groups to a user, the ALTER USER statement replaces the user's existing group assignments with the new ones you provide. 
 It updates the entire group list, so any existing groups not included in the new list will be removed.
 
-== RBAC Privileges
+== Prerequisites
 
-To execute the ALTER USER statement, you must be an xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] or xref:projects:project-roles.adoc#project-owner-role[`Project Owner`].
+To execute the ALTER USER statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/build-index.adoc

@@ -60,12 +60,13 @@ If the data set changes dramatically, you must drop and rebuild the index to upd
 
 == Prerequisites
 
-[discrete]
-===== RBAC Privileges
-
+ifdef::granular-rbac[]
 The client executing the BUILD INDEX statement must have the _Query Manage Index_ privilege granted on the keyspace.
-For more details about cluster access privileges, see
-{authorization-overview}[].
+For more details about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the BUILD INDEX statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/comma.adoc

@@ -37,8 +37,13 @@ Refer to the examples below for further details.
 
 == Prerequisites
 
+ifdef::granular-rbac[]
 To select data from keyspace or expression, your client must have the [.param]`query_select` privilege on that keyspace.
 For more details about cluster access privileges, see {authorization}[].
+endif::granular-rbac[]
+
+To select data from keyspace or expression, your client must have the `Read` privilege on that keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/createbucket.adoc

@@ -25,10 +25,13 @@ When you create a new bucket, a `_default` scope and a `_default` collection are
 The name of the bucket must be unique within the cluster and you cannot change it once you create the bucket.
 You can have a maximum of 30 buckets per cluster.
 
-== RBAC Privileges
+== Prerequisites
 
-To execute the CREATE BUCKET statement, you must have either the Full Admin or the Cluster Admin role.
-For more information about roles and privileges, see {roles}[Roles].
+To execute the CREATE BUCKET statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/createcollection.adoc

@@ -20,6 +20,11 @@ include::partial$n1ql-language-reference/horizontal-style.adoc[]
 [abstract]
 The `CREATE COLLECTION` statement enables you to create a named collection within a scope.
 
+== Prerequisites
+
+To execute the CREATE COLLECTION statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
+
 == Syntax
 
 [source,ebnf]

modules/n1ql/pages/n1ql-language-reference/createfunction.adoc

@@ -51,7 +51,11 @@ include::javascript-udfs:partial$sqlpp-managed-udfs.adoc[]
 
 == Prerequisites
 
-* To manage user-defined functions on your operational cluster, you must have the xref:projects:project-roles.adoc#project-owner-role[`Project Owner`] or the xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Cluster Data Reader/Writer`] role.
+To execute the `CREATE FUNCTION` statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/creategroup.adoc

@@ -15,9 +15,13 @@ You can specify the group's name, description, and assign it one or more roles.
 By creating groups, you can organize users and assign roles collectively.
 When you add users to a group, they automatically inherit the roles assigned to that group.
 
-== RBAC Privileges
+== Prerequisites
 
-To execute the CREATE GROUP statement, you must be an xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] or xref:projects:project-roles.adoc#project-owner-role[`Project Owner`].
+To execute the CREATE GROUP statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/createindex.adoc

@@ -66,12 +66,13 @@ If the data set changes dramatically, you must drop and rebuild the index to upd
 //tag::prerequisites[]
 == Prerequisites
 
-[discrete]
-===== RBAC Privileges
-
+ifdef::granular-rbac[]
 To execute the {doctitle} statement, your client must have the `Query Manage Index` privilege granted on the keyspace.
-For more information about cluster access privileges, see
-{authorization-overview}[].
+For more information about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the `{doctitle}` statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 //end::prerequisites[]
 
 == Syntax

modules/n1ql/pages/n1ql-language-reference/createprimaryindex.adoc

@@ -41,12 +41,13 @@ See <<index-with,WITH Clause>> for more details.
 
 == Prerequisites
 
-[discrete]
-===== RBAC Privileges
-
+ifdef::granular-rbac[]
 To execute the `CREATE PRIMARY INDEX` statement, your client must have the `Query Manage Index` privilege granted on the keyspace.
-For more information about cluster access privileges, see
-{authorization-overview}[].
+For more information about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the `CREATE PRIMARY INDEX` statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/createscope.adoc

@@ -18,6 +18,11 @@ include::partial$n1ql-language-reference/horizontal-style.adoc[]
 [abstract]
 The `CREATE SCOPE` statement enables you to create a scope.
 
+== Prerequisites
+
+To execute the `CREATE SCOPE` statement, you must have the `Write` privilege on the bucket.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
+
 == Syntax
 
 [source,ebnf]

modules/n1ql/pages/n1ql-language-reference/createsequence.adoc

@@ -38,9 +38,13 @@ Similarly, when you restore a bucket, sequences are restored in accordance with
 
 == Prerequisites
 
-.RBAC Privileges
+ifdef::granular-rbac[]
 To execute the CREATE SEQUENCE statement, your client must have the _Query Manage Sequences_ privilege granted on the scope.
 For more details about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the CREATE SEQUENCE statement, your client must have the `Write` privilege on the scope.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/createuser.adoc

@@ -16,9 +16,13 @@ By default, Couchbase Server assigns the user to the local authentication domain
 When you create a user, you can specify their basic attributes such as username, password, full name, and assign them to one or more groups. 
 If you do not specify a group, the user is not assigned to any group by default.
 
-== RBAC Privileges
+== Prerequisites
 
-To execute the CREATE USER statement, you must be an xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] or xref:projects:project-roles.adoc#project-owner-role[`Project Owner`].
+To execute the CREATE USER statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/delete.adoc

@@ -16,15 +16,20 @@
 include::partial$n1ql-language-reference/horizontal-style.adoc[]
 include::partial$n1ql-language-reference/collapsible-style.adoc[]
 
+[abstract]
 {description}
 
 == Prerequisites
 
-=== RBAC Privileges
-
+ifdef::granular-rbac[]
 To execute the DELETE statement, your client must have the _Query Delete_ privilege granted on the target keyspace.
 If the statement has any RETURNING clauses that need data read, then the _Query Select_ privilege is also required on the keyspaces referred in the respective clauses.
 For more details about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the DELETE statement, your client must have the `Write` privilege on the target keyspace.
+If the statement includes any `RETURNING` clauses that need data read, the client must also have `Read` privileges on the keyspaces referred in the respective clauses.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 .RBAC Examples
 [%collapsible]

modules/n1ql/pages/n1ql-language-reference/dropbucket.adoc

@@ -23,15 +23,13 @@ It also deletes all associated indexes, metadata, and other bucket resources.
 
 WARNING: This operation is irreversible, so use this statement with caution.
 
-== RBAC Privileges
+== Prerequisites
 
-Only administrators with the following roles can execute the DROP BUCKET statement:
+To execute the DROP BUCKET statement, you must have at least one of the following roles:
 
-* Full Admin
-* Cluster Admin
-* Bucket Admin (if privileges are extended to the specific bucket or all buckets on the cluster)
-
-For more information about roles and privileges, see {roles}[Roles].
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/dropcollection.adoc

@@ -18,6 +18,11 @@ include::partial$n1ql-language-reference/horizontal-style.adoc[]
 [abstract]
 The `DROP COLLECTION` statement enables you to delete a named collection from a scope.
 
+== Prerequisites
+
+To execute the DROP COLLECTION statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
+
 == Syntax
 
 [source,ebnf]

modules/n1ql/pages/n1ql-language-reference/dropfunction.adoc

@@ -12,7 +12,11 @@ include::partial$n1ql-language-reference/horizontal-style.adoc[]
 
 == Prerequisites
 
-* To manage user-defined functions on your operational cluster, you must have the xref:projects:project-roles.adoc#project-owner-role[`Project Owner`] or the xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Cluster Data Reader/Writer`] role.
+To execute the `DROP FUNCTION` statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/dropgroup.adoc

@@ -14,9 +14,13 @@ You can use this statement to clean up groups that are no longer needed.
 Deleting a group removes all roles and privileges associated with the group.
 Users in the deleted group no longer inherit the roles granted to it.
 
-== RBAC Privileges
+== Prerequisites
 
-To execute the DROP GROUP statement, you must be an xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] or xref:projects:project-roles.adoc#project-owner-role[`Project Owner`].
+To execute the DROP GROUP statement, you must have at least one of the following roles:
+
+* xref:organizations:organization-user-roles.adoc#organization-role-organization-owner[`Organization Owner`] 
+* xref:projects:project-roles.adoc#project-owner-role[`Project Owner`]
+* xref:projects:project-roles.adoc#project-cluster-data-reader-writer[`Data Writer`]
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/dropindex.adoc

@@ -28,12 +28,13 @@ For compatibility with legacy versions of Couchbase Server, you can also use DRO
 // tag::prerequisites[]
 == Prerequisites
 
-[discrete]
-===== RBAC Privileges
-
+ifdef::granular-rbac[]
 To use the {doctitle} statement, your client must have the `Query Manage Index` privilege on the keyspace or bucket.
-For more information about cluster access privileges, see
-{authorization-overview}[].
+For more information about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To use the {doctitle} statement, your client must have the `Write` privilege on the keyspace or bucket.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 // end::prerequisites[]
 
 == Syntax

modules/n1ql/pages/n1ql-language-reference/dropprimaryindex.adoc

@@ -18,11 +18,13 @@ NOTE: For compatibility with legacy versions of Couchbase Server, you can also u
 
 == Prerequisites
 
-[discrete]
-===== RBAC Privileges
-
+ifdef::granular-rbac[]
 To execute the DROP PRIMARY INDEX statement, your client must have the `Query Manage Index` privilege granted on the keyspace.
 For more information about cluster access privileges, see {roles}[].
+endif::granular-rbac[]
+
+To execute the DROP PRIMARY INDEX statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax
 

modules/n1ql/pages/n1ql-language-reference/dropscope.adoc

@@ -17,6 +17,11 @@ include::partial$n1ql-language-reference/horizontal-style.adoc[]
 [abstract]
 The `DROP SCOPE` statement enables you to delete a scope.
 
+== Prerequisites
+
+To execute the DROP SCOPE statement, your client must have the `Write` privilege on the keyspace.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
+
 == Syntax
 
 [source,ebnf]

modules/n1ql/pages/n1ql-language-reference/dropsequence.adoc

@@ -21,9 +21,13 @@ include::./sequenceops.adoc[tags=overview]
 
 == Prerequisites
 
-.RBAC Privileges
+ifdef::granular-rbac[]
 To execute the DROP SEQUENCE statement, your client must have the _Query Manage Sequences_ privilege granted on the scope.
 For more details about cluster access privileges, see {authorization-overview}[].
+endif::granular-rbac[]
+
+To execute the DROP SEQUENCE statement, your client must have the `Write` privilege on the scope.
+For more information about access privileges, see xref:clusters:manage-database-users.adoc[].
 
 == Syntax