feathr-ai · xiaoyongzhu · Aug 10, 2022 · Aug 9, 2022 · Aug 9, 2022
diff --git a/registry/access_control/README.md b/registry/access_control/README.md
@@ -16,7 +16,7 @@ flowchart TD
     G -- Yes --> H[Return API Results]
 ```
 
-If Access control plugin is NOT enabled, the flow will start from **Call Downstream API***
+If Access control plugin is NOT enabled, the flow will directly **Call Downstream API***.
 
 ## Access Control Registry API
 
@@ -72,12 +72,48 @@ Supported scenarios status are tracked below:
   - [x] Initialize default Project Admin role for project creator
   - [ ] Initialize default Global Admin Role for workspace creator
 - UI Experience
-  - [x] Hidden page `../management` for project admin to make CUD requests to `userroles` table
+  - [x] `management` page for project admin to make CUD requests to `userroles` table
   - [x] Use id token in Management API Request headers to identify requestor
 - Future Enhancements:
   - [x] Support AAD Application token  
   - [x] Support OAuth tokens with `email` attributes
   - [x] Functional in Feathr Client
+  - [ ] Add Access Control Dev Guide (include deployment tips)
+  - [ ] Add Access Control User Guide (UI & Client Experience)
   - [ ] Support AAD Groups
   - [ ] Support Other OAuth Providers
-
+
+## Access Control Management APIs
+### UserRole
+| Field        | Comments                                     |
+| ------------ | -------------------------------------------- |
+| scope        | Project name or `global`                     |
+| userName     | User email or APP ID                         |
+| roleName     | Admin or Producer or Consumer                |
+| createBy     | The admin user name who assigned this role   |
+| createReason | The reason for this role assignment          |
+| createTime   | Auto generated during record creation        |
+| deleteBy     | For audit purpose, not used in API returns   |
+| deleteReason | For audit purpose, not used in API returns   |
+| deleteTime   | Auto generated when record marked as deleted |
+| access       | A list of permissions of this role           |
+
+### `GET /userroles` 
+Get `userrole` records of projects that requestor has `manage` access.
++ Response Type: [`UserRole`](#userrole)
+
+### `POST /users/{user}/userroles/add `
+Create a new role assignment 
++ Request Params:
+  + project: project name or `global`
+  + user: user email or app id
+  + role: admin or producer or consumer
+  + reason: create reason
+
+### `DELETE /users/{user}/userroles/delete`
+Delete an existing role assignment
++ Request Params:
+  + project: project name or `global`
+  + user: user email or app id
+  + role: admin or producer or consumer
+  + reason: delete reason
@@ -51,14 +51,14 @@ const RoleManagementForm: React.FC<RoleManagementFormProps> = ({
       >
         <Space direction="vertical" size="large" style={styling}>
           <Form.Item name="scope" label="Scope" rules={[{ required: true }]}>
-            <Input disabled={!editMode} />
+            <Input disabled={!editMode} placeholder="Project Name or Global" />
           </Form.Item>
           <Form.Item
             name="userName"
             label="User Name"
             rules={[{ required: true }]}
           >
-            <Input disabled={!editMode} />
+            <Input disabled={!editMode} placeholder="Email Account or App Id"/>
           </Form.Item>
           <Form.Item
             name="roleName"
@@ -72,7 +72,7 @@ const RoleManagementForm: React.FC<RoleManagementFormProps> = ({
             </Select>
           </Form.Item>
           <Form.Item name="reason" label="Reason" rules={[{ required: true }]}>
-            <Input disabled={!editMode} />
+            <Input disabled={!editMode} placeholder="For Audit Purpose" />
           </Form.Item>
         </Space>
         <Form.Item wrapperCol={{ offset: 11 }}>

@@ -136,8 +136,9 @@ const UserRoles: React.FC = () => {
         <div style={{ flex: 1 }}>
           <>
             <p style={{ width: "80%" }}>
-              This page is protected by Feathr Access Control. Only Global Admin
-              can retrieve management details and grant or delete user roles.
+              This page is protected by Feathr Access Control. Only Project
+              Admins can retrieve management details and grant or delete user
+              roles.
             </p>
           </>
         </div>