[DPE-7323] Define MySQL roles page (#682)

sinclert-canonical · web-flow · commit f122090305d0 · 2025-09-12T13:23:27.000+02:00
diff --git a/docs/explanation/architecture.md b/docs/explanation/architecture.md
@@ -4,7 +4,7 @@
 
 ## HLD (High Level Design)
 
-The charm design leverages on the SNAP “[charmed-mysql](https://snapcraft.io/charmed-mysql)” which is deployed by Juju on the specified VM/MAAS/bare-metal machine based on Ubuntu Jammy/22.04. SNAP allows to run MySQL service(s) in a secure and isolated environment ([strict confinement](https://ubuntu.com/blog/demystifying-snap-confinement)). The installed SNAP:
+The charm design leverages on the SNAP “[charmed-mysql](https://snapcraft.io/charmed-mysql)” which is deployed by Juju on the specified VM/MAAS/bare-metal machine based on Ubuntu Jammy/22.04. SNAP allows to run MySQL service(s) in a secure and isolated environment ([strict confinement](https://snapcraft.io/blog/demystifying-snap-confinement)). The installed SNAP:
 
 ```
 > juju ssh mysql/0
diff --git a/docs/explanation/index.md b/docs/explanation/index.md
@@ -21,6 +21,7 @@ Legacy charm <legacy-charm>
 :maxdepth: 2
 
 Users <users>
+Roles <roles>
 Logs <logs/index>
 ```
 
diff --git a/docs/explanation/roles.md b/docs/explanation/roles.md
@@ -0,0 +1,64 @@
+# Roles
+
+```{note}
+The following roles are available starting on revision 412
+```
+
+There are several definitions of roles in Charmed MySQL:
+* Predefined instance-level roles
+* Predefined database-level roles
+
+```{seealso}
+[](/explanation/users)
+```
+
+## MySQL roles
+MySQL does not provide any built-in roles for users to get permissions from.
+
+## Charmed MySQL instance-level roles
+
+Charmed MySQL introduces the following instance-level predefined roles:
+
+* `charmed_backup`: used for the `backups` user.
+* `charmed_stats`: used for the `monitoring` user.
+* `charmed_read`: used to provide data read permissions to all databases.
+* `charmed_dml`: used to provide data read / write permissions to all databases.
+* `charmed_ddl`: used to provide schema modification permissions to all databases.
+* `charmed_dba`: used to provide data, schema, and system configuration permissions to all databases.
+ 
+Currently, `charmed_backup` cannot be requested through the relation as extra user roles.
+
+```text
+mysql> SELECT host, user FROM mysql.user;
++-----------+------------------+
+| host      | user             |
++-----------+------------------+
+| ...       | ...              |
+| %         | charmed_backup   |
+| %         | charmed_dba      |
+| %         | charmed_ddl      |
+| %         | charmed_dml      |
+| %         | charmed_read     |
+| %         | charmed_stats    |
+| ...       | ...              |
++-----------+------------------+
+```
+
+Additionally, the role `charmed_router` is available to ease the integration with [Charmed MySQL Router](https://charmhub.io/mysql-router).
+This role contains all the necessary permissions for a MySQL Router relation user to operate.
+
+## Charmed MySQL database-level roles
+
+Charmed MySQL also introduces database level roles, with permissions tied to each database that's created.
+Example for a database named `test`:
+
+```text
+mysql> SELECT host, user FROM mysql.user WHERE user LIKE '%_test';
++-----------+------------------+
+| host      | user             |
++-----------+------------------+
+| %         | charmed_dba_test |
++-----------+------------------+
+```
+
+The `charmed_dba_<database>` role contains every data and schema related permission, scoped to the database it references.
