website/docs: docs about initial perms (#14263)
* basic procedural steps
* more questions, more typos
* more typos
* tweaks
* more content, new links
* fixed link
* tweak
* fix things
* more fixes
* yet more fixes
* Apply suggestions from code review

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/users-sources/access-control/initial_permissions.mdx

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* dewi's edits
* dominic's edits
* gergo edits and more dominic edits
* one more
* yet one more fix
* final gergo observation
* tweak

---------

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tana@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Committed by: Marcelo Elizeche Landó
Parent: 2244e026c2
Commit: 0f02985b0c

@ -0,0 +1,66 @@
---
title: "Initial permissions"
description: "Set permissions for object creation."
authentik_version: "2025.4.0"
authentik_preview: true
---

Initial permissions automatically assigns [object-level permissions](./permissions.md#object-permissions) between a newly created object and its creator.

The purpose of initial permissions is to assign a specific user (or role) a set of pre-selected permissions that are required for them to accomplish their tasks.

An authentik Admin creates an initial permissions object (a set of selected permissions) and then associates it with either: 1. An individual user. 2. A role - in which case everyone in a group with that role will have the same initial permissions.

## Common use cases

Imagine you have a new team tasked with creating [flows](../../add-secure-apps/flows-stages/flow/index.md) and [stages](../../add-secure-apps/flows-stages/stages/index.md). These team members need the ability to view and manage all the flow and stage objects created by other team members. However, they should not have permissions to perform any other actions within the Admin interface.

In the example use case above, the specific objects that the users or role create and manage could be any object. For example, you might have a team responsible for creating new users and managing those user objects, but they should not be able to create flows, blueprints, or brands.

## High-level workflow

The fundamental steps to implement initial permissions are as follows:

1. Create a role. Initial permissions will be assigned whenever a user with this role creates a new object.
2. Create a group, and assign the new role to it, and add any members that you want to use the initial permissions set. You can also create new users later, and add them to the group.
3. Create an initial permissions object, and add all needed permissions to it.
4. Optionally, create additional users and add them to the group to which the role is assigned.

Because the new initial permissions object is coupled with the role (and that role is assigned to a group), the initial permissions object is applied automatically to any new objects (users or flows or any object) that the member user creates.

:::info
Typically, initial permissions are assigned to a user or role that is not a super-user nor administrator. In this scenario, the administrator needs to verify that the user has the `Can view Admin interface` permission (which allows the user to access the Admin interface). For details, see Step 5 below.

Be aware that any rights beyond viewing the Admin interface will need to be assigned as well; for example, if you want a non-administrator user to be able to create flows in the Admin interface, you need to grant those global permissions to add flows.
:::

## Create and implement initial permissions

To create a new set of initial permissions and apply them to either a single user or a role (and every user with that role), follow these steps:

1. Log in to authentik as an administrator, and open the authentik Admin interface.

2. [Create a new role](../roles/manage_roles.md): navigate to **Directory** > **Roles** and click **Create**.

3. [Create a new group](../groups/manage_groups.mdx): navigate to **Directory** > **Groups** and click **Create**. After creating the group:

- [assign the new role to the group](../groups/manage_groups.mdx#assign-a-role-to-a-group)
- [add any members](../user/user_basic_operations.md#add-a-user-to-a-group) that require the initial permissions. You can add already existing users, or [create new users](../user/user_basic_operations.md#create-a-user).

4. Create an initial permissions object: navigate to **Directory** > **Initial Permissions** and click **Create**. Configure the following settings:

- **Name**: Provide a descriptive name for the new initial permissions object.

- **Role**: Select the role to which you want to apply initial permissions. When a member of a group with this assigned role creates an object, initial permissions will be applied to that object.

- **Mode**: select whether you want to attach the initial permission to a _role_ or to a _single user_.

- **Role**: select this to allow everyone with that role (i.e. everyone in a group to which this role is assigned) to be able to see each others' objects.

- **User**: select this to apply the initial permissions _only_ to a user

- **Permissions**: select all permissions to add to the initial permissions object.

5. To ensure that the user or role (whichever you selected in the **Mode** configuration step above) to whom you assign the initial permissions _also_ has access to the Admin interface, check to see if the users also need [the global permission `Can view admin interface`](./manage_permissions#assign-can-view-admin-interface-permissions). Furthermore, verify that the user(s) has the global permissions to add specific objects.

6. Optionally, create new users and add them to the group. Each new user added to the group will automatically have the set of permissions included within the initial permissions object.
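Review bot: the field list under step 4 is internally inconsistent and needs reordering so that **Mode** comes first and the selector it controls follows it. As written, **Role** appears as a standalone field before **Mode**, then again as a sub-option of **Mode**, and the **User** mode names no field for picking the user, so a reader cannot tell whether one selector or two are involved. Two cross-references in the same file also need fixing: the `:::info` block says "see Step 5 below" while the list it sits under has only four steps (step 5 is in the next section), and `./manage_permissions#assign-can-view-admin-interface-permissions` is the only relative link on the page without the `.md` extension that every other link uses (`./permissions.md#object-permissions`, `../roles/manage_roles.md`). Finally, step 6 says a user added to the group "will automatically have the set of permissions included within the initial permissions object"; the rest of the page says those permissions are attached to objects the user creates, not granted to the user up front, so rephrase to match. Since the **Role** mode lets every member of the role act on every other member's new objects, state that plainly under **Role** (as the intro paragraph does) rather than only "see each others' objects", so that an admin picking the mode understands how far the grant reaches.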
@ -3,7 +3,9 @@ title: "Manage permissions"
description: "Learn how to use global and object permissions in authentik."
---

Refer to the following topics for instructions to view and manage permissions. To learn more about the concepts and fundamanetals of authentik permissions, refer to [About Permissions](./permissions.md).
For instructions on viewing and managing permissions, see the following topics.To learn more about the concepts and fundamentals of authentik permissions, refer to [About Permissions](./permissions.md).

To learn about using Initial Permissions, a pre-defined set of permissions, refer to our [documentation](./initial_permissions.mdx).

## View permissions

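Review bot: the replacement sentence is missing a space after the first period: `topics.To learn more` should read `topics. To learn more`. While touching that line, the new "To learn about using Initial Permissions" sentence links with the generic text "documentation"; linking the words "Initial Permissions" themselves reads better and matches how the rest of this page links to [About Permissions](./permissions.md).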
@ -30,7 +32,7 @@ To view _object_ permissions for a specific user or role:

### View stage permissions

\_These instructions apply to all objects that **do not** have a detail page.\_\_
_These instructions apply to all objects that **do not** have a detail page._

1. Go to the Admin interface and navigate to **Flows and Stages -> Stages**.
2. On the row for the specific stage whose permissions you want to view, click the **lock icon**.
@ -68,14 +70,30 @@ To assign or remove _global_ permissions for a user:
6. In the **Assign permission to user** box, click the plus sign (**+**) and then click the checkbox beside each permission that you want to assign to the user. To remove permissions, deselect the checkbox.
7. Click **Add**, and then click **Assign** to save your changes and close the box.

### Assign or remove permissions on a specific group
### Assign `Can view Admin interface` permissions

You can grant regular users, who are not superusers nor Admins, the right to view the Admin interface. This can be useful in scenarios where you have a team who needs to be able to create certain objects (flows, other users, etc) but who should not have full access to the Admin interface.

To assign the `Can view Admin interface` permission to a user (follow the same steps for a role):

1. Go to the Admin interface and navigate to **Directory -> User**.
2. Select a specific user the clicking on the user's name.
3. Click the **Permissions** tab at the top of the page.
4. Click **Assigned Global Permissions** to the left.
5. In the **Assign permissions** area, click **Assign Permission**.
6. In the **Assign permission to user** box, click the plus sign (**+**), enter `admin` in the Search field and click the search icon.
7. Select the returned permission, click **Add**, and then click **Assign** to save your changes and close the box.

Be aware that any rights beyond viewing the Admin interface will need to be assigned as well; for example, if you want a non-administrator user to be able to create flows in the Admin interface, you need to grant those global permissions to add flows.

### Assign or remove object permissions on a group

:::info
Note that groups themselves do not have permissions. Rather, users and roles have permissions assigned that allow them to create, modify, delete, etc., a group.
Also there are no global permissions for groups.
:::

To assign or remove _object_ permissions on a specific group by users and roles:
To assign or remove _object_ permissions on a specific group for users and roles:

1. Go to the Admin interface and navigate to **Directory -> Groups**.
2. Select a specific group by clicking the group's name.
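Review bot: step 2 of the new procedure has a typo ("Select a specific user the clicking on the user's name" should be "by clicking"), and step 1 navigates to **Directory -> User** while the group procedure further down uses **Directory -> Groups**; check the real menu label (most likely **Users**). The lead-in says to "follow the same steps for a role", but every step is user-specific (the **Directory -> User** path, the **Assign permission to user** dialog), so either spell out the role path or drop the parenthetical. Renaming the heading from "Assign or remove permissions on a specific group" to "Assign or remove object permissions on a group" changes its anchor; the manage_groups.mdx hunk in this commit updates one link, but any other page that links to `#assign-or-remove-permissions-on-a-specific-group` will silently break, so grep the docs tree for the old anchor before merging. The closing "Be aware that any rights beyond viewing the Admin interface..." paragraph is copied verbatim from initial_permissions.mdx; keeping it in one place and linking from the other avoids the two drifting apart.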
@ -18,6 +18,8 @@ There are two main types of permissions in authentik:
- [**Global permissions**](#global-permissions)
- [**Object permissions**](#object-permissions)

Additionally, authentik employs _initial permissions_ to streamline the process of granting object-level permissions when an object (user or role) is created. This feature enables an Admin to proactively assign specific rights to a user for object creation, as well as for viewing and managing those objects and other objects created by individuals in the same role. For more details, refer to [Initial permissions](./initial_permissions.mdx).

### Global permissions

Global permissions define who can do what on a global level across the entire system. Some examples in authentik are the ability to add new [flows](../../add-secure-apps/flows-stages/flow/index.md) or to create a URL for users to recover their login credentials.
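Review bot: the added paragraph describes the feature incorrectly in two places. "when an object (user or role) is created" reverses the relationship: per initial_permissions.mdx in this same commit, initial permissions are applied when a user holding the role creates any object (a flow, a stage, another user), not when a user or role object is created. And "assign specific rights to a user for object creation" implies the feature grants the right to create, whereas the new page states that the global permissions to add objects must be granted separately. Suggested wording: "Additionally, authentik employs _initial permissions_ to automatically grant object-level permissions on a newly created object to the user who created it, or to everyone holding the creator's role."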
@ -31,7 +31,7 @@ Starting with authentik version 2025.2, the permission to change super-user stat

To [add or remove users](../user/user_basic_operations.md#add-a-user-to-a-group) from the group, or to manage permissions assigned to the group, click on the name of the group to go to the group's detail page and then click on the **Permissions** tab.

For more information about permissions, refer to [Assign or remove permissions for a specific group](../access-control/manage_permissions.md#assign-or-remove-permissions-on-a-specific-group).
For more information about permissions, refer to [Assign or remove permissions for a specific group](../access-control/manage_permissions.md#assign-or-remove-object-permissions-on-a-group).

## Delete a group

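Review bot: the link target is updated but the link text is not: it still reads "Assign or remove permissions for a specific group" while the heading it now points to is "Assign or remove object permissions on a group". Update the text to match the new heading so readers can find the section they land on.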
@ -47,7 +47,7 @@ You can assign a role to a group, and then all users in the group inherit the pe

## Delegating group member management:ak-version[2024.4]

To give a specific Role or User the ability to manage group members, the following permissions need to be granted on the matching Group object:
To give a specific role or user the ability to manage group members, the following permissions need to be granted on the matching group object:

- Can view group
- Can add user to group
@ -495,6 +495,7 @@ export default {
items: [
"users-sources/access-control/permissions",
"users-sources/access-control/manage_permissions",
"users-sources/access-control/initial_permissions",
],
},
{