MM-68216 - add docs about team scoped channels abac

[pvev]

Summary

This PR adds documentation for the team-level channel membership policies feature introduced as part of the ABAC phase 2 work. It covers how Team Admins create and manage attribute-based access policies for private channels within their team from Team Settings, including the new manage_team_access_rules permission. Existing ABAC and roles docs are updated to reflect the new three-tier hierarchy and cross-link to the new page.

Ticket Link

https://mattermost.atlassian.net/browse/MM-68216

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 7b48897

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds documentation and permissions for a new team-level ABAC feature enabling Team Admins to create and manage attribute-based membership policies for private channels within their team; updates ABAC overview, team settings and role docs, and introduces the manage_team_access_rules permission.

Changes

Cohort / File(s)	Summary
Team-Level ABAC Policies Documentation source/administration-guide/manage/admin/abac-team-channel-policies.rst, source/administration-guide/manage/admin/attribute-based-access-control.rst, source/administration-guide/manage/admin/abac-channel-access-rules.rst	Added a new admin page for team-scoped channel membership policies; updated ABAC overview to include "Team-level channel policies"; appended cross-reference in channel-access guidance to the new team-level docs.
Permission and Role Infrastructure source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst	Introduced built-in permission manage_team_access_rules (scope: team) and granted it to the team_admin role by default.
End-User Documentation source/end-user-guide/collaborate/learn-about-roles.rst, source/end-user-guide/collaborate/team-settings.rst	Added Team Admin privilege text describing team-level ABAC management and a Membership Policies section/tab in Team settings referencing the new team-level policy docs.

Sequence Diagram(s)

sequenceDiagram
  participant TeamAdmin as Team Admin
  participant UI as Team Settings UI
  participant AppServer as Application Server
  participant PolicyStore as Policy Store
  participant SyncJob as Membership Sync Job
  participant SystemPolicy as System-wide Policy Engine

  TeamAdmin->>UI: Open Membership Policies tab
  UI->>AppServer: Request team policies (check ABAC enabled + permission)
  AppServer->>PolicyStore: Fetch team policies for team
  PolicyStore-->>AppServer: Return policies
  AppServer-->>UI: Render policies list

  TeamAdmin->>UI: Create/Edit policy + assign private channels
  UI->>AppServer: Submit policy (validate permission)
  AppServer->>SystemPolicy: Validate no conflict with system-wide policies
  SystemPolicy-->>AppServer: Validation result
  AppServer->>PolicyStore: Save policy and channel assignments
  PolicyStore-->>AppServer: Ack
  AppServer-->>UI: Confirm save

  AppServer->>SyncJob: Trigger immediate sync for affected channels
  SyncJob->>PolicyStore: Read applicable system + team policies
  SyncJob->>PolicyStore: Evaluate membership changes (apply auto-add, removals)
  SyncJob-->>AppServer: Sync complete
  AppServer-->>UI: Notify TeamAdmin of completion

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• MM-66625 - drop EnableChannelScopeAccessControl config #8856: Updates ABAC channel access rules documentation and prerequisites; overlaps content and wording changes for ABAC visibility and prerequisites.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding documentation for team-scoped ABAC channel policies, which aligns with all file modifications.
Description check	✅ Passed	The description is directly related to the changeset, providing context about the ABAC phase 2 feature, team-level policies, and documentation updates across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch MM-68216-add-team-settings-abac-channels-scope-access-docs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 79b2d9d

[isacikgoz]

Looks good overall but one correction is needed. Also one thing to confirm.

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 8e41512

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 2add867

[isacikgoz]

Looks good, just one correction needed, since it's a small one approving and leaving to you to fix before merge.

[isacikgoz]

I think this also needs to be updated, they are seeing what a regular team admin can see.

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 77998b0

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 66c1791

[esethna]

This is a nice doc @pvev :)

[esethna]

Same note about rebasing to the right docs branch. If this is v11.7 the branch will be cut in the next few days @pvev

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 9690760

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA b280c27