diff --git a/TOC-tidb-cloud-essential.md b/TOC-tidb-cloud-essential.md index b20037c226b92..c258d22abd8f0 100644 --- a/TOC-tidb-cloud-essential.md +++ b/TOC-tidb-cloud-essential.md @@ -29,6 +29,7 @@ ## GUIDES - [Select Your Plan](/tidb-cloud/select-cluster-tier.md) +- [Manage TiDB Cloud Resources and Projects](/tidb-cloud/manage-projects-and-resources.md) - Manage {{{ .essential }}} Instances - [Create a {{{ .essential }}} Instance](/tidb-cloud/create-tidb-cluster-serverless.md) - Connect to Your {{{ .essential }}} Instance diff --git a/TOC-tidb-cloud-premium.md b/TOC-tidb-cloud-premium.md index b5694ea84b962..a04905a36d823 100644 --- a/TOC-tidb-cloud-premium.md +++ b/TOC-tidb-cloud-premium.md @@ -125,6 +125,7 @@ ## GUIDES - [Select Your Plan](/tidb-cloud/select-cluster-tier.md) +- [Manage TiDB Cloud Resources and Projects](/tidb-cloud/manage-projects-and-resources.md) - Manage {{{ .premium }}} Instances - [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) - Connect to Your {{{ .premium }}} Instance diff --git a/TOC-tidb-cloud-starter.md b/TOC-tidb-cloud-starter.md index 0e7050aa27d1b..eb17eb80429e0 100644 --- a/TOC-tidb-cloud-starter.md +++ b/TOC-tidb-cloud-starter.md @@ -31,6 +31,7 @@ ## GUIDES - [Select Your Plan](/tidb-cloud/select-cluster-tier.md) +- [Manage TiDB Cloud Resources and Projects](/tidb-cloud/manage-projects-and-resources.md) - Manage {{{ .starter }}} Instances - [Create a {{{ .starter }}} Instance](/tidb-cloud/create-tidb-cluster-serverless.md) - Connect to Your {{{ .starter }}} Instance diff --git a/TOC-tidb-cloud.md b/TOC-tidb-cloud.md index ea087cbceca74..20bacdc5fa4de 100644 --- a/TOC-tidb-cloud.md +++ b/TOC-tidb-cloud.md 
@@ -30,11 +30,12 @@ ## GUIDES -- Manage Cluster - - Plan Your Cluster - - [Select Your Plan](/tidb-cloud/select-cluster-tier.md) - - [Determine Your TiDB Size](/tidb-cloud/size-your-cluster.md) - - [TiDB Cloud Performance Reference](/tidb-cloud/tidb-cloud-performance-reference.md) +- Plan Your Cluster + - [Select Your Plan](/tidb-cloud/select-cluster-tier.md) + - [Determine Your TiDB Size](/tidb-cloud/size-your-cluster.md) + - [TiDB Cloud Performance Reference](/tidb-cloud/tidb-cloud-performance-reference.md) +- [Manage TiDB Cloud Resources and Projects](/tidb-cloud/manage-projects-and-resources.md) +- Manage {{{ .dedicated }}} Clusters - [Create a TiDB Cloud Dedicated Cluster](/tidb-cloud/create-tidb-cluster.md) - Connect to Your TiDB Cloud Dedicated Cluster - [Network Connection Overview](/tidb-cloud/connect-to-tidb-cluster.md) diff --git a/develop/dev-guide-build-cluster-in-cloud.md b/develop/dev-guide-build-cluster-in-cloud.md index 9a4a4afe246b5..6d987904240a1 100644 --- a/develop/dev-guide-build-cluster-in-cloud.md +++ b/develop/dev-guide-build-cluster-in-cloud.md @@ -20,7 +20,7 @@ If you need to run TiDB on your local machine, see [Starting TiDB Locally](/quic 3. On the [**My TiDB**](https://tidbcloud.com/tidbs) page, click **Create Resource**. -4. On the **Create** page, **Starter** is selected by default. Enter a name for your {{{ .starter }}} instance, and then select the region where you want to create it. +4. On the **Create Resource** page, **Starter** is selected by default. Enter a name for your {{{ .starter }}} instance, and then select the cloud provider and region where you want to create it. 5. Click **Create** to create a {{{ .starter }}} instance. diff --git a/tidb-cloud/create-tidb-cluster-serverless.md b/tidb-cloud/create-tidb-cluster-serverless.md index 14f3fae51b53b..11344a0267b0a 100644 --- a/tidb-cloud/create-tidb-cluster-serverless.md +++ b/tidb-cloud/create-tidb-cluster-serverless.md 
@@ -46,9 +46,9 @@ If you are in the `Organization Owner` or the `Project Owner` role, you can crea You can start with a **Starter** instance and later upgrade to an **Essential** instance as your needs grow. For more information, see [Select a Plan](/tidb-cloud/select-cluster-tier.md). -4. Choose a cloud provider and a region where you want to host your instance. +4. Enter a name for your instance, and then choose a cloud provider and a region where you want to host your instance. -5. Update the default instance name if necessary. +5. (Optional) To group this instance in a project for management, click **Group Your Instance in a Project**, and then select the target project for the instance. If there is no project in your organization, you can create one by clicking **Create a Project**. 6. Update the capacity of the instance. diff --git a/tidb-cloud/create-tidb-cluster.md b/tidb-cloud/create-tidb-cluster.md index c369bedea0f41..37b24bc2468ec 100644 --- a/tidb-cloud/create-tidb-cluster.md +++ b/tidb-cloud/create-tidb-cluster.md 
@@ -20,24 +20,7 @@ If you do not have a TiDB Cloud account, click [here](https://tidbcloud.com/sign - For Azure Marketplace users, you can also sign up through Azure Marketplace. To do that, search for `TiDB Cloud` in [Azure Marketplace](https://azuremarketplace.microsoft.com), subscribe to TiDB Cloud, and then follow the onscreen instructions to set up your TiDB Cloud account. - For Google Cloud Marketplace users, you can also sign up through Google Cloud Marketplace. To do that, search for `TiDB Cloud` in [Google Cloud Marketplace](https://console.cloud.google.com/marketplace), subscribe to TiDB Cloud, and then follow the onscreen instructions to set up your TiDB Cloud account. -## (Optional) Step 1. Use your default project or create a new project - -Once you log in to the [TiDB Cloud console](https://tidbcloud.com/), you have a default [project](/tidb-cloud/tidb-cloud-glossary.md#project). When there is only one project in your organization, your TiDB Cloud Dedicated cluster will be created in that project. For more information about projects, see [Organizations and projects](/tidb-cloud/manage-user-access.md#organizations-and-projects). - -If you are an organization owner, you can rename the default project or create a new project for the TiDB Cloud Dedicated cluster according to your need as follows: - -1. In the [TiDB Cloud console](https://tidbcloud.com/), click the combo box in the upper-left corner. Your default organization and project are displayed. - -2. Click the name of your organization, and then click **Projects** in the left navigation pane. - -3. On the **Projects** page, do one of the following: - - - To rename the default project, click **...** > **Rename** in the **Actions** column. - - To create a project, click **Create New Project**, enter a name for your project, and then click **Confirm**. - -4. To go to the cluster list page of your project, click the project name on the **Projects** page. - -## Step 2. 
Create a TiDB Cloud Dedicated cluster +## Step 1. Create a TiDB Cloud Dedicated cluster If you are in the `Organization Owner` or the `Project Owner` role, you can create a TiDB Cloud Dedicated cluster as follows: @@ -49,9 +32,11 @@ If you are in the `Organization Owner` or the `Project Owner` role, you can crea 2. Click **Create Resource**. -3. On the **Create** page, select **Dedicated**, and then configure the cluster information as follows: +3. On the **Create Resource** page, select **Dedicated**, and then configure the cluster information as follows: - 1. Choose a cloud provider and a region. + 1. Select a project for your TiDB Cloud Dedicated cluster. If there is no project in your organization, you can create one by clicking **Create a Project**. + 2. Enter a name for your TiDB Cloud Dedicated cluster. + 3. Choose a cloud provider and a region. > **Note:** 
> @@ -60,9 +45,9 @@ If you are in the `Organization Owner` or the `Project Owner` role, you can crea > - If you signed up for TiDB Cloud through [Azure Marketplace](https://azuremarketplace.microsoft.com), the cloud provider is Azure Cloud, and you cannot change it in TiDB Cloud. > - If you signed up for TiDB Cloud through [Google Cloud Marketplace](https://console.cloud.google.com/marketplace), the cloud provider is Google Cloud, and you cannot change it in TiDB Cloud. - 2. Configure the [cluster size](/tidb-cloud/size-your-cluster.md) for TiDB, TiKV, and TiFlash (optional) respectively. - 3. Update the default cluster name and port number if necessary. - 4. If CIDR has not been configured for this region, you need to set the CIDR. If you do not see the **Project CIDR** field, it means that CIDR has already been configured for this region. + 4. Configure the [cluster size](/tidb-cloud/size-your-cluster.md) for TiDB, TiKV, and TiFlash (optional) respectively. + 5. Update the default port number if necessary. + 6. If CIDR has not been configured for this region, you need to set the CIDR. If you do not see the **Project CIDR** field, it means that CIDR has already been configured for this region. > **Note:** > @@ -85,7 +70,7 @@ If you are in the `Organization Owner` or the `Project Owner` role, you can crea > > The cluster creation time can vary by region and might take longer than 30 minutes. If the process takes significantly longer than expected, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). -## Step 3. Set the root password +## Step 2. Set the root password After your TiDB Cloud Dedicated cluster is created, take the following steps to set the root password: diff --git a/tidb-cloud/data-service-api-key.md b/tidb-cloud/data-service-api-key.md index 7e982061e5722..0d7a1b0d519c2 100644 --- a/tidb-cloud/data-service-api-key.md +++ b/tidb-cloud/data-service-api-key.md 
@@ -86,6 +86,11 @@ The following sections describe how to create, edit, delete, and expire API keys To create an API key for a Data App, perform the following steps: 1. Navigate to the [**Data Service**](https://tidbcloud.com/project/data-service) page of your project. + + > **Tip:** + > + > If you have multiple projects, to navigate to the **Data Service** page of your target project, click the **Project view** tab on the [**My TiDB**](https://tidbcloud.com/tidbs) page, click ... for your target project, and then click **Data Service**. + 2. In the left pane, click the name of your target Data App to view its details. 3. In the **Authentication** area, click **Create API Key**. 4. In the **Create API Key** dialog box, do the following: diff --git a/tidb-cloud/data-service-get-started.md b/tidb-cloud/data-service-get-started.md index 330f80eba402c..a5a9298963fe5 100644 --- a/tidb-cloud/data-service-get-started.md +++ b/tidb-cloud/data-service-get-started.md @@ -27,7 +27,7 @@ Before creating a Data App, make sure that you have created a [{{{ .starter }}}] Creating a sample Data App is the best way to get started with Data Service. If your project does not have any Data App yet, you can follow the on-screen instructions on the **Data Service** page to create a sample Data App and use this App to explore Data Service features. -1. In the [TiDB Cloud console](https://tidbcloud.com), click **Data Service** in the left navigation pane. +1. In the [TiDB Cloud console](https://tidbcloud.com), click the **Project view** tab on the [**My TiDB**](https://tidbcloud.com/tidbs) page, click ... for your project, and then click **Data Service**. 2. On the **Data Service** page, click **Create Sample Data App**. A dialog is displayed. 
@@ -51,7 +51,7 @@ To get started with Data Service, you can also create your own Data App, and the To create a Data App, perform the following steps: -1. In the [TiDB Cloud console](https://tidbcloud.com), click **Data Service** in the left navigation pane. +1. In the [TiDB Cloud console](https://tidbcloud.com), click the **Project view** tab on the [**My TiDB**](https://tidbcloud.com/tidbs) page, click ... for your project, and then click **Data Service**. 2. On the [**Data Service**](https://tidbcloud.com/project/data-service) page of your project, click **Create DataApp** in the left pane. diff --git a/tidb-cloud/manage-projects-and-resources.md b/tidb-cloud/manage-projects-and-resources.md new file mode 100644 index 0000000000000..f3fd5a4817277 --- /dev/null +++ b/tidb-cloud/manage-projects-and-resources.md 
@@ -0,0 +1,136 @@ +--- +title: Manage TiDB Cloud Resources and Projects +summary: Learn how to manage your TiDB Cloud resources and projects on the My TiDB page. +--- + +# Manage TiDB Cloud Resources and Projects + +In the [TiDB Cloud console](https://tidbcloud.com/), you can discover, access, and manage all TiDB Cloud resources and projects within your organization on the [**My TiDB**](https://tidbcloud.com/tidbs) page. + +## What are TiDB Cloud resources and projects? + +### TiDB Cloud resources + +A TiDB Cloud resource is a deployable unit that you can manage. It can be one of the following: + +- A TiDB X instance, which is a service-oriented TiDB Cloud offering built on the [TiDB X architecture](/tidb-cloud/tidb-x-architecture.md), such as a {{{ .starter }}}, {{{ .essential }}}, or {{{ .premium }}} instance +- A {{{ .dedicated }}} cluster + +### TiDB Cloud projects + +In TiDB Cloud, you can use [projects](/tidb-cloud/tidb-cloud-glossary.md#project) to organize and manage your TiDB Cloud resources. + +- For TiDB X instances, projects are optional, which means you can either group these instances in a project or keep them at the organization level. +- For {{{ .dedicated }}} clusters, projects are required. + +## Manage TiDB Cloud resources + +This section describes how to view, create, and manage TiDB Cloud resources using the [**My TiDB**](https://tidbcloud.com/tidbs) page. + +### View TiDB Cloud resources + +By default, the [**My TiDB**](https://tidbcloud.com/tidbs) page shows the resource view, which displays all resources within your current organization that you have permission to access. + +If your organization has many instances or clusters, you can use the filters at the top of the page to quickly find what you need. + +To view detailed information about a TiDB Cloud resource, click the name of the target resource to go to its overview page. 
+ +### Create TiDB Cloud resources + +To create a TiDB Cloud resource, navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click **Create Resource**. + +For more information, see the following documents: + +- [Create a {{{ .starter }}} or Essential Instance](/tidb-cloud/create-tidb-cluster-serverless.md) +- [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) +- [Create a {{{ .dedicated }}} Cluster](/tidb-cloud/create-tidb-cluster.md) + +### Manage TiDB Cloud resources + +On the **My TiDB** page, you can click **...** in the row of the target resource to perform quick actions on a TiDB Cloud resource, such as deleting, renaming, and importing data. + +To perform more operations and manage settings of a specific TiDB Cloud resource, click the name of the target resource to go to its overview page. + +## Manage TiDB Cloud projects + +This section describes how to view, create, and manage TiDB Cloud projects using the [**My TiDB**](https://tidbcloud.com/tidbs) page. + +### View projects + +To view your TiDB Cloud resources grouped by projects, click the **Project view** tab on the [**My TiDB**](https://tidbcloud.com/tidbs) page. + +> **Tip:** +> +> If you are in multiple organizations, use the combo box in the upper-left corner to switch to your target organizations first. + +In the project view, you can see the projects you belong to in the organization: + +- TiDB X instances that do not belong to any project are displayed in a table named `Out of project`. +- TiDB X instances that belong to specific projects are displayed in their corresponding TiDB X project tables. +- TiDB Cloud Dedicated clusters are displayed in their corresponding Dedicated project tables. These tables have a **D** in the folder icon to identify the **Dedicated** project type. + +### Create a project + +> **Note:** +> +> - For free trial users, you cannot create a new project. 
+> - For TiDB X instances, creating a project is optional. For TiDB Cloud Dedicated clusters, you must use the default project or create new projects to manage them. + +If you are in the `Organization Owner` role, you can create projects in your organization. + +To create a new project, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click **Create Project**. + + > **Tip:** + > + > If you are in multiple organizations, use the combo box in the upper-left corner to switch to your target organizations first. + +2. In the displayed dialog, enter a project name. + +3. Depending on which type of TiDB Cloud resources you are creating the project for, do one of the following: + + - If the project is created for TiDB X instances, click **Confirm**. + - If the project is created for {{{ .dedicated }}} clusters, select the **Create for Dedicated Cluster** option, configure [Customer-Managed Encryption Keys (CMEK)](/tidb-cloud/tidb-cloud-encrypt-cmek-aws.md) and [maintenance window](/tidb-cloud/configure-maintenance-window.md) for the project, and then click **Confirm**. + +### Manage a project + +If you are in the `Organization Owner` or `Project Owner` role, you can manage your project. + +To manage a project, take the following steps: + +1. In the TiDB Cloud console, navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click the **Project view** tab. + + > **Tip:** + > + > If you are in multiple organizations, use the combo box in the upper-left corner to switch to your target organizations first. + +2. In the project view, locate your target project, and then manage it as follows: + + - For both TiDB X and TiDB Dedicated projects, you can click **...** in the row of the target project to perform quick actions on a project, such as renaming the project or inviting members to the project. 
For more information, see [Manage project access](/tidb-cloud/manage-user-access.md). + - For TiDB Dedicated projects, you can also click the icon in the row of the target project to manage settings, such as networking, maintenance, alert subscriptions, and encryption access, for {{{ .dedicated }}} clusters by project. + +### Move a TiDB X instance between projects + +If you are in the `Organization Owner` or `Project Owner` role, you can move a TiDB X instance to a project or out of any project. + +> **Note:** +> +> Only TiDB X instances support moving between TiDB X projects and out of any TiDB X project. TiDB Cloud Dedicated clusters do not support moving between projects. + +To move a TiDB X instance, take the following steps: + +1. In the [TiDB Cloud console](https://tidbcloud.com), navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click the **Project view** tab. + +2. In the project view, expand the project folder that contains the TiDB X instance to be moved, click **...** for the target TiDB X instance, and then click **Move**. + + > **Tip:** + > + > If the TiDB X instance is not in any project, it is displayed in the **Out of project** folder. + +3. In the displayed dialog, do one of the following: + + - To move the TiDB X instance to a project, select **To a project**, and then select the target project from the drop-down list. + - To move the TiDB X instance out of any project, select **Outside any project**. + +4. Click **Move**. \ No newline at end of file diff --git a/tidb-cloud/manage-user-access.md b/tidb-cloud/manage-user-access.md index ace1f4c75a8ba..1dcdfa6aff258 100644 --- a/tidb-cloud/manage-user-access.md +++ b/tidb-cloud/manage-user-access.md 
@@ -5,78 +5,104 @@ summary: Learn how to manage identity access in TiDB Cloud. # Identity Access Management -This document describes how to manage access to organizations, projects, roles, and user profiles in TiDB Cloud. +This document describes how to manage access to organizations, projects, resources, roles, and user profiles in TiDB Cloud. Before accessing TiDB Cloud, [create a TiDB Cloud account](https://tidbcloud.com/free-trial). You can either sign up with email and password so that you can [manage your password using TiDB Cloud](/tidb-cloud/tidb-cloud-password-authentication.md), or choose your Google, GitHub, or Microsoft account for single sign-on (SSO) to TiDB Cloud. -## Organizations and projects +## Organizations, projects, and resources -TiDB Cloud provides a hierarchical structure based on organizations and projects to facilitate the management of TiDB Cloud users and clusters. If you are an organization owner, you can create multiple projects in your organization. +TiDB Cloud uses a hierarchical structure based on organizations, projects, and resources to help you manage users and TiDB deployments. -For example: +- An organization is a top level entity (such as a company or a customer) you created to manage your TiDB Cloud accounts (including a management account with any number of multiple member accounts), [projects](#projects), and [resources](/tidb-cloud/tidb-cloud-glossary.md#tidb-cloud-resource). +- A project is a container for TiDB Cloud resources. + + - For {{{ .starter }}} and Essential instances, a project is a logical container and optional, which means you can either group these instances in a project or keep these instances at the organization level. + - For {{{ .dedicated }}} clusters, a project is infrastructure-bound and required, which means {{{ .dedicated }}} clusters must be grouped in projects for management purposes. 
+- A resource in TiDB Cloud can be either a TiDB X instance (for example, {{{ .starter }}} or {{{ .essential }}}) or a {{{ .dedicated }}} cluster. + +If you are an organization owner, you can create multiple projects in your organization. + +- For TiDB X instances, you can either group them into projects or keep them directly at the organization level. +- For TiDB Cloud Dedicated clusters, you must group them into projects. + +The following is an example of the hierarchical structure: ``` - Your organization - - Project 1 - - Cluster 1 - - Cluster 2 - - Project 2 - - Cluster 3 - - Cluster 4 - - Project 3 - - Cluster 5 - - Cluster 6 + - TiDB X instances out of any project + - {{{ .starter }}} instance 1 + - {{{ .essential }}} instance 1 + - TiDB X project 1 + - {{{ .starter }}} instance 2 + - {{{ .starter }}} instance 3 + - {{{ .essential }}} instance 2 + - TiDB Dedicated project 1 + - {{{ .dedicated }}} cluster 1 + - {{{ .dedicated }}} cluster 2 ``` Under this structure: - To access an organization, a user must be a member of that organization. - To access a project in an organization, a user must at least have the read access to the project in that organization. -- To manage clusters in a project, a user must be in the `Project Owner` role. +- To access a specific TiDB X instance, a user can be granted access through either a project role or an instance role. +- To access a TiDB Cloud Dedicated cluster, a user must have the read access to the project in which the cluster is located. For more information about user roles and permissions, see [User Roles](#user-roles). ### Organizations -An organization can contain multiple projects. +An organization can contain multiple projects and TiDB X instances that are not grouped in any project. -TiDB Cloud calculates billing at the organization level and provides the billing details for each project. +TiDB Cloud calculates billing at the organization level and provides billing details for each project and resource. 
If you are an organization owner, you have the highest permission in your organization. For example, you can do the following: - Create different projects (such as development, staging, and production) for different purposes. -- Assign different users with different organization roles and project roles. +- Assign different users with different organization roles, project roles, and instance roles. - Configure organization settings. For example, configure the time zone for your organization. ### Projects -A project can contain multiple clusters. +A project groups and manages TiDB Cloud resources. -If you are a project owner, you can manage clusters and project settings for your project. +In TiDB Cloud, there are three types of projects: -For example, you can do the following: +- **TiDB Dedicated project**: This project type is used only for {{{ .dedicated }}} clusters. It helps you manage settings for {{{ .dedicated }}} clusters separately by project, such as RBAC, networks, maintenance, alert subscriptions, and encryption access. +- **TiDB X project**: This project type is used only for TiDB X instances ({{{ .starter }}} and {{{ .essential }}}). It helps you manage RBAC for TiDB X instances by project. A TiDB X project is the default project type when you create a project on the [**My TiDB**](https://tidbcloud.com/tidbs) page. +- **TiDB X virtual project**: This project is virtual and does not provide any management capabilities. It acts as a virtual container for TiDB X instances ({{{ .starter }}} and {{{ .essential }}}) that do not belong to any project, so these instances can be accessed through the TiDB Cloud API by using a project ID. Each organization has a unique virtual project ID. You can get this ID from the project view on the [**My TiDB**](https://tidbcloud.com/tidbs) page. -- Create multiple clusters according to your business need. -- Assign different users with different project roles. -- Configure project settings. 
For example, configure different alert settings for different projects. +The following table lists the differences between these project types: + +| Feature | TiDB Dedicated Project | TiDB X Project | TiDB X Virtual Project | +|---|---|---|---| +| Project icon in the TiDB Cloud console | |
| N/A | +| Resource type in the project | {{{ .dedicated}}} clusters only | TiDB X instances only | TiDB X instances only | +| Project is optional | ❌
(Each {{{ .dedicated }}} cluster must belong to a Dedicated project) | ✅
(You can either group a TiDB X instance in a TiDB X project or keep it at the organization level) | N/A
(TiDB X instances not grouped in any TiDB X project are automatically grouped in the TiDB X virtual project) | +| Project settings | ✅ | ❌ | ❌ | +| Infrastructure binding | ✅
(Strong binding) | ❌ | ❌ | +| RBAC model | Organization -> Project | Organization -> Project -> Instance | Organization -> Project -> Instance | +| Project-level RBAC | ✅ | ✅ | ❌ | +| Project-level Billing | ✅ | ✅ | ❌ | +| Instance movement between TiDB X projects or the global scope | ❌ | ✅ | ✅
(Global only) | ## User roles -TiDB Cloud defines different user roles to manage different permissions of TiDB Cloud users in organizations, projects, or both. +TiDB Cloud defines different user roles to manage permissions at the organization, project, and instance levels. -You can grant roles to a user at the organization level or at the project level. Make sure to carefully plan the hierarchy of your organizations and projects for security considerations. +You can grant roles to a user at the organization level, the project level, or the instance level. Make sure to carefully plan the hierarchy of your organizations, projects, and resources for security considerations. ### Organization roles -At the organization level, TiDB Cloud defines four roles, in which `Organization Owner` can invite members and grant organization roles to members. +At the organization level, TiDB Cloud defines five roles, in which `Organization Owner` can invite members and grant organization roles to members. | Permission | `Organization Owner` | `Organization Billing Manager` | `Organization Billing Viewer` | `Organization Console Audit Manager` | `Organization Viewer` | |---|---|---|---|---|---| | Manage organization settings, such as projects, API keys, and time zones. | ✅ | ❌ | ❌ | ❌ | ❌ | | Invite users to or remove users from an organization, and edit organization roles of users. | ✅ | ❌ | ❌ | ❌ | ❌ | -| All the permissions of `Project Owner` for all projects in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | +| All the permissions of `Project Owner` for all projects in the organization, and all the permissions of TiDB X instance roles for all TiDB X instances in the organization. | ✅ | ❌ | ❌ | ❌ | ❌ | | Create projects with Customer-Managed Encryption Key (CMEK) enabled. | ✅ | ❌ | ❌ | ❌ | ❌ | | Edit payment information for the organization. | ✅ | ✅ | ❌ | ❌ | ❌ | | View bills and use [cost explorer](/tidb-cloud/tidb-cloud-billing.md#cost-explorer). | ✅ | ✅ | ✅ | ❌ | ❌ | 
@@ -90,13 +116,15 @@ At the organization level, TiDB Cloud defines four roles, in which `Organization ### Project roles -At the project level, TiDB Cloud defines three roles, in which `Project Owner` can invite members and grant project roles to members. +At the project level, TiDB Cloud defines four roles, in which `Project Owner` can invite members and grant project roles to members. > **Note:** > -> - `Organization Owner` has all the permissions of Project Owner for all projects so `Organization Owner` can invite project members and grant project roles to members too. -> - Each project role has all the permissions of Organization Viewer by default. +> - `Organization Owner` has all the permissions of `Project Owner` for all projects so `Organization Owner` can invite project members and grant project roles to members too. +> - Each project role has all the permissions of `Organization Viewer` by default. > - If a user in your organization does not belong to any projects, the user does not have any project permissions. +> - For both TiDB X projects and TiDB Dedicated projects, project roles control access to resources in the project. For TiDB Dedicated projects, project roles also control Dedicated-specific project settings. +> - Project roles do not apply to the TiDB X virtual project because TiDB X virtual project does not provide any management capabilities. To manage RBAC for a specific TiDB X instance that are not grouped in any TiDB X project, use [instance roles](#instance-roles). | Permission | `Project Owner` | `Project Data Access Read-Write` | `Project Data Access Read-Only` | `Project Viewer` | |---|---|---|---|---| 
@@ -104,16 +132,42 @@ At the project level, TiDB Cloud defines three roles, in which `Project Owner` c | Invite users to or remove users from a project, and edit project roles of users. | ✅ | ❌ | ❌ | ❌ | | Manage [database audit logging](/tidb-cloud/tidb-cloud-auditing.md) of the project. | ✅ | ❌ | ❌ | ❌ | | Manage [spending limit](/tidb-cloud/manage-serverless-spend-limit.md) for all {{{ .starter }}} instances in the project. | ✅ | ❌ | ❌ | ❌ | -| Manage cluster operations in the project, such as cluster creation, modification, and deletion. | ✅ | ❌ | ❌ | ❌ | +| Manage resource operations in the project, such as creating, modifying, moving, and deleting instances or clusters supported by the project type. | ✅ | ❌ | ❌ | ❌ | | Manage branches for {{{ .starter }}} and {{{ .essential }}} instances in the project, such as branch creation, connection, and deletion. | ✅ | ❌ | ❌ | ❌ | -| Manage cluster data such as data import, data backup and restore, and data migration. | ✅ | ✅ | ❌ | ❌ | +| Manage resource data such as data import, data backup and restore, and data migration. | ✅ | ✅ | ❌ | ❌ | | Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read-only operations such as using or creating endpoints to read data. | ✅ | ✅ | ✅ | ❌ | | Manage [Data Service](/tidb-cloud/data-service-overview.md) for data read and write operations. | ✅ | ✅ | ❌ | ❌ | -| View cluster data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ✅ | ❌ | -| Modify and delete cluster data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ❌ | ❌ | +| View resource data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md), if supported by the resource type. | ✅ | ✅ | ✅ | ❌ | +| Modify and delete resource data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md), if supported by the resource type. | ✅ | ✅ | ❌ | ❌ | | Manage [changefeeds](/tidb-cloud/changefeed-overview.md). 
| ✅ | ✅ | ✅ | ❌ | -| Review and reset cluster passwords. | ✅ | ❌ | ❌ | ❌ | -| View cluster overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the project. | ✅ | ✅ | ✅ | ✅ | +| Review and reset resource passwords, if supported by the resource type. | ✅ | ❌ | ❌ | ❌ | +| View resource overview, backup records, metrics, events, and [changefeeds](/tidb-cloud/changefeed-overview.md) in the project. | ✅ | ✅ | ✅ | ✅ | + +### Instance roles + +TiDB X instances support instance-level roles so that you can grant access to a single TiDB X instance without granting the same access to all resources in a project. + +> **Note:** +> +> - Instance roles apply only to {{{ .starter }}} and {{{ .essential }}}. TiDB Cloud Dedicated clusters do not support instance roles. +> - `Organization Owner` automatically has all permissions for all TiDB X instances in the organization. +> - Each instance role inherits all the permissions of the `Organization Viewer` role by default. +> - Project roles and instance roles are additive. A user can inherit access from a project role and also have a more specific role on an individual instance. + +| Permission | `Instance Manager` | `TiDB X Instance Data Access Read-Write` | `TiDB X Instance Data Access Read-Only` | `TiDB X Instance Viewer` | +|---|---|---|---|---| +| Manage instance operations, such as instance creation, modification, and deletion. | ✅ | ❌ | ❌ | ❌ | +| View and modify instance data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ❌ | ❌ | +| View instance data using [SQL Editor](/tidb-cloud/explore-data-with-chat2query.md). | ✅ | ✅ | ✅ | ❌ | +| Manage instance-scoped roles. | ✅ | ❌ | ❌ | ❌ | +| View backup records of the TiDB X instance. | ✅ | ❌ | ❌ | ✅ | +| Restore the TiDB X instance from backups. | ✅ | ❌ | ❌ | ❌ | +| View instance overview. | ✅ | ❌ | ❌ | ✅ | +| View network settings. | ✅ | ❌ | ❌ | ✅ | +| View monitor and metrics. 
| ✅ | ❌ | ❌ | ✅ | +| View alerts. | ✅ | ❌ | ❌ | ✅ | + +Use project roles when you want to manage all resources in a project, and use instance roles when you want to grant access only to a specific TiDB X instance. ## Manage organization access 
@@ -144,32 +198,34 @@ To change the local timezone setting, take the following steps: 4. Click **Update**. -### Invite an organization member +### Invite a user to your organization If you are in the `Organization Owner` role, you can invite users to your organization. > **Note:** > -> You can also [invite a user to your project](#invite-a-project-member) directly according to your need, which also makes the user your organization member. +> You can also [invite a user to your project](#invite-a-project-member) or [grant a user access to a TiDB X instance](#grant-access-to-a-tidb-x-instance) directly according to your need, which also makes the user your organization member. -To invite a member to an organization, take the following steps: +To invite a user to your organization, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Organization** tab. +3. On the **Users** page, click **Invite User** in the upper-right corner. -4. Click **Invite**. - -5. Enter the email address of the user to be invited, and then select an organization role for the user. +4. Enter the email address of the user to be invited. > **Tip:** > - > - If you want to invite multiple members at one time, you can enter multiple email addresses. - > - The invited user does not belong to any projects by default. To invite a user to a project, see [Invite a project member](#invite-a-project-member). + > If you want to invite multiple members at one time, you can enter multiple email addresses. -6. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +5. (Optional) The invited user does not have any project or instance permissions by default. 
To grant project or instance roles to the user, do the following: + + - To grant project-level access to the user, click **Add Roles and Select Project**, and then grant roles and select the target projects for the user. + - To grant access to a specific TiDB X instance to the user, click **Add Roles and Select Instance**, and then grant roles and select the target TiDB X instance for the user. + +6. Click **Invite**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. 7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. @@ -179,20 +235,6 @@ To invite a member to an organization, take the following steps: > > The verification link in the email expires in 24 hours. If the user you want to invite does not receive the email, click **Resend**. -### Modify organization roles - -If you are in the `Organization Owner` role, you can modify organization roles of all members in your organization. - -To modify the organization role of a member, take the following steps: - -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. - -2. In the left navigation pane, click **Organization Settings** > **Users**. - -3. On the **Users** page, click the **By Organization** tab. - -4. Click the role of the target member, and then modify the role. - ### Remove an organization member If you are in the `Organization Owner` role, you can remove organization members from your organization. 
@@ -201,128 +243,144 @@ To remove a member from an organization, take the following steps: > **Note:** > -> If a member is removed from an organization, the member is removed from the belonged projects either. +> If a member is removed from an organization, the member is also removed from all projects and loses all instance access in the organization. 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Organization** tab. +3. On the **Users** page, locate the row of the target member, click **...** in the row, and then click **Delete**. -4. In the row of the target member, click **...** > **Delete**. +4. In the confirmation dialog, click **Delete**. ## Manage project access -### View and switch between projects +This section describes how to rename a project and how to invite and remove project members. To learn how to create or manage a project, see [Manage projects](/tidb-cloud/manage-projects-and-resources.md#manage-projects). -To view and switch between projects, take the following steps: +### Rename a project -1. In the [TiDB Cloud console](https://tidbcloud.com), click the combo box in the upper-left corner. The list of organizations and projects you belong to is displayed. +If you are in the `Organization Owner` role, you can rename any projects in your organization. If you are in the `Project Owner` role, you can rename your project. + +To rename a project, take the following steps: + +1. In the TiDB Cloud console, navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click the **Project view** tab. 
> **Tip:** > - > - If you are currently on the page of a specific TiDB Cloud resource, after clicking the combo box in the upper-left corner, you also need to click ← in the combo box to return to the organization and project list. - > - If you are a member of multiple projects, you can click the target project name in the combo box to switch between projects. + > If you are in multiple organizations, use the combo box in the upper-left corner to switch to your target organizations first. + +2. In the project view, locate the table of your target project, click **...** in the upper-right corner of the table, and then click **Rename**. -2. To view the detailed information of your project, click the project name, and then click **Project Settings** in the left navigation pane. +3. Enter a new project name. -### Create a project +4. Click **Confirm**. + +### Invite a project member + +If you are in the `Organization Owner` or `Project Owner` role, you can invite members to your projects. > **Note:** > -> For free trial users, you cannot create a new project. +> When a user not in your organization joins your project, the user automatically joins your organization as well. -If you are in the `Organization Owner` role, you can create projects in your organization. +To invite a member to a project, take the following steps: -To create a new project, take the following steps: +1. In the TiDB Cloud console, navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click the icon to go to the project view. -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. + > **Tip:** + > + > If you are in multiple organizations, use the combo box in the upper-left corner to switch to your target organizations first. -2. In the left navigation pane, click **Projects**. +2. 
In the project view, locate the table of your target project, click **...** in the upper-right corner of the table, and then click **Invite**. -3. On the **Projects** page, click **Create New Project**. +3. In the displayed dialog, enter the email address of the user to be invited, and then select a project role for the user. -4. Enter your project name. + > **Tip:** + > + > If you want to invite multiple members at one time, you can enter multiple email addresses. -5. Click **Confirm**. +4. Click **Confirm**. Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. -### Rename a project +5. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. -If you are in the `Organization Owner` role, you can rename any projects in your organization. If you are in the `Project Owner` role, you can rename your project. +6. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the project automatically. -To rename a project, take the following steps: +> **Note:** +> +> The verification link in the email will expire in 24 hours. If your user doesn't receive the email, click **Resend**. + +### Remove project access for a user + +If you are in the `Organization Owner` or `Project Owner` role, you can remove project members. + +To remove a member from a project, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. -2. In the left navigation pane, click **Projects**. +2. In the left navigation pane, click **Organization Settings** > **Users**. -3. 
In the row of your project to be renamed, click **...** > **Rename**. +3. On the **Users** page, locate the row of the target member, click **...** in the row, and then click **Edit Role**. -4. Enter a new project name. +4. On the **Edit Role** dialog, locate the target project, and then click the icon. -5. Click **Confirm**. +5. Click **Save**. -### Invite a project member +## Manage instance access -If you are in the `Organization Owner` or `Project Owner` role, you can invite members to your projects. +### Grant access to a TiDB X instance {#grant-access-to-a-tidb-x-instance} + +If you are in the `Organization Owner` or `Project Owner` role, you can grant an instance role for a specific TiDB X instance to a user. > **Note:** > -> When a user not in your organization joins your project, the user automatically joins your organization as well. +> Instance access applies only to TiDB X instances. -To invite a member to a project, take the following steps: +To grant access to a TiDB X instance, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. - -4. Click **Invite**. - -5. Enter the email address of the user to be invited, and then select a project role for the user. +3. On the **Users** page, locate the row of the target member, click **...** in the row, and then click **Edit Role**. > **Tip:** > - > If you want to invite multiple members at one time, you can enter multiple email addresses. + > If the user is not in your organization yet, click **Invite User** in the upper-right corner, and follow the steps in [Invite a user to your organization](#invite-a-user-to-your-organization) to grant the instance role to the user. -6. Click **Confirm**. 
Then the new user is successfully added into the user list. At the same time, an email is sent to the invited email address with a verification link. +4. On the **Edit Role** page, click **Add Role and Select Instance** in the **Instance access** section, and then grant roles and select the target TiDB X instance for the user. -7. After receiving this email, the user needs to click the link in the email to verify the identity, and a new page shows. - -8. If the invited email address has not been signed up for a TiDB Cloud account, the user is directed to the sign-up page to create an account. If the email address has been signed up for a TiDB Cloud account, the user is directed to the sign-in page. After sign-in, the account joins the project automatically. +5. Click **Save**. -> **Note:** -> -> The verification link in the email will expire in 24 hours. If your user doesn't receive the email, click **Resend**. +### Remove instance access for a user -### Modify project roles +If you are in the `Organization Owner` or `Project Owner` role, you can remove instance access for a user. -If you are in the `Organization Owner` role, you can modify project roles of all project members in your organization. If you are in the `Project Owner` role, you can modify project roles of all members in your project. - -To modify the project role of a member, take the following steps: +To remove instance access for a user, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. +3. On the **Users** page, locate the row of the target member, click **...** in the row, and then click **Edit Role**. -4. 
In the row of the target member, click the role in the **Role** column, and then choose a new role from the drop-down list. +4. On the **Edit Role** dialog, locate the target instance, and then click the icon. -### Remove a project member +5. Click **Save**. -If you are in the `Organization Owner` or `Project Owner` role, you can remove project members. +## Modify roles of a user -To remove a member from a project, take the following steps: +To modify a role of a user in TiDB Cloud, take the following steps: 1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. 2. In the left navigation pane, click **Organization Settings** > **Users**. -3. On the **Users** page, click the **By Project** tab, and then choose your project in the drop-down list. +3. On the **Users** page, locate the row of the target user, click **...** in the row, and then click **Edit Role**. + + - If you are in the `Organization Owner` role, you can modify organization roles, project roles, and instance roles of the target user. + - If you are in the `Project Owner` role, you can modify project roles and instance roles of the target user. -4. In the row of the target member, click **...** > **Delete**. +4. Click **Save**. ## Manage user profiles diff --git a/tidb-cloud/premium/create-tidb-instance-premium.md b/tidb-cloud/premium/create-tidb-instance-premium.md index 725ec26be4f8c..45a24609e82b9 100644 --- a/tidb-cloud/premium/create-tidb-instance-premium.md +++ b/tidb-cloud/premium/create-tidb-instance-premium.md 
@@ -9,7 +9,7 @@ This document describes how to create a {{{ .premium }}} instance in the [TiDB C > **Note:** > -> - Currently, {{{ .premium }}} is only available upon request. To request {{{ .premium }}}, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com), and then click **Support Tickets** to go to the [Help Center](https://tidb.support.pingcap.com/servicedesk/customer/portals). Create a ticket, fill in "Apply for {{{ .premium }}}" in the **Description** in the **Description** field, and then click **Submit**. +> - Currently, {{{ .premium }}} is only available upon request. To request {{{ .premium }}}, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com), and then click **Support Tickets** to go to the [Help Center](https://tidb.support.pingcap.com/servicedesk/customer/portals). Create a ticket, fill in "Apply for {{{ .premium }}}" in the **Description** field, and then click **Submit**. > - To learn how to create a TiDB Cloud Dedicated cluster, see [Create a TiDB Cloud Dedicated Cluster](/tidb-cloud/create-tidb-cluster.md). ## Before you begin 
@@ -41,8 +41,8 @@ If you have the `Organization Owner` role, you can create a {{{ .premium }}} ins 1. In the [TiDB Cloud console](https://tidbcloud.com/tidbs), navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page, and then click **Create Resource** in the upper-right corner. 2. On the **Create Resource** page, select **Premium** as your plan. -3. Enter a name for your {{{ .premium }}} instance. -4. Choose a cloud provider and a region where you want to host your instance. +3. Enter a name for your {{{ .premium }}} instance, and then choose a cloud provider and a region where you want to host your instance. +4. (Optional) To group this {{{ .premium }}} instance in a project for management, click **Group Your Instance in a Project**, and then select the target project for the instance. If there is no project in your organization, you can create one by clicking **Create a Project**. 5. In the **Capacity** area, set the maximum number of the Request Capacity Units (RCUs) for your instance. RCUs represent the compute resources provisioned for your workload. TiDB Cloud automatically scales your instance within this range based on demand. diff --git a/tidb-cloud/security-concepts.md b/tidb-cloud/security-concepts.md index af84f2e91f765..c3ff894f034a4 100644 --- a/tidb-cloud/security-concepts.md +++ b/tidb-cloud/security-concepts.md 
@@ -107,56 +107,67 @@ This system ensures flexibility and precision in managing user access while alig ### Organization and projects -TiDB Cloud manages users and resources with a hierarchical structure: organizations, projects, and clusters. +TiDB Cloud manages users and resources with a hierarchical structure: organizations, projects, and resources. **Organizations** -- The top-level entity for managing resources, roles, and billing. +- The top-level entity for managing users, roles, projects, resources, and billing. - The organization owner has full permissions, including project creation and role assignment. **Projects** -- Subdivisions of an organization containing clusters and project-specific configurations. +- Containers for grouping and managing TiDB Cloud resources. -- Managed by project owners responsible for clusters within their scope. +- In TiDB Cloud, there are three types of projects: -**Clusters** + - **TiDB Dedicated project**: a project type for {{{ .dedicated }}} clusters only. Dedicated projects manage project-scoped settings such as networking, maintenance, alert subscriptions, integrations, and encryption-related access. + - **TiDB X project**: a logical container for {{{ .starter }}}, {{{ .essential }}}, and {{{ .premium }}} instances. TiDB X projects are used for grouping resources and applying project-level RBAC, but they do not carry Dedicated-only infrastructure settings. + - **TiDB X virtual project**: a virtual project for {{{ .starter }}}, {{{ .essential }}}, and {{{ .premium }}} instances that are not grouped in any TiDB X project. This project type is used only for API compatibility and does not provide any management capabilities. -- Individual database instances within a project. +**Resources** + +- A TiDB Cloud resource can be either a TiDB X instance (a service-oriented TiDB Cloud offering built on the [TiDB X architecture](/tidb-cloud/tidb-x-architecture.md)) or a TiDB Cloud Dedicated cluster. 
### Example structure ``` - Your organization - - Project 1 - - Cluster 1 - - Cluster 2 - - Project 2 - - Cluster 3 - - Cluster 4 - - Project 3 - - Cluster 5 - - Cluster 6 + - TiDB X instances out of any project + - {{{ .starter }}} instance 1 + - TiDB X project 1 + - {{{ .starter }}} instance 2 + - {{{ .essential }}} instance 3 + - {{{ .premium }}} instance 4 + - TiDB Dedicated project 1 + - {{{ .dedicated }}} cluster 1 + - {{{ .dedicated }}} cluster 2 ``` ### Key features - **Granular permissions**: - - Assign specific roles at both the organization and project levels for precise access control. + - Assign specific roles at the organization, project, and instance levels for precise access control. + + - TiDB X instances can be accessed through either project roles or instance roles, while TiDB Cloud Dedicated clusters are managed through project-level access. - - Ensure flexibility and security by carefully planning role assignments. +- **Flexible project model**: + - TiDB X projects are optional, so TiDB X instances can be grouped in a project or kept at the organization level. + + - TiDB Dedicated projects are required, so each Dedicated cluster must belong to a Dedicated project. - **Billing management**: - - Billing is consolidated at the organization level, with detailed breakdowns available for each project. + - Billing is consolidated at the organization level, with detailed breakdowns available for each project and resource. ### Identity and Access Management (IAM) Roles -TiDB Cloud provides role-based access control to manage permissions across organizations and projects: +TiDB Cloud provides role-based access control to manage permissions across organizations, projects, and instances: - **[Organization-Level roles](/tidb-cloud/manage-user-access.md#organization-roles)**: Grant permissions to manage the entire organization, including billing and project creation. 
-- **[Project-Level roles](/tidb-cloud/manage-user-access.md#project-roles)**: Assign permissions to manage specific projects, including clusters and configurations. +- **[Project-Level roles](/tidb-cloud/manage-user-access.md#project-roles)**: Assign permissions to manage specific projects, including project-scoped resources and configurations. + +- **[Instance-Level roles](/tidb-cloud/manage-user-access.md#instance-roles)**: Grant fine-grained access to specific TiDB X instances. ## Network access control @@ -255,4 +266,4 @@ Records detailed database operations, including executed SQL statements and user - Use logs for compliance reporting and forensic analysis. -For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). \ No newline at end of file +For more information, see [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) and [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). diff --git a/tidb-cloud/sql-proxy-account.md b/tidb-cloud/sql-proxy-account.md index 3585e1ef8f311..052c80e91a865 100644 --- a/tidb-cloud/sql-proxy-account.md +++ b/tidb-cloud/sql-proxy-account.md 
@@ -38,9 +38,9 @@ The SQL proxy account is automatically created during initialization of a {{{ .s ## How the SQL proxy account is deleted -When a user is removed from [an organization](/tidb-cloud/manage-user-access.md#remove-an-organization-member) or [a project](/tidb-cloud/manage-user-access.md#remove-a-project-member), or their role changes to one that does not have access to the {{{ .starter }}} instance or {{{ .dedicated }}} cluster, the SQL proxy account is automatically deleted. +When a user is removed from [an organization](/tidb-cloud/manage-user-access.md#remove-an-organization-member) or [a project](/tidb-cloud/manage-user-access.md#remove-project-access-for-a-user), or their role changes to one that does not have access to the {{{ .starter }}} instance or {{{ .dedicated }}} cluster, the SQL proxy account is automatically deleted. -Note that if a SQL proxy account is manually deleted, it will be automatically recreated when the user log in to the TiDB Cloud console next time. +Note that if a SQL proxy account is manually deleted, it will be automatically recreated when the user logs in to the TiDB Cloud console next time. ## SQL proxy account username diff --git a/tidb-cloud/tidb-cloud-billing.md b/tidb-cloud/tidb-cloud-billing.md index d8598f6509f72..78044eab7f69c 100644 --- a/tidb-cloud/tidb-cloud-billing.md +++ b/tidb-cloud/tidb-cloud-billing.md @@ -91,7 +91,7 @@ To view the billing details, perform the following steps: On the **Billing** page, the **Bills** tab is displayed by default. -The **Bills** tab shows the billing summary by project and by service. You can also see the usage details and download the data in CSV format. +The **Bills** tab shows the billing summary by projects & instances and the billing summary by service. You can also see the usage details and download the data in CSV format. > **Note:** 
> diff --git a/tidb-cloud/tidb-cloud-encrypt-cmek-aws.md b/tidb-cloud/tidb-cloud-encrypt-cmek-aws.md index ef5bb7e85ace4..41ca4b0cdfcb8 100644 --- a/tidb-cloud/tidb-cloud-encrypt-cmek-aws.md +++ b/tidb-cloud/tidb-cloud-encrypt-cmek-aws.md @@ -35,12 +35,11 @@ If you are in the `Organization Owner` role of your organization, you can create To create a CMEK-enabled project, take the following steps: -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. -2. In the left navigation pane, click **Projects**. -3. On the **Projects** page, click **Create New Project** in the upper-right corner. -4. Fill in a project name. -5. Choose to enable the CMEK capability of the project. -6. Click **Confirm** to complete the project creation. +1. In the [TiDB Cloud console](https://tidbcloud.com), navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click **Create Project**. +2. In the displayed dialog, enter a project name. +3. Select the **Create for Dedicated Cluster** option. +4. Choose to enable the CMEK capability of the project. +5. Click **Confirm** to complete the project creation.
diff --git a/tidb-cloud/tidb-cloud-encrypt-cmek-azure.md b/tidb-cloud/tidb-cloud-encrypt-cmek-azure.md index bccef8b3f1ba6..2c48d5e19bd6c 100644 --- a/tidb-cloud/tidb-cloud-encrypt-cmek-azure.md +++ b/tidb-cloud/tidb-cloud-encrypt-cmek-azure.md @@ -25,12 +25,11 @@ If you want to encrypt your data using the encryption keys owned by your account If you are in the `Organization Owner` role of your organization, you can create a CMEK-enabled project by performing the following steps: -1. In the [TiDB Cloud console](https://tidbcloud.com), switch to your target organization using the combo box in the upper-left corner. -2. In the left navigation pane, click **Projects**. -3. On the **Projects** page, click **Create New Project** in the upper-right corner. -4. Fill in a project name. -5. Choose to enable the CMEK capability of the project. -6. Click **Confirm** to complete the project creation. +1. In the [TiDB Cloud console](https://tidbcloud.com), navigate to the [**My TiDB**](https://tidbcloud.com/tidbs) page of your organization, and then click **Create Project**. +2. In the displayed dialog, enter a project name. +3. Select the **Create for Dedicated Cluster** option. +4. Choose to enable the CMEK capability of the project. +5. Click **Confirm** to complete the project creation. ### Step 2. Complete the CMEK configuration of the project diff --git a/tidb-cloud/tidb-cloud-glossary.md b/tidb-cloud/tidb-cloud-glossary.md index 59aca5601b1a0..0d42903fa0d9e 100644 --- a/tidb-cloud/tidb-cloud-glossary.md +++ b/tidb-cloud/tidb-cloud-glossary.md 
@@ -29,6 +29,12 @@ Chat2Query is an AI-powered feature integrated into SQL Editor that assists user In addition, TiDB Cloud provides a Chat2Query API for {{{ .starter }}} instances hosted on AWS. After it is enabled, TiDB Cloud will automatically create a system Data App called **Chat2Query** and a Chat2Data endpoint in Data Service. You can call this endpoint to let AI generate and execute SQL statements by providing instructions. For more information, see [Get started with Chat2Query API](/tidb-cloud/use-chat2query-api.md). +### Cluster + +In TiDB Cloud, a cluster is a dedicated cloud deployment that includes explicit infrastructure details such as node topology, instance types, storage configuration, and scaling model. + +Among TiDB Cloud plans, only TiDB Cloud Dedicated clusters use this deployment model. + ### Credit TiDB Cloud offers a certain number of credits for Proof of Concept (PoC) users. One credit is equivalent to one U.S. dollar. You can use credits to pay fees before the credits become expired. @@ -95,7 +101,7 @@ Refers to either a data instance (TiKV) or a compute instance (TiDB) or an analy ### organization -An entity that you create to manage your TiDB Cloud accounts, including a management account with any number of multiple member accounts. +A top level container to manage your TiDB Cloud accounts (including a management account with any number of multiple member accounts), [projects](#project), and [resources](#tidb-cloud-resource). ### organization members 
@@ -109,7 +115,18 @@ A document that defines permissions applying to a role, user, or organization, s ### project -Based on the projects created by the organization, resources such as personnel, instances, and networks can be managed separately according to projects, and resources between projects do not interfere with each other. +In TiDB Cloud, you can use projects to group and manage your TiDB resources. + +- For {{{ .starter }}}, Essential, and Premium instances, projects are optional, which means you can either group these instances in a project or keep these instances at the organization level. +- For {{{ .dedicated }}} clusters, projects are required. + +The function of a project varies by project type. Currently, there are three types of projects: + +- **TiDB Dedicated project**: This project type is used only for {{{ .dedicated }}} clusters. It helps you manage settings for {{{ .dedicated }}} clusters separately by project, such as RBAC, networks, maintenance, alert subscriptions, and encryption access. +- **TiDB X project**: This project type is used only for TiDB X instances ({{{ .starter }}}, Essential, and Premium). It helps you manage RBAC for TiDB X instances by project. A TiDB X project is the default project type when you create a project on the [**My TiDB**](https://tidbcloud.com/tidbs) page. +- **TiDB X virtual project**: This project is virtual and does not provide any management capabilities. It acts as a virtual container for TiDB X instances ({{{ .starter }}}, Essential, and Premium) that do not belong to any project, so these instances can be accessed through the TiDB Cloud API by using a project ID. Each organization has a unique virtual project ID. You can get this ID from the project view on the [**My TiDB**](https://tidbcloud.com/tidbs) page. + +For more information about the differences between these project types, see [Projects](/tidb-cloud/manage-user-access.md#projects). ### project members 
@@ -164,18 +181,31 @@ For TiDB Cloud Dedicated and TiDB Self-Managed, a Request Unit (RU) is a resourc ### TiDB cluster -The collection of [TiDB](https://docs.pingcap.com/tidb/stable/tidb-computing), [TiKV](https://docs.pingcap.com/tidb/stable/tidb-storage), [the Placement Driver](https://docs.pingcap.com/tidb/stable/tidb-scheduling) (PD), and [TiFlash](https://docs.pingcap.com/tidb/stable/tiflash-overview) nodes that form a functional working database. +In TiDB Cloud, a cluster is a dedicated cloud deployment of TiDB that includes explicit infrastructure details such as node topology (where you can specify the number of [TiDB](/tidb-computing.md) nodes, [TiKV](/tidb-storage.md) nodes, and [TiFlash](/tiflash/tiflash-overview.md) nodes), storage configuration, and scaling model. ### TiDB node The computing node that aggregates data from queries returned from transactional or analytical stores. Increasing the number of TiDB nodes will increase the number of concurrent queries that the {{{ .dedicated }}} cluster can handle. +### TiDB Cloud resource + +A TiDB Cloud resource is a manageable TiDB Cloud deployment unit. It can be one of the following: + +- A TiDB X instance (a service-oriented TiDB Cloud offering built on the [TiDB X architecture](/tidb-cloud/tidb-x-architecture.md)), such as a {{{ .starter }}}, {{{ .essential }}}, or {{{ .premium }}} instance +- A {{{ .dedicated }}} cluster + ### TiDB X A new distributed SQL architecture that makes cloud-native object storage the backbone of TiDB. By decoupling compute and storage, TiDB X enables TiDB to scale intelligently, adapting in real time to workload patterns, business cycles, and data characteristics. The TiDB X architecture is now available in {{{ .starter }}} and Essential{{{ .starter }}}, Essential, and Premium. 
For more information, see [Introducing TiDB X: A New Foundation for Distributed SQL in the Era of AI](https://www.pingcap.com/blog/introducing-tidb-x-a-new-foundation-distributed-sql-ai-era/) and [PingCAP Launches TiDB X and New AI Capabilities at SCaiLE Summit 2025](https://www.pingcap.com/press-release/pingcap-launches-tidb-x-new-ai-capabilities/). +### TiDB X instance + +A TiDB X instance is a service-oriented TiDB Cloud offering built on the [TiDB X architecture](/tidb-cloud/tidb-x-architecture.md). It does not require you to manage or understand the underlying cluster topology. + +Among TiDB Cloud plans, {{{ .starter }}}, {{{ .essential }}}, and {{{ .premium }}} are using the TiDB X architecture. Therefore, when "TiDB X instance" is mentioned, it refers to a {{{ .starter }}}, {{{ .essential }}}, or {{{ .premium }}} instance. + ### TiFlash node The analytical storage node that replicates data from TiKV in real time and supports real-time analytical workloads. diff --git a/tidb-cloud/tidb-cloud-quickstart.md b/tidb-cloud/tidb-cloud-quickstart.md index 4be51f636f082..962e86e1ba01e 100644 --- a/tidb-cloud/tidb-cloud-quickstart.md +++ b/tidb-cloud/tidb-cloud-quickstart.md @@ -30,7 +30,7 @@ Additionally, you can try out TiDB features on [TiDB Playground](https://play.ti - To create a new {{{ .starter }}} instance on your own, follow these steps: 1. Click **Create Resource**. - 2. On the **Create** page, **Starter** is selected by default. Select the cloud provider and target region for your {{{ .starter }}} instance, update the default instance name if necessary, and then click **Create**. Your {{{ .starter }}} instance will be created in approximately 30 seconds. + 2. On the **Create Resource** page, **Starter** is selected by default. Enter a name for the {{{ .starter }}} instance, select the cloud provider and target region, and then click **Create**. Your {{{ .starter }}} instance will be created in approximately 30 seconds.
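Review bot: The new `### Cluster` entry added in the `@@ -29,6 +29,12 @@` hunk defines the same term as the rewritten `### TiDB cluster` entry later in this file, and the two definitions already differ: this one lists "instance types", while the other lists the TiDB, TiKV, and TiFlash node counts instead. Keep one full definition and turn the other entry into a one-line pointer to it, so the two cannot drift apart in later edits.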
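Review bot: In the `### organization` hunk (`@@ -95,7 +101,7 @@`), the parenthetical splits the list so that "[projects](#project), and [resources](#tidb-cloud-resource)" reads as a continuation of the member accounts rather than as things the organization contains. Write "top-level" with a hyphen, drop the redundant "any number of multiple", and consider two sentences: one stating that the organization is the top-level container for accounts, projects, and resources, and one describing the management account and member accounts.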
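Review bot: The **TiDB X virtual project** bullet in the `### project` hunk (`@@ -109,7 +115,18 @@`) says the virtual project "does not provide any management capabilities" while its instances remain reachable through the TiDB Cloud API by project ID, but the entry never states which roles govern access to instances that are not in any project. Because the **TiDB X project** bullet presents RBAC as a per-project function, add a sentence saying where access to these instances is managed, or point to the relevant part of `/tidb-cloud/manage-user-access.md#projects`. This hunk also writes plain "Essential" and "Premium" where the `### TiDB Cloud resource` entry in the same patch uses `{{{ .essential }}}` and `{{{ .premium }}}`; use the variables consistently.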
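Review bot: In the `@@ -164,18 +181,31 @@` hunk, the first bullet under `### TiDB Cloud resource` repeats the TiDB X instance definition in a parenthetical that the new `### TiDB X instance` entry states again a few lines later; link the bullet to that entry instead of defining the term twice. The rewritten `### TiDB cluster` text also no longer mentions the Placement Driver (PD), which the removed line listed among the nodes, so please confirm the omission is intended. In `### TiDB X instance`, "are using the TiDB X architecture" reads better as "use the TiDB X architecture".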