DOC-1936: Document SR authorization enabled by default for Cloud

[micheleRP]

Summary

Schema Registry Authorization is now enabled fleet-wide on BYOC and Dedicated clusters via two LaunchDarkly flags (enable-schema-registry-acls-2, enable-console-schema-registry-impersonation). For Cloud customers, this means:

• schema_registry_enable_authorization is set to true automatically at cluster provisioning.
• The predefined Admin, Writer, and Reader roles are seeded with Schema Registry permissions (subject/* and registry ACL resource types).
• Account impersonation can be enabled independently for the Kafka API and the Schema Registry.

This PR updates the docs accordingly:

• modules/security/partials/predefined-roles.adoc — added a permissions matrix showing the SR operations granted to each predefined role.
• modules/security/pages/cloud-authentication.adoc — rewrote the Account impersonation section for per-subsystem toggles, removed the "contact Support" feature-flag callout, and softened the access-loss IMPORTANT note now that Reader/Writer roles include SR perms by default.
• modules/get-started/pages/whats-new-cloud.adoc — added two May 2026 entries.

Closes DOC-1936.

Related PR

Companion docs PR for the single-sourced Schema Registry Authorization page: redpanda-data/docs#1694

Preview pages

• What's New in Redpanda Cloud (updated)
• Authentication (updated)

Test plan

• Verify the Predefined roles section on https://cloud.redpanda.com/docs/security/authorization/rbac/rbac/#predefined-roles renders the SR permissions table.
• Verify the Account impersonation section on https://cloud.redpanda.com/docs/security/cloud-authentication/#account-impersonation describes per-subsystem toggles.
• Verify the May 2026 What's New entries on https://cloud.redpanda.com/docs/get-started/whats-new-cloud/.
• Confirm with engineering that the in-product Dataplane settings page exposes Kafka API and Schema Registry impersonation as separate toggles, and update wording if it differs.

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	4557d9c
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/69fe4d4256864700075a7fc6
😎 Deploy Preview	https://deploy-preview-581--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request updates Redpanda Cloud documentation to reflect two related feature expansions in May 2026. Schema Registry Authorization is now enabled by default on newly provisioned BYOC and Dedicated clusters, automatically granting predefined Admin, Writer, and Reader roles permissions for Schema Registry ACL resource types (subject and registry). Account impersonation has been extended to support Schema Registry independently of the Kafka API, allowing Cloud UI identities to be synchronized with both systems. The documentation updates include release notes announcing these features, revised guidance on predefined role permissions across both Kafka and Schema Registry, and updated configuration instructions directing administrators to enable each subsystem independently via Dataplane settings and then configure user permissions on the cluster Security page.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• redpanda-data/cloud-docs#390: Modifies Schema Registry Authorization documentation with overlapping nav/page/property includes and role/impersonation behavior references.
• redpanda-data/cloud-docs#370: Prior account impersonation documentation update that this PR extends to explicitly include Schema Registry impersonation and role permission details.

Suggested reviewers

• mattschumpert
• sago2k8
• Feediver1
• deniscoady

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: documenting that Schema Registry authorization is now enabled by default for Redpanda Cloud, which aligns with the PR's primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	PR description is comprehensive and well-structured, covering all required sections with clear context and actionable information.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch michele/DOC-1936-sr-authorization-cloud

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/security/pages/cloud-authentication.adoc`:
- Around line 138-140: The phrase "Admin and Writer users continue to have full
Kafka and Schema Registry access through the predefined roles" overstates Writer
permissions; update the copy so Admin is described as having full/admin access
while Writer is described as having predefined write permissions (e.g., topic
produce/write and subject write) but not full admin-equivalent rights. Locate
the sentence that begins "Admin and Writer users" and replace "full Kafka and
Schema Registry access" for Writer with wording like "predefined write
permissions for Kafka topics and appropriate Schema Registry subjects (not full
admin privileges)" and leave Admin described as having full access; ensure
subsequent lines referencing "Writer role" or "Reader users" remain consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 98e6a104-e3d7-4ac9-af8f-484d876b851e

📥 Commits

Reviewing files that changed from the base of the PR and between ae3deed and 4557d9c.

📒 Files selected for processing (3)

• modules/get-started/pages/whats-new-cloud.adoc
• modules/security/pages/cloud-authentication.adoc
• modules/security/partials/predefined-roles.adoc

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Writer role access is overstated as “full” and can mislead authorization expectations.

Line 138 should not describe Writer as having full Kafka and Schema Registry access. Writer permissions are predefined but not admin-equivalent, so this wording is materially inaccurate.

✏️ Proposed wording fix

-* *Admin and Writer users* continue to have full Kafka and Schema Registry access through the predefined roles.
+* *Admin users* continue to have full Kafka and Schema Registry access through the predefined Admin role.
+* *Writer users* continue to have Writer-level Kafka and Schema Registry permissions through the predefined Writer role.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	* *Admin and Writer users* continue to have full Kafka and Schema Registry access through the predefined roles.
	* *Reader users* keep read access to topics, consumer groups, and Schema Registry subjects through the predefined Reader role.
	* *Custom roles or users without role bindings* will lose access until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page.
	* *Admin users* continue to have full Kafka and Schema Registry access through the predefined Admin role.
	* *Writer users* continue to have Writer-level Kafka and Schema Registry permissions through the predefined Writer role.
	* *Reader users* keep read access to topics, consumer groups, and Schema Registry subjects through the predefined Reader role.
	* *Custom roles or users without role bindings* will lose access until you explicitly grant them permissions through ACLs or RBAC roles on the *Security* page.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/security/pages/cloud-authentication.adoc` around lines 138 - 140, The
phrase "Admin and Writer users continue to have full Kafka and Schema Registry
access through the predefined roles" overstates Writer permissions; update the
copy so Admin is described as having full/admin access while Writer is described
as having predefined write permissions (e.g., topic produce/write and subject
write) but not full admin-equivalent rights. Locate the sentence that begins
"Admin and Writer users" and replace "full Kafka and Schema Registry access" for
Writer with wording like "predefined write permissions for Kafka topics and
appropriate Schema Registry subjects (not full admin privileges)" and leave
Admin described as having full access; ensure subsequent lines referencing
"Writer role" or "Reader users" remain consistent.