chore: add user restrictions section

docs/self-managed/concepts/access-control/user-task-access-restrictions.md

@@ -0,0 +1,22 @@
+---
+id: user-task-access-restrictions
+title: "User task access restrictions"
+sidebar_label: "User task access restrictions"
+description: "Control the level of access a user or group has to perform tasks in the system via user task access restrictions."
+---
+
+:::caution
+User task access restrictions are enabled by default and can be disabled using environment variables. This feature is controlled in the required component, see [Identity feature flags](../../../../self-managed/identity/deployment/configuration-variables/#feature-flags).
+:::
+
+User task access restrictions allow you to control the level of access a [user](/self-managed/identity/user-guide/roles/add-assign-role.md) or
+[group](self-managed/identity/user-guide/groups/create-group.md) has to perform BPMN user tasks where they are candidates.
+
+### User task access restrictions
+
+[User task access restrictions](self-managed/tasklist-deployment/tasklist-authentication.md/#user-restrictions) are used in Tasklist to control task access for a
+user or [group](/self-managed/identity/user-guide/groups/create-group.md). The restrictions are
+related to the candidate users or groups set up on user task definitions.
+
+For example, if a task has a candidate group named `Team A` and a candidate user named `example`, only the
+users that belong to `Team A` and the user `example` will have access to the task.

docs/self-managed/identity/deployment/configuration-variables.md

@@ -90,6 +90,7 @@ Identity uses feature flag environment variables to enable and disable features;
 | ---------------------------- | --------------------------------------------- | ------------- |
 | RESOURCE_PERMISSIONS_ENABLED | Controls the resource authorizations feature. | false         |
 | MULTITENANCY_ENABLED         | Controls the multi tenancy feature.           | false         |
+| USER_RESTRICTIONS_ENABLED    | Controls the user task access restrictions feature in Tasklist. | true          |
 
 :::note
 Setting either of the feature flags to `true` requires a database connection. To configure a database

docs/self-managed/tasklist-deployment/tasklist-authentication.md

@@ -153,9 +153,9 @@ Take the `access_token` value from the response object and store it as your toke
 curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <TOKEN>" -d '{"query": "{tasks(query:{}){id name}}"}' http://localhost:8080/graphql
 ```
 
-### User restrictions
+### User task access restrictions
 
-When the **User Restrictions** feature is enabled, Tasklist applies additional security measures to filter tasks based on user identity and authorization. The tasks displayed are restricted based on the candidate groups, candidate users, and assignee associated with the logged-in user. The benefits of this resource are:
+To use this resource, the **User Task Access Restrictions** feature must be [enabled on Identity](/self-managed/concepts/access-control/user-task-access-restrictions.md). When it is active, Tasklist applies additional security measures to filter tasks based on user identity and authorization. The tasks displayed are restricted based on the candidate groups, candidate users, and assignee associated with the logged-in user. The benefits of this resource are:
 
 - Enhanced security: Users only see tasks for which they have the necessary permissions, improving security and preventing unauthorized access.
 - Tasklist customization: The Tasklist interface is tailored to display only relevant tasks for each user, providing a personalized and streamlined experience.

optimize_sidebars.js

@@ -1885,6 +1885,10 @@ module.exports = {
               "Resource authorizations",
               "self-managed/concepts/access-control/resource-authorizations/"
             ),
+            docsLink(
+              "User restrictions",
+              "self-managed/concepts/access-control/user-task-access-restrictions/"
+            ),
           ],
         },
         docsLink("Exporters", "self-managed/concepts/exporters/"),

sidebars.js

@@ -887,6 +887,7 @@ module.exports = {
           "Access control": [
             "self-managed/concepts/access-control/applications",
             "self-managed/concepts/access-control/resource-authorizations",
+            "self-managed/concepts/access-control/user-task-access-restrictions",
           ],
         },
         "self-managed/concepts/exporters",