docs: permissions for playbooks/connections/notification

Author: adityathebe

mission-control-chart

@@ -117,7 +117,10 @@ This notification above triggers the playbook `mc/echo-config` whenever a config
 
 #### Permissions
 
-To enable a notification to execute a playbook, the notification must have `playbook:run` permission on the playbook.
+To enable a notification to execute a playbook, the notification must have necessary permissions. i.e.
+
+- `playbook:run` permission on the playbook
+- `read` permission on the resource the playbook targets
 
 The example shows two notifications: `check-alerts` and `homelab-config-health-alerts` which belong to a permission group "config-notifications".
 The group has `playbook:run` permission, which both notifications inherit.

mission-control/docs/guide/notifications/index.mdx

@@ -77,9 +77,7 @@ The parameters to the playbooks are available in the [Context](reference/playboo
 ![Playbook Action Logs](/img/playbook-action-logs.png)
 
 
-### Runners
-
-## Approvals
+## Approval
 
 Playbooks can require approval before execution by configuring an `approval` block:
 
@@ -103,5 +101,34 @@ spec:
 | `approvers.[]people` | Login or id of a person| `People` | `false`  |
 | `approvers.[]teams` | Name or id of a team | `Team` | `false`  |
 
+## Permissions
+
+Playbook permissions control who can perform various actions on playbooks.
+
+```yaml title="playbook-permissions.yaml" file=<rootDir>/modules/mission-control/fixtures/permissions/allow-person-playbook.yaml
+```
+
+### Required Permissions
+
+To run a playbook, a principal (user, team, or service account) needs:
+1. The `playbook:run` permission on the playbook
+2. A `read` permission on the resource the playbook targets
+
+For example, to run a playbook that scales a Kubernetes deployment, the principal needs:
+- `playbook:run` permission on the scaling playbook
+- `read` permission on the target Kubernetes deployment resource
+
+### Permission Types
+
+| Permission | Description |
+|------------|-------------|
+| `playbook:run` | Run a playbook |
+| `playbook:approve` | Approve a playbook run |
+| `playbook:cancel` | Cancel a running playbook |
 
+### Permission Inheritance
 
+:::info
+When a playbook triggers another playbook, the permissions are evaluated using the playbook's identity, not the original user who initiated the first playbook. 
+This means the triggering playbook must have permission to run the target playbook and to read the resources.
+:::

mission-control/docs/guide/playbooks/index.mdx

@@ -93,3 +93,8 @@ spec:
 | properties   | Property fields                                       | map[string]string                              |              |
 | insecure_tls | Allow insecure tls                                    | bool                                           |              |
 
+## Permission
+
+To use a connection, a principal needs to have the `read` permission on the connection.
+
+```yaml title="connection-permission.yaml" file=<rootDir>/modules/mission-control/fixtures/permissions/playbook-connection.yaml