Update documentation for users, organization units, and roles

[Malith-19]

Purpose

• Users (manage-users.mdx): Add missing sections for listing and filtering users (pagination, filter query, include=display),
  listing a user's groups, and self-service profile management (GET/PUT /users/me, POST /users/me/update-credentials).
• Organization Units (organization-units.mdx): Add Update OU section (console + API), document optional branding/policy API fields
  (themeId, layoutId, logoUrl, tosUri, policyUri, cookiePolicyUri), add path-based API examples for get/update/delete, add List
  Users and List Groups sub-resource sections, and surface two previously undocumented error codes (OU-1013, OU-1014).
• Groups (manage-groups.mdx): Expand member types from users-only to all four supported types (user, app, agent, group) with
  a reference table. Fix the broken "see the Roles guide" link.
• Roles (roles.mdx): New guide covering the fully implemented but undocumented roles feature — CRUD operations, permissions model,
  assignment management with type filtering and include=display, and an error code reference.
• Sidebar (sidebars.ts): Register the new Roles page under the Users category.

Preview

• https://malith-19.github.io/thunder/docs/next

Related Issues

• [Docs] Improve the users section docs & OU documentation #2970

Related PRs

• N/A

Checklist

• Followed the contribution guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
  • Ran Vale and fixed all errors and warnings
• Tests provided. (Add links if there are any)
  • Unit Tests
  • Integration Tests
• Breaking changes. (Fill if applicable)
  • Breaking changes section filled.
  • breaking change label added.

Security checks

• Followed secure coding standards in WSO2 Secure Coding Guidelines
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Summary by CodeRabbit

• Documentation
  • New comprehensive guide for creating, viewing, updating, and deleting roles with API examples.
  • Expanded group management guide clarifying groups can now include users, applications, agents, and nested groups.
  • Enhanced user management documentation with filtering, user groups retrieval, and profile management capabilities.
  • Improved organization unit API documentation with extended examples and error codes.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds comprehensive documentation for role management, enhances API documentation across organization units and users guides, clarifies group membership types to include applications and agents, and integrates the new Roles guide into the sidebar navigation.

Changes

User Management Documentation Expansion

Layer / File(s)	Summary
Roles guide and navigation docs/content/guides/guides/users/manage-roles.mdx, docs/sidebars.ts	New comprehensive Roles guide documenting role CRUD operations (create, list, get, update, delete), role assignment management for users, groups, applications, and agents, error codes, and related guides. Sidebar configuration positions the guide in Guides → Users between Manage Groups and User Types.
Organization Units API documentation docs/content/guides/guides/organization-units.mdx	Adds optional branding/policy fields (themeId, layoutId, logoUrl, tosUri, policyUri, cookiePolicyUri) to create section with curl examples; documents OU system metadata (isReadOnly, createdAt, updatedAt) in view section; adds API endpoints to list users and groups within an OU by ID or hierarchical path with include=display support; adds filter error code OU-1013; provides delete examples by ID and path.
Group member type clarification docs/content/guides/guides/users/manage-groups.mdx	Expands group definition to include members of type user, app, agent, or group (beyond users only); clarifies Create a Group optional Members step to support all member types; documents member type field with enumerated values in Add Members section; updates Assign Roles reference to link to ../roles page.
Users guide expansion docs/content/guides/guides/users/manage-users.mdx	Adds List and Filter Users section documenting /users pagination (limit, offset), equality-based filtering, and include=display; adds Filter Error Responses documenting USR-1020 code; documents List Groups for a User endpoint; adds Manage Your Own Profile section covering /users/me viewing and attribute updates, and /users/me/update-credentials for secure credential management; adds Roles link to Related Guides.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• thunder-id/thunderid#1612: Both PRs update Docusaurus documentation and docs/sidebars.ts to manage guide structure and navigation within the Users and broader Guides section.

Suggested labels

Type/Docs

Suggested reviewers

• brionmario
• DonOmalVindula
• thiva-k

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating documentation for three key areas (users, organization units, and roles) that align with the actual file modifications.
Description check	✅ Passed	The description comprehensively covers the Purpose section with specific details about each file modified, but the Checklist and Security checks sections are present yet all items remain unchecked without explanation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/guides/guides/organization-units.mdx`:
- Line 277: Update the headings that fail Vale title-case checks by correcting
their casing to match the repository’s title-case pattern: replace each
occurrence of the heading text "By Organization Unit ID" (and the other three
headings flagged nearby) with the repository-standard Title Case form (ensure
words like "Organization", "Unit", and the acronym "ID" are capitalized
correctly) so the four headings pass Vale; locate and adjust the headings in the
document where that exact heading text appears.

In `@docs/content/guides/guides/users/roles.mdx`:
- Around line 231-242: The Error Codes table is missing the backend contract for
invalid assignment `type` filter (ROL-1016); update the "Error Codes" markdown
table under the "Error Codes" heading to add a row for `ROL-1016` with the
correct HTTP status (400) and a clear cause message such as "The specified
assignment type filter is invalid or unsupported" so the docs reflect the
backend error for invalid `type` filtering referenced earlier in the guide;
ensure the new row matches the table format used by the existing entries
(columns: Error Code, HTTP Status, Cause).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 96999725-6ab9-4d6e-bd64-b36c100b4bdc

📥 Commits

Reviewing files that changed from the base of the PR and between 7e33621 and 31e4a5e.

📒 Files selected for processing (5)

• docs/content/guides/guides/organization-units.mdx
• docs/content/guides/guides/users/manage-groups.mdx
• docs/content/guides/guides/users/manage-users.mdx
• docs/content/guides/guides/users/roles.mdx
• docs/sidebars.ts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/sidebars.ts (1)

577-577: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace hardcoded brand literal in sidebar label.

Is this hardcoded brand name intentional? This should be derived from config instead of a raw string literal.

Suggested fix

-        {type: 'doc', id: 'community/contributing/overview', label: 'Contribute to ThunderID'},
+        {type: 'doc', id: 'community/contributing/overview', label: `Contribute to ${productConfig.project.name}`},

As per coding guidelines: "**/*.ts: Scan for hardcoded occurrences of the string literals Thunder or ThunderID... If it can be replaced, suggest reading the value from the app's config system ... rather than a raw string literal."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/sidebars.ts` at line 577, The sidebar entry uses a hardcoded label
'Contribute to ThunderID' — replace the raw string literal on the sidebar item
(the object with id 'community/contributing/overview' and its label property)
with a value read from the app config (e.g., use the central
config/getConfig()/siteConfig.brand or an exported getAppName() helper) and fall
back to the existing literal if the config value is missing; update the import
at the top of docs/sidebars.ts to pull the config helper and replace the label
assignment to use that config-driven value instead of the hardcoded 'Contribute
to ThunderID'.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/guides/guides/users/manage-users.mdx`:
- Around line 74-77: Update the table row for the `limit` parameter in the
Manage Users guide: change the Default column value for `limit` from 10 to 30 so
it matches the API contract; locate the markdown table containing the `limit`
and `offset` parameter rows in manage-users.mdx and edit the `limit` default
accordingly.

---

Outside diff comments:
In `@docs/sidebars.ts`:
- Line 577: The sidebar entry uses a hardcoded label 'Contribute to ThunderID' —
replace the raw string literal on the sidebar item (the object with id
'community/contributing/overview' and its label property) with a value read from
the app config (e.g., use the central config/getConfig()/siteConfig.brand or an
exported getAppName() helper) and fall back to the existing literal if the
config value is missing; update the import at the top of docs/sidebars.ts to
pull the config helper and replace the label assignment to use that
config-driven value instead of the hardcoded 'Contribute to ThunderID'.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0081ca0e-d774-4c59-8583-9133e4a2ef14

📥 Commits

Reviewing files that changed from the base of the PR and between 31e4a5e and 49d4bfd.

📒 Files selected for processing (5)

• docs/content/guides/guides/organization-units.mdx
• docs/content/guides/guides/users/manage-groups.mdx
• docs/content/guides/guides/users/manage-users.mdx
• docs/content/guides/guides/users/roles.mdx
• docs/sidebars.ts

✅ Files skipped from review due to trivial changes (2)

• docs/content/guides/guides/users/roles.mdx
• docs/content/guides/guides/organization-units.mdx

[coderabbitai]

🧹 Nitpick comments (1)

docs/sidebars.ts (1)

577-577: ⚡ Quick win

Replace hardcoded ThunderID brand literal with config-derived value.

Is this hardcoded brand name intentional? If not, avoid the raw string and read the product name from config (in React surfaces via useConfig, and in this file via the existing product config object), e.g.:
label: \Contribute to ${productConfig.project.name}``.

As per coding guidelines, "**/*.ts: Scan for hardcoded occurrences of the string literals Thunder or ThunderID in this file... If it can be replaced, suggest reading the value from the app's config system using the useConfig hook."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/sidebars.ts` at line 577, The sidebar entry uses a hardcoded brand
literal "ThunderID"; replace that raw string with the project name from the
existing product config instead of hardcoding — update the label for the doc
entry (the object with type 'doc' and id 'community/contributing/overview') to
build the label using the product config (e.g. via productConfig.project.name as
used elsewhere in this file) so the text reads "Contribute to <product name>"
dynamically; ensure you import or reference the existing productConfig symbol
already present in docs/sidebars.ts rather than adding a new hardcoded string.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/sidebars.ts`:
- Line 577: The sidebar entry uses a hardcoded brand literal "ThunderID";
replace that raw string with the project name from the existing product config
instead of hardcoding — update the label for the doc entry (the object with type
'doc' and id 'community/contributing/overview') to build the label using the
product config (e.g. via productConfig.project.name as used elsewhere in this
file) so the text reads "Contribute to <product name>" dynamically; ensure you
import or reference the existing productConfig symbol already present in
docs/sidebars.ts rather than adding a new hardcoded string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 609c4a75-40d0-43f1-88e0-db3499323c29

📥 Commits

Reviewing files that changed from the base of the PR and between 1fc4ff9 and 7446080.

📒 Files selected for processing (5)

• docs/content/guides/guides/organization-units.mdx
• docs/content/guides/guides/users/manage-groups.mdx
• docs/content/guides/guides/users/manage-users.mdx
• docs/content/guides/guides/users/roles.mdx
• docs/sidebars.ts

✅ Files skipped from review due to trivial changes (4)

• docs/content/guides/guides/users/roles.mdx
• docs/content/guides/guides/users/manage-users.mdx
• docs/content/guides/guides/users/manage-groups.mdx
• docs/content/guides/guides/organization-units.mdx

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/content/guides/guides/users/manage-roles.mdx`:
- Line 94: The docs incorrectly mark the `permissions` field as required; update
the guide so `permissions` is optional to match the API contract for
CreateRoleRequest which only requires `name` and `ouId`. Locate the table row
referencing `permissions` in the manage-roles.mdx content and change the "Yes" /
required indicator to "No" or "Optional", and ensure any surrounding explanatory
text mentions that `permissions` may be omitted when creating a role per the
CreateRoleRequest schema (required: `name`, `ouId`).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b5c806b0-7bb7-45bf-b9cf-5951a2ccf072

📥 Commits

Reviewing files that changed from the base of the PR and between 7446080 and 667104f.

📒 Files selected for processing (5)

• docs/content/guides/guides/organization-units.mdx
• docs/content/guides/guides/users/manage-groups.mdx
• docs/content/guides/guides/users/manage-roles.mdx
• docs/content/guides/guides/users/manage-users.mdx
• docs/sidebars.ts

✅ Files skipped from review due to trivial changes (3)

• docs/content/guides/guides/organization-units.mdx
• docs/content/guides/guides/users/manage-groups.mdx
• docs/content/guides/guides/users/manage-users.mdx

[ThaminduDilshan]

Should this be in feature Docs? IIRC we have written current docs building experience around console try out. So listing and filtering should explain what's their in console.

API details will be there in API reference Docs.

Let's verify and modify this accordingly

[ThaminduDilshan]

Same as previous comment

[ThaminduDilshan]

IMO this shouldn't be here. We should have self service management documented in a different location/ page.

@himeshsiriwardana WDYT?

[ThaminduDilshan]

Let's verify this is needed for feature docs. Ideally they can refer API docs for the API paths.

Applicable for all sections with API cURL commands. Current feature docs experience is built around console IIRC

[ThaminduDilshan]

Better to have this in a separate catalog or API docs

[ThaminduDilshan]

Shall we also check guides/users/user-type-reference/. Following statement and customer user type seems to be incorrect for the latest version.

"ThunderID includes two default user types with pre-defined schemas. "