New feature: (API): Admin setup for user key creation and access

src/content/docs/apis/intro-apis/new-relic-api-keys.mdx

@@ -67,7 +67,7 @@ To get started with API keys:
 
       <th>
         <DNT>
-          **To view and manage**
+          **To manage**
         </DNT>
       </th>
 
@@ -160,12 +160,14 @@ To get started with API keys:
 
 ## View and manage API keys [#keys-ui]
 
-You can manage most API keys from the [API Keys UI page](https://one.newrelic.com/api-keys) located in the [user menu](/docs/accounts/accounts-billing/general-account-settings/intro-account-settings/#user-menu) when you click <DNT>**API keys**</DNT>.
-You can also [use NerdGraph to manage keys](/docs/apis/nerdgraph/examples/use-nerdgraph-manage-license-keys-user-keys)
+You can manage most API keys from the [API Keys UI page](https://one.newrelic.com/api-keys) or [NerdGraph](/docs/apis/nerdgraph/examples/use-nerdgraph-manage-license-keys-user-keys)
 
-During the key creation process, we temporarily provide you with the entire key. However, once the key is created, only the first 8 characters are displayed in the API Keys UI.
+The complete key is visible only during the key creation process. After the key is created, only the first 8 characters are displayed in the API Keys UI. To access the full key after creation:
+1. Go to the [API keys UI](https://one.newrelic.com/launcher/api-keys-ui.api-keys-launcher).
+2. From the <Icon name="fe-more-horizontal"/> menu, copy the key ID.
+3. [Query the key from NerdGraph](/docs/apis/nerdgraph/examples/use-nerdgraph-manage-license-keys-user-keys/#query-keys) using the ID.
 
-If you need to retrieve the full key after creation, click the ellipses in the API Keys UI, copy the key ID, and [use NerdGraph to query for the full key.](/docs/apis/nerdgraph/examples/use-nerdgraph-manage-license-keys-user-keys/#query-keys).
+To enable admin users to generate and view user keys for other users, refer [Admin setup for user key creation and access](/docs/apis/nerdgraph/examples/manage-user-keys).
 
 ## Recommendations for managing API keys [#security-practices]
 
@@ -475,7 +477,9 @@ To create or manage API keys, use the UI at [one.newrelic.com/launcher/api-keys-
 
     Even though they provide a user access to multiple accounts, user keys are linked to a single specific account: the account they were created from. The significance of this is that if an account is deleted, any user keys associated with that account will no longer work. (Also, for our REST APIs, calls are limited to the account associated with that user key.)
 
-    To prevent a user from viewing or managing user keys, assign them a role without those permissions: [original user model](/docs/accounts/original-accounts-billing/original-users-roles/users-roles-original-user-model#add-on) \| [newer user model](/docs/accounts/accounts-billing/new-relic-one-user-management/user-permissions).
+    To prevent a user from managing user keys, assign them a role without those permissions: [original user model](/docs/accounts/original-accounts-billing/original-users-roles/users-roles-original-user-model#add-on) \| [newer user model](/docs/accounts/accounts-billing/new-relic-one-user-management/user-permissions).
+
+    As an <DNT>**[Authentication Domain Manager](/docs/accounts/accounts-billing/new-relic-one-user-management/authentication-domains-saml-sso-scim-more)**</DNT> you can grant permssion to an admin user to create and manage user keys for other users. For more details, refer [Create user keys for other users](/docs/apis/nerdgraph/examples/manage-user-keys).
   </Collapser>
 </CollapserGroup>
 

src/content/docs/apis/nerdgraph/examples/manage-user-keys.mdx

@@ -0,0 +1,113 @@
+---
+title: Create user keys for other users
+tags:
+  - Admin setup for user key creation and access
+  - API keys
+  - API key management
+  - API key creation
+  - API key access
+  - API key security
+  - API key permissions
+  - User key management
+  - API key manager role
+translate:
+  - jp
+metaDescription: 'Role configuration for admins to create and access user keys using NerdGraph.'
+redirects:
+freshnessValidatedDate: never
+---
+Admin users create user keys for others using NerdGraph to support automation, ensure governance compliance, and facilitate provisioning processes. To view the full user key upon creation, admin users must be enrolled in a special role that permits reading the key only at creation time.
+
+As an <DNT>**[Authentication Domain Manager](/docs/accounts/accounts-billing/new-relic-one-user-management/authentication-domains-saml-sso-scim-more)**</DNT>, you can configure this role for the admin in the following two ways:
+
+<Tabs>
+  <TabsBar>
+    <TabsBarItem id="using-ui">Configure from the <DNT>**Access Management**</DNT> page</TabsBarItem>
+    <TabsBarItem id="using-nerdgraph">Configure using NerdGraph</TabsBarItem>
+  </TabsBar>
+  <TabsPages>
+    <TabsPageItem id="using-ui">
+      Configure the role for admin users from the <DNT>**Access Management**</DNT> page as follows:
+        1. Navigate to **[New Relic Administration](https://one.newrelic.com/admin-portal) > Access Management > Groups**.
+        2. For an existing admin group, from the <Icon name="fe-more-horizontal"/> menu, select <DNT>**Manage group access**</DNT>. Alternatively, click <DNT>**Create new group**</DNT> and follow the on-screen instructions to assign a name to the new group, and add admin users as members.
+        3. To grant permission for users in the group to read other users' keys on creation, under <DNT>**Administrative settings**</DNT>, select <DNT>**organization.read.other_users_api_keys**</DNT>.
+    </TabsPageItem>
+    <TabsPageItem id="using-nerdgraph">
+    You can use [NerdGraph API](/docs/apis/nerdgraph/get-started/introduction-new-relic-nerdgraph) to configure the role for admin users as follows. To understand how to manage user groups and its requirements, refer [NerdGraph tutorial: Manage user groups](/docs/apis/nerdgraph/examples/nerdgraph-manage-groups).
+
+    1. Go to <DNT>[one.newrelic.com > All capabilities > Apps > NerdGraph API explorer](https://one.newrelic.com/nerdgraph-graphiql)</DNT>.
+    2. To access <DNT>**Query Builder**</DNT>, submit your [user key](/docs/apis/intro-apis/new-relic-api-keys/#user-key). You can create a new key from the [API Key UI](https://one.newrelic.com/api-keys).
+    3. [Query for the existing user group](/docs/apis/nerdgraph/examples/nerdgraph-manage-groups/#query-groups) where admin users are already members, or [create a new group](/docs/apis/nerdgraph/examples/nerdgraph-manage-groups/#create-group). Save the group ID for later use.
+    4. If you have created a new group, [add admin users to the group](/docs/apis/nerdgraph/examples/nerdgraph-manage-groups/#add-users).
+    5. To fetch your organization ID, run the following query:
+        ```graphql
+        {
+          actor {
+            organization {
+              id
+              name
+            }
+          }
+        }
+        ```
+        Save the organization ID for later use.
+    6. To create a new custom role that enables admins to read other users' keys, run the following mutation with the fetched organization ID, permission ID: `[12822]`, and a role name:
+        ```graphql
+          mutation {
+            customRoleCreate(
+              container: {id: "<your-org-id>", type: "organization"}
+              name: "API Key Manager"
+              permissionIds: [12822]
+              scope: "organization"
+            ) {
+              id
+            }
+          }
+        ```
+        Save the generated role ID for later use.
+
+    7. To add the custom role to the group, run the following mutation with the group ID and the generated role ID:
+        ```graphql
+        mutation {
+          authorizationManagementGrantAccess(
+            grantAccessOptions: {
+              organizationAccessGrants: { roleId: "<role-id>"},
+              groupId: "<group-id>"
+            }
+          ) {
+            roles {
+              id
+              name
+            }
+          }
+        }
+        ```
+        You can [query existing roles](/docs/apis/nerdgraph/examples/nerdgraph-manage-groups/#query-roles) for the group to verify the role assignment.
+    </TabsPageItem>
+  </TabsPages>
+</Tabs>
+
+After configuring the group, the admin users within the group can create and read user keys for other users using NerdGraph. As an admin with enabled role, run the following mutation with an account ID, name for the key, and user ID of a user to create the key.
+```graphql
+mutation {
+  apiAccessCreateKeys(
+    keys: {user: {
+        accountId: <account-id>, 
+        name: "API Manager created user key", 
+        userId: <user-id-of-user-to-create-key-for>
+        }
+    }
+  ) {
+    createdKeys {
+      id
+      key
+      name
+      obfuscatedKey
+      type
+    }
+  }
+}
+```
+In the response you can read the full key. This key is fully readable only at the time of creation. Refer to the [recommendations](/docs/apis/intro-apis/new-relic-api-keys/#security-practices) for managing the API keys securely.
+
+

src/nav/telemetry-data-platform.yml

@@ -122,6 +122,8 @@ pages:
                 path: /docs/apis/nerdgraph/examples/nerdgraph-manage-users
               - title: Manage user groups
                 path: /docs/apis/nerdgraph/examples/nerdgraph-manage-groups
+              - title: Create user keys for other users
+                path: /docs/apis/nerdgraph/examples/manage-user-keys
               - title: Manage tags
                 path: /docs/apis/nerdgraph/examples/nerdgraph-tagging-api-tutorial
               - title: Workloads