Update security instructions for API-M web portals #11249

Open
Rami2212 wants to merge 1 commit into wso2:master from Rami2212:fix-issue-11239-update-security-instructions
@Rami2212

Remove unsupported Management Console access control configuration

Summary

Removed the documentation for restricting access to the Management Console via [admin_console.control_access] configuration, as this feature is no longer supported at the product level.

Problem

The following configuration was documented under the Restricting access to web portals section of the Securing Web Portals page:

[admin_console.control_access]
enable = true
allow = ["IP1", "IP2", "IP3"]

This configuration is no longer functional at the product level, making the documentation misleading and potentially causing confusion for users who attempt to use it.

Changes

  • Removed the bullet point describing how to restrict access to only the Management Console using [admin_console.control_access] in deployment.toml.
  • Removed the associated note explaining the IP allowlist behavior for the Management Console.
  • Updated the introductory sentence of the Restricting access to web portals section to remove the reference to the now-unsupported Management Console-only restriction option.

Affected Pages

| Page | Version |
| --- | --- |
| Securing Web Portals | All |

Type of Change

  • Documentation removal (removing unsupported/incorrect content)

Additional Notes

The remaining access restriction options — controlling access to all web applications via [web_app.control_access] and restricting access to specific servlets via [[servlet_access_control_filter]] — are unaffected and remain documented as before.
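
A check for deployments that still carry the removed block, as an added example that is not part of this PR or of the WSO2 code base. It assumes a `deployment.toml` read as text and only tests whether the table names mentioned above are present; the function names and the sample input are constructed for illustration.

```python
import re

# Table names as written in the PR description; only their presence is checked (assumption).
UNSUPPORTED = "admin_console.control_access"
SUPPORTED = ("web_app.control_access", "servlet_access_control_filter")
HEADER = re.compile(r"^\s*\[{1,2}\s*([\w.\-]+)\s*\]{1,2}\s*(?:#.*)?$")
ENABLE = re.compile(r"^\s*enable\s*=\s*(true|false)\b")


def scan_tables(text):
    """Map each TOML table name to its first line number and `enable` value."""
    tables, current = {}, None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings do not count
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            tables.setdefault(current, {"line": lineno, "enable": None})
            continue
        flag = ENABLE.match(line)
        if flag and current is not None:
            tables[current]["enable"] = flag.group(1) == "true"
    return tables


def audit(text):
    """Return findings for a config that still relies on the removed allowlist."""
    tables = scan_tables(text)
    stale = tables.get(UNSUPPORTED)
    if stale is None or stale["enable"] is False:
        return []
    findings = [f"line {stale['line']}: [{UNSUPPORTED}] is set but not enforced"]
    if not any(name in tables for name in SUPPORTED):
        findings.append("no supported access-control table found")
    return findings


# Constructed samples, not from a real deployment; MIGRATED leaves the new table's keys out.
STALE_ONLY = """\
[server]
hostname = "localhost"
[admin_console.control_access]
enable = true
allow = ["IP1", "IP2", "IP3"]
"""
MIGRATED = STALE_ONLY + "\n[web_app.control_access]\n"

print(audit(STALE_ONLY))
```
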

Removed detailed instructions for restricting access to the management console and added a note about controlling access to all web applications.
@Rami2212 Rami2212 requested a review from tharikaGitHub as a code owner April 25, 2026 10:24
Copilot AI review requested due to automatic review settings April 25, 2026 10:24
@Rami2212 Rami2212 requested a review from chamilaadhi as a code owner April 25, 2026 10:24
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai Bot commented Apr 25, 2026

📝 Walkthrough

Documentation Update: Web Portal Access Control

This PR updates the "Securing Web Portals" documentation by removing references to an unsupported configuration option for restricting Management Console access.

Changes Made

  • Removed unsupported configuration: Deleted documentation for the [admin_console.control_access] configuration block, which is no longer functional at the product level
  • Removed associated guidance: Removed explanatory notes regarding Management Console-specific IP allowlist behavior
  • Updated section introduction: Revised the opening sentence of the "Restricting access to web portals" section to remove the "either/or" framing that previously referenced the Management Console-only access restriction option

What Remains Unchanged

The documentation continues to cover the two supported methods for controlling web application access:

  • [web_app.control_access] - for restricting access across all web applications
  • [[servlet_access_control_filter]] - for restricting access to specific servlets within web applications

Affected file: en/docs/install-and-setup/setup/security/securing-api-m-web-portals.md

Lines changed: +1/-18

Walkthrough

The pull request updates the security documentation for API and web portals by removing references to the standalone management console access-control configuration ([admin_console.control_access]). The section now focuses solely on the web application access-control configuration approach ([web_app.control_access]), and the introductory text is revised to reflect this consolidated guidance. The net change removes 17 lines while adding 1 line of documentation content.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | The PR description is well-structured with clear problem statement, changes, and scope, but does not follow the repository's required template sections. | Align the description with the repository template by adding sections such as Purpose, Goals, Approach, Release note, and Documentation to ensure consistency with project standards. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main change: updating documentation for API-M web portal security by removing unsupported configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Copilot AI left a comment

Pull request overview

Removes outdated documentation from the “Securing Web portals” page that described restricting access to the Management Console via an unsupported [admin_console.control_access] configuration.

Changes:

  • Removed the [admin_console.control_access] deployment.toml example and its explanatory note from “Restricting access to web portals”.
  • Adjusted the introduction to the “Restricting access to web portals” section (but it still contains a misleading reference that needs follow-up).


<p>When you enable access control for the management console, only the IP addresses specified in the <code>allow</code> parameter will have access. All other IP addresses will be blocked. Make sure to include all IP addresses that require access to the management console in the whitelist.</p>
</div>
</html>
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
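
Review bot: the sentence kept at the end of this hunk gives operators who already have [admin_console.control_access] in deployment.toml no signal that the block has stopped working; the PR description calls it "no longer functional at the product level", yet the page drops it without a word. Add a short note next to this sentence stating that the setting is no longer functional and that IP restriction now has to come from [web_app.control_access] or [[servlet_access_control_filter]], so that nobody assumes an old allowlist still protects the Management Console.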

Copilot AI Apr 25, 2026

This introductory sentence still says access can be restricted to the management console by binding it to selected IPs, but the management-console-only mechanism ([admin_console.control_access]) was removed in this PR. As written, it’s misleading because the only remaining options shown are global web-app access control and per-servlet filtering. Reword this sentence to describe the supported mechanisms (restrict all web apps or specific servlet URLs), without implying a management-console-only binding option.

Suggested change
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
You can restrict access to the web portals of the API-M runtime either by allowing only selected IP addresses to access all web applications or by applying access control filters to specific servlet URLs, as explained below.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@en/docs/install-and-setup/setup/security/securing-api-m-web-portals.md`:
- Line 35: Reword the sentence that currently reads "You can restrict access to
the management console of the API-M runtime by binding the management console
with selected IP addresses." so it no longer implies a standalone
management-console-only IP-binding option; instead explicitly state that access
is controlled via the general web-portal IP-binding/configuration methods
described below (refer to the phrase "restrict access to all web portals" and
the subsequent configuration sections), e.g., replace the sentence with a clear
pointer that management console access is restricted using the same IP-binding
and portal configuration methods documented in the following sections.
📥 Commits

Reviewing files that changed from the base of the PR and between bcd2881 and 852d922.

📒 Files selected for processing (1)
  • en/docs/install-and-setup/setup/security/securing-api-m-web-portals.md

<p>When you enable access control for the management console, only the IP addresses specified in the <code>allow</code> parameter will have access. All other IP addresses will be blocked. Make sure to include all IP addresses that require access to the management console in the whitelist.</p>
</div>
</html>
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
⚠️ Potential issue | 🟡 Minor

Clarify Line 35 to avoid implying an unsupported console-only setting.

Line 35 still reads like there is a direct management-console IP-binding option. To align with the documented supported methods, rephrase to explicitly point to the configurations below.

Proposed wording update
-You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
+You can restrict access to API-M web portals, including management console endpoints, using the supported access-control configurations described below.
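
Review bot: the `+` line names no mechanism: "supported access-control configurations" leaves the reader to find them, and "including management console endpoints" can still be read as a console-specific option. Name the two settings that remain, [web_app.control_access] for all web applications and [[servlet_access_control_filter]] for specific servlets, as the PR description does.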

As per coding guidelines: "Provide concise, actionable feedback focused on correctness and best practices."

Suggested change
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
You can restrict access to API-M web portals, including management console endpoints, using the supported access-control configurations described below.
