From 352f6ab432c7979a74b4a671e367271e8a52b683 Mon Sep 17 00:00:00 2001 From: netdatabot <43409846+netdatabot@users.noreply.github.com> Date: Tue, 16 Jun 2026 20:44:35 +0000 Subject: [PATCH] Ingest new documentation --- .../Secrets Management/Secrets Management.mdx | 20 ++++++++++++++-- .../Dynamic Configuration Manager.mdx | 24 +++++++++++++++++-- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/docs/Collecting Metrics/Secrets Management/Secrets Management.mdx b/docs/Collecting Metrics/Secrets Management/Secrets Management.mdx index 7b49f6d3ac..03139fea68 100644 --- a/docs/Collecting Metrics/Secrets Management/Secrets Management.mdx +++ b/docs/Collecting Metrics/Secrets Management/Secrets Management.mdx @@ -19,7 +19,7 @@ Netdata lets you reference secret values in collector configs instead of storing ### Jump To -[Resolver Quick Reference](#resolver-quick-reference) • [Choosing a Resolver](#choosing-a-resolver) • [Environment Variables](#environment-variables) • [Files](#files) • [Commands](#commands) • [Secretstores](#secretstores) • [Supported Secretstore Backends](#supported-secretstore-backends) • [How It Works](#how-it-works) • [Troubleshooting](#troubleshooting) +[Resolver Quick Reference](#resolver-quick-reference) • [Choosing a Resolver](#choosing-a-resolver) • [Environment Variables](#environment-variables) • [Files](#files) • [Commands](#commands) • [Encoding Values for URIs](#encoding-values-for-uris) • [Secretstores](#secretstores) • [Supported Secretstore Backends](#supported-secretstore-backends) • [How It Works](#how-it-works) • [Troubleshooting](#troubleshooting) ## Resolver Quick Reference 
@@ -37,6 +37,7 @@ Netdata lets you reference secret values in collector configs instead of storing - Use `${cmd:...}` when you need dynamic secret retrieval via a trusted local command, such as 1Password CLI or a custom script. - Use `${store:...}` when your organization manages secrets centrally in a cloud provider or Vault and you want Netdata to pull from that source directly. - You can use different resolver types across different collectors, different jobs within the same collector, or even within the same configuration value. See [Mixing resolver types](#mixing-resolver-types). +- When you embed a secret inside a URI or DSN, append `+urienc` to the reference scheme to percent-encode the resolved value. See [Encoding values for URIs](#encoding-values-for-uris). ## Environment Variables 
@@ -82,6 +83,20 @@ jobs: - Netdata uses a 10-second timeout for command resolvers. - Netdata trims leading and trailing whitespace from stdout and ignores stderr. +## Encoding Values for URIs + +When a resolved secret is embedded inside a URI or DSN, characters such as `/`, `:`, `@`, or `+` can break parsing. Append `+urienc` to the reference scheme to percent-encode the resolved value so it is safe in any URI component. It works with every resolver: `${env+urienc:...}`, `${file+urienc:...}`, `${cmd+urienc:...}`, and `${store+urienc:...}`. + +```yaml +jobs: + - name: postgres_remote + dsn: "postgresql://postgres:${store+urienc:vault:vault_prod:secret/data/netdata/pg#password}@db.example.com:5432/postgres" +``` + +- Encoding is opt-in. Without `+urienc`, the resolved value is used exactly as stored. +- Every character outside the RFC 3986 unreserved set (`A-Za-z0-9` and `-` `.` `_` `~`) is percent-encoded. +- Use `+urienc` only for a value that is a single URI component, such as a password. Applying it to a plain field, or to a value that is already a complete URL, leaves stray percent-encoded text. + ## Secretstores Use secretstores when you want Netdata collectors to fetch secrets from remote backends at runtime instead of storing them locally in collector configs. @@ -160,7 +175,7 @@ jobs: dsn: "${env:MYSQL_USER}:${store:vault:vault_prod:secret/data/netdata/mysql#password}@tcp(127.0.0.1:3306)/" ``` -Different jobs within the same collector config file can also use different resolver types. +Different jobs within the same collector config file can also use different resolver types. When a secretstore value is embedded inside a URI or DSN, append `+urienc` to the scheme (`${store+urienc:::}`) to percent-encode it. See [Encoding values for URIs](#encoding-values-for-uris). ## Supported Secretstore Backends 
@@ -204,3 +219,4 @@ Representative error patterns: - `${file:relative/path}`: file path must be absolute - `${cmd:echo hello}`: command path must be absolute - `${cmd:/path/to/slow-command}`: command timed out after 10s +- `${env+foo:VAR_NAME}`: unknown modifier 'foo' diff --git a/docs/Netdata Agent/Configuration/Dynamic Configuration Manager.mdx b/docs/Netdata Agent/Configuration/Dynamic Configuration Manager.mdx index d4834ced85..5feb3de1ba 100644 --- a/docs/Netdata Agent/Configuration/Dynamic Configuration Manager.mdx +++ b/docs/Netdata Agent/Configuration/Dynamic Configuration Manager.mdx @@ -14,7 +14,7 @@ slug: "/netdata-agent/configuration/dynamic-configuration-manager" :::important -Netdata Cloud paid plan is required. +Netdata Cloud paid plan is required for creating, editing, testing, enabling, disabling, or removing configurations. On Community plans, you can still list configurable items. ::: 
@@ -303,8 +303,28 @@ In Netdata, HTTP 412 is used to indicate that an authorization bearer token was For more information, see [Secure Your Netdata Agent with Bearer Token Protection](/docs/netdata-agent/configuration/securing-agents/bearer-token-protection). +### Forbidden (HTTP 403) Error When Accessing Configuration Manager + +If you see **"forbidden"** (HTTP 403) when opening configuration details or creating, editing, testing, enabling, disabling, or removing configurations in the Configuration Manager, one of the following restrictions is blocking the action. + +:::important + +Only users with an **Admin** or **Manager** role on a **paid plan** can perform Dynamic Configuration actions beyond listing. Users without Dynamic Configuration permissions and all users on the Community plan will receive **"forbidden"** for those actions. + +::: + +**Common causes:** + +1. **Insufficient role** — Only Admin and Manager roles can perform Dynamic Configuration actions such as **View**, **Add**, **Update**, **Enable/Disable**, **Remove**, and **Test**. Troubleshooters, Observers, and Billing users can still use **List All**, but they will receive **"forbidden"** for actions beyond listing. +2. **Community (free) plan limitation** — A paid plan is required for all Dynamic Configuration Manager actions except **List All**. Users on the Community plan will see **"forbidden"** when attempting any action beyond listing. + +**Resolution steps:** + +1. **Check your assigned role**: Go to **Space Settings → Users** and verify your role. If you are not an Admin or Manager, ask a Space Admin to upgrade your role. See the [Role-Based Access Model documentation](/docs/netdata-cloud/authentication-&-authorization/role-based-access-model) for the full permissions table. +2. **Verify your subscription plan**: If you are on the Community plan, [upgrade to a paid plan](https://www.netdata.cloud/pricing/) or ask a Space Admin to do so. 
A paid plan is required for all Dynamic Configuration actions except **List All**. + --- Experience the efficiency and power of the Dynamic Configuration Manager in Netdata today. Whether you're managing a handful of nodes or a vast infrastructure, this feature will make your monitoring and alerting tasks smoother and more intuitive. -Developing with dynamic configuration? [Click here](https://learn.netdata.cloud/docs/developer-and-contributor-corner/dynamic-configuration/). +[Read more](/docs/developer-and-contributor-corner/dynamic-configuration) on developing with dynamic configuration.
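Review bot: In the new "Encoding Values for URIs" section of Secrets Management.mdx (hunk @@ -82,6 +83,20 @@), the opening sentence offers `+urienc` for "a URI or DSN", while the last bullet restricts it to "a single URI component", so a DSN that is not written as a URI is left ambiguous. Percent-encoding only round-trips when the consumer percent-decodes that component. Suggest stating this directly (for example, "use it only where the value is parsed as a URI") and saying what to do for connection strings that are not URIs, where the encoded text would be used literally as the password.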
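Review bot: In the sentence added after the mixing-resolvers example (Secrets Management.mdx, hunk @@ -160,7 +175,7 @@), the reference is written as `${store+urienc:::}`, which has three empty fields and reads as if its placeholders were lost. Suggest spelling the fields out or reusing the full reference from the new section, `${store+urienc:vault:vault_prod:secret/data/netdata/pg#password}`. The sentence also sits directly under a DSN of the form `...@tcp(127.0.0.1:3306)/`, which is not a URI, so it should say whether `+urienc` is meant for that example or only for URI-style DSNs.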
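Review bot: The new troubleshooting entry `${env+foo:VAR_NAME}`: unknown modifier 'foo' (Secrets Management.mdx, hunk @@ -204,3 +219,4 @@) uses the term "modifier", but the "Encoding Values for URIs" section never introduces it and only says "append `+urienc` to the reference scheme". Suggest naming `+urienc` as a modifier in that section and stating that it is the only one described, so a reader who hits this error can tell which part of the reference is being rejected.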
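Review bot: The reworded `:::important` note at the top of Dynamic Configuration Manager.mdx (hunk @@ -14,7 +14,7 @@) lists creating, editing, testing, enabling, disabling and removing as paid-plan actions but omits viewing, while the new 403 section says opening configuration details and **View** are also refused beyond **List All**. Suggest adding "viewing" to the list, or using the same wording in both places ("all actions except List All"), so the two statements of the access rule agree.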
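Review bot: In the new "Forbidden (HTTP 403)" section (Dynamic Configuration Manager.mdx, hunk @@ -303,8 +303,28 @@), resolution step 2 ends with "A paid plan is required for all Dynamic Configuration actions except **List All**.", which repeats cause 2 and the `:::important` box almost word for word; suggest dropping that trailing sentence. The intro says "one of the following restrictions is blocking the action", yet the `:::important` box requires the role and the paid plan together, so "one or both" would be more accurate. Resolution step 1 could also say that Manager is sufficient, rather than the open-ended "upgrade your role", so readers request the lower of the two roles that the section says are allowed.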