Chapter 1. User Access Configuration Guide for Role-based Access Control (RBAC)
1.1. What is User Access
The User Access feature is an implementation of role-based access control (RBAC) that controls user access to various services hosted at cloud.redhat.com. You configure the User Access feature to grant or deny user access to services hosted on cloud.redhat.com.
1.1.1. User Access and the Software as a Service (SaaS) access model
Red Hat customer accounts might have hundreds of authenticated users, yet not all users need the same level of access to the SaaS services available on cloud.redhat.com. With the User Access feature, an org admin can manage user access to services hosted on cloud.redhat.com.
User Access does not manage OpenShift Cluster Manager permissions. For OpenShift Cluster Manager, all users in the organization can view information, but only an Organization Administrator and cluster owners can perform actions on clusters.
1.1.2. Who can use User Access
To view and manage User Access on cloud.redhat.com, you must be an Organization Administrator (org admin). This is because User Access requires user management capabilities that are designated from the Red Hat Customer Portal at access.redhat.com. Those capabilities belong solely to the org admin.
1.1.3. How to use User Access
The User Access feature is based on managing roles rather than assigning permissions individually to specific users. In User Access, each role has a specific set of permissions. For example, one role might allow read permission for an application. Another role might allow write permission for an application.
You create groups that contain roles and, by extension, the permissions assigned to each role. You assign users to groups. This means each user in a group is assigned the permissions of the roles in that group.
By creating different groups and adding or removing roles for that group, you control the permissions allowed for that group. When you add one or more users to a group, those users can perform all actions that are allowed for that group.
Red Hat provides a Default access group for User Access. The Default access group contains all authenticated users in your organization. These users automatically inherit a selection of predefined roles.
Red Hat provides a set of predefined roles. Depending on the application, the predefined roles for each supported application might have different permissions that are tailored to the application.
1.1.3.1. The Default access group
The Default access group is provided by Red Hat on cloud.redhat.com. It contains a set of roles that are predefined in cloud.redhat.com. The Default access group also includes all authenticated users in your organization. One advantage of the Default access group is that it is automatically updated when new or modified predefined roles become available from cloud.redhat.com.
As an org admin, you can add roles to and remove roles from the Default access group. Changes you make to the Default access group affect all authenticated users in your organization.
When you manually modify the Default access group, its name changes to Custom default access, which indicates it was modified. Moreover, it is no longer automatically updated from cloud.redhat.com.
If you change and save the Default access group, its name changes to Custom default access. You cannot revert or undo the name change. From that point forward, an org admin is responsible for all updates and changes to the group. The Custom default access group is no longer managed or updated by cloud.redhat.com.
The Default access group or Custom default access group cannot be deleted. You can create new access groups that use predefined roles, custom roles, or a combination of both.
1.1.3.2. The User Access groups, roles, and permissions
User Access uses the following categories to determine the level of user access that an org admin can grant to the supported cloud.redhat.com services. The access provided to any authorized user depends on the group that the user belongs to and the roles assigned to that group.
- Group: A collection of users belonging to an account which provides the mapping of roles to users. An org admin can use groups to assign one or more roles to a group and to include one or more users in a group. You can create a group with no roles and no users.
- Roles: A set of permissions that provide access to a given service, such as Insights. The permissions to perform certain operations are assigned to specific roles. Roles are assigned to groups. For example, you might have a read role and a write role for a service. Adding both roles to a group grants all members of that group read and write permissions to that service.
- Permissions: A discrete action that can be requested of a service. Permissions are assigned to roles.
An org admin adds roles and users to groups and removes them from groups. The group can be a new group created by an org admin or an existing group. By creating a group that has one or more specific roles and then adding users to that group, you control how that group and its members interact with the cloud.redhat.com services.
When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to. The user interface lists users in the Members tab.
1.1.3.3. Additive access
User access on cloud.redhat.com uses an additive model, which means that there are no deny roles. In other words, actions are only permitted. You control access by assigning the appropriate roles with the desired permissions to groups, and then adding users to those groups. The access permitted to any individual user is the sum of all roles assigned to all groups to which that user belongs.
1.1.3.4. Access structure
The following points are a summary of the user access structure for User Access:
- Group: A user can be a member of one or many groups.
- Role: A role can be added to one or many groups.
- Permissions: One or more permissions can be assigned to a role.
In its initial default configuration, all User Access account users inherit the roles that are provided in the Default access group.
Any user added to a group must be an authenticated user for the organization account on cloud.redhat.com.
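The additive model and the access structure described above can be worked through as a small resolver. This is an added example, not Red Hat code or the User Access API; the role, group, user, and permission names are constructed for illustration. It computes each user's effective permissions as the union over all groups and roles, and lists every group and role that grants a permission, which is what an org admin has to review when narrowing access, because no deny role can override a grant.

```python
from collections import defaultdict

# Constructed sample data: role, group, user and permission names are hypothetical.
ROLES = {
    "inventory-viewer": {"inventory:read"},
    "inventory-editor": {"inventory:read", "inventory:write"},
    "patch-admin": {"patch:read", "patch:write"},
}
GROUPS = {
    # The Default access group contains every authenticated user in the organization.
    "Default access": {"roles": {"inventory-viewer"}, "members": None},
    "ops": {"roles": {"inventory-editor", "patch-admin"}, "members": {"alice"}},
    "patching": {"roles": {"patch-admin"}, "members": {"alice", "bob"}},
}
USERS = {"alice", "bob", "carol"}  # authenticated users of the organization


def groups_of(user):
    """Groups a user belongs to; members=None means 'all authenticated users'."""
    if user not in USERS:
        return []  # only authenticated users of the organization can hold access
    return [g for g, d in GROUPS.items() if d["members"] is None or user in d["members"]]


def grant_paths(user):
    """Map each permission to every (group, role) pair that grants it."""
    paths = defaultdict(set)
    for group in groups_of(user):
        for role in GROUPS[group]["roles"]:
            for perm in ROLES[role]:
                paths[perm].add((group, role))
    return dict(paths)


def effective_permissions(user):
    """Additive model: the union of all granted permissions; nothing subtracts."""
    return set(grant_paths(user))


def still_granted_after_removal(user, group, perm):
    """True if perm survives removing the user from one group (another path grants it)."""
    return any(g != group for g, _ in grant_paths(user).get(perm, ()))


if __name__ == "__main__":
    for u in sorted(USERS):
        print(u, sorted(effective_permissions(u)))
    print(sorted(grant_paths("alice")["patch:write"]))
```

In this constructed data, removing alice from the ops group does not revoke patch:write, because the patching group grants the same role; every granting path has to be removed for the permission to go away.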