Chapter 1. User Access Configuration Guide for Role-based Access Control (RBAC)
1.1. What is User Access
The User Access feature is an implementation of role-based access control (RBAC) that controls user access to various services hosted on the Red Hat Hybrid Cloud Console. You configure the User Access feature to grant user access to services hosted on Hybrid Cloud Console.
1.1.1. User Access and the Software as a Service (SaaS) access model
Red Hat customer accounts might have hundreds of authenticated users, yet not all users need the same level of access to the SaaS services available on Red Hat Hybrid Cloud Console. With the User Access features, an Organization Administrator can manage user access to services hosted on Red Hat Hybrid Cloud Console.
User Access does not manage OpenShift Cluster Manager permissions. For OpenShift Cluster Manager, all users in the organization can view information, but only an Organization Administrator and cluster owners can perform actions on clusters.
1.1.2. Who can use User Access
To initially view and manage User Access on Red Hat Hybrid Cloud Console, you must be an Organization Administrator. This is because User Access requires user management capabilities that are designated from the Red Hat Customer Portal. Those capabilities belong solely to the Organization Administrator.
The User Access administrator role is a special role that the Organization Administrator can assign. This role allows users who are not Organization Administrator users to manage User Access on Red Hat Hybrid Cloud Console.
1.1.3. How to use User Access
The User Access feature is based on managing roles rather than by assigning permissions individually to specific users. In User Access, each role has a specific set of permissions. For example, a role might allow read permission for an application. Another role might allow write permission for an application.
You create groups that contain roles and, by extension, the permissions assigned to each role. You assign users to groups. This means each user in a group is assigned the permissions of the roles in that group.
By creating different groups and adding or removing roles for that group, you control the permissions allowed for that group. When you add one or more users to a group, those users can perform all actions that are allowed for that group.
Red Hat provides two default access groups for User Access:
- Default admin access group. The Default admin access group is limited to Organization Administrator users in your organization. You cannot change or modify the roles in the Default admin access group.
- Default access group. The Default access group contains all authenticated users in your organization. These users automatically inherit a selection of predefined roles.
Red Hat provides a set of predefined roles. Depending on the application, the predefined roles for each supported application might have different permissions that are tailored to the application.
1.1.3.1. The Default admin access group
The Default admin access group is provided by Red Hat on Red Hat Hybrid Cloud Console. It contains a set of roles that are assigned to all users who have an Organization Administrator role on your system. The roles in this group are predefined in Red Hat Hybrid Cloud Console.
The roles in the Default admin access group cannot be added to or modified. Because this group is provided by Red Hat, it is automatically updated when Red Hat assigns roles to the Default admin access group.
The benefit of the Default admin access group is that it allows roles to be assigned automatically to Organization Administrators.
See Section 4.1, “Predefined User Access roles” for the roles that are included in the Default admin access group.
1.1.3.2. The Default access group
The Default access group is provided by Red Hat on Red Hat Hybrid Cloud Console. It contains a set of roles that are predefined in Red Hat Hybrid Cloud Console. The Default access group includes all authenticated users in your organization. One advantage of the Default access group is that it is automatically updated when Default access group roles are added in Red Hat Hybrid Cloud Console.
The Default access group contains a subset of all predefined roles. See Section 4.1, “Predefined User Access roles”.
As an Organization Administrator, you can add roles to and remove roles from the Default access group. Changes you make to the Default access group affect all authenticated users in your organization.
When you manually modify the Default access group, its name changes to Custom default access, which indicates it was modified. Moreover, it is no longer automatically updated from Red Hat Hybrid Cloud Console.
If you change and save the Default access group, its name changes to Custom default access. You cannot revert or undo the name change. From that point forward, an Organization Administrator is responsible for all updates and changes to the group. The Custom default access group is no longer managed or updated by Red Hat Hybrid Cloud Console.
The Default access group or Custom default access group cannot be deleted. You can create new access groups that use predefined roles, custom roles, or a combination of both.
1.1.3.3. The User Access groups, roles, and permissions
User Access uses the following categories to determine the level of user access that an Organization Administrator can grant to the supported Red Hat Hybrid Cloud Console services. The access provided to any authorized user depends on the group that the user belongs to and the roles assigned to that group.
- Group: A collection of users belonging to an account. The group provides the mapping of roles to users. An Organization Administrator can use groups to assign one or more roles to a group and to include one or more users in a group. You can create a group with no roles and no users.
- Roles: A set of permissions that provide access to a given service, such as Insights. The permissions to perform certain operations are assigned to specific roles. Roles are assigned to groups. For example, you might have a read role and a write role for a service. Adding both roles to a group grants all members of that group read and write permissions to that service.
- Permissions: A discrete action that can be requested of a service. Permissions are assigned to roles.
An Organization Administrator adds roles and users to groups, or removes them. The group can be a new group created by an Organization Administrator or an existing group. By creating a group that has one or more specific roles and then adding users to that group, you control how that group and its members interact with the Red Hat Hybrid Cloud Console services.
When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to. The user interface lists users in the Members tab.
1.1.3.4. Additive access
User access on Red Hat Hybrid Cloud Console uses an additive model, which means that there are no deny roles. In other words, actions are only permitted. You control access by assigning the appropriate roles with the desired permissions to groups then adding users to those groups. The access permitted to any individual user is a sum of all roles assigned to all groups to which that user belongs.
1.1.3.5. Access structure
The following points are a summary of the user access structure for User Access:
- Group: A user can be a member of one or many groups.
- Role: A role can be added to one or many groups.
- Permissions: One or more permissions can be assigned to a role.
In its initial default configuration, all User Access account users inherit the roles that are provided in the Default access group.
Any user added to a group must be an authenticated user for the organization account on Red Hat Hybrid Cloud Console.
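The following Python model is an added example, not Red Hat's code, that makes the rules of Section 1.1.3 concrete: two Red Hat-provided default groups, roles added to groups, members drawn only from authenticated users, additive (union, no deny) evaluation, and the rename to Custom default access when the Default access group is changed. The role names and "application:resource:verb" permission strings are constructed for illustration.

```python
"""Added example (not Red Hat's code): a model of the User Access rules in this
chapter. Role names and permission strings are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    roles: set[str] = field(default_factory=set)
    members: set[str] = field(default_factory=set)
    red_hat_managed: bool = False   # only the two default groups start as True

# Constructed catalogue of "predefined" roles -> permissions.
ROLES = {
    "Inventory viewer": {"inventory:hosts:read", "inventory:groups:read"},
    "Inventory admin": {"inventory:hosts:read", "inventory:hosts:write"},
    "User Access admin": {"rbac:*:*"},
}

def new_org(org_admins: set[str], users: set[str]) -> dict[str, Group]:
    """Initial state: Default admin access holds only Organization Administrators,
    Default access holds every authenticated user; both are updated by Red Hat."""
    return {
        "Default admin access": Group("Default admin access", {"User Access admin"}, set(org_admins), True),
        "Default access": Group("Default access", {"Inventory viewer"}, set(users), True),
    }

def add_role(groups: dict[str, Group], group_name: str, role: str) -> str:
    """Add a role to a group and return the group's (possibly renamed) name."""
    if group_name == "Default admin access":
        raise PermissionError("roles in the Default admin access group cannot be changed")
    group = groups.pop(group_name)
    if group.name == "Default access":
        # Saving any change renames the group, which cannot be reverted,
        # and ends automatic updates from Red Hat.
        group.name, group.red_hat_managed = "Custom default access", False
    group.roles.add(role)
    groups[group.name] = group
    return group.name

def add_member(groups: dict[str, Group], group_name: str, user: str, authenticated: set[str]) -> None:
    """Only authenticated users of the organization account can join a group."""
    if user not in authenticated:
        raise ValueError(f"{user} is not an authenticated user of this organization")
    groups[group_name].members.add(user)

def effective_permissions(groups: dict[str, Group], user: str) -> frozenset[str]:
    """Additive model: the union of every role in every group the user belongs to."""
    return frozenset(p for g in groups.values() if user in g.members
                     for r in g.roles for p in ROLES[r])
```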