User Access Configuration Guide for Red Hat Insights

Red Hat Insights 2020-04

Red Hat Customer Content Services

Abstract

This guide is for Red Hat Insights users who want to use the user access feature to configure role-based access control (RBAC) in Red Hat Insights, cloud management services for Red Hat Enterprise Linux (RHEL), and other services hosted at cloud.redhat.com.
Providing Feedback: If you have a suggestion to improve this documentation, or find an error, submit a Bugzilla report at http://bugzilla.redhat.com. Select the Cloud Software Services (cloud.redhat.com) product and use the Documentation component.

Chapter 1. What is user access

The user access feature is an implementation of role-based access control (RBAC) that controls user access to Red Hat Insights, cloud management services for Red Hat Enterprise Linux, and other services hosted at cloud.redhat.com. User access is supported on cloud.redhat.com.

1.1. Who can use user access

To view and manage user access on cloud.redhat.com, you must be the Organization Administrator (org admin). This is because user access requires user management capabilities that are designated from access.redhat.com and belong solely to the org admin.

1.2. How to use user access

The user access feature is based on managing roles rather than on assigning permissions individually to specific users. In user access, each role has a specific set of permissions. For example, one role might allow read access to an application and another role might allow write access to the same application.

You create groups that contain roles and, by extension, the permissions assigned to each role. You assign users to groups. This means each user in a group has the permissions of the roles in that group.

By creating different groups and adding or removing roles for each group, you control the permissions allowed for that group. When you add users to a group, those users can perform all actions that the group's roles allow.

Red Hat provides a Default user access group for user access. This default group contains many of the roles provided with user access. The Default user access group also contains all authenticated users in your organization.

Red Hat provides a set of predefined roles. Depending on the application, the predefined roles for each supported application might have different permissions that are tailored to the application.

1.3. User access and the Software as a Service (SaaS) access model

Red Hat customer accounts might have hundreds of authenticated users, yet not all users need the same level of access to the SaaS services available on cloud.redhat.com. With the user access features, the org admin can manage user access to services hosted on cloud.redhat.com.

Some of the cloud.redhat.com services supported by user access to which your account is subscribed or entitled include the following:

  • Insights
  • Cloud Management Services for RHEL

    • Vulnerability
    • Compliance
    • Drift

Note

User access is available for other services hosted at cloud.redhat.com.

1.3.1. The Default user access group

The Default user access group is provided by Red Hat on cloud.redhat.com. It contains many of the predefined roles provided with user access. The Default user access group also includes all authenticated users in your organization.

As an org admin, you can add roles to and remove roles from the Default user access group. Changes you make to the Default user access group affect all authenticated users in your organization.

When you change the Default user access group, the system no longer updates it with new predefined roles that might be available through cloud.redhat.com. The group name changes to Custom default user access, which indicates it was modified.

The Default user access group or Custom default user access group cannot be deleted. You can create new groups that use roles provided by Red Hat on cloud.redhat.com.

Note

If you change and save the Default user access group, its name changes to Custom default user access. You cannot revert or undo the name change. From that point forward, the org admin is responsible for all updates and changes to the group. The Custom default user access group is no longer managed or updated by cloud.redhat.com.

1.3.2. The user access groups, roles, and permissions

As in any RBAC system, user access uses the following categories to determine the level of access that the org admin permits to the supported cloud.redhat.com services. The access granted to any authenticated user depends on the groups that the user belongs to and the roles assigned to those groups.

  • Group: A collection of users belonging to an account. A group maps roles to users: the org admin assigns one or more roles to a group and includes one or more users in it. You can create a group with no roles and no users.
  • Roles: A set of permissions that provide access to a given service, such as Insights. The permissions to perform certain operations are assigned to specific roles. Roles are assigned to groups. For example, you might have a read role and a write role for a service. Adding both roles to a group lets all members of that group read and write to that service.
  • Permissions: A discrete action that can be requested of a service. Permissions are assigned to roles.

The org admin adds or deletes roles and users to groups. The group can be a new group created by the org admin or the group can be an existing group. By creating a group that has one or more specific roles and then adding users to that group, you control how that group and its members interact with the cloud.redhat.com services.

When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to. The user interface lists users in the Members tab.

1.3.3. Additive access

User access on cloud.redhat.com uses an additive model, which means that there are no deny roles. In other words, actions are only ever permitted, never forbidden. You control access by assigning roles with the desired permissions to groups and then adding users to those groups. The access permitted to any individual user is the union of all roles assigned to all groups to which that user belongs. Because nothing can subtract access, the only way to take a permission away from a user is to remove the role that grants it from every group the user belongs to, including the Default user access group.

1.3.4. Access structure

The user access structure is summarized as follows:

  • Group: A user can be a member of one or many groups.
  • Role: A role can be added to one or many groups.
  • Permissions: One or more permissions can be assigned to a role.

In its initial default configuration, all user access account users inherit the roles that are provided in the Default user access group.

Note

Any user added to a group must be an authenticated user for the organization account on cloud.redhat.com.

Chapter 2. Procedures for configuring user access

As the Organization Administrator (org admin), you can use Settings to view, configure, and modify the user access groups, roles, and permissions.

2.1. Viewing roles and permissions

You can view the roles and permissions for user access at cloud.redhat.com.

Prerequisites

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click on the User access tab to expand it.
  4. Click the Roles tab to display the user access roles. You can scroll through the list of all Roles.
  5. In the table, click either the role Name or the role Permissions to see details about the permissions assigned to the role. For example, if you click on the Insights administrator role, you see the following information.

    The asterisks (*) indicate that all resources and all operations are allowed in this role. A wildcard role such as Insights administrator is the broadest grant available for that service, so assign it to as few groups as possible.

2.2. Managing group access with roles and members

You can manage group access by creating a user access group and adding roles and users to the group. The roles and their permissions determine the type of access granted to all members of the group.

The Member tab shows all users that you can add to the group. When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to.

Prerequisite

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Click Create group.
  6. Follow the guided actions provided by the wizard to add users and roles.
  7. To grant additional group access, edit the group and add additional roles.

2.3. Restricting service access to a single user

You can create a new group that contains a single user and add a role to that group. The role you add provides the service access permissions you want that single user to have. If you add other users to the group, the added users will have the same group permissions.

The roles you add to the group must be from the predefined list of roles provided with user access. The current implementation of user access does not support creating new roles. For more information about predefined roles, see Chapter 3, Predefined user access roles.

Note

If you previously used RBAC to create roles that limit access to cost management resources, those roles appear in the list of available roles.

Any user you add to the new group also inherits the permissions of any other group that the user belongs to in addition to the permissions of the new group.

This procedure modifies the Default user access group. When you modify the Default user access group, its name changes to Custom default user access, and you cannot restore the original Default user access group. The Custom default user access group is not automatically updated with changes to the default roles pushed out by Red Hat. After you remove its roles, users have no access other than what their other groups grant, so make sure every user who still needs access belongs to a group that grants it.

Prerequisites

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Remove all roles from the Default user access group.

    Because all users in your organization belong to the Default user access group, you cannot add or remove single users in Default user access to create access control. By removing all roles, users do not inherit role permissions from Default user access.

  6. Save the changes to Default user access group. The name changes to Custom default user access.
  7. Create a new group that contains the users and roles for the allowed access permissions.

    For example, create a group Security Admin that contains the users who will have full access to Vulnerability services.

    1. Create a group Security Admin.
    2. Add one or several users to the group from the Members list.
    3. Add the Vulnerability administrator role.

      Each user you add to this group has full access to the Vulnerability service.

Note

If you want the org admin to have access, add the org admin user to the group.
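The additive resolution described in Section 1.3.3 and the restriction procedure in this section, as an added example that is not part of the original guide and is not Red Hat's code. It assumes permissions are written as application:resource:operation with * meaning all, consistent with the asterisks shown on the role detail page; the role names come from Chapter 3, and the users, the second group and the resource names are constructed for the example.

```python
# Added example: a model of the additive user access (RBAC) resolution in
# this guide. Not Red Hat code. Permission strings use the assumed form
# "application:resource:operation"; "*" in a segment means "all".
from dataclasses import dataclass, field

ALL_AUTHENTICATED = None  # marker: a group whose members are "everyone"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # e.g. frozenset({"vulnerability:*:*"})


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)  # role names
    members: set = None  # None = every authenticated user (Default group)


def permission_matches(granted: str, requested: str) -> bool:
    """A granted permission covers a request when every segment is equal or '*'."""
    g, r = granted.split(":"), requested.split(":")
    if len(g) != 3 or len(r) != 3 or "*" in r:
        raise ValueError("use app:resource:operation; requests must be concrete")
    return all(gs == "*" or gs == rs for gs, rs in zip(g, r))


class UserAccess:
    def __init__(self, org_users, roles, groups):
        self.org_users = set(org_users)  # authenticated users of the org
        self.roles = {r.name: r for r in roles}
        self.groups = {g.name: g for g in groups}

    def add_member(self, group_name, user):
        group = self.groups[group_name]
        if group.members is ALL_AUTHENTICATED:
            raise ValueError("the Default group holds all authenticated users; "
                             "edit its roles, not its members")
        if user not in self.org_users:
            raise ValueError(f"{user} is not an authenticated user of this org")
        group.members.add(user)

    def groups_of(self, user):
        return [g for g in self.groups.values()
                if g.members is ALL_AUTHENTICATED or user in g.members]

    def effective_permissions(self, user):
        """Additive model: union of every role in every group of the user."""
        if user not in self.org_users:
            return set()
        perms = set()
        for g in self.groups_of(user):
            for role_name in g.roles:
                perms |= self.roles[role_name].permissions
        return perms

    def is_allowed(self, user, requested):
        return any(permission_matches(p, requested)
                   for p in self.effective_permissions(user))

    def restrict_to_group(self, new_group, members, role_names):
        """Steps 5 to 7 of the procedure: empty the Default group (it becomes
        'Custom default user access') and grant the roles to a new group."""
        default = self.groups.pop("Default user access", None)
        if default is not None:
            default.roles.clear()
            default.name = "Custom default user access"
            self.groups[default.name] = default
        self.groups[new_group] = Group(new_group, roles=set(role_names),
                                       members=set())
        for user in members:
            self.add_member(new_group, user)


def build_demo():
    """Constructed sample organization (not real data)."""
    roles = [
        Role("Vulnerability administrator", frozenset({"vulnerability:*:*"})),
        Role("Compliance administrator", frozenset({"compliance:*:*"})),
    ]
    default = Group("Default user access",
                    roles={"Vulnerability administrator",
                           "Compliance administrator"},
                    members=ALL_AUTHENTICATED)
    return UserAccess(org_users={"alice", "bob"}, roles=roles, groups=[default])


if __name__ == "__main__":
    ua = build_demo()
    req = "vulnerability:vulnerability_results:read"  # constructed resource name
    print(ua.is_allowed("bob", req))    # True: the Default group grants everyone
    ua.restrict_to_group("Security Admin", members={"alice"},
                         role_names=["Vulnerability administrator"])
    print(ua.is_allowed("alice", req))  # True: member of Security Admin
    print(ua.is_allowed("bob", req))    # False: Custom default has no roles
```

The Default group's membership is modeled as "everyone", so the only lever on it is its role list, which is exactly why the procedure empties that list before building a narrower group. Adding alice to a second group only ever widens her effective permission set; nothing in the model, as in the product, can revoke what another group grants.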

2.4. Including the Org Admin in a group

You can include the Organization Administrator (org admin) in a group. Add the org admin user to a group if you want the org admin to have the roles assigned to that group. Being org admin grants user-management capabilities, not application roles: the org admin does not automatically inherit the roles for all cloud.redhat.com applications, and any role the org admin needs beyond those in the Default user access group must be assigned through group membership.

Note

This procedure assumes that you want to modify an existing group and add the org admin to the group. Alternatively, you can add the org admin to a group when you create a new group.

Prerequisites

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Click the group Name to display details about the group.
  6. On the group details page, click the Members tab to display a list of authorized users who are a member of the group.
  7. Click the Add member tab.
  8. On the Add members to the group page that appears, find the org admin user name and click the check box next to the name.

    For example, if the org admin user name is smith-jones, find that name and click the check box next to smith-jones. You can add additional names.

  9. Verify the name list is complete and click the Add to group action.

Notification pop-ups appear when the action successfully completes.

2.5. Disabling group access

You can disable group access by removing roles from a user access group. Because the roles and their permissions determine the access granted to the group, removing a role withdraws the access that role granted from every member of the group, unless another group they belong to also grants it.

Prerequisite

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Click the Group Name that you want to modify.
  6. Click the Roles tab.
  7. Click the check box next to the Name of each role that you want to remove.

    You can click the check box at the top of the Name column to select all roles.

  8. Click the more action menu (three stacked dots) that is next to the Add role tab and click Remove from group.
  9. In the confirmation window that appears, click either Remove role or Cancel to complete the action.

Groups can contain no roles and no members and still be a valid group.

Chapter 3. Predefined user access roles

The following table lists the predefined roles provided with user access. For more information about viewing predefined roles, see Section 2.1, “Viewing roles and permissions”.

Note

Predefined roles are updated and modified by Red Hat. The table might not contain all currently available predefined roles.

Table 3.1. Predefined roles provided with user access

Role name | Description
Approval Administrator | An Approval administrator role that grants create, read, update and destroy permissions.
Approval Approver | An Approval approver role that grants read and create permissions.
Approval User | An Approval user role that grants permissions to read and create a request.
Catalog Administrator | A Catalog administrator role that grants create, read, update, delete and order permissions.
Catalog User | A Catalog user role that grants read and order permissions.
Compliance administrator | Perform any available operation against any Compliance resource.
Cost Administrator | A cost management administrator role that grants read and write permissions.
Cost Cloud Viewer | A cost management role that grants read permissions on cost reports related to cloud sources.
Cost OpenShift Viewer | A cost management role that grants read permissions on cost reports related to OpenShift sources.
Cost Price List Administrator | A cost management role that grants read and write permissions on price list rates.
Drift analysis administrator | Perform any available operation against any Drift Analysis resource.
Insights administrator | Perform any available operation against any Insights resource.
Patch administrator | Perform any available operation against any Patch resource.
Remediations user | Perform create, view, update, delete operations against any Remediations resource.
Vulnerability administrator | Perform any available operation against any Vulnerability resource.

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.