Chapter 1. What is User Access

The User Access feature is an implementation of role-based access control (RBAC) that controls user access to Red Hat Insights, cloud management services for Red Hat Enterprise Linux, and other services hosted at cloud.redhat.com. User Access is supported on cloud.redhat.com.

1.1. Who can use User Access

To view and manage User Access on cloud.redhat.com, you must be the Organization Administrator (org admin). This is because User Access requires user management capabilities that are designated from access.redhat.com and belong solely to the org admin.

1.2. How to use User Access

The User Access feature is based on managing roles rather than assigning permissions individually to specific users. In User Access, each role has a specific set of permissions. For example, one role might allow read permission for an application. Another role might allow write permission for an application.

You create groups that contain roles and, by extension, the permissions assigned to each role. You assign users to groups. This means each user in a group has the permissions of the roles in that group.

This might sound complicated, but by creating different groups and adding or removing roles for that group, you control the permissions allowed for that group. When you add users to a group, those users can perform all actions that are allowed for that group.

Red Hat provides a Default user access group for User Access. This default group contains many of the roles provided with User Access. The Default user access group also contains all authenticated users in your organization.

Red Hat provides a set of predefined roles. Depending on the application, the predefined roles for each supported application might have different permissions that are tailored to the application.

1.3. User Access and the Software as a Service (SaaS) access model

Red Hat customer accounts might have hundreds of authenticated users, yet not all users need the same level of access to the SaaS services available on cloud.redhat.com. With the User Access features, the org admin can manage user access to services hosted on cloud.redhat.com.

Some of the cloud.redhat.com services supported by User Access to which your account is subscribed or entitled include the following:

  • Red Hat Insights
  • Vulnerability
  • Compliance
  • Drift
  • Cost Management

    Note

    User Access is available for other services hosted at cloud.redhat.com.

1.3.1. The Default user access group

The Default user access group is provided by Red Hat on cloud.redhat.com. It contains many of the predefined roles provided with User Access. The Default user access group also includes all authenticated users in your organization.

As an org admin, you can add roles to and remove roles from the Default user access group. Changes you make to the Default user access group affect all authenticated users in your organization.

When you change the Default user access group, the system no longer updates it with new predefined roles that might be available through cloud.redhat.com. The group name changes to Custom default user access, which indicates it was modified.

The Default user access group or Custom default user access group cannot be deleted. You can create new groups that use roles provided by Red Hat on cloud.redhat.com.

Note

If you change and save the Default user access group, its name changes to Custom default user access. You cannot revert or undo the name change. From that point forward, the org admin is responsible for all updates and changes to the group. The Custom default user access group is no longer managed or updated by cloud.redhat.com.

1.3.2. The User Access groups, roles, and permissions

Similar to RBAC, User Access uses the following categories to determine the level of user access that the org admin permits to the supported cloud.redhat.com services. The access provided to any authorized user depends on the group that the user belongs to and the roles assigned to that group.

  • Group: A collection of users belonging to an account, which provides the mapping of roles to users. The org admin can assign one or more roles to a group and include one or more users in a group. You can create a group with no roles and no users.
  • Role: A set of permissions that provide access to a given service, such as Insights. The permissions to perform certain operations are assigned to specific roles. Roles are assigned to groups. For example, you might have a read role and a write role for a service. Adding both roles to a group lets all members of that group read and write to that service.
  • Permission: A discrete action that can be requested of a service. Permissions are assigned to roles.

The org admin adds roles and users to groups and removes them from groups. The group can be a new group created by the org admin or an existing group. By creating a group that has one or more specific roles and then adding users to that group, you control how that group and its members interact with the cloud.redhat.com services.

When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to. The user interface lists users in the Members tab.

1.3.3. Additive access

User Access on cloud.redhat.com uses an additive model, which means that there are no deny roles. In other words, actions are only permitted. You control access by assigning the appropriate roles with the desired permissions to groups and then adding users to those groups. The access permitted to any individual user is the sum of all roles assigned to all groups to which that user belongs.

1.3.4. Access structure

The following points are a summary of the user access structure for User Access:

  • Group: A user can be a member of one or many groups.
  • Role: A role can be added to one or many groups.
  • Permissions: One or more permissions can be assigned to a role.

In its initial default configuration, all User Access account users inherit the roles that are provided in the Default user access group.

Note

Any user added to a group must be an authenticated user for the organization account on cloud.redhat.com.
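
The following is an added example, not Red Hat code and not the cloud.redhat.com API. It models the additive access and access structure described above to show how to audit a user's effective permissions and why removing one group membership does not revoke a permission that another group still grants. All user, group, role, and permission names except the Default user access group name are constructed for illustration.

```python
import copy

# Constructed sample data; these are not real cloud.redhat.com roles or permissions.
ROLES = {  # role -> permissions
    "vuln-reader": {"vulnerability:read"},
    "vuln-writer": {"vulnerability:write"},
    "cost-reader": {"cost-management:read"},
}
DEFAULT_GROUP = "Default user access"
AUTHENTICATED_USERS = {"alice", "bob", "carol"}
GROUPS = {  # group -> roles and explicitly added members
    DEFAULT_GROUP: {"roles": {"vuln-reader", "cost-reader"}, "members": set()},
    "Vuln triage": {"roles": {"vuln-reader", "vuln-writer"}, "members": {"alice", "bob"}},
    "Empty group": {"roles": set(), "members": set()},  # no roles, no users is valid
}


def groups_of(user, groups=GROUPS):
    """Groups the user belongs to. Only authenticated users can be in any group,
    and the default group implicitly contains all of them."""
    if user not in AUTHENTICATED_USERS:
        return set()
    return {g for g, d in groups.items() if user in d["members"]} | {DEFAULT_GROUP}


def effective_permissions(user, groups=GROUPS):
    """Additive model: union of the permissions of every role in every group."""
    perms = set()
    for group in groups_of(user, groups):
        for role in groups[group]["roles"]:
            perms |= ROLES[role]
    return perms


def granted_by(user, permission, groups=GROUPS):
    """Every (group, role) path that gives the user this permission."""
    return sorted((g, r) for g in groups_of(user, groups)
                  for r in groups[g]["roles"] if permission in ROLES[r])


def without_membership(user, group, groups=GROUPS):
    """Copy of the group table with the user removed from one group."""
    changed = copy.deepcopy(groups)
    changed[group]["members"].discard(user)
    return changed


if __name__ == "__main__":
    trimmed = without_membership("alice", "Vuln triage")
    print(granted_by("alice", "vulnerability:read"))
    print(sorted(effective_permissions("alice", trimmed)))
```

Because there are no deny roles, a permission is revoked only when every path reported by granted_by is removed, including any path through the Default user access group.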