Chapter 2. Procedures for configuring User Access

As the Organization Administrator (org admin), you can click the configuration gear icon (Settings) to view, configure, and modify the User Access groups, roles, and permissions.

2.1. Viewing roles and permissions

You can view the roles and permissions for User Access at cloud.redhat.com.

Prerequisites

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click on the User access tab to expand it.
  4. Click the Roles tab to display the User Access roles. You can scroll through the list of all Roles.

    [Screenshot: rbac roles]
  5. In the table, click either the role Name or the role Permissions to see details about the permissions assigned to the role. For example, if you click on the Insights administrator role, you see the following information.

    [Screenshot: rbac permissions detail]

    The asterisks (*) indicate that all resources and all operations are allowed in this role.

2.2. Managing group access with roles and members

You can manage group access by creating a User Access group and adding roles and users to the group. The roles and their permissions determine the type of access granted to all members of the group.

The Member tab shows all users that you can add to the group. When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to.

Prerequisite

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Click Create group.
  6. Follow the guided actions provided by the wizard to add users and roles.
  7. To grant additional group access, edit the group and add additional roles.

2.3. Restricting service access to a single user

You can create a new group that contains a single user and add a role to that group. The role you add provides the service access permissions you want that single user to have. If you add other users to the group, the added users will have the same group permissions.

The roles you add to the group must be from the predefined list of roles provided with User Access. The current implementation of User Access does not support creating new roles. For more information about predefined roles, see Chapter 3, Predefined User Access roles.

Note

If you previously used RBAC to create roles that limit access to cost management resources, those roles appear in the list of available roles.

Any user you add to the new group also inherits the permissions of any other group that the user belongs to in addition to the permissions of the new group.

In this procedure you modify the Default user access group. When you modify the Default user access group its name changes to Custom default user access. You cannot restore the Default user access group. The Custom default user access group is not automatically updated with changes to the default roles pushed out by Red Hat.

Prerequisites

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Remove all roles from the Default user access group.

    Because all users in your organization belong to the Default user access group, you cannot add or remove single users in Default user access to create access control. By removing all roles, users do not inherit role permissions from Default user access.

  6. Save the changes to Default user access group. The name changes to Custom default user access.
  7. Create a new group that contains the users and roles for the allowed access permissions.

    For example, create a group Security Admin that contains the users who will have full access to Vulnerability services.

    1. Create a group Security Admin.
    2. Add one or several users to the group from the Members list.
    3. Add the Vulnerability administrator role.

      Each user you add to this group has full access to the Vulnerability service.

Note

If you want the org admin to have access, add the org admin user to the group.
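The effect of steps 5 to 7, and of the inheritance rule in the note before the procedure, as an added example (not Red Hat code): a local Python model that computes which users can reach a service before and after the default group is emptied. The `application:resource:operation` permission strings, the users alice and bob, the Insights team group, and the role placed on Default user access are assumptions made for illustration.

```python
# Added example: local model of User Access evaluation (not Red Hat code).
# Assumed permission syntax: application:resource:operation, "*" = all.
ROLES = {  # role names from the page; permission strings are constructed
    "Vulnerability administrator": {"vulnerability:*:*"},
    "Insights administrator": {"insights:*:*"},
}
USERS = ["smith-jones", "alice", "bob"]  # constructed; smith-jones is org admin


def effective_permissions(user, groups):
    """Union of the permissions of every role in every group the user is in."""
    perms = set()
    for group in groups.values():
        # The default group applies to all users in the organization.
        if group.get("all_users") or user in group["members"]:
            for role in group["roles"]:
                perms |= ROLES[role]
    return perms


def is_allowed(user, request, groups):
    """Match a request such as 'vulnerability:cve:read' against grants."""
    wanted = request.split(":")
    for perm in effective_permissions(user, groups):
        granted = perm.split(":")
        if len(granted) == len(wanted) and all(
            g in ("*", w) for g, w in zip(granted, wanted)
        ):
            return True
    return False


def who_can(request, groups):
    """Audit helper: every user whose group memberships allow the request."""
    return [u for u in USERS if is_allowed(u, request, groups)]


# Before (constructed): a role on Default user access reaches every user.
BEFORE = {
    "Default user access": {"all_users": True, "members": set(),
                            "roles": ["Vulnerability administrator"]},
}
# After steps 5-7: default group emptied, access granted only via Security Admin.
AFTER = {
    "Custom default user access": {"all_users": True, "members": set(), "roles": []},
    "Security Admin": {"members": {"alice"}, "roles": ["Vulnerability administrator"]},
    "Insights team": {"members": {"alice", "bob"}, "roles": ["Insights administrator"]},
}
```

Calling `who_can("vulnerability:cve:read", AFTER)` lists only the Security Admin members; the org admin is absent until added to the group, and alice still carries the permissions of her other group.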

2.4. Including the Org Admin in a group

You can include the Organization Administrator (org admin) in a group. You add the org admin user to a group if you want the org admin to have the roles assigned to that group. The org admin does not inherit all available roles for all cloud.redhat.com applications. Non-inherited roles must be assigned through group membership.

Note

This procedure assumes that you want to modify an existing group and add the org admin to the group. Alternatively, you can add the org admin to a group when you create a new group.

Prerequisites

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Click the group Name to display details about the group.
  6. On the group details page, click the Members tab to display a list of authorized users who are members of the group.
  7. Click the Add member tab.
  8. On the Add members to the group page that appears, find the org admin user name and click the check box next to the name.

    For example, if the org admin user name is smith-jones, find that name and click the check box next to smith-jones. You can add additional names.

  9. Verify the name list is complete and click the Add to group action.

Notification pop-ups appear when the action successfully completes.

2.5. Disabling group access

You can disable group access by removing roles from a User Access group. Because the roles and their permissions determine the type of access granted to the group, removing roles disables group access for that role.

Prerequisite

  • You must be the Organization Administrator (org admin).

Procedure

  1. Log in to your Red Hat organization account at cloud.redhat.com.
  2. Click the Settings icon (gear) to open the Settings page.
  3. On the Settings page, click the User access tab to expand it.
  4. Click the Groups tab to display the Groups page.
  5. Click the Group Name that you want to modify.
  6. Click the Roles tab.
  7. Click the check box next to the Name of each role that you want to remove.

    You can click the check box at the top of the Name column to select all roles.

  8. Click the more action menu (three stacked dots) that is next to the Add role tab and click Remove from group.
  9. In the confirmation window that appears, click either Remove role or Cancel to complete the action.

Groups can contain no roles and no members and still be a valid group.

2.6. Adding and modifying custom User Access roles

User Access provides a number of predefined roles that you can add to groups. (Predefined roles are also called default roles.) In addition to using the default roles, you can create and modify User Access roles.

Prerequisites

  • You must be the Organization Administrator (org admin).

Procedure

A guided wizard leads you through the steps for adding a role or modifying an existing role. You modify an existing role by making a copy of it. The following steps describe how to use the Create role wizard.

  1. Log in to cloud.redhat.com as a user who has org admin privileges.
  2. From the home page after you log in, click the configuration gear icon (Settings) to open the Settings window.
  3. Click the User Access tab to expand the drop-down choices.
  4. Click the Roles tab. The Roles window appears.
  5. Click the Create role button. This starts the Create role wizard.

At this point in the wizard, you can create a role from scratch or copy an existing role.

2.6.1. Creating a role from scratch

Create a role from scratch when you want to create a role with specific permissions. For example, you can create a single role for your organization that provides read-only permissions across all resources for all applications. By adding and managing this role in your default access group, you can change default access to read-only.

Prerequisites

  • You must be the Organization Administrator (org admin).
  • You started the Create role wizard.

Procedure

  1. In the Create role wizard, click the Create a role from scratch button.
  2. Enter a Role name, which is required.
  3. Optionally, enter a Role description.
  4. Click the Next button. If the role name already exists, you must provide a different name before you can proceed.
  5. Use the Add permissions window to select the applications to include in your role. By default, permissions are listed by application.
  6. Optionally, use the filter drop-down to filter by Applications, Resources, or Operations.

    Tip

    Use the list at the top of the wizard page to view all the permissions added to the role. You can click a permission to delete it.

  7. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

The role you created is available to add to a User Access group.

2.6.2. Copying an existing role

Copy an existing role when that role already contains many of the permissions you want to use and you need to change, add, or remove some permissions.

Prerequisites

  • You must be the Organization Administrator (org admin).
  • You started the Create role wizard.

Procedure

  1. In the Create role wizard, click the Copy an existing role button.
  2. Click the button next to the role you want to copy.
  3. Click the Next button.
  4. The Name and description window shows a copy of the Role name and the existing Role description filled in. Make changes as needed.
  5. Click the Next button. If the role name already exists, you must provide a different name before you can proceed.
  6. Use the Add permissions window to select the applications to include in your role. By default, permissions are listed by application.
  7. Optionally, use the filter drop-down to filter by Applications, Resources, or Operations.

    Tip

    Use the list at the top of the wizard page to view all the permissions added to the role. You can click a permission to delete it.

  8. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

The role you created is available to add to a User Access group.

2.6.3. Creating an application-specific role

Use the filters provided by the Create role wizard to create a role for a specific application. When you create a role for a specific application, the filters display the allowed Resource type and Operation for the selected application.

You can create application-specific roles that include more than one application.

Prerequisites

  • You must be the Organization Administrator (org admin).
  • You started the Create role wizard.
  • You are at the Add permissions step in the wizard.

Procedure

  1. In the Add permissions window, click in the Filter by application field.
  2. Choose the application by typing the first few letters of application name. The wizard shows the matching permissions for that application.
  3. Optionally, use the navigation tools to scroll through the list of available applications and permissions.
  4. Click the check box next to the permissions that you want in the application-specific role.
  5. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

2.6.4. Creating cost management application roles

You can create a role that is specific to the cost management application. When you create a cost management role, you define cost management resource definitions for that role. Other application roles do not provide that choice.

Prerequisites

  • You must be the Organization Administrator (org admin).
  • You started the Create role wizard.

Procedure

This procedure describes how to create a cost management role from scratch that supports

  1. In the Create role window, click on the radio button Create a role from scratch.
  2. Enter a Role name (required) and a Role description (optional).
  3. Click the Next button to display the Add permissions window.
  4. Enter cost in the Filter by application field to display the cost management application and click on the cost-management check box.
  5. When the list of cost management permissions appears, click the check box for each application permission to include in this role.
  6. Click on the Next button to display the Define Cost Management resources window.
  7. You will see a drop-down list of available Resource definitions for each application permission you added to the role. You must click on the check box for at least one resource in each permission.
  8. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

2.6.4.1. Cost management example for creating a role from scratch

  1. Start the Create role wizard and click on Create a role from scratch.
  2. Enter AWS Org Unit Cost Viewer for Role name and then click the Submit button. A description is not required.
  3. Enter cost in the Filter by application field to display the cost management application and click on the cost-management check box.
  4. Click the check box on the line that contains aws.organizational_unit and then click the Next button to display a drop-down list of available Resource definitions for the permission.
  5. Click on the check box for at least one resource listed in the Resource definitions list and then click the Next button to review details.
  6. After you review the details for this role, which show the Permissions and Resource definitions, click the Submit button to submit the role.

2.6.5. Editing custom role names

You can change the name of a custom role from the main roles page or from the Permissions page.

Prerequisites

  • You must be the Organization Administrator (org admin).
  • One or more custom roles must exist.

Procedure

  1. From the home page after you log in, click the configuration gear icon (Settings) to open the Settings window.
  2. Click the User Access tab to expand the drop-down choices.
  3. Click the Roles tab. The Roles window appears. In the Roles window, a custom role has a more options icon to the right of its name.
  4. Click the more options icon.
  5. Click on Edit to change the role name or description.
  6. Click on Delete to remove the custom role.

    Tip

    You can also click on the role name to open the Permissions window and then click the more options icon to the right of the role name to access the Edit and Delete actions.

  7. A confirmation window appears. After you confirm that this action cannot be undone, the custom role is deleted.

2.6.6. Removing permissions from a custom role

You can delete permissions from a custom role.

Note

To add permissions to a custom role, you must create a new custom role. You cannot add permissions to an existing custom role.

Prerequisites

  • You must be the Organization Administrator (org admin).
  • One or more custom roles must exist.

Procedure

  1. From the home page after you log in, click the configuration gear icon (Settings) to open the Settings window.
  2. Click the User Access tab to expand the drop-down choices.
  3. Click the Roles tab. The Roles window appears. In the Roles window, a custom role has a more options icon to the right of its name.
  4. Click on a custom role name to open the Permissions window.
  5. In the Permissions list, click the more options icon to the right of an application permission name and click Remove.
  6. A confirmation window appears. Click Remove permission.