Adding users in Red Hat OpenShift API Management

Guide
  • Red Hat OpenShift API Management 1
  • Updated 26 December 2023
  • Published 09 June 2021

Roles in OpenShift API Management

OpenShift API Management includes administrator and developer roles. These roles determine the actions a user can perform.

All OpenShift API Management users belong to the rhoam-developers group. Additionally, administrators are members of the dedicated-admins group and are granted the dedicated-admin role in OpenShift Dedicated. Administrators are managed using the dedicated-admins group in the OpenShift Dedicated cluster and have elevated privileges in OpenShift API Management.

Administrator role

An administrator has rights to view and modify resources in OpenShift API Management and can assign cluster roles to control who has various access levels and permissions in OpenShift API Management, Red Hat 3scale API Management, and Red Hat Single Sign-On. Administrators in OpenShift API Management manage users and the API gateway, APIcast, which is the interface that handles calls to an API. The onboarding process creates an administrator with the highest level of access in OpenShift API Management and with admin privileges in 3scale.

As an administrator, you can perform the following tasks:

  • Red Hat Single Sign-On

    • Manage users and permissions in the master realm.

    • Create realms.

    • Administer user-created realms.

  • Red Hat 3scale API Management

    • Elevate permissions of developers to an administrator level.

    • Edit routes.

    • View pod logs in the 3scale namespace.

    • Create a product in the 3scale console.

Developer role

Developers have access to the services in OpenShift API Management. With the developer role, you can use the Red Hat Single Sign-On instance to secure your applications, and you have basic member access in 3scale. Developers, who are referred to as API providers in 3scale, make APIs accessible by adding them to OpenShift API Management, configuring their use, and publishing them.

As a developer, you can perform the following tasks:

An OpenShift API Management administrator can grant 3scale admin privileges to developers.

Granting 3scale administrator privileges to developers

As an administrator in OpenShift API Management, you also have admin privileges in 3scale. However, the developer role in OpenShift API Management only has member privileges in 3scale and limited access to 3scale features.

An administrator must explicitly grant 3scale admin permissions to OpenShift API Management developers.

Prerequisites
  • You are an administrator in OpenShift API Management.

  • You have a developer you want to grant admin privileges to in 3scale.

Procedure
  1. Log in to the Red Hat 3scale API Management console Admin Portal.

  2. Click Dashboard.

  3. In the Dashboard drop-down menu, click Accounts Settings.

  4. In the menu, click Users > Listing. The Users page is displayed.

  5. Choose a user.

  6. Click Edit for the user whose permission you would like to modify. The Edit User page opens.

  7. In the ADMINISTRATIVE section of the Edit User page, choose Admin (full access) to grant admin privileges to the selected user.

  8. Click Update User.

Verification
  1. Navigate to the Users page. In the menu, click Users > Listing.

  2. On the Users page, find the user whose permissions you modified.

  3. In the Role column, ensure admin is displayed in the row of the chosen user.

Removing a user from OpenShift API Management from your cluster

To completely remove a user from Red Hat OpenShift API Management, you must remove them from the allowed group in your OpenShift identity provider (IDP) and then delete the user custom resource (CR).

Prerequisites
  • You have added an identity provider (IDP) to your cluster.

  • You have the IDP user name for the user whose privileges you are revoking.

  • You are logged in to the OpenShift Cluster Manager console using the OpenShift Cluster Manager account that you used to create the cluster or the administrator user.

Procedure
  1. You can enter the following command to identify all users:

    oc get users

  2. Enter the following command to delete a specific user:

    oc delete user <username>

  3. Delete the desired user from the configured IDP.

  4. Delete the user CR.

  5. In OpenShift Cluster Manager, delete references to the user in the Access Control section. Ensure the user is removed from both the Cluster Roles and Access and the Roles and Access sections.
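
A post-removal check for the procedure above, as an added example that is not part of the Red Hat guide: it scans the JSON list that `oc get users,identities,groups -o json` returns and reports every object that still references the removed user, flagging membership in the two groups this page names. Checking Identity objects goes beyond the steps listed here; the user names, IDP name and embedded sample data are constructed.

```python
import json
import sys

# Groups this page names: every user is in rhoam-developers,
# administrators are also in dedicated-admins.
RHOAM_GROUPS = {"rhoam-developers", "dedicated-admins"}

def residual_references(resource_list, username):
    """Return sorted (kind, name) pairs for objects that still reference username."""
    hits = []
    for item in resource_list.get("items", []):
        kind = item.get("kind")
        name = item.get("metadata", {}).get("name", "")
        if kind == "User" and name == username:
            hits.append((kind, name))
        elif kind == "Identity" and (item.get("user") or {}).get("name") == username:
            hits.append((kind, name))
        # A Group without members can serialize "users" as null rather than [].
        elif kind == "Group" and username in (item.get("users") or []):
            hits.append((kind, name))
    return sorted(hits)

def retains_rhoam_access(hits):
    """True if a leftover group membership is in a group that grants access."""
    return any(kind == "Group" and name in RHOAM_GROUPS for kind, name in hits)

# Constructed sample: the User object for "jdoe" was deleted, but an Identity
# and a dedicated-admins membership were left behind.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "User", "metadata": {"name": "asmith"}},
  {"kind": "Identity", "metadata": {"name": "example-idp:jdoe"}, "user": {"name": "jdoe"}},
  {"kind": "Identity", "metadata": {"name": "example-idp:asmith"}, "user": {"name": "asmith"}},
  {"kind": "Group", "metadata": {"name": "dedicated-admins"}, "users": ["asmith", "jdoe"]},
  {"kind": "Group", "metadata": {"name": "rhoam-developers"}, "users": ["asmith"]},
  {"kind": "Group", "metadata": {"name": "empty-group"}, "users": null}
]}
""")

if __name__ == "__main__":
    # With a username argument, read live JSON from stdin; otherwise use the sample.
    user = sys.argv[1] if len(sys.argv) > 1 else "jdoe"
    data = json.load(sys.stdin) if len(sys.argv) > 1 else SAMPLE
    hits = residual_references(data, user)
    for kind, name in hits:
        print(f"{kind}/{name} still references {user}")
    if retains_rhoam_access(hits):
        print(f"{user} is still in a group that grants OpenShift API Management access")
    sys.exit(1 if hits else 0)
```

To run it against a cluster, pipe the output of `oc get users,identities,groups -o json` into the script with the user name as its argument; a non-zero exit status means references remain.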