Chapter 3. Overview of user permissions

By default, all OpenShift users have access to Red Hat OpenShift Data Science. In addition, users in the OpenShift Dedicated administrator group (by default, dedicated-admins) automatically have administrator access in OpenShift Data Science.

Alternatively, you can create specialized user groups to restrict access to OpenShift Data Science for users and administrators. You must therefore decide whether to restrict access to your OpenShift Data Science deployment using specialized user groups or to allow all OpenShift users access.

If you decide to restrict access, and you already have user groups defined in your configured identity provider, you can add these user groups to your OpenShift Data Science deployment. If you decide to use specialized user groups without adding these groups from an identity provider, you must create the groups in OpenShift Data Science and then add the appropriate users to them.

The user groups configured in OpenShift Dedicated, cluster-admins and dedicated-admins, are separate from any specialized OpenShift Data Science user groups. Some operations relevant to OpenShift Data Science require the cluster-admins or dedicated-admins role. Those operations include:

  • Adding users to the OpenShift Data Science user and administrator groups, if you are using specialized groups.
  • Removing users from the OpenShift Data Science user and administrator groups, if you are using specialized groups.
  • Managing custom environment and storage configuration for users in OpenShift Dedicated, such as Jupyter notebook resources, ConfigMaps, and persistent volume claims (PVCs).

Although users of OpenShift Data Science and its components are authenticated through OpenShift, session management is separate from authentication. This means that logging out of OpenShift Dedicated or OpenShift Data Science does not affect a logged-in Jupyter session running on those platforms. As a result, when a user’s permissions change, that user must log out of all current sessions for the changes to take effect.
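Because a permission change does not reach sessions that are already open, it helps to know exactly whose group membership changed. The following sketch is an added example, not part of the Red Hat documentation: it compares two saved snapshots of `oc get groups -o json` and lists the users who must log out of all current sessions. The group names rhods-users and rhods-admins are hypothetical placeholders for your specialized groups, and the snapshots are constructed sample data.

```python
import json

# Groups whose membership controls access. dedicated-admins is named on this page;
# rhods-users and rhods-admins are hypothetical names for specialized groups.
WATCHED = {"rhods-users", "rhods-admins", "dedicated-admins"}

def memberships(group_list_json, watched=WATCHED):
    """Map each user to the set of watched groups, from `oc get groups -o json` output."""
    result = {}
    for group in json.loads(group_list_json).get("items", []):
        name = group["metadata"]["name"]
        if name not in watched:
            continue
        # An empty Group object can carry `users: null` or omit the field entirely.
        for user in group.get("users") or []:
            result.setdefault(user, set()).add(name)
    return result

def users_needing_relogin(before_json, after_json, watched=WATCHED):
    """Return {user: (groups_lost, groups_gained)} for users whose membership changed."""
    before = memberships(before_json, watched)
    after = memberships(after_json, watched)
    changed = {}
    for user in sorted(set(before) | set(after)):
        old, new = before.get(user, set()), after.get(user, set())
        if old != new:
            changed[user] = (sorted(old - new), sorted(new - old))
    return changed

# Constructed sample snapshots, taken before and after an administrator edits the groups.
BEFORE = json.dumps({"items": [
    {"metadata": {"name": "rhods-admins"}, "users": ["alice", "bob"]},
    {"metadata": {"name": "rhods-users"}, "users": ["alice", "bob", "carol"]},
    {"metadata": {"name": "dedicated-admins"}, "users": ["alice"]},
]})
AFTER = json.dumps({"items": [
    {"metadata": {"name": "rhods-admins"}, "users": ["alice"]},
    {"metadata": {"name": "rhods-users"}, "users": ["alice", "bob", "dave"]},
    {"metadata": {"name": "dedicated-admins"}, "users": ["alice"]},
]})

if __name__ == "__main__":
    for user, (lost, gained) in users_needing_relogin(BEFORE, AFTER).items():
        print(f"{user}: lost={lost} gained={gained} -> must log out of all sessions")
```

A user listed with a non-empty `lost` entry is the case to follow up on first, since an open Jupyter session keeps working under the old permissions until that user logs out.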