Chapter 2. Procedures for configuring User Access

As an Organization Administrator or User Access administrator, you can click img configuration gear > Identity & Access Management to view, configure, and modify the User Access groups, roles, and permissions.

2.1. Creating a User Access administrator

The User Access administrator is a special role that the Organization Administrator assigns to a group. All users in this group can perform User Access administration roles, such as adding, modifying, or deleting groups and roles. The User Access administrator role does not inherit the roles defined in the Default Admin Access group.

The User Access administrator role cannot create or modify a User Access administrator group. Only the Organization Administrator can create, modify, or delete a group that is assigned the User Access administrator role.

Note

The User Access administrator role does not grant permission to view and approve customer Access Requests.

By having the User Access administrator role, users who are not the Organization Administrator can perform many of the Organization Administrator functions for managing the User Access features. The User Access administrator role does not inherit the roles of the Default admin access group. The roles in that group are restricted to the Organization Administrator.

Prerequisites

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Groups.
  2. Click Create group.

  3. Follow the guided actions provided by the wizard to create the group and add users and roles.

    1. Name the group with a recognizable name: User Access Admin.
    2. Provide a meaningful description: User Access Organization Administrator permissions
    3. Click the Next button to add roles.
    4. Search for the User Access administrator role and click the selection box to add this role to the group. Optionally, select additional roles.

    5. Click the Next button to add members to the group.

      Note

      Any member you add must be an active member of the organization account.

    6. After you select the members for the group, click the Next button to review the details.
    7. You can click the Back button to go back and make changes, or the Cancel button to cancel the action.
  4. Click the Submit button to complete the Create group wizard. The new group will appear in the Groups tab.

2.2. Viewing roles and permissions

You can view the roles and permissions for User Access at the Red Hat Hybrid Cloud Console. For a list of predefined roles provided by Red Hat, see section Predefined User Access roles.

Note

You cannot modify a predefined role.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Roles. User Access roles are displayed. You can scroll through the list of all Roles.

  2. In the table, click either the role Name or the role Permissions to see details about the permissions assigned to the role. For example, if you click on the Cost Price List Viewer role, you see the following information.

    rbac cost viewer permissions detail
Note

An asterisk * indicates a wildcard permission. A wildcard permission grants access to all resource types and allows all operations for the applications in a role.

2.3. Viewing user permissions

You can view a user’s permissions and other access-related information from the user details page.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Users to view a list of users in your organization.
  2. Click a Username to view more details about that user.

  3. On the user details page, you can view:

    • If the user is an Organization Administrator in your organization
    • The user’s email address
    • The user’s username on the Hybrid Cloud Console (also known as a Red Hat login)

    • A list of roles associated with the user. To view more details about each role:

      • Click the count in the Groups column to show the groups with this role assigned.
      • Click the count in the Permissions column to show permissions the role provides.
Note

If you are not an Organization Administrator, you can view your own permissions for different services by navigating to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > My User Access.

2.4. Managing group access with roles and members

You can manage group access by creating a group and adding roles and users to the group. The roles and their permissions determine the type of access granted to all members of the group.

The Members tab shows all users that you can add to the group. When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.

  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

    Note

    Only the Organization Administrator can assign the User Access administrator role to a group.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Groups to open the Groups page.
  2. Click Create group.
  3. Follow the guided actions provided by the wizard to add users and roles.
  4. To grant additional group access, edit the group and add additional roles.

2.4.1. Adding a role to a group

Add a role to an existing group to provide additional permissions to all members of that group. You can view user details to add roles to a group that the user belongs to.

Note

You can add a role to a group from the Users page, or by editing a group from the Groups page. These steps show you how to edit the group from the user details page.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Users to open the Users list.
  2. Click the Username for a user to open the user details page.

  3. Click the count in the Groups column for a role. This shows the groups the user is a member of that have this role assigned.

    Note

    You can view the permissions a role provides by clicking the count in the Permissions column.

  4. Click Add role to this group next to the group name to add additional role(s) to the group. This opens the Add roles dialog.
  5. Select the checkbox for each role(s) you want to add to the group. (Only roles not yet associated with the group are listed.) Click Add to group.
  6. Reload the user details page to see the roles you added to the group.

The group now has these additional permissions in the console.

2.4.2. Adding a user to a group

Add a user to an existing group to provide that user with the permissions granted by the roles assigned to that group.

This can be useful when a new team member joins your organization and you want to provide them with all necessary permissions for their work.

Note

You can add a user to a group from the Users page, or by editing a group from the Groups page. These steps show you how to add a user to a group from the user details page.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Users to open the Users list.
  2. Click the username for the user you want to edit.
  3. On the user details page, click Add user to a group. A dialog opens showing a list of groups the user is not a member of.
  4. Select the checkbox for one or more groups to add the user to and click Add to group.
  5. Reload the user details page to see the roles you added.

The user now has the permissions granted by the group(s) they were added to.

2.5. Restricting service access to a single user

You can create a new group that contains a single user and add a role to that group. The role you add provides the service access permissions you want that single user to have. If you add other users to the group, the added users will have the same group permissions.

The roles you add to the group can be from the predefined list of roles provided with User Access, from custom roles created by an Organization Administrator, or a combination of both.

For more information about predefined roles, see section Predefined User Access roles.

When you add a user to a new group, the user acquires the permissions of the new group and also inherits the permissions of all other groups they belong to. The permissions of the new group are added to their existing permissions.

Important

In this procedure you modify the Default access group. Once modified, the Default access group name changes to Custom default access. The Custom default access group is no longer updated with changes pushed out by Red Hat from the Red Hat Hybrid Cloud Console.

Tip

You can restore the Default access group, which removes the Custom default access group and any changes you made. See Restoring the Default access group.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Groups. The Groups page is displayed.

  2. Remove all roles from the Default access group.

    Because all users in your organization belong to the Default access group, you cannot add or remove single users in Default access to create access control. By removing all roles, users do not inherit role permissions from Default access.

    1. Select the checkbox above the roles list to select all roles in the group.
    2. Click the more options icon (⋮) > Remove.
    3. Click Remove roles to confirm.
  3. Save the changes to Default access group. The name changes to Custom default access.

  4. Create a new group that contains the users and roles for the allowed access permissions.

    For example, create a group Security Admin that contains the users who will have full access to vulnerability service.

    1. Create a group Security Admin.
    2. Add one or several users to the group from the Members list.

    3. Add the Vulnerability administrator role.

      Each user you add to this group has full access to the vulnerability service.

Note

If you want an Organization Administrator to have access, add the Organization Administrator user to the group.

2.6. Including an Organization Administrator in a group

You can include an Organization Administrator in a group. You add an Organization Administrator user to a group if you want an Organization Administrator to have the roles assigned to that group. An Organization Administrator does not inherit all available roles for all Red Hat Hybrid Cloud Console applications. Any roles not inherited by means of the Default access group or the Default admin access group must be assigned through group membership.

Note

This procedure assumes that you want to modify an existing group and add an Organization Administrator to the group. Alternatively, you can add an Organization Administrator to a group when you create a new group.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • Create a group if one does not exist. For more information, see Managing group access with roles and members.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Groups. The Groups page displays.
  2. Click the group Name to display details about the group.
  3. On the group details page, click the Members tab to display a list of authorized users who are a member of the group.
  4. Click the Add member tab.

  5. On the Add members to the group page that appears, find the Organization Administrator user name and click the check box next to the name.

    For example, if the Organization Administrator user name is smith-jones, find that name and click the check box next to smith-jones. You can add additional names.

  6. Verify the name list is complete and click the Add to group action.

Notification pop-ups appear when the action successfully completes.

2.7. Disabling group access

You can disable group access by removing roles from a group. Because the roles and their permissions determine the type of access granted to the group, removing roles disables group access for that role.

Prerequisite

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Groups. The Groups page is displayed.
  2. Click the Group Name that you want to modify.
  3. Click the Roles tab.

  4. Click the check box next to roles Name that you want to remove.

    You can click the check box at the top of the Name column to select all roles.

  5. Click the more options menu icon img more options that is next to the Add role tab, and then click Remove from group.
  6. In the confirmation window that appears, click either Remove role or Cancel to complete the action.
Note

Groups can contain no roles and no members and still be a valid group.

2.8. Granular permissions for User Access

Granular permissions allow an Organization Administrator to define role permissions for one or more applications. Many of the predefined roles provide wildcard permissions, which is equivalent to a super user role with full access to all actions.

By defining granular permissions, you can create (or modify) roles with limited permissions, such as read-only, or read and update but not delete.

As an example, compare the predefined roles of Cost Administrator and Cost Price List Viewer.

RoleApplicationResourceOperation

Cost Administrator

cost-management

* (all)

* (all)

Cost Price List Viewer

cost-management

cost_model

read

By creating a new role, you can define the applications, resources, and operations that are specific to that role.

2.8.1. Adding custom User Access roles

User Access provides a number of predefined roles that you can add to groups. In addition to using the predefined roles, you can create and manage custom User Access roles with granular permissions for one or more applications.

For a list of predefined roles provided by Red Hat, see section Predefined User Access roles.

Note

You cannot modify a predefined role.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.

Procedure

A guided wizard leads you through the steps for adding a role.

The following steps describe how to use the Create role wizard.

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Roles. The Roles window appears.
  2. Click the Create role button. This starts the Create role wizard.

At this point in the wizard, you can create a role from scratch or copy an existing role.

2.8.2. Creating a role from scratch

Create a role from scratch when you want to create a role with specific granular permissions. For example, you can create a single role for your organization that provides read-only permissions across all resources for all available applications. By adding and managing this role in your default access group, you can change default access to read-only.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • You started the Create role wizard.

Procedure

  1. In the Create role wizard, click the Create a role from scratch button.
  2. Enter a Role name, which is required.
  3. Optionally, enter a Role description.
  4. Click the Next button. If the role name already exists, you must provide a different name before you can proceed.
  5. Use the Add permissions window to select the application permissions to include in your role. By default, permissions are listed by application.

  6. Optionally use the filter drop-down to to filter by Applications, Resources, or Operations.

    Tip

    Use the list at the top of the wizard page to view all the permissions added to the role. You can click a permission to delete it.

  7. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

The role you created is available to add to a User Access group.

2.8.3. Copying an existing role

Copy an existing role when that role already contains many of the permissions you want to use and you need to change, add, or remove some permissions.

An existing role can be one of the predefined roles provided by Red Hat or it can be a previously created custom role. For a list of predefined roles provided by Red Hat, see section Predefined User Access roles.

Note

You cannot modify a predefined role.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • You started the Create role wizard.

Procedure

  1. In the Create role wizard, click the Copy an existing role button.
  2. Click the button next to the role you want to copy.
  3. Click the Next button.
  4. The Name and description window shows a copy of the Role name and the existing Role description filled in. Make changes as needed.
  5. Click the Next button. If the role name already exists, you must provide a different name before you can proceed.

  6. Use the Add permissions window to select the application permissions to include in your role. By default, permissions are listed by application.

    Tip

    Custom roles only support granular permissions. Wildcard permissions, such as approval:*:* are not copied into a custom role.

  7. Optionally use the filter drop-down to to filter by Applications, Resources, or Operations.

    Tip

    Use the list at the top of the wizard page to view all the permissions added to the role. You can click a permission to delete it.

  8. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

The role you created is available to add to a User Access group.

2.8.4. Creating an application-specific role

Use the filters provided by the Create role wizard to create a role for a specific application. When you create a role for a specific application, the filters display the allowed Resource type and Operation for the selected application.

You can create application-specific roles that include more than one application.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • You started the Create role wizard.
  • You are at the Add permissions step in the wizard.

Procedure

  1. In the Add permissions window, click in the Filter by application field.
  2. Choose the application by typing the first few letters of application name. The wizard shows the matching permissions for that application.
  3. Optionally, use the navigation tools to scroll through the list of available applications and permissions.
  4. Click the check box next to the permissions that you want in the application-specific role.
  5. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

2.8.5. Creating cost management application roles

You can create a role that is specific to the cost management application. When you create a cost management role, you define cost management resource definitions for that role. Other application roles do not provide that choice.

Prerequisites

  • Cost management operator is installed and configured.
  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • A minimum of one cloud integration is configured for cost management.
  • You started the Create role wizard.

Procedure

This procedure describes how to create roles with cost management permissions from scratch.

  1. In the Create role window, click on the radio button Create a role from scratch.
  2. Enter a Role name (required) and a Role description (optional).
  3. Click the Next button to display the Add permissions window.
  4. Enter cost in the Filter by application field to display the cost management application and click on the cost-management check box.
  5. When the Add permissions window appears, click on the check box for each cost management permission to include in this role.
  6. Click on the Next button to display the Define Cost Management resources window.
  7. You will see a drop-down list of available Resource definitions for each application permission you added to the role. You must click on the check box for at least one resource in each cost management permission.
  8. Click the Next button to review details. You can click the Submit button to submit the role, the Back button to go back and make changes, or the Cancel button to cancel the action.

2.8.5.1. Cost management example for creating a role from scratch

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • A minimum of one cloud integration is configured for cost management.
  • You started the Create role wizard.

Procedure

  1. Start the Create role wizard and click on Create a role from scratch.
  2. Enter AWS Org Unit Cost Viewer for Role name and then click the Submit button. A description is not required.
  3. Enter cost in the Filter by application field to display the cost management application and click on the cost-management check box.
  4. Click the check box on the line that contains aws.organizational_unit and then click the Next button to display a drop-down list of available Resource definitions for the permission.
  5. Click on the check box for at least one resource listed in the Resource definitions list and then click the Next button to review details.
  6. After you review the details for this role, which show the Permissions and Resource definitions, click the Submit button to submit the role.

2.8.6. Editing custom role names

You can change the name of a custom role from the main roles page or from the Permissions page.

Prerequisites

  • * You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • One or more custom role must exist.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Roles. The Roles window appears. In the Roles window, a custom role has img more options (more options) to the right of its name.
  2. Click img more options (more options).
  3. Click on Edit to change the role name or description.

  4. Click on Delete to remove the custom role.

    Tip

    You can also click on the role name to open the Permissions window and then click on the img more options (more options) to the right of the role name to access the Edit and Delete actions.

  5. A confirmation window appears. After you confirm that this action cannot be undone, the custom role is deleted.

2.8.7. Removing permissions from a custom role

You can remove permissions from a custom role.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • One or more custom role must exist.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Roles. The Roles window appears. In the Roles window, a custom role has img more options (more options) to the right of its name.
  2. Click on a custom role name to open the Permissions window.
  3. In the Permissions list, click the img more options (more options) to the right of an application permission name and click Remove.
  4. A confirmation window appears. Click Remove permission.

2.8.8. Restoring the Default access group

You can restore the Default access group to its state as provided by Red Hat services. When you do so, the Custom default access group is removed along with any changes made to that group.

There is no way to recover the Custom default access group when you restore the Default access group.

Reasons to restore the Default access group:

  • You made changes to the Default access group that were not intended.
  • You want to start over with the Default access group.
  • You want to remove the Custom default access group.
  • You want to pick up changes to the the Default access group pushed out by Red Hat services and abandon the Custom default access group.
Note

One of the default groups, either the Default access group or the Custom default access group, always exists on your system.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  • If you are not an Organization Administrator, you must be a member of a group that has the User Access administrator role assigned to it.
  • The Custom default access group must exist.

Procedure

  1. Navigate to the Red Hat Hybrid Cloud Console > Settings > Identity & Access Management > User Access > Groups. The Groups page is displayed.
  2. Click Custom default access on the Groups page.
  3. Click Restore to default and accept the caution message.
    Default access appears on the Groups page.