Roles and permissions
When you add a user or a group to your Cloud Pak, you must specify the role that they have. The predefined roles and permissions that are defined by the Platform UI can be viewed in Predefined roles and permissions.
Automation foundation uses a `ClusterRole` resource with `get`, `list`, and `watch` permissions for the storage classes in your cluster.
- Cluster role for storage classes
- User roles defined by IBM® Automation foundation
- Extensions for the high-level roles
- Troubleshooting
Cluster role for storage classes
The cluster role is used to automatically find usable storage classes in the cluster. The following is an example of the `ClusterRole` resource definition:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ibm-automation-core.v1.3.12-7c5b8bb854
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
```
User roles defined by IBM® Automation foundation
Automation foundation creates only the user roles; it does not define default permissions for them. A Cloud Pak that is deployed in an OpenShift cluster must extend these predefined roles and add its own permissions to them.
Automation foundation creates the following high-level roles.
Role | Default permissions | Service contributing permissions | Service creating the role |
---|---|---|---|
Automation Administrator | No default permissions defined | IBM Cloud Paks for Automation | Automation foundation |
Automation Analyst | No default permissions defined | IBM Cloud Paks for Automation | Automation foundation |
Automation Developer | No default permissions defined | IBM Cloud Paks for Automation | Automation foundation |
Automation Operator | No default permissions defined | IBM Cloud Paks for Automation | Automation foundation |
Extensions for the high-level roles
OpenShift ConfigMaps are used to deploy the Platform UI extensions that create the Cloud Pak permissions, and a separate set of ConfigMaps extends the Automation foundation base roles.
The following YAML snippet is an example of Cloud Pak permissions.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: <your-cloudpak>-permission-extns
  labels:
    icpdata_addon: "true"
    icpdata_addon_version: "1.0"
data:
  extensions: |
    [
      {
        "extension_point_id": "zen_permissions",
        "extension_name": "<your-permission-name-1>",
        "display_name": "<your-permission-display-name-1>",
        "match_permissions": "",
        "match_instance_id": "",
        "match_instance_role": "",
        "meta": {},
        "details": {
          "key": "<your-permission-name-1>",
          "category": "<your-cloudpak>",
          "description": [
            "<your-permission-description-1>"
          ]
        }
      },
      {
        "extension_point_id": "zen_permissions",
        "extension_name": "<your-permission-name-2>",
        "display_name": "<your-permission-display-name-2>",
        "match_permissions": "",
        "match_instance_id": "",
        "match_instance_role": "",
        "meta": {},
        "details": {
          "key": "<your-permission-name-2>",
          "category": "<your-cloudpak>",
          "description": [
            "<your-permission-description-2>"
          ]
        }
      }
    ]
```
You can extend the Automation foundation roles with these permissions by using a YAML file such as the following snippet.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: <your-cloudpak>-role-extns
  labels:
    icpdata_addon: "true"
    icpdata_addon_version: "1.0"
data:
  extensions: |
    [
      {
        "extension_point_id": "zen_user_roles",
        "extension_name": "iaf-automation-admin",
        "display_name": "Automation Administrator",
        "details": {
          "description": "Automation Administrator",
          "permissions": ["<your-permission-name-1>", "<your-permission-name-2>"]
        }
      },
      {
        "extension_point_id": "zen_user_roles",
        "extension_name": "iaf-automation-developer",
        "display_name": "Automation Developer",
        "details": {
          "description": "Automation Developer",
          "permissions": ["<your-permission-name-1>"]
        }
      },
      {
        "extension_point_id": "zen_user_roles",
        "extension_name": "iaf-automation-analyst",
        "display_name": "Automation Analyst",
        "details": {
          "description": "Automation Analyst",
          "permissions": ["<your-permission-name-1>"]
        }
      }
    ]
```
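The two ConfigMaps above only work together if every permission a role extension grants is defined by a `zen_permissions` extension, which is easy to get wrong when the names are typed twice. The following Python check is an added example, not IBM's code: it parses the `extensions` JSON of both ConfigMaps (as `oc get configmap -o json` would return them) and reports permissions that no extension defines, wrong `extension_point_id` values, and a missing `icpdata_addon: "true"` label. The sample ConfigMaps are constructed from the page's snippets, with `mypak` standing in for `<your-cloudpak>` and fields the check does not read left out.

```python
"""Pre-apply consistency check for Platform UI permission and role extension ConfigMaps."""
import json

# Constructed sample ConfigMaps (the dicts `oc get configmap -o json` would return),
# built from the page's snippets; "mypak" stands in for <your-cloudpak>.
PERMISSION_EXTNS = {
    "metadata": {"name": "mypak-permission-extns", "labels": {"icpdata_addon": "true"}},
    "data": {"extensions": json.dumps([
        {"extension_point_id": "zen_permissions", "extension_name": "mypak-view",
         "details": {"key": "mypak-view", "category": "mypak", "description": ["View"]}},
        {"extension_point_id": "zen_permissions", "extension_name": "mypak-manage",
         "details": {"key": "mypak-manage", "category": "mypak", "description": ["Manage"]}},
    ])},
}
ROLE_EXTNS = {
    "metadata": {"name": "mypak-role-extns", "labels": {"icpdata_addon": "true"}},
    "data": {"extensions": json.dumps([
        {"extension_point_id": "zen_user_roles", "extension_name": "iaf-automation-admin",
         "display_name": "Automation Administrator",
         "details": {"description": "Admin", "permissions": ["mypak-view", "mypak-manage"]}},
        {"extension_point_id": "zen_user_roles", "extension_name": "iaf-automation-analyst",
         "display_name": "Automation Analyst",
         # "mypak-admin" is a deliberate typo: no zen_permissions extension defines it
         "details": {"description": "Analyst", "permissions": ["mypak-view", "mypak-admin"]}},
    ])},
}

def load_extensions(cm, expected_point, problems):
    """Parse data.extensions; record label and extension_point_id findings in problems."""
    name = cm["metadata"]["name"]
    if cm["metadata"].get("labels", {}).get("icpdata_addon") != "true":
        problems.append(f'{name}: label icpdata_addon is not "true"')
    exts = json.loads(cm["data"]["extensions"])
    problems += [f"{name}: {e.get('extension_name')} uses extension_point_id "
                 f"{e.get('extension_point_id')!r}, expected {expected_point!r}"
                 for e in exts if e.get("extension_point_id") != expected_point]
    return exts

def check_role_extensions(permission_cm, role_cm):
    """Return findings; an empty list means every granted permission is defined."""
    problems = []
    perms = load_extensions(permission_cm, "zen_permissions", problems)
    roles = load_extensions(role_cm, "zen_user_roles", problems)
    defined = {p["details"].get("key") for p in perms}
    for r in roles:
        granted = r.get("details", {}).get("permissions", [])
        problems += [f"{r['extension_name']}: grants undefined permission {g!r}"
                     for g in granted if g not in defined]
    return problems
```

Run against the constructed ConfigMaps, `check_role_extensions(PERMISSION_EXTNS, ROLE_EXTNS)` reports the analyst role's undefined `mypak-admin` permission, the kind of mistake that otherwise surfaces only as a user who lacks access after logging in again.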
Note:
- New permissions take effect the next time the user logs in.
- If the user is already logged in to the Platform UI, then they must log out and log in to pick up the changes.
- If an existing user still doesn't have the required permission, remove the role from their account and add it back.
Troubleshooting
Changes not reflected
Debug issues after you apply a ConfigMap by using the following steps:
- Run `oc get pods` in the namespace where you keep the Platform UI tenant. You see a `zen-watcher` pod.
- Run `oc logs <zen-watcher-pod>` to see what is causing the error.
- Address the problem in one of the following ways:
  - Edit the ConfigMap.
  - Enter `oc delete configmap <configmap-yaml>` and reapply the ConfigMap that caused the problem.