RBAC for IBM Cloud Pak for Multicloud Management components
IBM Cloud Pak® for Multicloud Management supports several roles. Your role determines the actions that you can perform.
For more information about roles that are available in your cluster, see Role-based access control.
The following tables provide information about the role-based access control (RBAC) for IBM Cloud Pak for Multicloud Management components:
- RBAC for IBM Cloud Pak for Multicloud Management
- RBAC for IBM Cloud Pak for Multicloud Management Kubernetes CustomResourceDefinition (CRD)
- RBAC for Managed services
RBAC for IBM Cloud Pak for Multicloud Management
To list the role for a user in a policy document, update the role-template parameter; for a sample document, see the IBM Cloud Pak for Multicloud Management policy example.
Your assigned role determines the pages that you can view in the console. A Cluster Administrator has full access. The following table defines which roles can view which pages. View access is indicated by an X.
Topic page | Administrator | Operator | Editor | Viewer |
---|---|---|---|---|
Overview | X | X | X | X |
Topology | X | X | X | |
Applications | X | X | X | |
Search | X | X | X | X |
Clusters | X | X | X | |
Policies | | | | |
Metering (common service) | X | X | X | X |
Monitoring (common service) | X | X | X | X |
Helm Releases | X | X | X | X |
Event Management | X | X | X | X |
Local Cluster | | | | |
Add-ons | | | | |
RBAC for IBM Cloud Pak for Multicloud Management Kubernetes CustomResourceDefinition (CRD)
Cluster Administrators can view, modify, add, and delete. The following CRD RBAC table shows the access that each role has to each CRD, where X indicates full access and a blank table entry indicates that the CRD is disabled for that role:
CRD | Administrator | Operator | Editor | Viewer |
---|---|---|---|---|
cluster.clusterregistry.k8s.io | X | view, modify | view, modify | view |
policies.policy.mcm.ibm.com | | | | |
placementpolicies.mcm.ibm.com | X | view, modify, add | view, modify, add | view |
placementbindings.mcm.ibm.com | X | view, modify, add | view, modify, add | view |
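As an added illustration that is not part of the IBM documentation, the following Kubernetes Role and RoleBinding model the "Operator" column of the table above as native RBAC rules. Everything in it is an assumption for the sake of the example: the mapping of the table's words to API verbs (view = get, list, watch; modify = update, patch; add = create), the resource plurals `clusters`, `placementpolicies` and `placementbindings` for the CRDs listed, and the namespace and user name. The product assigns its roles through teams and the role-template parameter, not through a manifest like this one; the manifest only makes the least-privilege reading of the table concrete.

```yaml
# Added example, not IBM's own configuration. Models the "Operator" column of
# the CRD RBAC table as Kubernetes RBAC.
# Assumed verb mapping:  view -> get, list, watch
#                        modify -> update, patch
#                        add -> create
# "delete" is deliberately absent: the table grants full access (X) only to
# Administrator, so Operator must not be able to delete these objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mcm-operator-crd-access
  namespace: example-team              # assumed namespace
rules:
  # cluster.clusterregistry.k8s.io: Operator = view, modify (no add, no delete)
  - apiGroups: ["clusterregistry.k8s.io"]
    resources: ["clusters"]            # assumed plural resource name
    verbs: ["get", "list", "watch", "update", "patch"]
  # placementpolicies.mcm.ibm.com and placementbindings.mcm.ibm.com:
  # Operator = view, modify, add (still no delete)
  - apiGroups: ["mcm.ibm.com"]
    resources: ["placementpolicies", "placementbindings"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  # policies.policy.mcm.ibm.com has a blank entry for every role in the table,
  # so no rule is written for it: in Kubernetes RBAC an absent rule is a deny.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mcm-operator-crd-access
  namespace: example-team              # assumed namespace
subjects:
  - kind: User
    name: operator-user@example.com    # assumed user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: mcm-operator-crd-access
  apiGroup: rbac.authorization.k8s.io
```

After applying such a manifest, verify the effective permissions rather than trusting the YAML: `kubectl auth can-i delete clusters.clusterregistry.k8s.io --as operator-user@example.com -n example-team` should answer `no`, while the same command with `patch` should answer `yes`. Because a RoleBinding is namespaced, the grant stops at `example-team`; a ClusterRoleBinding would extend the same verbs to every namespace, which is more than the table describes for the Operator role.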
RBAC for Managed services
For detailed information on roles and namespaces, see the following topics:
User role permissions
Action | Cluster administrator | Administrator | Editor | Operator | Viewer |
---|---|---|---|---|---|
Create Data Type | Yes | Yes | Yes | No | No |
Update Data Type | Yes | Yes | Yes | No | No |
Delete Data Type | Yes | Yes | Yes | No | No |
Create Data Object | Yes | Yes | Yes | Yes | No |
Update Data Object | Yes | Yes | Yes | Yes | No |
Delete Data Object | Yes | Yes | Yes | Yes | No |
Create Cloud Connection | Yes | Yes | No | No | No |
Test Cloud Connection | Yes | Yes | Yes | Yes | No |
Update Cloud Connection | Yes | Yes | No | No | No |
Delete Cloud Connection | Yes | Yes | No | No | No |
Deploy Advanced Content Runtime | Yes | Yes | No | No | No |
Create/Duplicate Templates | Yes | Yes | Yes | No | No |
Edit Templates | Yes | Yes | Yes | No | No |
Deploy Templates | Yes | Yes | Yes | Yes | No |
Delete Templates | Yes | Yes | Yes | No | No |
Import template | Yes | Yes | Yes | No | No |
Plan/Apply Templates | Yes | Yes | Yes | Yes | No |
Start/Stop/Taint Resources | Yes | Yes | Yes | Yes | No |
Reset Virtual Machine | Yes | Yes | Yes | Yes | No |
Destroy Template Instance | Yes | Yes | Yes | Yes | No |
Delete Template Instances | Yes | Yes | Yes | Yes | No |
Download the tfstate for a template instance | Yes | Yes | Yes | No | No |
Create/Duplicate Services | Yes | Yes | Yes | No | No |
Assign access to services | Yes | Yes | Yes | No | No |
Add Service Version | Yes | Yes | Yes | No | No |
Edit Service Version | Yes | Yes | Yes | No | No |
Publish Service Version | Yes | Yes | Yes | No | No |
Deploy Service Version | Yes | Yes | Yes | Yes | No |
Move Services | Yes | Yes | Yes | No | No |
Rename Service | Yes | Yes | Yes | No | No |
Delete Services | Yes | Yes | Yes | No | No |
Delete Service Version | Yes | Yes | Yes | No | No |
Rename Service Instance | Yes | Yes | Yes | Yes | No |
Terminate Service Instance | Yes | Yes | Yes | Yes | No |
Retire Service Version | Yes | Yes | Yes | No | No |
Import Service | Yes | Yes | Yes | No | No |
Push to Git Service Version | Yes | Yes | Yes | No | No |
Create/Delete Service Categories | Yes | Yes | Yes | No | No |
Delete Service Instances | Yes | Yes | Yes | Yes | No |
Create Applications | Yes | Yes | Yes | No | No |
Import Applications | Yes | Yes | Yes | No | No |
Edit Applications | Yes | Yes | Yes | No | No |
Assign access to Applications | Yes | Yes | Yes | No | No |
View Applications | Yes | Yes | Yes | Yes | Yes |
Publish Applications | Yes | Yes | Yes | No | No |
Retire Applications | Yes | Yes | Yes | No | No |
Deploy Applications | Yes | Yes | Yes | Yes | No |
Change category to Applications | Yes | Yes | Yes | No | No |
Delete Applications | Yes | Yes | Yes | No | No |
Create/Delete Application Categories | Yes | Yes | Yes | No | No |
Create/Delete/Edit Mail Configuration | Yes | Yes | No | No | No |
Test Mail Configuration | Yes | Yes | Yes | Yes | No |
Create Snapshots | Yes | Yes | Yes | Yes | No |
Delete Snapshots | Yes | Yes | Yes | Yes | No |
Revert Snapshots | Yes | Yes | Yes | Yes | No |
Retrieve the current number of deployed virtual machines | Yes | No | No | No | No |
Retrieve the maximum number of virtual machines for each month | Yes | No | No | No | No |
Download the managed virtual machines report | Yes | No | No | No | No |
Retrieve all IaaS resource settings API | Yes | Yes | Yes | Yes | Yes |
Retrieve a specific IaaS resource settings API | Yes | Yes | Yes | Yes | Yes |
Create IaaS resource settings API | Yes | Yes | No | No | No |
Update IaaS resource settings API | Yes | Yes | No | No | No |
Delete IaaS resource settings API | Yes | Yes | No | No | No |
Download the execution plan for a template instance API | Yes | Yes | Yes | No | No |
Create/Delete/Edit Terraform versions | Yes | Yes | No | No | No |
View Terraform versions | Yes | Yes | Yes | Yes | Yes |
Create/Delete/Edit Ansible Automation | Yes | Yes | No | No | No |
Test Ansible Automation | Yes | Yes | Yes | Yes | No |
Notes:
- The Account Administrator role of IBM Cloud Pak® for Multicloud Management has the same authorizations as the Administrator role in Managed services.
- The Auditor role of IBM Cloud Pak® for Multicloud Management is not supported in Managed services.
Namespace separation
Object | Separated |
---|---|
Content Runtime | Per namespace, or set to Globally visible |
Cloud Connection | Per namespace, or set to Globally visible |
Templates | Per namespace, or set to Globally visible |
Services | Per namespace, or set to Globally visible |
Template Instances | Visible in namespace |
Service Instances | Visible in namespace |
Shared Parameters Data Type | Globally visible |
Shared Parameters Data Objects | Per namespace, or set to Globally visible |
Email Configuration | Per namespace, or set to Globally visible |
Notes:
- A service can be associated with multiple namespaces.
- Users can view the service if they have access to at least one of its namespaces.
- Users can create, update, or delete the service only if they have access to all of its associated namespaces.
- The Helm template visibility is governed by the access that is defined for your user ID. For more information, see Create teams.