Role-based access control on Synthetic tests
IBM Cloud Pak® for Multicloud Management uses role-based access control (RBAC) to manage different levels of access to resources, including Synthetic tests. Your role determines the actions that you can do. Based on the role that is assigned to a user or user group, the level of access to Synthetic tests on the cluster is defined.
User groups, resource groups, and roles
Each console user must be assigned at least one user group and one role. A user group can also be assigned a role, so the effective role of a user in that group can be higher than either the group role or the user's own role. Synthetic checks the highest role across all of a user's teams and uses that mapped role for later access control.
User groups can be associated with resource groups. If a user group is associated with the Synthetic resource group, then all users in the group can gain access to Synthetic resources. Otherwise, only admin roles have access to Synthetic resources.
For more information, see Managing roles, Managing teams, and Managing resource groups.
Role-based access rules for Synthetic resources
The role-based access rules for Synthetic resources differ in the following scenarios:
- A Synthetic test is associated with an application, and a user group or a team has access to the application.
- A Synthetic test is associated with an application, but a user group or a team does not have access to the application.
- A Synthetic test is not associated with an application.
- A declarative Synthetic test is created through yaml files when you deploy an application.
- Global variables.
IBM Cloud Pak® for Multicloud Management has seven roles: Cluster Administrator, Account Administrator, Administrator, Editor, Operator, Auditor, and Viewer. To simplify the access rules, these roles are mapped to four roles.
| IBM Cloud Pak® for Multicloud Management roles | Mapped roles |
|---|---|
| ClusterAdministrator | Admin |
| AccountAdministrator | Admin |
| Administrator | Admin |
| Operator | Operator |
| Editor | Editor |
| Viewer | Viewer |
| Auditor | Viewer |
For detailed access rules in different scenarios, see the following tables.
Synthetic tests that are associated with an application
If a user group or a team has access to the test application, see the following rules.
| Action | Admin | Operator | Editor | Viewer |
|---|---|---|---|---|
| read | v | v | v | v |
| create | v | v | x | x |
| update/start/stop | v | v | v | x |
| delete | v | v | x | x |
Notes:
- The Operator role can delete only the synthetic tests that it created itself.
- v means that the role can do the action, and x means that the role cannot do the action.
If a user group or a team does not have access to the test application, RBAC_ENABLED is set to true, and a synthetic test is associated with an application, Synthetic checks the environment variable RBAC_GLOBAL_VIEW_ENABLED to decide the read access for the Viewer role.
By default, the value of the environment variable RBAC_GLOBAL_VIEW_ENABLED is false. In this case, the Viewer role cannot read synthetic tests when the team has no access to the test application. See the following rules.
| Action | Admin | Operator | Editor | Viewer |
|---|---|---|---|---|
| read | v | v | v | x |
| create | v | x | x | x |
| update/start/stop | v | x | x | x |
| delete | v | x | x | x |
To give the Viewer role read access to synthetic tests, change the environment variable RBAC_GLOBAL_VIEW_ENABLED to true. See the following rules.
| Action | Admin | Operator | Editor | Viewer |
|---|---|---|---|---|
| read | v | v | v | v |
| create | v | x | x | x |
| update/start/stop | v | x | x | x |
| delete | v | x | x | x |
Synthetic tests that are not associated with an application
See the following rules.
| Action | Admin | Operator | Editor | Viewer |
|---|---|---|---|---|
| read | v | v | v | v |
| create | v | v | v | x |
| update/start/stop | v | v | v | x |
| delete | v | v | v | x |
Note: The Operator and Editor roles can delete only the synthetic tests that they created themselves.
Declarative Synthetic tests
Declarative synthetic tests can be created, updated, or deleted only through yaml files when you deploy applications. On the console, these tests are read-only. See the following rules.
| Action | Admin | Operator | Editor | Viewer |
|---|---|---|---|---|
| read | v | v | v | v |
| create | x | x | x | x |
| update/start/stop | x | x | x | x |
| delete | x | x | x | x |
Global variables
See the following rules.
| Action | Admin | Operator | Editor | Viewer |
|---|---|---|---|---|
| read | v | v | v | v |
| create | v | x | x | x |
| update | v | x | x | x |
| delete | v | x | x | x |
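The role mapping and all five rule tables above, encoded as one decision function so that the access matrix can be unit-tested; this is an added example, not IBM's code and not how Synthetic itself performs the check. It assumes RBAC_ENABLED is true, as the tables do, and the test record keys `kind`, `app` and `created_by` are assumed names for constructed input.

```python
# Added example (not IBM's code): the Synthetic access rules from the tables above
# as a single decision function. Assumes RBAC_ENABLED=true; record keys are assumed.
ROLE_MAP = {  # Cloud Pak roles -> the four mapped roles used by the tables
    "ClusterAdministrator": "Admin", "AccountAdministrator": "Admin",
    "Administrator": "Admin", "Operator": "Operator", "Editor": "Editor",
    "Viewer": "Viewer", "Auditor": "Viewer",
}
RANK = {"Admin": 3, "Operator": 2, "Editor": 1, "Viewer": 0}


def effective_role(cp_roles):
    """Highest mapped role across every role a user holds via users/groups/teams."""
    return max((ROLE_MAP[r] for r in cp_roles), key=RANK.__getitem__)


def allowed(action, role, test, *, team_has_app_access=False,
            rbac_global_view_enabled=False, requester=None):
    """One access check. test = {"kind": "test"|"declarative"|"global_variable",
    "app": application name or None, "created_by": user id}; requester = acting user."""
    if action in ("start", "stop"):
        action = "update"                        # tables group update/start/stop
    admin = role == "Admin"
    own = requester is not None and test.get("created_by") == requester
    if test["kind"] == "declarative":            # console is read-only; yaml only
        return action == "read"
    if test["kind"] == "global_variable":        # everyone reads, only Admin writes
        return action == "read" or admin
    if test["app"] is None:                      # not associated with an application
        if action == "read":
            return True
        if action == "delete":                   # Operator/Editor: own tests only
            return admin or (role in ("Operator", "Editor") and own)
        return role != "Viewer"                  # create / update
    if team_has_app_access:                      # associated, team can see the app
        if action == "read":
            return True
        if action == "create":
            return admin or role == "Operator"
        if action == "delete":                   # Operator: own tests only
            return admin or (role == "Operator" and own)
        return role != "Viewer"                  # update
    # associated, but the team has no access to the application
    if action == "read":                         # Viewer depends on the env var
        return role != "Viewer" or rbac_global_view_enabled
    return admin
```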