Installation roles and personas

Some planning and installation tasks can be completed only by a Red Hat® OpenShift® cluster administrator, while other tasks can be completed by a project administrator. Learn which role is set to complete each task, based on the installation method that you prefer.

Administrative roles

IBM Guardium® Insights relies on a separation of roles and duties. By doing so, the installation workflow proceeds with as few restrictions as possible.

Two administrative roles are identified and associated with a different level of permissions:
  • OpenShift Cluster administrator
  • Project administrator
The following table describes the types of installation tasks that are associated with each administrative role, depending on the installation method that is used.
User roles in Red Hat OpenShift.
Role Express installation method tasks Specialized installation method tasks
Red Hat OpenShift cluster administrator Red Hat OpenShift cluster administrator
  • If IBM Guardium Insights foundational services is not already installed, create the IBM Guardium Insights foundational services project (namespace ibm-common-services) and associated operator groups. The IBM Guardium Insights for Data platform operator and all Guardium Insights service operators are installed in this namespace.
  • Create a project for each instance of Guardium Insights on a single cluster. For example, for a single instance, cpd-instance.
  • Create the catalog source for IBM Guardium Insights foundational services, the Guardium Insights operator, and any services that you plan to install.
  • Install the IBM Guardium Insights foundational services.
  • Create the operator subscriptions for the IBM Guardium Insights for Data platform operator and any services that you plan to install.
  • Configure the namespaces by defining namespace quotas and Limit Ranges and granting Guardium Insights Admins access to specific instance namespaces.
  • Install and configure the workload storage.
  • Create any custom security context constraints (SCC) that are required for the additional services that you plan to install.
  • Change the node settings that are required for the additional services that you plan to install.
  • Change the node tuning and machine pool configurations for kernel settings and cri-o settings (such as pids-limit, ulimit) that are required for the additional services that you plan to install.
  • Set up the image content source policy and any secrets to pull images from the private container registry.
  • Handle encryption and auditing as well as other operations such as adding nodes, replacing nodes and others.
  • If IBM Guardium Insights foundational services is not already installed, create the IBM Guardium Insights foundational services project (namespace ibm-common-services). Create the associated operator group.
  • Create a dedicated project (for example, cpd-operator) where the IBM Guardium Insights for Data platform operator and all Guardium Insights service operators will be installed. Create the associated operator group.
  • Create a project for each instance of Guardium Insights on a single cluster. For example, for a single instance, cpd-instance.
  • Create the catalog source for IBM Guardium Insights foundational services, the Guardium Insights operator, and any services that you plan to install.
  • Install the IBM Guardium Insights foundational services.
  • Create the operator subscriptions for the IBM Guardium Insights for Data platform operator and any services that you plan to install.
  • Configure the namespaces by defining namespace quotas and Limit Ranges and granting Guardium Insights Admins access to specific instance namespaces.
  • Install and configure the workload storage.
  • Create any custom security context constraints (SCC) that are required for the additional services that you plan to install.
  • Change the node settings that are required for the additional services that you plan to install.
  • Change the node tuning and machine pool configurations for kernel settings and cri-o settings (such as pids-limit, ulimit) that are required for the additional services that you plan to install.
  • Set up the image content source policy and any secrets to pull images from the private container registry.
  • Handle encryption and auditing as well as other operations such as adding nodes, replacing nodes and others.
Project administrator Project administrator for the specified project
  • Create an operand request to grant permission to the IBM Guardium Insights for Data platform operator and the IBM Guardium Insights foundational services operator to manage the project where Guardium Insights will be installed. (For example, the cpd-instance project.)
  • Install Guardium Insights by creating a custom resource in the appropriate project. (For example, in the cpd-instance project.)
  • Optionally integrate with the IAM service.
  • Optionally create a custom route to the platform.
  • Secure communication ports.
  • Set up the web client.
  • Install additional services.
  • Create an operand request to grant permission to the IBM Guardium Insights for Data platform operator and the IBM Guardium Insights foundational services operator to manage the project where Guardium Insights will be installed. (For example, the cpd-instance project)
  • Update the IBM NamespaceScope operator in the cpd-operator project to watch the project where Guardium Insights will be installed. (For example, the cpd-instance project.)
  • Install Guardium Insights by creating a custom resource in the appropriate project. (For example, in the cpd-instance project.)
  • Optionally integrate with the IAM service.
  • Optionally create a custom route to the platform.
  • Secure communication ports.
  • Set up the web client.
  • Install additional services.