Managing user roles, permissions, resource groups, and secrets
IBM Hybrid Cloud Mesh (Mesh) provides Resource Based Access Control (RBAC) of system resource definitions such as clouds, identities, applications, and gateways. An RBAC system enforces authorization policies and manages abstract role definitions that describe the set of permissions that a role grants.
Creating roles with permissions
When you create a role, you can add multiple permissions to the role. For example, to grant permission to a user to manage the authorization-related resources, create a role called RBAC-manager.
- You can assign one or more roles to a user. Similarly, you can assign a role to one or more users.
- A user has permissions in the system only through the roles that are assigned to that user.
- A user with administrator role can add users, create roles, and manage user access.
When you assign a role to a user, it gives the user all the permissions that are contained in that role.
For more information about how to add users and create roles with permissions, see Adding users.
Default roles
You can't modify the permissions for the following default roles:
- Admin
- A user with the Admin role has permissions to Create, Read, Update, Delete, and Admin all the resources in the system. The Admin role is typically used in POCs where you don't need Access Control.
- RBACManager
- A user with the RBACManager role has permissions to Create, Read, Update, Delete, and Admin the Identities and Roles in the system. You can't create a new role with these specific permissions.
- CloudOps
- A user with the CloudOps role has permissions to Create, Read, Update, Delete, and Admin the Default_Infrastructure_Group, and permission to read the Default_Application_Group.
- DevOps
- A user with the DevOps role has permissions to Create, Read, Update, Delete, and Admin the Default_Application_Group, and permission to read the Default_Infrastructure_Group.
Creating resource groups
Resource groups enable administrators to create groups of resources and grant permission to all the resources in a group. Resource groups provide a more scalable approach than managing hundreds or thousands of individual permissions. If a set of resources is placed in a resource group, the administrator can give users access to all those resources in a single command.
The following are the types of resource groups:
- Infrastructure resource group
- A group of related deployment environments, partitions, gateways, and other infrastructure resources.
- Applications resource group
- A group of related applications, services, deployments, instances, service-endpoints, and policies.
The two default resource groups are the Default_Application_Group, which has the resource ID default-app, and the Default_Infrastructure_Group, which has the resource ID default-infra.
When you create an individual resource without specifying the resource group, it is added to one of
the default resource groups. The default resource group to which it is added depends on whether the
resource is an infrastructure-related resource or an application-related resource.
To create a resource group, complete the following steps on the Mesh console home page:
- Click .
- Click Create resource group. Enter the name of the resource group, and choose the resource group type that you want to create.
- Click Create.
To create resource groups from the CLI, see Creating resource groups by using the CLI.
Creating roles with resource groups
After you group your resources into resource groups, you can create roles that have specific types of access to all the resources in those groups.
Registering a secret
Before you register a secret, you must configure the secrets manager, and set the secrets manager type to external or internal. By default, the secrets manager type is set to internal.
For more information about how to configure the secrets manager, see Managing secrets by using the CLI.
- Click .
- Click Register secrets and specify the details of the secret that you want to create.
- Enter the name of the secret, and select the secret type.
- Enter the API key or Access key details.
- Click Register.
Creating resource groups by using the CLI
You can create resource groups that contain resources that a specific group can access.
For example, run a command like this to create an Application resource group that is called Group_A that contains the resources that are accessible to Group_A:
cat << EOM | palmctl create resource-group -f-
name: Group_A
description: app resources owned by Group_A
type: application
EOM
If you want to create an Infrastructure resource group, set the type field to infrastructure.
You can see all your resource groups by running the following command:
palmctl get resource-groups
When you create resources, you can add them to the resource group that you already created.
For example, run a command like this to create an application and add it to the resource group Group_A:
cat << EOM | palmctl create application -f -
name: my-app
description: A sample application
app_identity: app.my.domain.example
resource_group_id: <resource_id of the resource group>
EOM
<resource_id of the resource group> is the resource_id of Group_A.
The users with access to Group_A have access to the application automatically.
Querying resources
When you query for a specific resource, you might receive one of the following responses:
- The current state of that resource.
- A no permission error, which indicates that you don't have sufficient permission to access the resource.
When querying for a list of resources, you might receive one of the following responses:
- An empty list, if no resources match the query.
- A list of resources that match the query and to which you have access.
- A no permission error, which indicates that you don't have sufficient permission to access any of the matching resources.