Managing user roles, permissions, resource groups, and secrets

IBM Hybrid Cloud Mesh (Mesh) provides Role-Based Access Control (RBAC) over system resource definitions such as clouds, identities, applications, and gateways. The RBAC system enforces authorization policies and manages role definitions, where each role describes the set of permissions that it grants.

Creating roles with permissions

When you create a role, you can add multiple permissions to it. For example, the built-in RBACManager role bundles the permissions that are needed to manage the authorization-related resources (identities and roles).

  • You can assign one or more roles to a user. Similarly, you can assign a role to one or more users.
  • A user with no assigned roles has no permissions in the system; permissions come only from assigned roles.
  • A user with the Admin role can add users, create roles, and manage user access.

When you assign a role to a user, the user receives all the permissions that the role contains. A user with several roles holds the union of their permissions.

For more information about how to add users and create roles with permissions, see Adding users.

Default roles

You can't modify the permissions for the following default roles:

Admin
A user with the Admin role has permissions to Create, Read, Update, Delete, and Admin all the resources in the system. Because it bypasses access control entirely, the Admin role is typically used only in POCs where you don't need access control; in a production deployment, give users the narrower CloudOps, DevOps, or custom roles instead.
RBACManager
A user with the RBACManager role has permissions to Create, Read, Update, Delete, and Admin the Identities and Roles in the system. This role grants no access to other resources, and you can't create a new role that carries these Identities and Roles permissions.
CloudOps
A user with the CloudOps role has permissions to Create, Read, Update, Delete, and Admin the Default_Infrastructure_Group, and permission to read the Default_Application_Group.
DevOps
A user with the DevOps role has permissions to Create, Read, Update, Delete, and Admin the Default_Application_Group, and permission to read the Default_Infrastructure_Group.
Note: The CloudOps and DevOps roles grant access only to the default resource groups, so they are typically used if you are using only the default resource groups. Resources in a custom resource group need a custom role that grants permissions on that group.

Creating resource groups

Resource groups let administrators group resources and grant permissions on all the resources in a group at once. This scales better than managing hundreds or thousands of individual permissions: after a set of resources is placed in a resource group, the administrator can grant users access to all of those resources with a single command.

The following are the types of resource groups:

Infrastructure resource group
A group of related deployment environments, partitions, gateways, and other infrastructure resources.
Applications resource group
A group of related applications, services, deployments, instances, service-endpoints, and policies.

There are two default resource groups: Default_Application_Group, which has the resource ID default-app, and Default_Infrastructure_Group, which has the resource ID default-infra. When you create a resource without specifying a resource group, it is added to one of the default resource groups: infrastructure-related resources go to Default_Infrastructure_Group and application-related resources go to Default_Application_Group.

To create a resource group, complete the following steps on the Mesh console home page:

  1. Click Manage > Resource Groups.
  2. Click Create resource group. Enter the name of the resource group, and choose the resource group type that you want to create.
  3. Click Create.

To create resource groups from the CLI, see Creating resource groups by using the CLI.

Creating roles with resource groups

After you group your resources into resource groups, you can create roles that have specific types of access to all the resources in those groups.

Registering a secret

Before you register a secret, you must configure the secrets manager, and set the secrets manager type to external or internal. By default, the secrets manager type is set to internal. For more information about how to configure the secrets manager, see Managing secrets by using the CLI.

To register a secret, complete the following steps on the Mesh console home page:
  1. Click Manage > Secrets.
  2. Click Register secrets and specify the details of the secret that you want to register.
    1. Enter the name of the secret, and select the secret type.
    2. Enter the API key or access key details.
  3. Click Register.

Creating resource groups by using the CLI

You can create resource groups that contain the resources that a specific set of users can access.

For example, run a command like the following to create an application resource group called Group_A that holds the resources accessible to the Group_A users:

cat << EOM | palmctl create resource-group -f -
name: Group_A
description: app resources owned by Group_A
type: application
EOM

If you want to create an Infrastructure resource group, set the type field to infrastructure.

Note: A resource can belong to only one resource group.

You can see all your resource groups by running the following command:

palmctl get resource-groups

When you create resources, you can add them to a resource group that you created earlier by setting the resource_group_id field.

For example, run a command like the following to create an application and add it to the resource group Group_A:

cat << EOM | palmctl create application -f -
name: my-app
description: A sample application
app_identity: app.my.domain.example
resource_group_id: <resource_id of the resource group>
EOM

Replace <resource_id of the resource group> with the resource_id of Group_A, which you can look up with palmctl get resource-groups.

Users with access to Group_A automatically have access to the application.

Querying resources

When you query for a specific resource, you might receive one of the following responses:

  • The current state of that resource.
  • A no permission error, which indicates that you don't have sufficient permission to access the resource.

When querying for a list of resources, you might receive one of the following responses:

  • An empty list, if no resources match the query.
  • A list of resources that match the query and to which you have access.
  • A no permission error, which indicates that you don't have sufficient permission to access any of the matching resources.
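The following Python model ties together the semantics described on this page: the fixed default roles, the two default resource groups and where an ungrouped resource lands, a custom role over a custom resource group (the Group_A scenario from the CLI section), the union of permissions across a user's roles, and the three possible responses to a resource query. It is an added example written for this page, not IBM code and not the Mesh API. The class and method names, the scope strings "*" and "identities-and-roles", the user names, and the rule that a resource kind may only be placed in a group of the matching type are assumptions made here for illustration.

```python
# Model of the Mesh access-control semantics described above. Added example, not IBM code;
# all names and the "kind must match group type" rule are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Optional
from enum import Flag


class Perm(Flag):
    CREATE = 1
    READ = 2
    UPDATE = 4
    DELETE = 8
    ADMIN = 16
    ALL = 31


# Resource kinds and the default group each lands in when none is given.
INFRA_KINDS = {"deployment-environment", "partition", "gateway"}
APP_KINDS = {"application", "service", "deployment", "instance", "service-endpoint", "policy"}
DEFAULT_APP, DEFAULT_INFRA = "default-app", "default-infra"
ANY_GROUP = "*"                       # assumed scope name: every resource group (Admin)
RBAC_SCOPE = "identities-and-roles"   # assumed scope name: Identities and Roles (RBACManager)

# Default roles as described above, as scope -> permissions.
DEFAULT_ROLES = {
    "Admin": {ANY_GROUP: Perm.ALL},
    "RBACManager": {RBAC_SCOPE: Perm.ALL},
    "CloudOps": {DEFAULT_INFRA: Perm.ALL, DEFAULT_APP: Perm.READ},
    "DevOps": {DEFAULT_APP: Perm.ALL, DEFAULT_INFRA: Perm.READ},
}


class NoPermission(Exception):
    """Stands in for the no-permission error the API returns."""


@dataclass
class Resource:
    name: str
    kind: str
    resource_group_id: Optional[str] = None  # one field: a resource is in exactly one group


@dataclass
class Mesh:
    groups: dict = field(default_factory=lambda: {DEFAULT_APP: "application", DEFAULT_INFRA: "infrastructure"})
    roles: dict = field(default_factory=lambda: dict(DEFAULT_ROLES))
    users: dict = field(default_factory=dict)       # user -> set of role names
    resources: list = field(default_factory=list)

    def create_resource_group(self, group_id: str, group_type: str) -> None:
        if group_type not in ("application", "infrastructure"):
            raise ValueError("type must be application or infrastructure")
        self.groups[group_id] = group_type

    def create_role(self, name: str, grants: dict) -> None:
        # Default roles are fixed, and only the built-in RBACManager may hold Identities/Roles permissions.
        if name in DEFAULT_ROLES or RBAC_SCOPE in grants:
            raise ValueError(f"cannot create role {name}")
        self.roles[name] = grants

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(role)
        self.users.setdefault(user, set()).add(role)   # many roles per user, many users per role

    def permissions(self, user: str, group_id: str) -> Perm:
        """Union of what every assigned role grants on this group; no roles means no permissions."""
        granted = Perm(0)
        for role in self.users.get(user, ()):
            grants = self.roles[role]
            granted |= grants.get(group_id, Perm(0)) | grants.get(ANY_GROUP, Perm(0))
        return granted

    def create_resource(self, user: str, res: Resource) -> Resource:
        expected = "infrastructure" if res.kind in INFRA_KINDS else "application"
        if res.resource_group_id is None:
            # No group given: infrastructure kinds go to default-infra, application kinds to default-app.
            res.resource_group_id = DEFAULT_INFRA if expected == "infrastructure" else DEFAULT_APP
        if self.groups.get(res.resource_group_id) != expected:   # assumed: kind must match group type
            raise ValueError(f"{res.kind} cannot be placed in {res.resource_group_id}")
        if Perm.CREATE not in self.permissions(user, res.resource_group_id):
            raise NoPermission(f"{user} cannot create in {res.resource_group_id}")
        self.resources.append(res)
        return res

    def get(self, user: str, name: str) -> Resource:
        """Single-resource query: the current state, or a no-permission error."""
        res = next(r for r in self.resources if r.name == name)
        if Perm.READ not in self.permissions(user, res.resource_group_id):
            raise NoPermission(f"{user} cannot read {name}")
        return res

    def query(self, user: str, kind: str) -> list:
        """List query: [], the readable matches, or an error if no match is readable."""
        matching = [r for r in self.resources if r.kind == kind]
        if not matching:
            return []
        visible = [r for r in matching if Perm.READ in self.permissions(user, r.resource_group_id)]
        if not visible:
            raise NoPermission(f"{user} cannot read any matching {kind}")
        return visible


def denied(action, *args) -> bool:
    """True if the call fails with a no-permission error."""
    try:
        action(*args)
    except NoPermission:
        return True
    return False


def build_demo() -> Mesh:
    """Constructed sample: the default roles plus the Group_A scenario from the CLI section."""
    m = Mesh()
    for user, role in [("alice", "Admin"), ("bob", "DevOps"), ("carol", "CloudOps"), ("dave", "RBACManager")]:
        m.assign_role(user, role)
    m.create_resource("alice", Resource("edge-gw", "gateway"))        # lands in default-infra
    m.create_resource("bob", Resource("checkout", "application"))     # lands in default-app
    m.create_resource_group("group-a", "application")
    m.create_role("GroupA-dev", {"group-a": Perm.ALL})                # custom role over a custom group
    m.assign_role("erin", "GroupA-dev")
    m.create_resource("erin", Resource("my-app", "application", "group-a"))
    return m
```

With build_demo(), the DevOps user bob can read edge-gw (read on default-infra) but not create a gateway, erin sees only my-app when listing applications, and the RBACManager user dave gets a no-permission error when listing applications even though matching resources exist, which is the third list-query response described above.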