Roles and permissions

Learn about the roles and permissions that are needed for deploying IBM® Netcool® Operations Insight® on Red Hat® OpenShift®. Different roles are needed for different deployment types.

Roles

In OwnNamespace mode, all roles apply and are deployed in the single namespace. In SingleNamespace mode, there is an operator namespace and an operand namespace, and each role is deployed in one or both of them, as listed in the following table.
Role                                                             Deployment type                                  Namespaces for SingleNamespace mode
---------------------------------------------------------------  ----------------------------------------------  -----------------------------------
cloud-native-postgresql.v1.18.1                                  All                                              Operator
cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7  All                                              Operator and operand
edb-license-role                                                 All                                              Operator
noi.v1.10.0                                                      All                                              Operator
noi.v1.10.0-noi-operator-6b78fb7965                              All                                              Operator and operand
postgresql-operator-controller-manager-1-18-1-service-cert       All                                              Operator
<release_name>-noi-postgres-cluster                              All                                              Operand
<release_name>-proxy                                             Full cloud and geo-redundant cloud deployments   Operand
<release_name>-cassandra-role                                    Geo-redundant deployments                        Operand
<release_name>-geored-ui-health-role                             Geo-redundant deployments (1)                    Operand
nasm-app-disco-role                                              Cloud
<release_name>-topology-netdisco-get-role                        Cloud (2)

(1) This role can be disabled for separation of duties.
(2) This role is applied if the Network Discovery observer is enabled.
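All of the roles listed above are namespaced Kubernetes Roles, and a few of them (the noi operator role and the postgresql operator role in particular) carry write access to Roles and RoleBindings, read access to Secrets, or create on pods/exec. The following script, added here as an editor's example and not part of the IBM documentation, audits Role rules for grants of that kind; the rule subsets are copied from the role examples on this page, while the SENSITIVE table and its reasons are the editor's own assumptions about what a reviewer wants flagged.

```python
"""Audit namespaced Role rules for grants worth a second look (added example)."""
from itertools import product

# Rule subsets copied from the role examples on this page and embedded so the
# audit runs offline; the full roles contain more rules than shown here.
PROXY_RULES = [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["update", "patch", "watch", "list", "get"]}]
NOI_OPERATOR_RULES = [
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["roles", "rolebindings", "clusterroles", "clusterrolebindings"],
     "verbs": ["get", "list", "patch", "update", "delete", "create", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
     "verbs": ["get", "list", "patch", "update", "delete", "create", "watch"]},
]
POSTGRES_OPERATOR_RULES = [
    {"apiGroups": [""], "resources": ["pods/exec"],
     "verbs": ["create", "delete", "get", "list", "patch", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
]

WRITE = {"create", "update", "patch", "delete", "*"}
READ = {"get", "list", "watch", "*"}
# (apiGroup, resource) -> (verbs that matter, why). This list is the editor's
# assumption about what a reviewer wants flagged, not from the IBM documentation.
SENSITIVE = {
    ("", "secrets"): (READ, "reads every Secret in the namespace"),
    ("", "pods/exec"): ({"create", "*"}, "can exec into any pod in the namespace"),
    ("", "pods"): (WRITE, "can run pods under any service account in the namespace"),
    ("rbac.authorization.k8s.io", "roles"):
        (WRITE, "writes Roles (bounded by the API server's escalation check)"),
    ("rbac.authorization.k8s.io", "rolebindings"):
        (WRITE, "writes RoleBindings (can bind subjects to existing Roles)"),
}

def audit(rules):
    """Return sorted (apiGroup, resource, verb, reason) tuples; '*' wildcards match."""
    hits = set()
    for rule in rules:
        for group, res, verb in product(rule["apiGroups"], rule["resources"], rule["verbs"]):
            for (sg, sr), (verbs, why) in SENSITIVE.items():
                if group in (sg, "*") and res in (sr, "*") and verb in verbs:
                    hits.add((sg, sr, verb, why))
    return sorted(hits)

if __name__ == "__main__":
    for name, rules in [("proxy", PROXY_RULES), ("noi-operator", NOI_OPERATOR_RULES),
                        ("postgresql-operator", POSTGRES_OPERATOR_RULES)]:
        print(name, *(f"  {v} {r}: {why}" for _, r, v, why in audit(rules)), sep="\n")
```

To run it against a live cluster, feed it the `rules` list of each Role returned by `oc get role -n <namespace> -o json` instead of the embedded subsets.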

Role examples

cloud-native-postgresql.v1.18.1

The cloud-native-postgresql.v1.18.1 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cloud-native-postgresql.v1.18.1
rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - cloud-native-postgresql.v1.18.1
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch

cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7

The cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace and operand namespace.

Example:
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    resources:
    - configmaps/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - ""
    resources:
    - pods/exec
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - ""
    resources:
    - pods/status
    verbs:
    - get
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    resources:
    - secrets/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - serviceaccounts
    verbs:
    - create
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    resources:
    - services
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - mutatingwebhookconfigurations
    verbs:
    - get
    - list
    - update
  - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - validatingwebhookconfigurations
    verbs:
    - get
    - list
    - update
  - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - get
    - list
    - update
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - create
    - get
    - update
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - podmonitors
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - backups
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - backups/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - clusters
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - clusters/finalizers
    verbs:
    - update
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - clusters/status
    verbs:
    - get
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - poolers
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - poolers/finalizers
    verbs:
    - update
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - poolers/status
    verbs:
    - get
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - scheduledbackups
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - scheduledbackups/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - rolebindings
    verbs:
    - create
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    verbs:
    - create
    - get
    - list
    - patch
    - update
    - watch

edb-license-role

The edb-license-role role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: edb-license-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  verbs:
  - create
  - update
  - patch
  - get
  - list
  - delete
  - watch

noi.v1.10.0

The noi.v1.10.0 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: noi.v1.10.0
rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - noi.v1.10.0
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch

noi.v1.10.0-noi-operator-6b78fb7965

The noi.v1.10.0-noi-operator-6b78fb7965 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace and operand namespace.

Example:
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: noi.v1.10.0-noi-operator-6b78fb7965
  rules:
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    - clusterroles
    - clusterrolebindings
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - ""
    resources:
    - pods
    - services
    - services/finalizers
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - role
    - rolebinding
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - ""
    - extensions
    resources:
    - deployments
    - configmaps
    - ingresses
    - services
    - serviceaccounts
    - persistentvolumeclaims
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
  - apiGroups:
    - apps
    resources:
    - deployments
    - deployments/status
    - deployments/finalizers
    - daemonsets
    - replicasets
    - statefulsets
    - statefulsets/status
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - batch
    resources:
    - jobs
    - cronjobs
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - route.openshift.io
    resources:
    - routes
    - routes/custom-host
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - noi.ibm.com
    resources:
    - nois
    - nois/status
    - nois/finalizers
    - noiformations
    - noiformations/status
    - noiformations/finalizers
    - noihybrids
    - noihybrids/status
    - noihybrids/finalizers
    - noiconnectionlayers
    - noiconnectionlayers/status
    - noiconnectionlayers/finalizers
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - cem.ibm.com
    resources:
    - cemformations
    - cemformations/status
    - cemformations/finalizers
    - cemserviceinstances
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    verbs:
    - get
    - create
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - asm.ibm.com
    resources:
    - asms
    - asmformations
    - asmformations/status
    - asmformations/finalizers
    - appdiscoes
    - appdiscoes/status
    - appdiscoes/finalizers
    verbs:
    - get
    - list
    - patch
    - update
    - delete
    - create
    - watch
  - apiGroups:
    - ""
    resources:
    - configmaps/status
    - endpoints
    verbs:
    - get
    - update
    - patch
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
  - apiGroups:
    - operators.coreos.com
    resources:
    - subscriptions
    - subscriptions/status
    - subscriptions/finalizers
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - postgresql.k8s.enterprisedb.io
    resources:
    - clusters
    - clusters/status
    - clusters/finalizers
    - backups
    - backups/status
    - scheduledbackups
    - scheduledbackups/status
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete

postgresql-operator-controller-manager-1-18-1-service-cert

The postgresql-operator-controller-manager-1-18-1-service-cert role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: postgresql-operator-controller-manager-1-18-1-service-cert
rules:
- apiGroups:
  - ""
  resourceNames:
  - postgresql-operator-controller-manager-1-18-1-service-cert
  resources:
  - secrets
  verbs:
  - get

<release_name>-noi-postgres-cluster

The <release_name>-noi-postgres-cluster role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: noi.v1.10.0
rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - noi.v1.10.0
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch

<release_name>-proxy

The <release_name>-proxy role applies to full cloud and geo-redundant cloud deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: evtmanager-proxy
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - update
  - patch
  - watch
  - list
  - get

<release_name>-cassandra-role

The <release_name>-cassandra-role role applies to geo-redundant deployments in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: evtmanager-cassandra-role
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - update
  - delete

<release_name>-geored-ui-health-role

The <release_name>-geored-ui-health-role role applies to geo-redundant deployments in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace. This role can be disabled for separation of duties.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: evtmanager-geored-ui-health-role
rules:
- apiGroups:
  - apps
  resourceNames:
  - evtmanager-webgui-primary
  resources:
  - statefulsets/status
  verbs:
  - get
- apiGroups:
  - apps
  resourceNames:
  - evtmanager-ibm-hdm-common-ui-uiserver
  resources:
  - deployments/status
  verbs:
  - get

nasm-app-disco-role

The nasm-app-disco-role role applies to cloud deployments in OwnNamespace mode. This role is deployed only if the Advanced Agile Discovery extension is enabled. For more information, see Installing extensions.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nasm-app-disco-role
rules:
- apiGroups:
  - asm.ibm.com
  resources:
  - appdiscoes
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - asm.ibm.com
  resources:
  - appdiscoes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  - services
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  - endpoints
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/custom-host
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

<release_name>-topology-netdisco-get-role

The <release_name>-topology-netdisco-get-role role applies to cloud deployments and is applied only if the Network Discovery observer is enabled.

Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: evtmanager-topology-netdisco-get-role
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list