Role-based access control (RBAC)

RBAC related questions and answers for IBM Storage Fusion HCI System.

  1. Users of which identity providers can be authenticated with IBM Storage Fusion HCI System?
    Any identity provider that can be configured with OpenShift® can be used to authenticate to IBM Storage Fusion HCI System. Labs has tested only with htpasswd and LDAP.

  2. Which OpenShift roles are authorized to access IBM Storage Fusion HCI System user interface?
    Any user with clusteradmin or view roles can access IBM Storage Fusion HCI System.

  3. Does IBM Storage Fusion HCI System support all types of user roles?
    IBM Storage Fusion HCI System supports only two user roles: clusteradmin and view. For more information about IBM Storage Fusion HCI System RBAC, see User management.

  4. What happens when a user with an invalid role tries to log in to the IBM Storage Fusion HCI System interface?
    The user is not authenticated to IBM Storage Fusion HCI System.

  5. How do we configure an identity provider for OpenShift?
    For the procedure to configure an identity provider, see the identity provider configuration information in User management.

  6. Does the IBM Storage Fusion HCI System user interface have multi-factor authentication (MFA) for sign in?
    IBM Storage Fusion HCI System uses SSO through Red Hat® OpenShift Data Foundation authentication. Red Hat OpenShift Data Foundation can also be configured to enforce MFA. IBM Spectrum Fusion supports all of the OAuth authenticators that OpenShift supports.

  7. How does SSO work between IBM Storage Fusion HCI System and other integrated applications?
    • Red Hat OpenShift:

      Yes, SSO is configured for IBM Storage Fusion HCI System and Red Hat OpenShift. It works for kubeadmin. For identity providers, an RFE has been raised with the OpenShift team to enable SSO login for identity providers.

    • IBM Spectrum Scale:

      Yes, SSO is configured for IBM Storage Fusion HCI System and IBM Spectrum Scale.

    • IBM Spectrum Protect Plus user interface:

      For IBM Spectrum Protect Plus, you need separate user credentials to log in. For more information, see Logging into IBM Spectrum Protect Plus.

  8. How do authorization and authentication work in OpenShift?
    For more information about authorization and authentication, see https://docs.openshift.com/container-platform/4.12/authentication/understanding-authentication.html.

  9. Who are the primary personas/roles to whom Fusion is targeted?
    There are two primary personas:
    1. The team that is setting up and managing the OpenShift infrastructure.
    2. The application team that works on developing and deploying applications to OpenShift.