Merge pull request #77370 from fmcdonal/OSDOCS-10209

OSDOCS-10209: ROSA "Approved Access" (was Lockbox)

Author: adellape

_topic_maps/_topic_map_rosa.yml

@@ -315,6 +315,8 @@ Topics:
   File: index
 - Name: Managing your cluster resources
   File: managing-cluster-resources
+- Name: Approved Access
+  File: approved-access
 - Name: Getting support
   File: getting-support
   Distros: openshift-rosa

modules/support-reviewing-an-access-request-from-an-email-notification.adoc

@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * serverless/serverless-support.adoc
+// * support/getting-support.adoc
+// * service_mesh/v2x/ossm-troubleshooting-istio.adoc
+// * osd_architecture/osd-support.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="support-reviewing-an-access-request-from-an-email-notification_{context}"]
+= Reviewing an access request from an email notification
+
+Cluster owners will receive an email notification when Red{nbsp}Hat Site Reliability Engineering (SRE) request access to their cluster with a link to review the request in the {hybrid-console-second}.
+
+ifndef::openshift-rosa,openshift-dedicated[]
+.Prerequisites
+* You have access to the cluster as a user with the `cluster-admin` role.
+endif::openshift-rosa,openshift-dedicated[]
+
+
+.Procedure
+
+. Click the link within the email to bring you to the {hybrid-console-second}.
+
+. In the *Access Request Details* dialog, click *Approve* or *Deny* under *Decision*.
++
+[NOTE]
+====
+Denying an access request requires you to complete the *Justification* field. In this case, SRE can not directly act on the resources related to the incident. Customers can still use the link:https://access.redhat.com/support/cases/#/case/list[*Customer Support*] to help investigate and resolve any issues.
+====
+
+. Click *Save*.
+

modules/support-reviewing-an-access-request-from-the-hybrid-console.adoc

@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * support/getting-support.adoc
+// * osd_architecture/osd-support.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="support-reviewing-an-access-request-from-the-hybrid-cloud-console_{context}"]
+= Reviewing an access request from the {hybrid-console-second}
+
+Review access requests for your {product-rosa} clusters from the {hybrid-console-second}.
+
+ifndef::openshift-rosa,openshift-dedicated[]
+.Prerequisites
+* You have access to the cluster as a user with the `Cluster Owner` role.
+endif::openshift-rosa,openshift-dedicated[]
+
+
+.Procedure
+
+. Navigate to {cluster-manager-url} and select *Clusters*.
+
+. Click the cluster name to review the *Access Request*.
+
+. Select the *Access Requests* tab to list all *states*.
+
+. Select *Open* under *Actions* for the *Pending* state.
+
+. In the *Access Request Details* dialog, click *Approve* or *Deny* under *Decision*.
++
+[NOTE]
+====
+Denying an access request requires you to complete the *Justification* field. In this case, SRE can not directly act on the resources related to the incident. Customers can still use the link:https://access.redhat.com/support/cases/#/case/list[*Customer Support*] to help investigate and resolve any issues.
+====
+
+. Click *Save*.

modules/support-submitting-a-case-enable-approved-access.adoc

@@ -0,0 +1,44 @@
+// Module included in the following assemblies:
+//
+// * support/getting-support.adoc
+// * osd_architecture/osd-support.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="support-submitting-a-case-enable-approved-access_{context}"]
+= Enabling Approved Access for ROSA clusters by submitting a support case
+
+{product-rosa} _Approved Access_ is not enabled by default. To enable _Approved Access_ for your {product-rosa} clusters, you should create a support ticket.
+
+.Procedure
+
+. Log in to the link:https://access.redhat.com/support/cases/#/case/list[*Customer Support*] page of the Red{nbsp}Hat Customer Portal.
+
+. Click *Get support*.
+
+. On the *Cases* tab of the *Customer support* page:
+
+.. Optional: Change the pre-filled account and owner details if needed.
+
+.. Select the *Configuration* category and click *Continue*.
+
+. Enter the following information:
+
+.. In the *Product* field, select *{product-title}* or *{product-title} {hcp-capital}*.
+.. In the *Problem statement* field, enter *Enable ROSA Access Protection*.
+.. Click *See more options*.
+
+. Select *OpenShift Cluster ID* from the drop-down list.
+
+. Fill the remaining mandatory fields in the form:
+
+.. What are you experiencing? What are you expecting to happen?
+... Fill with *Approved Access*.
+
+.. Define the value or impact to you or the business.
+... Fill with *Approved Access*.
+.. Click *Continue*.
+
+. Select *Severity* as *4(Low)* and click *Continue*.
+
+. Preview the case details and click *Submit*.
+

rosa_release_notes/rosa-release-notes.adoc

@@ -18,6 +18,10 @@ toc::[]
 
 * **ROSA CLI update.** The ROSA CLI (`rosa`) was updated to a new version. For information about what has changed in this release, see the link:https://github.com/openshift/rosa/releases/tag/v1.2.41[ROSA CLI release notes]. For more information about the ROSA CLI (`rosa`), see xref:../cli_reference/rosa_cli/rosa-get-started-cli.adoc#rosa-about_rosa-getting-started-cli[About the ROSA CLI].
 
+* **Approved Access for ROSA clusters.** Red{nbsp}Hat Site Reliability Engineering (SRE) managing and proactively supporting ROSA Clusters will typically not require access to customer Data as part of the normal operations. In the unlikely event should Red{nbsp}Hat SRE (Site Reliability Engineer) need access to customer data, the _Approved Access_ functionality provides an interface for customers to review and _approve_ or _deny_ access requests.
++
+Access requests to customer data on ROSA clusters and the corresponding cloud accounts can be created by Red{nbsp}Hat SRE either in response to a customer-initiated support ticket or in response to alerts received by a Red{nbsp}Hat SRE, as part of the standard incident response process. For more information, see xref:../support/approved-access.adoc#approved-access[Approved Access]. This is applicable to ROSA and Red{nbsp}Hat OpenShift Service on AWS (classic architecture).
+
 * **Permission boundaries for the installer role policy.** You can apply a policy as a _permissions boundary_ on the ROSA installer role. The combination of policy and boundary policy limits the maximum permissions for the Amazon Web Services(AWS) Identity and Access Management (IAM) entity role. ROSA includes a set of three prepared permission boundary policy files, with which you can restrict permissions for the installer role since changing the installer policy itself is not supported. For more information, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-aws-requirements-attaching-boundary-policy_rosa-sts-about-iam-resources[Permission boundaries for the installer role]. This is applicable only to Red{nbsp}Hat OpenShift Service on AWS (classic architecture).
 
 * **Cluster delete protection.** You can now enable the cluster delete protection option, which helps to prevent you from accidentally deleting a cluster. For more information on using the cluster delete protection option with the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-edit-cluster_rosa-managing-objects-cli[edit cluster]. For more information on using the cluster delete protection option in the UI, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-using-defaults-ocm_rosa-sts-creating-a-cluster-quickly[Creating a cluster with the default options using OpenShift Cluster Manager].

support/approved-access.adoc

@@ -0,0 +1,31 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="approved-access"]
+= Approved Access
+include::_attributes/common-attributes.adoc[]
+ifdef::openshift-dedicated[]
+include::_attributes/attributes-openshift-dedicated.adoc[]
+endif::[]
+:context: approved-access
+
+toc::[]
+
+Red{nbsp}Hat Site Reliability Engineering (SRE) typically does not require access to systems containing customer data as part of normal operations to manage and support {product-title} clusters. In the unlikely event that SRE needs access to systems containing customer data, you can use the _Approved Access_ interface to review and _approve_ or _deny_ access to these systems.
+
+Access requests to customer data on {product-rosa} clusters and the corresponding cloud accounts can be created by SRE either in response to a customer-initiated support ticket or in response to alerts received by SRE as part of the standard incident response process.
+
+When _Approved Access_ is enabled and an SRE creates an access request, _cluster owners_ receive an email notification informing them of a new access request. The email notification contains a link allowing the cluster owner to quickly approve or deny the access request. You must respond in a timely manner otherwise there is a risk to your SLA for {product-rosa}.
+
+* If customers require additional users that are not the cluster owner to receive the email, they can link:https://docs.openshift.com/rosa/observability/logging/sd-accessing-the-service-logs.html#adding-cluster-notification-contacts_sd-accessing-the-service-logs[add additional cluster contacts].
+* Pending access requests are available in the {hybrid-console-second} on the clusters list or *Access Requests* tab on the cluster overview for the specific cluster.
+
+[NOTE]
+====
+Denying an access request requires you to complete the *Justification* field. In this case, SRE can not directly act on the resources related to the incident. Customers can still use the link:https://access.redhat.com/support/cases/#/case/list[*Customer Support*] to help investigate and resolve any issues.
+====
+// Approved access
+
+include::modules/support-submitting-a-case-enable-approved-access.adoc[leveloffset=+1]
+include::modules/support-reviewing-an-access-request-from-an-email-notification.adoc[leveloffset=+1]
+include::modules/support-reviewing-an-access-request-from-the-hybrid-console.adoc[leveloffset=+1]
+
+