Merge pull request #65765 from bhardesty/osdocs-3159-dedicated-admin

OSDOCS-3159: Update dedicated-admin privs and add additional resources

Author: mburke5678

modules/rosa-sdpolicy-security.adoc

@@ -30,6 +30,7 @@ In addition to normal users, {product-title} provides access to an {product-titl
 - Can add and manage `NetworkPolicy` objects.
 - Are able to view information about specific nodes and PVs in the cluster, including scheduler information.
 - Can access the reserved `dedicated-admin` project on the cluster, which allows for the creation of service accounts with elevated privileges and also gives the ability to update default limits and quotas for projects on the cluster.
+- Can install Operators from OperatorHub and perform all verbs in all `*.operators.coreos.com` API groups.
 
 [id="rosa-sdpolicy-cluster-admin-role_{context}"]
 == Cluster administration role

modules/sdpolicy-security.adoc

@@ -30,6 +30,7 @@ In addition to normal users, {product-title} provides access to an {product-titl
 * Can add and manage `NetworkPolicy` objects.
 * Are able to view information about specific nodes and PVs in the cluster, including scheduler information.
 * Can access the reserved `dedicated-admin` project on the cluster, which allows for the creation of service accounts with elevated privileges and also gives the ability to update default limits and quotas for projects on the cluster.
+* Can install Operators from OperatorHub (`\*` verbs in all `*.operators.coreos.com` API groups).
 
 [id="cluster-admin-role_{context}"]
 == Cluster administration role

osd_getting_started/osd-getting-started.adoc

@@ -49,6 +49,12 @@ include::modules/config-idp.adoc[leveloffset=+1]
 * For detailed steps to configure each of the supported identity provider types, see xref:../osd_install_access_delete_cluster/config-identity-providers.adoc#config-identity-providers[Configuring identity providers].
 
 include::modules/osd-grant-admin-privileges.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../osd_architecture/osd_policy/osd-service-definition.html#cluster-admin-user_osd-service-definition[Cluster administrator user]
+
 include::modules/access-cluster.adoc[leveloffset=+1]
 include::modules/deploy-app.adoc[leveloffset=+1]
 include::modules/scaling-cluster.adoc[leveloffset=+1]

osd_install_access_delete_cluster/config-identity-providers.adoc

@@ -15,4 +15,10 @@ include::modules/config-google-idp.adoc[leveloffset=+1]
 include::modules/config-ldap-idp.adoc[leveloffset=+1]
 include::modules/config-openid-idp.adoc[leveloffset=+1]
 include::modules/config-htpasswd-idp.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../osd_architecture/osd_policy/osd-service-definition.html#cluster-admin-user_osd-service-definition[Cluster administrator user]
+
 include::modules/access-cluster.adoc[leveloffset=+1]

rosa_getting_started/rosa-getting-started.adoc

@@ -61,6 +61,13 @@ include::modules/rosa-getting-started-configure-an-idp.adoc[leveloffset=+2]
 
 include::modules/rosa-getting-started-grant-user-access.adoc[leveloffset=+2]
 include::modules/rosa-getting-started-grant-admin-privileges.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-cluster-admin-role_rosa-service-definition[Cluster administration role]
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-customer-admin-user_rosa-service-definition[Cluster administrator user]
+
 include::modules/rosa-getting-started-access-cluster-web-console.adoc[leveloffset=+1]
 include::modules/deploy-app.adoc[leveloffset=+1]
 include::modules/rosa-getting-started-revoking-admin-privileges-and-user-access.adoc[leveloffset=+1]

rosa_getting_started/rosa-quickstart-guide-ui.adoc

@@ -118,6 +118,11 @@ include::modules/rosa-getting-started-grant-user-access.adoc[leveloffset=+2]
 [discrete]
 include::modules/rosa-getting-started-grant-admin-privileges.adoc[leveloffset=+2]
 
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-cluster-admin-role_rosa-service-definition[Cluster administration role]
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-customer-admin-user_rosa-service-definition[Cluster administrator user]
 
 //This content is pulled from rosa-getting-started-access-cluster-web-console.adoc
 include::modules/rosa-getting-started-access-cluster-web-console.adoc[leveloffset=+1]

rosa_install_access_delete_clusters/rosa-sts-accessing-cluster.adoc

@@ -13,8 +13,19 @@ This document describes how to access a cluster and set up an IDP using the ROSA
 include::modules/rosa-accessing-your-cluster-quick.adoc[leveloffset=+1]
 include::modules/rosa-accessing-your-cluster.adoc[leveloffset=+1]
 include::modules/rosa-create-cluster-admins.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-cluster-admin-role_rosa-service-definition[Cluster administration role]
+
 include::modules/rosa-create-dedicated-cluster-admins.adoc[leveloffset=+1]
 
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-customer-admin-user_rosa-service-definition[Cluster administrator user]
+
 [role="_additional-resources"]
 == Additional resources
 * xref:../rosa_install_access_delete_clusters/rosa-sts-config-identity-providers.adoc#rosa-sts-config-identity-providers[Configuring identity providers using {cluster-manager-first} console]