RHIDP-3973 configuring policy administrators

themr0c · themr0c · commit 364984eb30a0 · 2024-10-16T16:57:10.000+02:00
Signed-off-by: Fabrice Flore-Thébault &lt;ffloreth@redhat.com&gt;
diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc
@@ -1,14 +1,15 @@
 [id='proc-enabling-rbac_{context}']
-= Enabling Role-Based Access Control (RBAC)
+= Enabling and giving access to the Role-Based Access Control (RBAC) feature
 
 The Role-Based Access Control (RBAC) feature is disabled by default.
 Enable the RBAC plugin to start using RBAC features.
 
 .Prerequisites
 * You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it.
+* You have link:{authentication-book-title}[enabled an authentication provider].
 
 .Procedure
-* The RBAC plugin is installed but disabled by default.
+. The RBAC plugin is installed but disabled by default.
 To enable the  `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with following content.
 +
 .`dynamic-plugins.yaml` fragment
@@ -20,3 +21,31 @@ plugins:
 ----
 +
 See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}].
+
+. Declare policy administrators to allow a certain limited number of authenticated users to configure RBAC policies by using the REST API or the Web UI, rather than editing the CSV file.
+The actual policies are defined in a separate CSV file and referenced in the app-config-rhdh ConfigMap.
++
+To declare users such as __<your_policy_administrator_name>_ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content:
++
+.`app-config.yaml` fragment
+[source,yaml,subs=+quotes]
+----
+permission:
+  enabled: true
+  rbac:
+    admin:
+      users:
+        - name: user:default/__<your_policy_administrator_name>__
+----
+
+.Verification
+. Sign out from the existing {product} session and log in again using the declared policy administrator account.
+. Navigate to the Catalog page in RHDH.
+The Create button is not visible.
+You are not allowed to create new components.
+. Navigate to the API page.
+The Register button is not visible.
+
+.Next steps
+* With RBAC enabled, most features are disabled by default.
+Explicitly enable permissions to resources in {product-short}.
