RHIDP-4896 Determining the permission policy and role configuration source

Signed-off-by: Fabrice Flore-Thébault <[email protected]>

Author: themr0c

assemblies/assembly-configuring-authorization-in-rhdh.adoc

@@ -11,25 +11,25 @@ Role-Based Access Control (RBAC) is a security concept that controls access to r
 You define roles with specific permissions, and then assign the roles to users and groups.
 
 RBAC on {product-short} is built on top of the Permissions framework, which defines RBAC policies in code.
-Rather than defining policies in code,
-the {product-short} RBAC feature allows you
-to define policies in a declarative fashion using a simple CSV based format.
+Rather than defining policies in code, the {product-short} RBAC feature allows you to define policies in a declarative fashion using a simple CSV based format.
 You can define the policies by using {product-short} web interface or REST API, rather than editing the CSV directly.
 
-To apply RBAC in {product-short}:
+To define authorizations in {product-short}:
 
-. The {product-short} administrator sets up the RBAC feature:
-.. Enable the RBAC feature
-.. Configure Policy Administrators
+. The {product-short} administrator enables and gives access to the RBAC feature.
 
-. The {product-short} policy administrator configures your RBAC policies:
-.. Define roles with specific permissions
-.. Assign the roles to users and groups
+. You define your roles and policies by combining following methods:
 
+* The {product-short} policy administrator uses the {product-short} web interface or REST API.
+* The {product-short} administrator edits the main {product-short} configuration file.
+* The {product-short} administrator edits external files.
 
 include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1]
 
 
+include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1]
+
+
 include::assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc[leveloffset=+1]
 
 

modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc

@@ -0,0 +1,35 @@
+[id='proc-determining-policy-and-role-source']
+= Determining permission policy and role configuration source
+
+You can configure {product} policy and roles by using different sources.
+To maintain data consistency, {product-short} associates each permission policy and role with one unique source.
+You can only use this source to change the resource.
+
+The available sources are:
+
+Configuration file::
+
+
+Configure roles and policies in the {product-short} `app-config.yaml` configuration file, for instance to xref:enabling-and-giving-access-to-rbac[declare your policy administrators].
++
+The Configuration file pertains to the default `role:default/rbac_admin` role provided by the RBAC plugin.
+The default role has limited permissions to create, read, update, and delete permission policies or roles, and to read catalog entities.
++
+[NOTE]
+====
+In case the default permissions are insufficient for your administrative requirements, you can create a custom admin role with required permission policies.
+====
+
+REST API::
+Configure roles and policies xref:managing-authorizations-by-using-the-seb-ui[by using the {product-short} Web UI] or xref:managing-authorizations-by-using-the-rest-api[by using the REST API].
+
+CSV file::
+Configure roles and policies by using external CSV files.
+
+Legacy::
+The legacy source applies to policies and roles defined before RBAC backend plugin version `2.1.3`, and is the least restrictive among the source location options.
++
+IMPORTANT: Replace the permissions and roles using the legacy source by permissions using the REST API or the CSV file sources.
+
+.Procedure
+* To determine the source of a role or policy, use a `GET` request.