redhat-developer · Gerry-Forde · Nov 4, 2024 · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -4,13 +4,13 @@
 include::modules/authorization/con-rbac-overview.adoc[leveloffset=+1]
 
 
-include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
+include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1]
 
 
-include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2]
+include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
 
 
-include::modules/authorization/con-rbac-config-permission-policies-admin.adoc[leveloffset=+3]
+include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2]
 
 
 include::modules/authorization/con-rbac-config-permission-policies-external-file.adoc[leveloffset=+3]

diff --git a/modules/authorization/con-rbac-config-permission-policies-admin.adoc b/modules/authorization/con-rbac-config-permission-policies-admin.adoc
diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc
@@ -0,0 +1,53 @@
+[id='enabling-and-giving-access-to-rbac']
+= Enabling and giving access to the Role-Based Access Control (RBAC) feature
+
+The Role-Based Access Control (RBAC) feature is disabled by default.
+Enable the RBAC plugin and declare policy administrators to start using RBAC features.
+
+The permission policies for users and groups in the {product-short} are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API.
+
+.Prerequisites
+* You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it.
+* You have link:{authentication-book-title}[enabled an authentication provider].
+
+.Procedure
+. The RBAC plugin is installed but disabled by default.
+To enable the  `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with following content.
++
+.`dynamic-plugins.yaml` fragment
+[source,yaml]
+----
+plugins:
+  - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac
+    disabled: false
+----
++
+See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}].
+
+. Declare policy administrators to allow a certain limited number of authenticated users to configure RBAC policies by using the REST API or the Web UI, rather than editing the CSV file.
+The permissions can be defined in a separate CSV file that is referenced in the app-config-rhdh ConfigMap, or they can be created via REST API or Web UI.
++
+To declare users such as _<your_policy_administrator_name>_ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content:
++
+.`app-config.yaml` fragment
+[source,yaml,subs=+quotes]
+----
+permission:
+  enabled: true
+  rbac:
+    admin:
+      users:
+        - name: user:default/__<your_policy_administrator_name>__
+----
+
+.Verification
+. Sign out from the existing {product} session and log in again using the declared policy administrator account.
+. With RBAC enabled, most features are disabled by default.
+.. Navigate to the Catalog page in {product-very-short}.
+The Create button is not visible.
+You cannot create new components.
+.. Navigate to the API page.
+The Register button is not visible.
+
+.Next steps
+* Explicitly enable permissions to resources in {product-short}.