diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 70d970f799..73e4daada3 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -16,20 +16,22 @@ the {product-short} RBAC feature allows you to define policies in a declarative fashion using a simple CSV based format. You can define the policies by using {product-short} web interface or REST API, rather than editing the CSV directly. -To apply RBAC in {product-short}: +To define authorizations in {product-short}: -. The {product-short} administrator sets up the RBAC feature: -.. Enable the RBAC feature -.. Configure Policy Administrators +. The {product-short} administrator enables and gives access to the RBAC feature. -. The {product-short} policy administrator configures your RBAC policies: -.. Define roles with specific permissions -.. Assign the roles to users and groups +. You define your roles and policies by combining the following methods: +* The {product-short} policy administrator uses the {product-short} web interface or REST API. +* The {product-short} administrator edits the main {product-short} configuration file. +* The {product-short} administrator edits external files. include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] +include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1] + + include::assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc[leveloffset=+1] diff --git a/modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc b/modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc new file mode 100644 index 0000000000..ec1e41b73e --- /dev/null +++ b/modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc 
@@ -0,0 +1,33 @@ +[id='proc-determining-policy-and-role-source'] += Determining permission policy and role configuration source + +You can configure {product} policy and roles by using different sources. +To maintain data consistency, {product-short} associates each permission policy and role with one unique source. +You can only use this source to change the resource. + +The available sources are: + +Configuration file:: +Configure roles and policies in the {product-short} `app-config.yaml` configuration file, for instance to xref:enabling-and-giving-access-to-rbac[declare your policy administrators]. ++ +The Configuration file pertains to the default `role:default/rbac_admin` role provided by the RBAC plugin. +The default role has limited permissions to create, read, update, delete permission policies or roles, and to read catalog entities. ++ +[NOTE] +==== +In case the default permissions are insufficient for your administrative requirements, you can create a custom admin role with the required permission policies. +==== + +REST API:: +Configure roles and policies xref:managing-authorizations-by-using-the-web-ui[by using the {product-short} Web UI] or by using the REST API. + +CSV file:: +Configure roles and policies by using external CSV files. + +Legacy:: +The legacy source applies to policies and roles defined before RBAC backend plugin version `2.1.3`, and is the least restrictive among the source location options. ++ +IMPORTANT: Replace the permissions and roles using the legacy source with the permissions using the REST API or the CSV file sources. + +.Procedure +* To determine the source of a role or policy, use a `GET` request.
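Review bot: In the assembly hunk (assemblies/assembly-configuring-authorization-in-rhdh.adoc), the new step "You define your roles and policies by combining the following methods" reads as if any role or policy can be changed through any of the three methods, while the module added in this same patch states that each permission policy and role is associated with one unique source and that only this source can be used to change it. Suggest stating that constraint in the step, or pointing from the step to the new module. The third bullet, "edits external files", should say CSV files so that it matches the "CSV file" source named in the module. The unchanged intro sentence just above the list still says policies are defined "rather than editing the CSV directly", which now sits awkwardly next to a bullet that tells the administrator to edit external files; reword one of the two.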
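Review bot: In the new module (modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc), the only procedure step, "To determine the source of a role or policy, use a `GET` request", names no endpoint and does not say where in the response the source appears, so the reader cannot carry it out. Suggest adding the request path and a sample response, or an xref to the REST API procedure that documents them. Under "Legacy", the phrase "the least restrictive among the source location options" does not say what is less restricted; because the IMPORTANT line asks readers to migrate away from this source, state what a legacy-sourced policy or role permits that the other sources do not. That IMPORTANT line also says "permissions and roles" for what is replaced but only "permissions" for the replacement, which should be made consistent. The anchor id `proc-determining-policy-and-role-source` differs from the file name; align them unless the shorter id is intentional.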