[release-1.3] RHIDP-3972 RHIDP-3973 Enabling and giving access to the Role-Based Access Control (RBAC) feature (redhat-developer#671)

Co-authored-by: Dominika Zemanovicova <[email protected]>
Co-authored-by: jmagak <[email protected]>
Co-authored-by: Heena Manwani <[email protected]>
Co-authored-by: Fabrice Flore-Thébault <[email protected]>

Author: 5 people

assemblies/assembly-configuring-authorization-in-rhdh.adoc

@@ -4,13 +4,13 @@
 include::modules/authorization/con-rbac-overview.adoc[leveloffset=+1]
 
 
-include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
+include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1]
 
 
-include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2]
+include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
 
 
-include::modules/authorization/con-rbac-config-permission-policies-admin.adoc[leveloffset=+3]
+include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2]
 
 
 include::modules/authorization/con-rbac-config-permission-policies-external-file.adoc[leveloffset=+3]

modules/authorization/con-rbac-config-permission-policies-admin.adoc

@@ -0,0 +1,53 @@
+[id='enabling-and-giving-access-to-rbac']
+= Enabling and giving access to the Role-Based Access Control (RBAC) feature
+
+The Role-Based Access Control (RBAC) feature is disabled by default.
+Enable the RBAC plugin and declare policy administrators to start using RBAC features.
+
+The permission policies for users and groups in the {product-short} are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API.
+
+.Prerequisites
+* You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it.
+* You have link:{authentication-book-title}[enabled an authentication provider].
+
+.Procedure
+. The RBAC plugin is installed but disabled by default.
+To enable the  `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with the following content.
++
+.`dynamic-plugins.yaml` fragment
+[source,yaml]
+----
+plugins:
+  - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac
+    disabled: false
+----
++
+See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}].
+
+. Declare policy administrators to enable a select number of authenticated users to configure RBAC policies through the REST API or Web UI, instead of modifying the CSV file directly.
+The permissions can be specified in a separate CSV file referenced in the `app-config-rhdh` ConfigMap, or permissions can be created using the REST API or Web UI.
++
+To declare users such as _<your_policy_administrator_name>_ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following code to the `app-config-rhdh.yaml` content:
++
+.`app-config.yaml` fragment
+[source,yaml,subs=+quotes]
+----
+permission:
+  enabled: true
+  rbac:
+    admin:
+      users:
+        - name: user:default/__<your_policy_administrator_name>__
+----
+
+.Verification
+. Sign out from the existing {product} session and log in again using the declared policy administrator account.
+. With RBAC enabled, most features are disabled by default.
+.. Navigate to the *Catalog* page in {product-very-short}.
+The *Create* button is not visible.
+You cannot create new components.
+.. Navigate to the API page.
+The *Register* button is not visible.
+
+.Next steps
+* Explicitly enable permissions to resources in {product-short}.