RHIDP-4896 Determining the permission policy configuration source (redhat-developer#705)

themr0c · jmagak · web-flow · commit 00dc6f76d0d0 · 2024-11-22T15:11:03.000+01:00
Co-authored-by: jmagak &lt;124673476+jmagak@users.noreply.github.com&gt;
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -16,20 +16,22 @@ the {product-short} RBAC feature allows you
 to define policies in a declarative fashion using a simple CSV based format.
 You can define the policies by using {product-short} web interface or REST API, rather than editing the CSV directly.
 
-To apply RBAC in {product-short}:
+To define authorizations in {product-short}:
 
-. The {product-short} administrator sets up the RBAC feature:
-.. Enable the RBAC feature
-.. Configure Policy Administrators
+. The {product-short} administrator enables and gives access to the RBAC feature.
 
-. The {product-short} policy administrator configures your RBAC policies:
-.. Define roles with specific permissions
-.. Assign the roles to users and groups
+. You define your roles and policies by combining the following methods:
 
+* The {product-short} policy administrator uses the {product-short} web interface or REST API.
+* The {product-short} administrator edits the main {product-short} configuration file.
+* The {product-short} administrator edits external files.
 
 include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1]
 
 
+include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1]
+
+
 include::assembly-managing-authorizations-by-using-the-rhdh-web-ui.adoc[leveloffset=+1]
 
 
diff --git a/modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc b/modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc
@@ -0,0 +1,33 @@
+[id='proc-determining-policy-and-role-source']
+= Determining permission policy and role configuration source
+
+You can configure {product} policy and roles by using different sources.
+To maintain data consistency, {product-short} associates each permission policy and role with one unique source.
+You can only use this source to change the resource.
+
+The available sources are:
+
+Configuration file::
+Configure roles and policies in the {product-short} `app-config.yaml` configuration file, for instance to xref:enabling-and-giving-access-to-rbac[declare your policy administrators].
++
+The Configuration file pertains to the default `role:default/rbac_admin` role provided by the RBAC plugin.
+The default role has limited permissions to create, read, update, delete permission policies or roles, and to read catalog entities.
++
+[NOTE]
+====
+In case the default permissions are insufficient for your administrative requirements, you can create a custom admin role with the required permission policies.
+====
+
+REST API::
+Configure roles and policies xref:managing-authorizations-by-using-the-web-ui[by using the {product-short} Web UI] or by using the REST API.
+
+CSV file::
+Configure roles and policies by using external CSV files.
+
+Legacy::
+The legacy source applies to policies and roles defined before RBAC backend plugin version `2.1.3`, and is the least restrictive among the source location options.
++
+IMPORTANT: Replace the permissions and roles using the legacy source with the permissions using the REST API or the CSV file sources.
+
+.Procedure
+* To determine the source of a role or policy, use a `GET` request.
