From a01dc187480b55c7d3737c6b529bb6f6c1b005db Mon Sep 17 00:00:00 2001 From: Heena Manwani Date: Wed, 16 Apr 2025 19:58:08 +0530 Subject: [PATCH] RHIDP-6570: Document the permission support to RBAC plugin --- ...bly-configuring-authorization-in-rhdh.adoc | 1 + .../proc-delegating-rbac-access.adoc | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 modules/authorization/proc-delegating-rbac-access.adoc diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 8db4efc46e..5cd1939bab 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -43,6 +43,7 @@ include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffs include::assembly-configuring-guest-access-with-rbac-ui.adoc[leveloffset=+1] +include::modules/authorization/proc-delegating-rbac-access.adoc[leveloffset=+1] include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] diff --git a/modules/authorization/proc-delegating-rbac-access.adoc b/modules/authorization/proc-delegating-rbac-access.adoc new file mode 100644 index 0000000000..b3ee2d957c --- /dev/null +++ b/modules/authorization/proc-delegating-rbac-access.adoc 
@@ -0,0 +1,35 @@ +[id='proc-delegating-rbac-access_{context}'] += Delegating role-based access controls (RBAC) access in {product} + +An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to individual team leads. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. + +The expected results of delegating RBAC access are as follows: + +* Team leads can manage RBAC settings for their teams independently. +* Visibility of other users' or teams' permissions is restricted. +* Administrators retain overarching control while delegating team-specific access. + +.Prerequisites +* Your {product-very-short} instance is up and running with RBAC plugin installed and configured. +* You have administrative access to {product-very-short}. + +.Procedure +. In your {product-very-short} instance, navigate to the *Administration -> RBAC* page. +. Create a new role designated for team leads. ++ +For more information about creating a role, see xref:proc-rbac-ui-create-role_title-authorization[Creating a role in the {product} Web UI]. + +. Add the appropriate users or groups to the newly created role. +. Define the necessary permissions for the role based on the tasks the team leads are expected to manage. For example, you can allow team leads to access the RBAC UI and save permission changes for added users or groups. +. Apply access conditions to scope the role’s visibility and control to specific users or groups. For example, you can limit each team lead’s access to only their team. +. Save the changes. + +.Verification +Log in as a team lead and verify the following: + +* The RBAC UI is accessible. +* Only the assigned users or group is visible. 
+* Permissions outside the scoped team are not viewable or editable. + + +
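Review bot: In assemblies/assembly-configuring-authorization-in-rhdh.adoc the new include lands directly before ref-rbac-permission-policies.adoc, yet the procedure it pulls in never points the reader at that reference when step 4 asks them to "Define the necessary permissions for the role". Add an xref from that step to the permission policies reference so the delegation procedure and the list of permissions are connected. Also confirm that this assembly's context is title-authorization, because the module's one xref hard-codes "proc-rbac-ui-create-role_title-authorization" while its own id is declared with "_{context}".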
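Review bot: Steps 4 and 5 of the procedure in modules/authorization/proc-delegating-rbac-access.adoc do not name the permissions to grant or the access condition to apply, so a reader cannot reproduce the scoping that the introduction promises ("without visibility into or control over permissions outside their assigned scope"). State the exact permissions and the condition for the team-lead role, and extend the Verification list with a check that a team lead cannot edit the team-lead role itself or grant permissions beyond those the role holds, since the current checks only cover what lies outside the team's scope. Smaller points: "Only the assigned users or group is visible" needs subject-verb agreement, the title repeats itself ("access controls (RBAC) access"), and the file ends with empty added lines that can be dropped.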