Managing RBAC in Red Hat Advanced Cluster Security for Kubernetes 3.0.62 and older - Managing user access | Operating | Red Hat Advanced Cluster Security for Kubernetes 3.65

System roles
- Viewing system roles permissions
Custom roles
Configuring minimum access role
Managing access for specific users or groups
Resource definitions

Red Hat Advanced Cluster Security for Kubernetes (RHACS) comes with role-based access control (RBAC) that you can use to configure roles and grant various levels of access to Red Hat Advanced Cluster Security for Kubernetes for different users.

In Red Hat Advanced Cluster Security for Kubernetes 3.63, a scoped access control feature has been added. If you are using Red Hat Advanced Cluster Security for Kubernetes 3.63 or newer, see Managing access control in Red Hat Advanced Cluster Security for Kubernetes 3.63 and newer.

In Red Hat Advanced Cluster Security for Kubernetes 3.0.62 and older, different roles govern access to Red Hat Advanced Cluster Security for Kubernetes resources to prevent unwanted access.

Roles are a collection of rules, which are a group of read and write permissions that a user can perform on a set of resources.
Resources are the functionalities of Red Hat Advanced Cluster Security for Kubernetes for which you can set view (read) and modify (write) permissions. See the Resource definitions section to understand the access level that each permission grants.

System roles

Red Hat Advanced Cluster Security for Kubernetes includes some default system roles that you can apply on users. You can also create custom roles as required.

System role Description

System role	Description
Admin	This role is targeted for administrators. It has `read` and `write` permissions for all resources.
Analyst	This role is targeted for a user who cannot make any changes, but can view everything. It has read-only permissions for all resources.
Continuous Integration	This role is targeted for CI (Continuous Integration) systems and has read-only access to check images and deployment YAML against your policies.
None	This role has no read and write permissions. You can set this role as the minimum access role for all users.
Sensor Creator	Red Hat Advanced Cluster Security for Kubernetes uses this role to automate new cluster setups. You require this role to run the command `roxctl sensor generate` in a new secured cluster.

Admin

This role is targeted for administrators. It has read and write permissions for all resources.

Analyst

This role is targeted for a user who cannot make any changes, but can view everything. It has read-only permissions for all resources.

Continuous Integration

This role is targeted for CI (Continuous Integration) systems and has read-only access to check images and deployment YAML against your policies.

None

This role has no read and write permissions. You can set this role as the minimum access role for all users.

Sensor Creator

Red Hat Advanced Cluster Security for Kubernetes uses this role to automate new cluster setups. You require this role to run the command roxctl sensor generate in a new secured cluster.

Viewing system roles permissions

You can view the permissions for the default system roles.

Procedure

On the RHACS portal, navigate to Platform Configuration → Access control.
Click on the Roles and Permissions tab.
Click on one of the roles to view its associated permissions for each resource.

You cannot modify read and write permissions for the default system roles.

Custom roles

Red Hat Advanced Cluster Security for Kubernetes also allows you to create custom roles. You can create a custom role with one or more permissions and then grant that custom role to users. Creating custom roles enables you to enforce the principle of least privilege (PoLP). You can use these roles to give users or system accounts only those permissions that are essential to performing their intended functions.

Creating a custom role

You can create new roles from the Access Control view.

Prerequisites

You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.

Procedure

On the RHACS portal, navigate to Platform Configuration → Access control.
Click the Roles and Permissions tab.
From the StackRox Roles panel, click Add New Role.
Enter a name for the role in Role Name.

For each resource, under the Edit role column, select one of the permissions from No access, Read access, Read and Write access.

If you are configuring a role for users, you must grant read-only permissions for the following resources:
- Alert
- Cluster
- Deployment
- Image
- NetworkPolicy
- NetworkGraph
- Policy
- Secret
These permissions are pre-selected when you create a new role.
If you do not grant these permissions, users will experience issues viewing pages in the RHACS portal.

Click Save.

Modifying a custom role

From the Access Control view, you can modify permissions for the custom roles that you have created.

Prerequisites

You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.

Procedure

On the RHACS portal, navigate to Platform Configuration → Access control.
Click on the Roles and Permissions tab.
From the StackRox Roles panel, select the name of the role you want to modify.
Click Edit on the role details panel.
Modify permissions as required, and then click Save to save the changes.

You cannot modify read and write permissions for the default system roles.

Deleting a custom role

From the Access Control view, you can delete the custom roles that you have created.

Prerequisites

You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.

Procedure

On the RHACS portal, navigate to Platform Configuration → Access control.
Click on the Roles and Permissions tab.
From the StackRox Roles panel, hover over the name of the role you want to delete and click the Delete icon.

You cannot modify read and write permissions for the default system roles.
When you delete a custom role that has users assigned to it, all associated users transfer to the configured minimum access role.

Configuring minimum access role

You can configure a minimum access role that applies to all new users when they log in to the RHACS portal. To set a minimum access role, you must first configure an authentication provider.

The minimum access role is granted to all users who sign in with the authentication provider you configure.
Set the minimum access role to None if you want to define permissions entirely by using specific rules.

Prerequisites

You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.

Procedure

On the RHACS portal, navigate to Platform Configuration → Access control.
Under Auth Providers, select the authentication provider for which you want to configure the minimum access role.
Click Edit Provider.
Under section 2 Assign StackRox roles to your <auth_provider> users, select one of the roles from Minimum access role.
Click Save.

Managing access for specific users or groups

In addition to setting up a Minimum access role, you can create rules that govern access to Red Hat Advanced Cluster Security for Kubernetes resources. You can create and apply these rules based on the metadata keys and values you set up in your authentication provider.

The metadata keys are always dependent upon the configurations in your authentication provider. For example:

Allowed metadata keys for OpenID Connect (OIDC) are only:
- name
- email
- uid
- groups
However, for Security Assertion Markup Language (SAML) based authentication providers, there are no restrictions and you can define custom attributes as metadata keys.

Prerequisites

You must have the Admin role, or read and write permissions for the AuthProvider and Role resources to create, modify, and delete custom roles.

Procedure

On the RHACS portal, navigate to Platform Configuration → Access control.
Under Auth Providers, select the authentication provider for which you want to configure user roles.
Click Edit Provider.
Under section 2 Assign StackRox roles to your <auth_provider> users, click on Add New Rule.
Click on the Key to which this role applies.
Select a Value for the key.
Select the Role you want to assign to users matching the specified key and value.
Click Save.

You can add more than one rule using these steps.
When you select a Value, only users who accessed the system before using that value appear as an option. You can type in custom values for users who did not log in yet.
If a user matches to more than one of the defined rules, the user gets permissions from every matching rule.

Resource definitions

Red Hat Advanced Cluster Security for Kubernetes includes multiple resources. The following table lists the resources and describes the actions that users can perform with the read or write permission.

Resource Read permission Write permission

Resource	Read permission	Write permission
APIToken	List existing API tokens.	Create new API tokens or revoke existing tokens.
Alert	View existing policy violations.	Resolve or edit policy violations.
AllComments	N/A	Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with `write` permission for the resource you are modifying.
AuthPlugin	View existing Authentication plug-ins	Modify these configurations. (Local administrator only.)
AuthProvider	View existing configurations for single sign-on.	Modify these configurations.
BackupPlugins	View existing integrations with automated backup systems such as AWS S3.	Modify these configurations.
CVE	Internal use only	Internal use only
Cluster	View existing secured clusters.	Add new secured clusters and modify or delete existing clusters.
Compliance	View compliance standards and results.	N/A
ComplianceRunSchedule	View scheduled compliance runs.	Create, modify, or delete scheduled compliance runs.
ComplianceRuns	View recent compliance runs and their completion status.	Trigger compliance runs.
Config	View options for data retention, security notices, and other related configurations.	Modify these configurations.
DebugLogs	View the current logging verbosity level in Red Hat Advanced Cluster Security for Kubernetes components.	Modify the logging level.
Deployment	View deployments (workloads) in secured clusters.	N/A
Detection	Check build-time policies against images or deployment YAML.	N/A
Group	View the existing RBAC rules that match user metadata to Red Hat Advanced Cluster Security for Kubernetes roles.	Create, modify, or delete configured RBAC rules.
Image	View images, their components, and their vulnerabilities.	N/A
ImageComponent	Internal use only	Internal use only
ImageIntegration	List existing image registry integrations.	Create, edit, or delete image registry integrations.
ImbuedLogs	Internal use only	Internal use only
Indicator	View process activity in deployments.	N/A
K8sRole	View roles for Kubernetes role-based access control in secured clusters.	N/A
K8sRoleBinding	View role bindings for Kubernetes role-based access control in secured clusters.	N/A
K8sSubject	View users and groups for Kubernetes role-based access control in secured clusters.	N/A
Licenses	View the status of the existing license for Red Hat Advanced Cluster Security for Kubernetes.	Upload a new license key.
Namespace	View existing Kubernetes namespaces in secured clusters.	N/A
NetworkGraph	View active and allowed network connections in secured clusters.	N/A
NetworkPolicy	View existing network policies in secured clusters and simulate changes.	Apply network policy changes in secured clusters.
Node	View existing Kubernetes nodes in secured clusters.	N/A
Notifier	View existing integrations for notification systems like email, Jira, or webhooks.	Create, modify, or delete these integrations.
Policy	View existing system policies.	Create, modify, or delete system policies.
ProbeUpload	Read manifests for the uploaded probe files.	Upload support packages to Central.
ProcessWhitelist	View process baselines.	Add or remove processes from baselines.
Risk	View Risk results.	N/A
Role	View existing Red Hat Advanced Cluster Security for Kubernetes RBAC roles and their permissions.	Add, modify, or delete roles and their permissions.
ScannerBundle	Download the scanner bundle.	N/A
ScannerDefinitions	List existing image scanner integrations.	Create, modify, or delete image scanner integrations.
Secret	View metadata about secrets in secured clusters.	N/A
SensorUpgradeConfig	Check the status of automatic upgrades.	Disable or enable automatic upgrades for secured clusters.
ServiceAccount	List Kubernetes service accounts in secured clusters.	N/A
ServiceIdentity	View metadata about Red Hat Advanced Cluster Security for Kubernetes service-to-service authentication.	Revoke or reissue service-to-service authentication credentials.
User	View users that have accessed your Red Hat Advanced Cluster Security for Kubernetes instance, including the metadata that the authentication provider provides about them.	N/A

APIToken

List existing API tokens.

Create new API tokens or revoke existing tokens.

Alert

View existing policy violations.

Resolve or edit policy violations.

AllComments

N/A

Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with write permission for the resource you are modifying.

AuthPlugin

View existing Authentication plug-ins

Modify these configurations. (Local administrator only.)

AuthProvider

View existing configurations for single sign-on.

Modify these configurations.

BackupPlugins

View existing integrations with automated backup systems such as AWS S3.

Modify these configurations.

CVE

Internal use only

Cluster

View existing secured clusters.

Add new secured clusters and modify or delete existing clusters.

Compliance

View compliance standards and results.

N/A

ComplianceRunSchedule

View scheduled compliance runs.

Create, modify, or delete scheduled compliance runs.

ComplianceRuns

View recent compliance runs and their completion status.

Trigger compliance runs.

Config

View options for data retention, security notices, and other related configurations.

Modify these configurations.

DebugLogs

View the current logging verbosity level in Red Hat Advanced Cluster Security for Kubernetes components.

Modify the logging level.

Deployment

View deployments (workloads) in secured clusters.

N/A

Detection

Check build-time policies against images or deployment YAML.

N/A

Group

View the existing RBAC rules that match user metadata to Red Hat Advanced Cluster Security for Kubernetes roles.

Create, modify, or delete configured RBAC rules.

Image

View images, their components, and their vulnerabilities.

N/A

ImageComponent

Internal use only

ImageIntegration

List existing image registry integrations.

Create, edit, or delete image registry integrations.

ImbuedLogs

Internal use only

Indicator

View process activity in deployments.

N/A

K8sRole

View roles for Kubernetes role-based access control in secured clusters.

N/A

K8sRoleBinding

View role bindings for Kubernetes role-based access control in secured clusters.

N/A

K8sSubject

View users and groups for Kubernetes role-based access control in secured clusters.

N/A

Licenses

View the status of the existing license for Red Hat Advanced Cluster Security for Kubernetes.

Upload a new license key.

Namespace

View existing Kubernetes namespaces in secured clusters.

N/A

NetworkGraph

View active and allowed network connections in secured clusters.

N/A

NetworkPolicy

View existing network policies in secured clusters and simulate changes.

Apply network policy changes in secured clusters.

Node

View existing Kubernetes nodes in secured clusters.

N/A

Notifier

View existing integrations for notification systems like email, Jira, or webhooks.

Create, modify, or delete these integrations.

Policy

View existing system policies.

Create, modify, or delete system policies.

ProbeUpload

Read manifests for the uploaded probe files.

Upload support packages to Central.

ProcessWhitelist

View process baselines.

Add or remove processes from baselines.

Risk

View Risk results.

N/A

Role

View existing Red Hat Advanced Cluster Security for Kubernetes RBAC roles and their permissions.

Add, modify, or delete roles and their permissions.

ScannerBundle

Download the scanner bundle.

N/A

ScannerDefinitions

List existing image scanner integrations.

Create, modify, or delete image scanner integrations.

Secret

View metadata about secrets in secured clusters.

N/A

SensorUpgradeConfig

Check the status of automatic upgrades.

Disable or enable automatic upgrades for secured clusters.

ServiceAccount

List Kubernetes service accounts in secured clusters.

N/A

ServiceIdentity

View metadata about Red Hat Advanced Cluster Security for Kubernetes service-to-service authentication.

Revoke or reissue service-to-service authentication credentials.

User

View users that have accessed your Red Hat Advanced Cluster Security for Kubernetes instance, including the metadata that the authentication provider provides about them.

N/A