Managing account access in OpenShift Service Registry

As a Service Registry instance owner or instance administrator, or as an organization administrator in the Red Hat Customer Portal, you can manage the level of access that other user accounts and service accounts have to your Service Registry instance. You can grant or remove access to your Service Registry instance for specific user accounts in your organization based on user roles. You can also allow other users or service accounts to manage the level of access to your instance for you.

Service Registry instance owners or instance administrators can manage access for only the Service Registry instances that they create or for instances that the owner has allowed them to access and change. Organization administrators can manage access for all Service Registry instances.

Access management in OpenShift Service Registry

OpenShift Service Registry uses Role-Based Access Control (RBAC) to manage how other user accounts and service accounts access the Service Registry instances that you create and the artifacts that they contain. You can manage access for only the Service Registry instances that you create or for instances that the owner has allowed you to access and change.

An account in OpenShift Service Registry is either a user account or a service account. A user account enables users in your organization to access your Service Registry instances. A service account enables client applications or tools to connect securely to your Service Registry instances.

User roles in OpenShift Service Registry

The Service Registry web console provides an Access tab on the Service Registry instance page. Service Registry instance owners, instance administrators, and organization administrators can use this tab to manage the following user roles:

Administrator

Users with the Administrator role can perform the following tasks in this Service Registry instance:

  • View or write schema and API artifacts

  • Configure user roles for access

  • Configure Service Registry settings

  • Configure global rules for artifact compatibility and validity

  • Import or export Service Registry data

Manager

Users with the Manager role can perform the following tasks in this Service Registry instance:

  • View or write schema and API artifacts

  • Configure content rules at the artifact level

Viewer

Users with the Viewer role can view schema and API artifacts in this Service Registry instance.

Important
The owner of a Service Registry instance has the Administrator role for that instance by default, and can assign roles in the same organization. Other user accounts or service accounts in the organization have no access to that instance by default.

You can use the web console, or the OpenShift Application Services CLI (rhoas) commands, to manage user roles. The core Service Registry REST API also provides Admin API endpoints for managing user roles.
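The role descriptions above can be turned into a least-privilege check on the assignments shown on the Access tab. The following is an added example, not part of the Service Registry documentation or tooling. The capability names, the sample accounts, and the record layout are constructed for illustration, and treating Administrator as a superset of Manager is an assumption.

```python
# Added example: least-privilege audit of role assignments.
# Capabilities follow the role descriptions on this page; the capability
# names and the sample records are constructed for illustration.
ROLE_CAPS = {
    "Viewer": {"view_artifacts"},
    "Manager": {"view_artifacts", "write_artifacts", "artifact_rules"},
    # Assumption: Administrator also covers artifact-level rules, which the
    # page lists only under Manager.
    "Administrator": {"view_artifacts", "write_artifacts", "artifact_rules",
                      "manage_roles", "registry_settings", "global_rules",
                      "import_export"},
}
ORDER = ["Viewer", "Manager", "Administrator"]  # least to most privileged

ASSIGNMENTS = [  # constructed sample data
    {"account": "svc-schema-consumer", "role": "Administrator",
     "needs": {"view_artifacts"}},
    {"account": "svc-ci-publisher", "role": "Manager",
     "needs": {"view_artifacts", "write_artifacts"}},
    {"account": "alice", "role": "Viewer",
     "needs": {"view_artifacts", "artifact_rules"}},
    {"account": "bob", "role": "Manager", "needs": set()},
    {"account": "carol", "role": "Administrator", "needs": {"manage_roles"}},
]

def minimal_role(needs):
    """Return the least-privileged role covering `needs`, or None if none is needed."""
    unknown = set(needs) - ROLE_CAPS["Administrator"]
    if unknown:
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    if not needs:
        return None  # accounts have no access to an instance by default
    return next(r for r in ORDER if set(needs) <= ROLE_CAPS[r])

def audit(assignments):
    """Compare each assigned role with the minimal role for the stated needs."""
    findings = []
    for a in assignments:
        want, have = minimal_role(a["needs"]), a["role"]
        if want is None:
            verdict = "remove"  # a role is assigned but nothing is needed
        elif ORDER.index(have) > ORDER.index(want):
            verdict = "over-privileged"
        elif ORDER.index(have) < ORDER.index(want):
            verdict = "under-privileged"
        else:
            verdict = "ok"
        findings.append((a["account"], have, want, verdict))
    return findings

if __name__ == "__main__":
    for row in audit(ASSIGNMENTS):
        print(row)
```

Accounts flagged as over-privileged or remove are candidates for the edit and remove procedure later on this page.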

Viewing user roles in a Service Registry instance

You can view the user roles assigned to your Service Registry instances to manage how other user accounts or service accounts interact with the instance and the artifacts that it contains. You can view user roles and accounts only for instances that you create or for instances that the owner has assigned you access to.

Prerequisites
Procedure
  1. In the Service Registry web console, click the name of the Service Registry instance that you want to view roles and accounts for.

  2. Click the Access tab to view the roles and accounts assigned for this instance:

    1. To view specific accounts, click Account, enter the user account or service account name, and click the search button.

    2. To view accounts with a specific role, click Role, click Filter by role, and select the role you want (for example, Administrator), and then click the search button.

  3. When you are finished, click Clear all filters.

Assigning user roles in a Service Registry instance

In OpenShift Service Registry, you can assign user roles for your Service Registry instances to manage how other user accounts or service accounts interact with the instance and the artifacts that it contains. You can assign user roles only for instances that you create or for instances that the owner has assigned you access to.

Prerequisites
Procedure
  1. In the Service Registry web console, click the name of the Service Registry instance that you want to assign roles for.

  2. Click the Access tab to view the accounts and roles assigned for this instance.

  3. Click Grant access to assign roles to accounts.

  4. In the Account field, select or enter the service account or user account name that you want to assign the role to:

    • A service account enables your application or tool to connect securely to your instance.

    • A user account enables users in your organization to access instances.

      Note
      If you don’t see users in the list, ask your organization administrator to grant access to view other user accounts. For more information, see Allowing users to view other user accounts.
  5. Select the Role that you want to assign to your account, for example, Manager for write access to this instance.

  6. Click Save.

Editing or removing user roles in a Service Registry instance

You can edit or remove the user roles assigned in your Service Registry instances to manage how other user accounts or service accounts interact with the instance and the artifacts that it contains. You can edit or remove user roles only for the instances that you create or for instances that the owner has assigned you access to.

Prerequisites
Procedure
  1. In the Service Registry web console, click the name of the Service Registry instance that you want to remove a user role for.

  2. Click the Access tab to view the accounts and roles assigned for this instance.

  3. Click the options menu (three vertical dots) next to the assigned Role name:

    1. To change to a different role, click Edit, select the new user role, for example, Viewer for read-only access, and then click Save.

    2. To remove the currently assigned role, click Remove, and then click Remove again to confirm.

Allowing users to view other user accounts

As an organization administrator, you can use Role-Based Access Control (RBAC) in the Application Services Hybrid Cloud Console to allow users to view other users in an organization.

You set up access by assigning a predefined role called User Access principal viewer to a user group. By assigning the role, users in the group can do the following tasks:

  • View and select other users when changing owners and managing access to Service Registry instances in the Service Registry web console.

  • Specify user names when managing Service Registry instances using the rhoas CLI for OpenShift Service Registry.

Prerequisites
Note
If you want to add the User Access principal viewer role to a single user, create a new group for that user only.
Procedure
  1. In the toolbar of the Service Registry web console, select the gear icon.

  2. Click Identity & Access Management > User Access > Groups.

  3. Click the name of the user group.

  4. From the Roles tab, click Add role, and select User Access principal viewer.

  5. Click Add to group.

    The role is also added to the list of selected roles on the Roles tab.