`manage show-minimum-rbac`

Show the minimum role-based access control (RBAC) for the components that you plan to install.

Extended description

If you don't want to give an instance administrator the default admin role on the projects that are associated with an instance of IBM® Software Hub, you can use the show-minimum-rbac command to show the minimum role-based access control (RBAC) for the components that you plan to install.

The show-minimum-rbac command provides an alternative method for authorizing an user to act as an instance administrator. However, this method is recommended only if you are not willing to grant the roles described in Authorizing a user to act as an IBM Software Hub instance administrator.

Important: The show-minimum-rbac method requires substantial planning and maintenance:

You must run this command based on the services that you plan to install in an instance. For example:
- Instance 1 will include IBM Knowledge Catalog, Data Privacy, AI Factsheets, Watson Studio, and SPSS Modeler
- Instance 2 will include IBM Knowledge Catalog, Data Privacy, Watson Studio, RStudio® Server Runtimes
In this scenario, the minimum RBAC requirements for each instance are different because the services that you plan to install in the instances are different.
You must run this command based on the version of IBM Software Hub that you are installing. A service might introduce a new resource at any time, so you must run the command based on the version that you want to install to ensure that the instance administrator has sufficient permissions on the instance.
When you want to upgrade an instance, you must re-run the command based on the version that you want to upgrade to.

Restriction: Not all services provide their minimum RBAC requirements. If a service that you plan to install does not provide this information, you must work with IBM Software Support to obtain this information.

This command generates the following YAML files:

${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml

This YAML file defines the minimum privileges that an instance administrator must have to create, modify, and view the Kubernetes and Red Hat® OpenShift® Container Platform resources that are associated with an instance of IBM Software Hub.

You can use this file to create the ${ROLE_NAME}-cpd-instance-admin role.

${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml

This YAML file defines the minimum privileges that am instance administrator must have to install, modify, and view the custom resources that are associated with an instance of IBM Software Hub.

The list of custom resources in the YAML file depends on the components that you plan to install in the instance.

You can use this file to create the ${ROLE_NAME}-cpd-instance-crs role.

nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml

This YAML file defines the minimum privileges that the NamespaceScope operator must have to manage the projects associated with an instance of IBM Software Hub.

The role does not contain any wildcard characters.

The role must be applied to all projects that are associated with the instance.

The list of resources depends on the components that you plan to install in the instance.

You can use this file to create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role.

The YAML files are saved to the work directory.

For more information on using these commands to create roles in the appropriate projects, see:

Syntax

cpd-cli manage show-minimum-rbac \
--components=<comma-separated-list-of-component-names> \
--release=<version> \
[--role_name=<role-name>] \
[--cpd_operator_ns=<project-name>]

Arguments

The show-minimum-rbac command has no arguments.

Options

Option	Description
`--components`	A comma-separated list of the components that you want to install or upgrade. Status Required. Syntax `--components=<comma-separated-list-of-component-names>` Default value There is no default value. The list depends on which components you want to install or upgrade. Valid values For the list of components, see Component IDs. You can specify individual components or a comma-separated list of components.
`--cpd_operator_ns`	The project where you want to install the operators for this instance of IBM Software Hub. Status Optional. Use this option if you need to generate the role for the `NamespaceScope` operator. Syntax `--cpd_operator_ns=<project-name>` Default value There is no default value. Valid values The project where you want to install the operators for this instance of IBM Software Hub.
`--release`	The release that you want to install or upgrade to. Status Required. Syntax `--release=<version>` Default value No default. You must specify the release. Valid values 5.2.0 5.2.1 5.2.2
`--role_name`	The unique name to use to identify the role. The value is used as a prefix for the YAML files and for the roles defined in the YAML files. Status Optional. Use this option if you need to generate roles for different components or roles for different instances of IBM Software Hub. Syntax `--role_name=<role-name>` Default value `minimum-privileges` Valid values A unique identifier for the role. The name must meet the following requirements: Start with an alphanumeric character Contain only alphanumeric characters and dashes (-) Be a maximum of 20 characters

Examples

Note: The following example uses the recommended installation environment variables.

It is strongly recommended that you use a script to create environment variables with the correct values for your environment. For details, see Setting up installation environment variables.

Create the YAML files that define the minimum role-based access control for the specified components at the specified release

cpd-cli manage show-minimum-rbac \
--components=${COMPONENTS} \
--release=${VERSION} \
--role_name=${ROLE_NAME}