Roles and permissions

When you add a user or a group to your Cloud Pak, you must specify the role that they have. The predefined roles and permissions that are defined by the Platform UI can be viewed in Predefined roles and permissions.

Automation foundation uses a ClusterRole resource with get, list, and watch permissions for the storage classes in your cluster.

Cluster role for storage classes

The cluster role is used to automatically find usable storage classes in the cluster. Following is an example of the ClusterRole resource definition:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ibm-automation-core.v1.3.12-7c5b8bb854
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses

User roles defined by IBM® Automation foundation

Automation foundation creates only the user roles; the default permissions for these roles are not defined. A Cloud Pak that is deployed in an OpenShift cluster must extend these predefined roles and add its own permissions to them.

Automation foundation creates the following high-level roles.

Role                      Default permissions              Service contributing permissions   Service creating the role
Automation Administrator  No default permissions defined   IBM Cloud Paks for Automation      Automation foundation
Automation Analyst        No default permissions defined   IBM Cloud Paks for Automation      Automation foundation
Automation Developer      No default permissions defined   IBM Cloud Paks for Automation      Automation foundation
Automation Operator       No default permissions defined   IBM Cloud Paks for Automation      Automation foundation

Extensions for the high-level roles

One set of OpenShift ConfigMaps deploys the Platform UI extensions that create the Cloud Pak permissions, and a separate set of ConfigMaps extends the Automation foundation base roles with those permissions.

The following YAML snippet is an example of a ConfigMap that defines Cloud Pak permissions.

apiVersion: v1
kind: ConfigMap
metadata:
  name: <your-cloudpak>-permission-extns
  labels:
    icpdata_addon: "true"
    icpdata_addon_version: "1.0"
data:
  extensions: |
    [
      {
        "extension_point_id": "zen_permissions",
        "extension_name": "<your-permission-name-1>",
        "display_name": "<your-permission-display-name-1>",
        "match_permissions": "",
        "match_instance_id": "",
        "match_instance_role": "",
        "meta": {},
        "details": {
          "key": "<your-permission-name-1>",
          "category": "<your-cloudpak>",
          "description": [
            "<your-permission-description-1>"
          ]
        }
      },
      {
        "extension_point_id": "zen_permissions",
        "extension_name": "<your-permission-name-2>",
        "display_name": "<your-permission-display-name-2>",
        "match_permissions": "",
        "match_instance_id": "",
        "match_instance_role": "",
        "meta": {},
        "details": {
          "key": "<your-permission-name-2>",
          "category": "<your-cloudpak>",
          "description": [
            "<your-permission-description-2>"
          ]
        }
      }
    ]

You can extend the Automation foundation roles with these permissions by using a YAML file as shown in the following snippet.

apiVersion: v1
kind: ConfigMap
metadata:
  name: <your-cloudpak>-role-extns
  labels:
    icpdata_addon: "true"
    icpdata_addon_version: "1.0"
data:
  extensions: |
    [
      {
        "extension_point_id": "zen_user_roles",
        "extension_name": "iaf-automation-admin",
        "display_name": "Automation Administrator",
        "details": {
          "description": "Automation Administrator",
          "permissions": ["<your-permission-name-1>", "<your-permission-name-2>"]
        }
      },
      {
        "extension_point_id": "zen_user_roles",
        "extension_name": "iaf-automation-developer",
        "display_name": "Automation Developer",
        "details": {
          "description": "Automation Developer",
          "permissions": ["<your-permission-name-1>"]
        }
      },
      {
        "extension_point_id": "zen_user_roles",
        "extension_name": "iaf-automation-analyst",
        "display_name": "Automation Analyst",
        "details": {
          "description": "Automation Analyst",
          "permissions": ["<your-permission-name-1>"]
        }
      }
    ]
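A role extension that references a permission key no zen_permissions extension defines is a common reason an applied ConfigMap does not take effect. The following Python script is an added example (not part of this documentation or of Automation foundation) that cross-checks the two extensions payloads shown above; the permission names, display names and category are constructed sample values, and the JSON strings stand in for the data.extensions field of each ConfigMap.

```python
import json

# Constructed sample: the JSON under data.extensions in the
# <your-cloudpak>-permission-extns ConfigMap (two permissions defined).
PERMISSION_EXTENSIONS = json.dumps([
    {"extension_point_id": "zen_permissions", "extension_name": "mycp_view_dashboards",
     "display_name": "View dashboards", "match_permissions": "",
     "match_instance_id": "", "match_instance_role": "", "meta": {},
     "details": {"key": "mycp_view_dashboards", "category": "mycp",
                 "description": ["View dashboards"]}},
    {"extension_point_id": "zen_permissions", "extension_name": "mycp_manage_dashboards",
     "display_name": "Manage dashboards", "match_permissions": "",
     "match_instance_id": "", "match_instance_role": "", "meta": {},
     "details": {"key": "mycp_manage_dashboards", "category": "mycp",
                 "description": ["Create, edit and delete dashboards"]}},
])

# Constructed sample: the JSON under data.extensions in the
# <your-cloudpak>-role-extns ConfigMap. The analyst role references a key
# that was never defined (a typo: "mycp_view_dashboard").
ROLE_EXTENSIONS = json.dumps([
    {"extension_point_id": "zen_user_roles", "extension_name": "iaf-automation-admin",
     "display_name": "Automation Administrator",
     "details": {"description": "Automation Administrator",
                 "permissions": ["mycp_view_dashboards", "mycp_manage_dashboards"]}},
    {"extension_point_id": "zen_user_roles", "extension_name": "iaf-automation-analyst",
     "display_name": "Automation Analyst",
     "details": {"description": "Automation Analyst",
                 "permissions": ["mycp_view_dashboard"]}},
])


def defined_permission_keys(permission_extensions: str) -> set:
    """Return the permission keys declared by zen_permissions extensions."""
    keys = set()
    for ext in json.loads(permission_extensions):
        if ext.get("extension_point_id") == "zen_permissions":
            keys.add(ext["details"]["key"])
    return keys


def undefined_role_permissions(permission_extensions: str, role_extensions: str) -> dict:
    """Map each zen_user_roles extension_name to the permission keys it lists
    that no zen_permissions extension defines. An empty dict means consistent."""
    defined = defined_permission_keys(permission_extensions)
    problems = {}
    for ext in json.loads(role_extensions):
        if ext.get("extension_point_id") != "zen_user_roles":
            continue
        missing = sorted(p for p in ext["details"].get("permissions", []) if p not in defined)
        if missing:
            problems[ext["extension_name"]] = missing
    return problems
```

Run the check against the real payloads (for example, the output of oc get configmap <name> -o jsonpath='{.data.extensions}') before you apply the role ConfigMap, so a dangling reference is caught before the zen-watcher pod has to report it.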

Note:

Troubleshooting

Changes not reflected

Debug issues after you apply a ConfigMap by using the following steps:

  1. Run oc get pods in the namespace where you keep the Platform UI tenant. You see a zen-watcher pod.
  2. Run oc logs <zen-watcher-pod> to see what is causing the error.
  3. Address the problem in one of the following ways:
    • Edit the ConfigMap.
    • Enter oc delete configmap <configmap-yaml> and reapply the ConfigMap that caused the problem.