Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 7. Delegating role-based access controls (RBAC) access in Red Hat Developer Hub

An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to other individuals in the organization. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. This approach allows team leads to manage access and permissions for their own teams independently, while administrators maintain global oversight.

In Red Hat Developer Hub, you can delegate RBAC access using the multitenancy feature of the RBAC plugin, specifically the IS_OWNER conditional rule. You can either use the web UI or the RBAC backend API, depending on your preferred workflow and level of automation:

  • Use the web UI to create roles, assign users or groups, define permissions, and apply ownership conditions through an intuitive interface.
  • Use the API for a more flexible and automatable approach, where you can programmatically manage roles, permissions, and ownership conditions using authenticated curl requests.

By delegating RBAC access through either method, you can expect the following outcomes:

  • Team leads can manage RBAC settings for their teams independently.
  • Visibility of other users' or teams' permissions is restricted.
  • Administrators retain overarching control while delegating team-specific access.

Prerequisites

  • Your RHDH instance is running with the RBAC plugin installed and configured.
  • You have administrative access to RHDH.

You can delegate the RBAC access in Red Hat Developer Hub by using the web UI.

Procedure

  1. Log in to your RHDH instance with administrator credentials.
  2. Navigate to Administration RBAC.
  3. Click Create Role and define a new role for team leads, such as role:default/team_lead.
  4. In the Members section, add the user or group, such as user:default/team_lead.

  5. Grant permissions required by team leads, such as:

    • policy.entity.create to allow policy creation.
    • catalog-entity:read to allow catalog access.

  6. Apply conditions to limit access as follows:

    • Use the IS_OWNER rule to ensure team leads can only manage resources they own.
  7. Click Save to create the role and apply changes.

Verification

  • Log in as a team lead.

  • Verify the following:

    • RBAC UI is accessible.
    • Only users or roles related to their team are visible.
    • No access to roles or permissions outside their scope is granted.

You can delegate the RBAC access in Red Hat Developer Hub by using the RBAC backend API.

Prerequisites

  • You have API access using curl or another tool.

Procedure

  1. Create a new role designated for team leads using the RBAC backend API:

    Example of creating a new role for the team lead using the RBAC backend API

    curl -X POST 'http://localhost:7007/api/permission/roles' \
--header "Authorization: Bearer $ADMIN_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "memberReferences": ["user:default/team_lead"],
  "name": "role:default/team_lead",
  "metadata": {
    "description": "This is an example team lead role"
  }
}'
    Copy to Clipboard Toggle word wrap

  2. Allow team leads to read catalog entities and create permissions in the RBAC plugin using the following API request:

    Example of granting the team lead role permission to create RBAC policies and read catalog entities

    curl -X POST 'http://localhost:7007/api/permission/policies' \
--header "Authorization: Bearer $ADMIN_TOKEN" \
--header "Content-Type: application/json" \
--data '[
  {
    "entityReference": "role:default/team_lead",
    "permission": "policy.entity.create",
    "policy": "create",
    "effect": "allow"
  },
  {
    "entityReference": "role:default/team_lead",
    "permission": "catalog-entity",
    "policy": "read",
    "effect": "allow"
  }
]'
    Copy to Clipboard Toggle word wrap

  3. To ensure team leads can only manage what they own, use the IS_OWNER conditional rule as follows:

    Example curl of applying a conditional access policy using the IS_OWNER rule for the team lead role

    curl -X POST 'http://localhost:7007/api/permission/roles/conditions' \
--header "Authorization: Bearer $ADMIN_TOKEN" \
--header "Content-Type: application/json" \
--data '{
 "result": "CONDITIONAL",
 "pluginId": "permission",
 "resourceType": "policy-entity",
 "conditions": {
   "rule": "IS_OWNER",
   "resourceType": "policy-entity",
   "params": {
     "owners": [
       "user:default/team_lead"
     ]
   }
 },
 "roleEntityRef": "role:default/team_lead",
 "permissionMapping": [
   "read",
   "update",
   "delete"
 ]
}'
    Copy to Clipboard Toggle word wrap

    The previous example of conditional policy limits visibility and control to only owned roles and policies.

  4. Log in to RHDH as team lead and verify the following:

    1. Use the following request and verify that you do not see any roles:

      Example curl to retrieve roles visible to the team lead

      curl -X GET 'http://localhost:7007/api/permission/roles' \
--header "Authorization: Bearer $TEAM_LEAD_TOKEN"
      Copy to Clipboard Toggle word wrap

    2. Use the following request to create a new role for their team:

      Example curl of team lead creating a new role for their team with ownership assigned

      curl -X POST 'http://localhost:7007/api/permission/roles' \
--header "Authorization: Bearer $TEAM_LEAD_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "memberReferences": ["user:default/team_member"],
  "name": "role:default/team_a",
  "metadata": {
    "description": "This is an example team_a role",
    "owner": "user:default/team_lead"
  }
}'
      Copy to Clipboard Toggle word wrap

      Note

      You can set the ownership during creation, but you can also update the ownership at any time.

    3. Use the following request to assign a permission policy to the new role:

      Example curl for granting read access to catalog entities for the new role

      curl -X POST 'http://localhost:7007/api/permission/policies' \
--header "Authorization: Bearer $ADMIN_TOKEN" \
--header "Content-Type: application/json" \
--data '[
  {
    "entityReference": "role:default/team_a",
    "permission": "catalog-entity",
    "policy": "read",
    "effect": "allow"
  }
]'
      Copy to Clipboard Toggle word wrap

    4. Use the following request to verify that only team-owned roles and policies are visible:

      Example curl to retrieve roles and permission policies visible to the team lead

      curl -X GET 'http://localhost:7007/api/permission/roles' \
--header "Authorization: Bearer $TEAM_LEAD_TOKEN"

curl -X GET 'http://localhost:7007/api/permission/policies' \
--header "Authorization: Bearer $TEAM_LEAD_TOKEN"
      Copy to Clipboard Toggle word wrap

Verification

  • Log in as a team lead and verify the following:

    • The RBAC UI is accessible.
    • Only the assigned users or group is visible.
    • Permissions outside the scoped team are not viewable or editable.
  • Log in as an administrator and verify that you retain full visibility and control.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat