Chapter 7. Delegating role-based access controls (RBAC) access in Red Hat Developer Hub
An enterprise customer requires the ability to delegate role-based access control (RBAC) responsibilities to other individuals in the organization. In this scenario, you, as the administrator, can provide access to the RBAC plugin specifically to designated users, such as team leads. Each team lead is then able to manage permissions exclusively for users within their respective team or department, without visibility into or control over permissions outside their assigned scope. This approach allows team leads to manage access and permissions for their own teams independently, while administrators maintain global oversight.
In Red Hat Developer Hub, you can delegate RBAC access using the multitenancy feature of the RBAC plugin, specifically the IS_OWNER conditional rule. You can either use the web UI or the RBAC backend API, depending on your preferred workflow and level of automation:
- Use the web UI to create roles, assign users or groups, define permissions, and apply ownership conditions through an intuitive interface.
- Use the API for a more flexible and automatable approach, where you can programmatically manage roles, permissions, and ownership conditions using authenticated curl requests.
By delegating RBAC access through either method, you can expect the following outcomes:
- Team leads can manage RBAC settings for their teams independently.
- Visibility of other users' or teams' permissions is restricted.
- Administrators retain overarching control while delegating team-specific access.
Prerequisites
- Your RHDH instance is running with the RBAC plugin installed and configured.
- You have administrative access to RHDH.
7.1. Delegating RBAC access in Red Hat Developer Hub by using the web UI
You can delegate the RBAC access in Red Hat Developer Hub by using the web UI.
Procedure
- Log in to your RHDH instance with administrator credentials.
- Navigate to Administration > RBAC.
- Click Create Role and define a new role for team leads, such as role:default/team_lead.
- In the Members section, add the user or group, such as user:default/team_lead.
- Grant the permissions required by team leads, such as:
  - policy.entity.create, to allow policy creation.
  - catalog-entity:read, to allow catalog access.
- Apply conditions to limit access as follows:
  - Use the IS_OWNER rule to ensure team leads can only manage resources they own. Read, update, and delete are scoped to owned resources; creation stays available so that team leads can add roles and policies for their own team.
  - Use the
- Click Save to create the role and apply changes.
Verification
- Log in as a team lead and verify the following:
- RBAC UI is accessible.
- Only users or roles related to their team are visible.
- No access to roles or permissions outside their scope is granted.
7.2. Delegating RBAC access in Red Hat Developer Hub by using API
You can delegate the RBAC access in Red Hat Developer Hub by using the RBAC backend API.
Prerequisites
- You have API access using curl or another tool.
Procedure
- Create a new role designated for team leads using the RBAC backend API:

  Example of creating a new role for the team lead using the RBAC backend API

  curl -X POST 'http://localhost:7007/api/permission/roles' \
    --header "Authorization: Bearer $ADMIN_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "memberReferences": ["user:default/team_lead"],
      "name": "role:default/team_lead",
      "metadata": { "description": "This is an example team lead role" }
    }'

- Allow team leads to read catalog entities and create permission policies in the RBAC plugin using the following API request:

  Example of granting the team lead role permission to create RBAC policies and read catalog entities

  curl -X POST 'http://localhost:7007/api/permission/policies' \
    --header "Authorization: Bearer $ADMIN_TOKEN" \
    --header "Content-Type: application/json" \
    --data '[
      { "entityReference": "role:default/team_lead", "permission": "policy.entity.create", "policy": "create", "effect": "allow" },
      { "entityReference": "role:default/team_lead", "permission": "catalog-entity", "policy": "read", "effect": "allow" }
    ]'

- To ensure team leads can only manage what they own, apply the IS_OWNER conditional rule as follows:

  Example curl of applying a conditional access policy using the IS_OWNER rule for the team lead role

  curl -X POST 'http://localhost:7007/api/permission/roles/conditions' \
    --header "Authorization: Bearer $ADMIN_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "result": "CONDITIONAL",
      "pluginId": "permission",
      "resourceType": "policy-entity",
      "conditions": {
        "rule": "IS_OWNER",
        "resourceType": "policy-entity",
        "params": { "owners": [ "user:default/team_lead" ] }
      },
      "roleEntityRef": "role:default/team_lead",
      "permissionMapping": [ "read", "update", "delete" ]
    }'

  The previous conditional policy limits visibility and control to roles and policies owned by user:default/team_lead. Its permissionMapping covers read, update, and delete only; create was granted unconditionally in the previous step, so the team lead can still create roles and policies, which become visible to them once ownership is set.

- Log in to RHDH as the team lead and verify the following:
  - Use the following request and verify that you do not see any roles. The team lead does not yet own any role, so the list is empty:

    Example curl to retrieve roles visible to the team lead

    curl -X GET 'http://localhost:7007/api/permission/roles' \
      --header "Authorization: Bearer $TEAM_LEAD_TOKEN"

  - Use the following request to create a new role for their team, assigning ownership to the team lead:

    Example curl of team lead creating a new role for their team with ownership assigned

    curl -X POST 'http://localhost:7007/api/permission/roles' \
      --header "Authorization: Bearer $TEAM_LEAD_TOKEN" \
      --header "Content-Type: application/json" \
      --data '{
        "memberReferences": ["user:default/team_member"],
        "name": "role:default/team_a",
        "metadata": {
          "description": "This is an example team_a role",
          "owner": "user:default/team_lead"
        }
      }'

    Note: You can set the ownership during creation, but you can also update the ownership at any time.

  - Use the following request to assign a permission policy to the new role:

    Example curl for granting read access to catalog entities for the new role

    curl -X POST 'http://localhost:7007/api/permission/policies' \
      --header "Authorization: Bearer $ADMIN_TOKEN" \
      --header "Content-Type: application/json" \
      --data '[
        { "entityReference": "role:default/team_a", "permission": "catalog-entity", "policy": "read", "effect": "allow" }
      ]'

  - Use the following requests to verify that only team-owned roles and policies are visible:

    Example curl to retrieve roles and permission policies visible to the team lead

    curl -X GET 'http://localhost:7007/api/permission/roles' \
      --header "Authorization: Bearer $TEAM_LEAD_TOKEN"

    curl -X GET 'http://localhost:7007/api/permission/policies' \
      --header "Authorization: Bearer $TEAM_LEAD_TOKEN"
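The API procedure above is a sequence of hand-typed curl calls, and its verification step is a manual check that nothing outside the team lead's ownership is returned. The following script is an added example, not code from the Red Hat Developer Hub documentation or project: it builds the same three admin payloads (role, policies, IS_OWNER condition) as functions, and adds a scope check that takes what the team lead gets back from GET /api/permission/roles and GET /api/permission/policies and lists anything they should not be able to see. The environment variable names RHDH_URL, ADMIN_TOKEN and TEAM_LEAD_TOKEN are this script's own convention, and the assumption that each role carries its owner in metadata.owner and that each policy object has entityReference, permission, policy and effect keys is taken from the request bodies shown in this chapter, not from a documented response schema. The sample responses embedded in the script are constructed for the check to run offline.

```python
"""Delegated RBAC set-up and scope check against the RHDH RBAC backend API.

Added example, not code from the Red Hat Developer Hub documentation or project.
Assumptions (not stated on the page): env-var names RHDH_URL, ADMIN_TOKEN and
TEAM_LEAD_TOKEN; GET /api/permission/roles returns each role with a
metadata.owner field; GET /api/permission/policies returns objects with the
entityReference, permission, policy and effect keys used in the POST bodies.
"""
import json
import os
import urllib.request
from typing import Any

PERMISSION_API = "/api/permission"


def team_lead_role_payload(role: str, members: list[str], description: str) -> dict:
    """Body for POST /roles: the admin-created role that carries delegated rights."""
    return {"memberReferences": members, "name": role,
            "metadata": {"description": description}}


def team_lead_policies_payload(role: str) -> list[dict]:
    """Body for POST /policies: policy creation plus catalog read for the role."""
    return [
        {"entityReference": role, "permission": "policy.entity.create",
         "policy": "create", "effect": "allow"},
        {"entityReference": role, "permission": "catalog-entity",
         "policy": "read", "effect": "allow"},
    ]


def is_owner_condition_payload(role: str, owners: list[str]) -> dict:
    """Body for POST /roles/conditions: restrict read/update/delete on
    policy-entity resources to those owned by one of `owners`. Create stays
    unconditional (granted above), so the team lead can still add owned roles."""
    return {
        "result": "CONDITIONAL",
        "pluginId": "permission",
        "resourceType": "policy-entity",
        "conditions": {"rule": "IS_OWNER", "resourceType": "policy-entity",
                       "params": {"owners": owners}},
        "roleEntityRef": role,
        "permissionMapping": ["read", "update", "delete"],
    }


def out_of_scope(roles: list[dict], policies: list[dict], owners: set[str]) -> list[str]:
    """Return what a delegated user can see but should not.

    A role is in scope only when its metadata.owner is one of `owners`; a policy
    is in scope only when it targets an in-scope role. For a correctly scoped
    team lead the result is empty, which is the negative check the verification
    steps describe.
    """
    in_scope = {r["name"] for r in roles
                if r.get("metadata", {}).get("owner") in owners}
    leaks = [r["name"] for r in roles if r["name"] not in in_scope]
    leaks += [f'{p["entityReference"]} {p["permission"]}:{p["policy"]}'
              for p in policies if p["entityReference"] not in in_scope]
    return leaks


def api_call(base_url: str, token: str, path: str,
             method: str = "GET", body: Any = None) -> Any:
    """Minimal authenticated JSON call; mirrors the curl requests in this chapter."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + PERMISSION_API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


# Constructed sample of what a team lead might get back from GET /roles and
# GET /policies if the IS_OWNER condition were missing or misconfigured.
SAMPLE_ROLES = [
    {"name": "role:default/team_a", "memberReferences": ["user:default/team_member"],
     "metadata": {"owner": "user:default/team_lead"}},
    {"name": "role:default/platform_admins", "memberReferences": ["user:default/other_lead"],
     "metadata": {"owner": "user:default/other_lead"}},
]
SAMPLE_POLICIES = [
    {"entityReference": "role:default/team_a", "permission": "catalog-entity",
     "policy": "read", "effect": "allow"},
    {"entityReference": "role:default/platform_admins", "permission": "catalog-entity",
     "policy": "delete", "effect": "allow"},
]


def demo_scope_check() -> list[str]:
    """Run the scope check on the constructed sample as user:default/team_lead."""
    return out_of_scope(SAMPLE_ROLES, SAMPLE_POLICIES, {"user:default/team_lead"})


def main() -> None:
    base, admin, lead = (os.environ[k] for k in ("RHDH_URL", "ADMIN_TOKEN", "TEAM_LEAD_TOKEN"))
    role, lead_ref = "role:default/team_lead", "user:default/team_lead"
    api_call(base, admin, "/roles", "POST",
             team_lead_role_payload(role, [lead_ref], "This is an example team lead role"))
    api_call(base, admin, "/policies", "POST", team_lead_policies_payload(role))
    api_call(base, admin, "/roles/conditions", "POST", is_owner_condition_payload(role, [lead_ref]))
    # Negative check from the team lead's side: nothing outside their ownership may show up.
    leaks = out_of_scope(api_call(base, lead, "/roles") or [],
                         api_call(base, lead, "/policies") or [], {lead_ref})
    print("scope violations:", leaks or "none")


if __name__ == "__main__":
    print("sample scope violations:", demo_scope_check())
    main()
```

Run it with RHDH_URL, ADMIN_TOKEN and TEAM_LEAD_TOKEN set to reproduce the procedure end to end; the constructed sample shows the kind of output to expect from a misconfigured condition, namely the foreign role and its policy listed as violations. The check deliberately treats any role without an owner in the allowed set as a leak, so the unowned role:default/team_lead itself counts as a violation if it ever appears in the team lead's listing.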
Verification
- Log in as a team lead and verify the following:
  - The RBAC UI is accessible.
  - Only the assigned users or groups are visible.
  - Permissions outside the scoped team are not viewable or editable.
- Log in as an administrator and verify that you retain full visibility and control.