You've just created a Red Hat Customer Portal account to provision a Red Hat OpenShift cluster. If you're new to the Red Hat Customer Portal, you probably have a lot of questions: which other Red Hat portals can you access? How do you manage your registered clusters? What exactly is an Organization Administrator? Which other team members need privileged access? In this blog, we address these questions and more to help you navigate the Red Hat Customer Portal and its role-based access control (RBAC) system, and we explain how it all connects to the Red Hat Hybrid Cloud Console (HCC) and OpenShift Cluster Manager (OCM).
Customer Portal
Your Red Hat Customer Portal account is a critical connection point to important information about your organization's subscriptions, products, and support. It's also the overarching account to other Red Hat portals such as Developer Hub, Hybrid Cloud Console, and more.
Organization Administrator
A Red Hat Organization Administrator, also known as an org admin, is the root user of the Red Hat Customer Portal. It has all possible permissions and is the only role that can manage users and their respective access to the organization's Red Hat account. By default, every org admin is also the admin for other portals, such as the Hybrid Cloud Console. An org admin can create and manage users one at a time, several at a time, or through bulk uploads, and can assign any roles to any user. For additional information on managing users, read common user management questions.
Once a user is added to the Customer Portal, that account exists on every Red Hat hosted website that uses Red Hat single sign-on authentication. A Customer Portal login ID can be configured for two-factor authentication as well as for a third-party identity provider. This configuration applies to any Red Hat website that uses Red Hat single sign-on authentication (sso.redhat.com), including the Customer Portal at access.redhat.com and the Hybrid Cloud Console (console.redhat.com). You can also integrate your application with the Customer Portal using APIs. To determine whether your specific third-party identity provider can be integrated, you will need to reach out to your Red Hat account team.
It is crucial to ensure that each user is granted only the minimum required roles, in line with the best practice of least-privilege access. For example, an OpenShift cluster site reliability engineer who needs to create support cases would require the Manage Support Cases role, and a team lead may need the Manage Your Subscriptions role to manage subscriptions, but neither requires the permissions of the Organization Administrator role.
As a best practice of applying least privileges, the org admin role must be used with discretion, restricted to a few people in the organization at most. Aside from org admin, there are several roles and permissions that can be assigned to Customer Portal accounts. Have transparent conversations with stakeholders within your organization about designating org admins and other roles to each user.
Hybrid Cloud Console
The Red Hat Hybrid Cloud Console (HCC) gives you access to a comprehensive set of services from a single interface. The HCC contains two default groups maintained by Red Hat with predefined roles:
- Default admin access group: All Red Hat Portal Organization Administrators are added to this group by default. Users and roles are not customizable.
- Default access group: This group contains all authenticated users in your organization. It can be modified by adding or removing roles. Upon modification, the group is automatically renamed to Custom default access and is no longer maintained by Red Hat. You can restore the default access group after a custom group has been created.
To reduce administrative complexity, it's recommended that you create additional custom groups with any combination of roles. This allows users to be added or removed from the groups while keeping role permissions intact, allowing for better RBAC management compared to modifying an individual user's role. A list of predefined roles which are not modifiable can be viewed here.
User access roles are additive. There are no roles that deny access, only roles that allow. For more information, read these additional learning resources, which include step-by-step instructions and documentation on user access configuration.
User Access administrator
The User Access administrator is a special role that only an org admin can assign to a group within HCC. It allows a user to perform actions such as adding, modifying, or deleting groups and roles. The User Access administrator role cannot create or modify a User Access administrator group.
It may be worthwhile to consider assigning the User Access administrator role to production cluster admin team leads to ensure there is no unintended access to production environments.
Service accounts can be used to programmatically interact with the Hybrid Cloud Console API, and can be created and managed by org admins or User Access administrators. Similar to user accounts, service accounts can be assigned to user groups to grant them specific roles and permissions as necessary.
OpenShift Cluster Manager
The OpenShift Cluster Manager (OCM) is a service managed by Red Hat that allows you to operate and upgrade Red Hat OpenShift clusters. The HCC also provides an RBAC interface to assign roles such as OCM Cluster Provisioner, which allows a user with that role to create and manage clusters in OCM. It may be sufficient for some team members to have only the OCM Cluster Viewer role instead of additional OCM roles that would allow them to modify clusters.
Roles specific to OCM provide precise access to clusters. These roles are managed through HCC, and it's recommended to create custom groups to manage these roles. For additional information on managing clusters in OCM, read the official documentation.
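To make the group-and-role model from the Hybrid Cloud Console and OpenShift Cluster Manager sections concrete, here is an added Python example written for this post; it is not Red Hat's RBAC service or its API. It models principals (users and service accounts), Red Hat's two default groups, custom groups, additive role resolution with no deny roles, the rename to Custom default access when the default group is modified, and a least-privilege check that reports the permissions a principal holds beyond its declared need. The role names are the ones used above; the permission strings under each role, the contents of the two default groups, and the treatment of service accounts (explicit group membership only, no automatic default-group membership) are assumptions made for the example.

```python
"""Constructed model of the additive, group-based RBAC described above for the
Hybrid Cloud Console and OpenShift Cluster Manager.  Example code for this
article, not Red Hat's RBAC service or its API."""

# Role name -> permissions.  The role names are the ones the article uses; the
# permission strings under them are constructed for illustration only.
ROLES = {
    "User Access administrator": {"rbac:groups:write", "rbac:roles:write"},
    "OCM Cluster Provisioner": {"ocm:clusters:read", "ocm:clusters:write"},
    "OCM Cluster Viewer": {"ocm:clusters:read"},
}

DEFAULT_ADMIN_GROUP = "Default admin access"    # Red Hat-managed, not editable
DEFAULT_ACCESS_GROUP = "Default access"         # every authenticated user
CUSTOM_DEFAULT_GROUP = "Custom default access"  # name after any modification


class Org:
    def __init__(self, org_admins, service_accounts=()):
        self.org_admins = set(org_admins)
        self.service_accounts = set(service_accounts)
        # Assumed contents of the two Red Hat-maintained groups.
        self.group_roles = {
            DEFAULT_ADMIN_GROUP: set(ROLES),               # all roles
            DEFAULT_ACCESS_GROUP: {"OCM Cluster Viewer"},
        }
        self.group_members = {}   # custom group -> explicit members
        self.default_group = DEFAULT_ACCESS_GROUP

    def add_group(self, name, roles, members=()):
        """Create a custom group; the admin group cannot be customized."""
        if name == DEFAULT_ADMIN_GROUP:
            raise ValueError(f"{DEFAULT_ADMIN_GROUP} is not customizable")
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.group_roles[name] = set(roles)
        self.group_members[name] = set(members)

    def set_default_access_roles(self, roles):
        """Editing the default group renames it to Custom default access."""
        self.group_roles.pop(self.default_group)
        self.default_group = CUSTOM_DEFAULT_GROUP
        self.group_roles[self.default_group] = set(roles)

    def groups_for(self, principal):
        groups = {g for g, m in self.group_members.items() if principal in m}
        if principal not in self.service_accounts:
            groups.add(self.default_group)        # all authenticated users
        if principal in self.org_admins:
            groups.add(DEFAULT_ADMIN_GROUP)       # inherited from the Portal
        return groups

    def effective_permissions(self, principal):
        """Additive resolution: union over all groups; no deny roles exist."""
        perms = set()
        for group in self.groups_for(principal):
            for role in self.group_roles[group]:
                perms |= ROLES[role]
        return perms

    def excess_permissions(self, principal, needed):
        """Least-privilege check: what the principal holds beyond its need."""
        return self.effective_permissions(principal) - set(needed)


def least_privilege_report(org, needs):
    """needs: principal -> permissions its job requires.  Returns the sorted
    excess per principal so reviewers can see who is over-privileged."""
    return {p: sorted(org.excess_permissions(p, n)) for p, n in needs.items()}


def build_example_org():
    """Constructed organisation: one org admin from the finance team, an SRE
    group, and a CI service account placed in that group."""
    org = Org(org_admins={"cfo"}, service_accounts={"sa-ci"})
    org.add_group("ocm-sre", {"OCM Cluster Provisioner"},
                  members={"sre-1", "sa-ci"})
    return org


if __name__ == "__main__":
    org = build_example_org()
    needs = {
        "cfo": {"ocm:clusters:read"},      # only needs to see clusters
        "sre-1": {"ocm:clusters:read", "ocm:clusters:write"},
        "sa-ci": {"ocm:clusters:read", "ocm:clusters:write"},
    }
    for principal, excess in least_privilege_report(org, needs).items():
        print(f"{principal:8} groups={sorted(org.groups_for(principal))} "
              f"excess={excess}")
```

Running the script shows the point the article makes about org admins: the constructed "cfo" account, whose job only needs read access to clusters, inherits every role through the Default admin access group, while the SRE and the CI service account end up with exactly the permissions their custom group grants. Because resolution is a union over groups, removing a user from a custom group is the only way to take a permission away; there is no deny role to add.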
Tying it all together
Now that we've provided an overview of RBAC for the various Red Hat portals, we have a recommendation on how to administer your organization's RBAC policies.
The most common question is who should be an org admin. This is easy to get wrong! In some companies, leadership or sales teams involved in managing subscriptions are assigned org admin. However, these are permissions inherited from Customer Portal, so there may be unintended consequences because org admins are also added to the default admin access group in the HCC. An org admin can manage all OpenShift clusters, create or delete clusters, and give themselves permission to log into existing clusters as any user (including as a user with the cluster-admin role).
When managing systems through the Hybrid Cloud Console, it's crucial to determine the minimum set of specific users who actually require all the permissions an org admin inherits.
In the event that the only org admin leaves the company, this knowledge base article provides guidance on how to recover from this scenario and assign a new org admin.
We've provided an overview of RBAC for the Red Hat Customer Portal and Hybrid Cloud Console and highlighted the implications of these inherited permissions. Understanding best practices around RBAC for your organization, and specifically the role of an org admin, and applying the principle of least privileges, allows your organization to effectively administer its Red Hat accounts.
About the authors
Kevin Chung is a Principal Architect focused on assisting enterprise customers in design, implementation and knowledge transfer through a hands-on approach to accelerate adoption of their managed OpenShift container platform.
Ava Shulman is an OpenShift Infrastructure Consultant. She is also a co-author of “The OpenShift Security Guide”. Since joining Red Hat in 2018 she has been specializing in optimizing OpenShift environments and tailoring solutions to meet unique customer needs. She brings extensive experience across cloud platforms like AWS, GCP, and Azure, along with a passion for security, always striving to implement best practices in every engagement.