Granting Access to Projects and Namespaces

Organizations and teams are reflected as OpenShift groups. For each and every organization, there is a group with the same name; and for each and every team, there is a group with the same name, but prefixed with the name of the parent organization and glued together witn +. For example: acme+accounting would be a valid team name in APPUiO Cloud for the Accounting team within the ACME organization.

On APPUiO Cloud, the RoleBinding object named admin grants the group named equal to the Organization owning the Project or Namespace admin privileges. This differs from the default behavior in OpenShift, where the default admin RoleBinding only grants the creator of a Project admin privileges.

In addition, the RoleBinding named namespace-owner gives the group named equal to the Organization of the Namespace object permissions to view, edit and delete objects within the namespace.

Finally, the RoleBindings monitoring-edit, monitoring-edit-probe and alert-routing-edit grant the group named equal to the Organization owning the Project or Namespace privileges to create, modify and delete user workload monitoring configurations.

Any of the RoleBindings can be changed or deleted and replaced by something else.

Access can be granted to any OpenShift Group. This includes that namespace owned by organization A can be managed by members of organization B or only a team of organization B.

See Fine grained access control examples for more detailed examples.