Granting Access to Projects and Namespaces

In the Managing Projects and Namespaces page it’s explained how to create projects and namespaces. This page explains in detail how to manage users, groups, and teams within those projects, assigning rights and entitlements.

The contents of this page rely on knowledge provided by the official OpenShift documentation about Role-Base Access Control (RBAC), highlighting the differences in APPUiO Cloud.

Organizations and Teams in APPUiO Cloud

Organizations and teams are reflected as OpenShift groups. For each and every organization, there is a group with the same name; and for each and every team, there is a group with the same name, but prefixed with the name of the parent organization and glued together witn +. For example: acme+accounting would be a valid team name in APPUiO Cloud for the Accounting team within the ACME organization.

OpenShift groups don’t have any notion of hierarchy! From the point of view of OpenShift, they all belong to the same flat structure.

Granting Privileges

On APPUiO Cloud, the RoleBinding object named admin grants the group named equal to the Organization owning the Project or Namespace admin privileges. This differs from the default behavior in OpenShift, where the default admin RoleBinding only grants the creator of a Project admin privileges.

In addition, the RoleBinding named namespace-owner gives the group named equal to the Organization of the Namespace object permissions to view, edit and delete objects within the namespace.

Finally, the RoleBindings monitoring-edit, monitoring-edit-probe and alert-routing-edit grant the group named equal to the Organization owning the Project or Namespace privileges to create, modify and delete user workload monitoring configurations.

Any of the RoleBindings can be changed or deleted and replaced by something else.

Modifications to RoleBindings can prevent users from accessing their projects; in other words, you might end up locked out of your project!

Access can be granted to any OpenShift Group. This includes that namespace owned by organization A can be managed by members of organization B or only a team of organization B.


See Fine grained access control examples for more detailed examples.