Managing user roles

After configuring access to your Event Endpoint Management instance, you can specify roles for your users to determine their permissions.

Event Endpoint Management supports the following roles:

  • viewer: Assigns users viewer access to the Event Endpoint Management UI and shared resources
  • author: Assigns users viewer access to the Event Endpoint Management UI and shared resources. This role also gives them permissions to create and share their own resources.

Note: You must assign at least one of these roles to each user, and it must be the first role listed for that user.

Setting up roles for Local authorization

Along with configuring the user credentials, you must define the roles for each local user through user mappings stored in the secret <custom-resource-name>-ibm-eem-user-roles.

The following example shows a user mappings file:

{
  "mappings": [
    {
      "id": "author1",
      "roles": [
        "author"
      ]
    },
    {
      "id": "viewer1",
      "roles": [
        "viewer"
      ]
    }
  ]
}

Where id is the username that you configured for the user.

Using OpenShift Container Platform web console

  1. Log in to the OpenShift Container Platform web console using your login credentials.
  2. Expand Workloads in the navigation on the left and click Secrets. This lists the secrets available in this project (namespace).
  3. To edit the secret <custom-resource-name>-ibm-eem-user-roles with your role mappings, go to Actions and click Edit Secret.
  4. Edit the mappings, for example:

    {
      "mappings": [
        {
          "id": "author1",
          "roles": [
            "author"
          ]
        },
        {
          "id": "viewer1",
          "roles": [
            "viewer"
          ]
        }
      ]
    }
    
  5. Click Save.

Using the CLI

  1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
  2. Create a JSON file called myroles.json that contains the user role mappings for your Event Endpoint Management instance, for example:

    {
      "mappings": [
        {
          "id": "author1",
          "roles": [
            "author"
          ]
        },
        {
          "id": "viewer1",
          "roles": [
            "viewer"
          ]
        }
      ]
    }
    
  3. Obtain the Base64-encoded string representing the file content as a single line, with no line breaks. For example, you can run the following command to obtain the string:

    base64 < myroles.json | tr -d '\n'
    
    Note: GNU base64 wraps its output at 76 characters by default, and a wrapped value produces a broken patch in the next step. Piping through tr -d '\n' removes the line breaks (base64 -w 0 does the same on GNU/Linux).
  4. Patch the <custom-resource-name>-ibm-eem-user-roles secret with the role mappings by running the following command (add -n <namespace> if the instance is not in the namespace of your current context):

    kubectl patch secret <custom-resource-name>-ibm-eem-user-roles --type='json' -p='[{"op" : "replace" ,"path" : "/data/user-mapping.json" ,"value" : "<your-base64-value>"}]'
    

    where:

    • <custom-resource-name> is the name of your Event Endpoint Management instance.
    • <your-base64-value> is the Base64-encoded string returned from the previous command.

    for example:

    kubectl patch secret quick-start-manager-ibm-eem-user-roles --type='json' -p='[{"op" : "replace" ,"path" : "/data/user-mapping.json" ,"value" : "ewogICJtYXBwaW5ncyI6IFsKICAgIHsKICAgICAgImlkIjogImF1dGhvcjEiLAogICAgICAicm9sZXMiOiBbCiAgICAgICAgImF1dGhvciIKICAgICAgXQogICAgfSwKICAgIHsKICAgICAgImlkIjogInZpZXdlcjEiLAogICAgICAicm9sZXMiOiBbCiAgICAgICAgInZpZXdlciIKICAgICAgXQogICAgfQogIF0KfQo="}]'
    

    Note: Alternatively, edit the secret directly and replace the Base64 value associated with data.user-mapping.json. To edit the secret directly, run the following command:

    oc edit secret/<custom-resource-name>-ibm-eem-user-roles -o json
    
  5. Important: For security reasons, delete the local file you created.
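The following Python script is an added example, not code from Event Endpoint Management or its documentation. It validates a mapping file of the shape shown above before anything is patched (unknown first role, empty roles list, malformed entries), Base64-encodes it in memory so that no line wrapping can creep in, and assembles the same kubectl patch command as step 4. The secret name suffix, the data key user-mapping.json and the roles viewer and author are taken from this page; the function names, the duplicate-id check and the sample mapping are assumptions of the example. Because the file format is identical, the same checks apply to the OIDC subject and custom role identifier mappings described later on this page.

```python
"""Validate an Event Endpoint Management user-mapping file and build the
kubectl patch for the <instance>-ibm-eem-user-roles secret.

Added example, not code from the product or its documentation. The secret
name suffix, the data key "user-mapping.json" and the roles "viewer" and
"author" come from the documentation page; the validation rules (unique ids,
non-empty roles) and all function names are this example's own choices.
"""
import base64
import json
import shlex

VALID_ROLES = ("viewer", "author")   # roles the page documents
DATA_KEY = "user-mapping.json"       # key inside the secret's .data map

# Constructed sample mapping. The ids may equally be local usernames, OIDC
# subjects or custom role identifiers; the file shape is the same.
EXAMPLE_MAPPING = {
    "mappings": [
        {"id": "author1", "roles": ["author"]},
        {"id": "viewer1", "roles": ["viewer"]},
    ]
}


def validate_mapping(doc):
    """Return a list of problems; an empty list means the mapping is usable.
    Fail closed before patching: a malformed secret can lock everyone out or
    silently grant the wrong role."""
    errors = []
    mappings = doc.get("mappings") if isinstance(doc, dict) else None
    if not isinstance(mappings, list):
        return ['top-level "mappings" must be a list']
    seen = set()
    for i, entry in enumerate(mappings):
        where = f"mappings[{i}]"
        if not isinstance(entry, dict):
            errors.append(f"{where}: entry must be an object")
            continue
        uid = entry.get("id")
        roles = entry.get("roles")
        if not isinstance(uid, str) or not uid:
            errors.append(f"{where}: id must be a non-empty string")
        elif uid in seen:
            # Assumption of this example: a duplicated id is ambiguous, so reject it.
            errors.append(f"{where}: duplicate id {uid!r}")
        else:
            seen.add(uid)
        if not isinstance(roles, list) or not roles:
            errors.append(f"{where}: roles must be a non-empty list")
            continue
        # The page requires one of the documented roles as the first role.
        if roles[0] not in VALID_ROLES:
            errors.append(f"{where}: first role must be one of {VALID_ROLES}, got {roles[0]!r}")
        for role in roles[1:]:
            if not isinstance(role, str):
                errors.append(f"{where}: role {role!r} is not a string")
    return errors


def encode_mapping(doc):
    """Serialize like the page's examples (2-space indent, trailing newline)
    and Base64-encode in memory. Unlike GNU base64, this never inserts
    76-column line breaks, so the value is safe to embed in a JSON patch."""
    raw = (json.dumps(doc, indent=2) + "\n").encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_mapping(b64):
    """Reverse of encode_mapping; run it on the value from
    `kubectl get secret ... -o json` to confirm what the cluster holds."""
    return json.loads(base64.b64decode(b64))


def build_patch(doc):
    """JSON Patch (RFC 6902) operation replacing the mapping key in the secret."""
    errors = validate_mapping(doc)
    if errors:
        raise ValueError("; ".join(errors))
    return [{"op": "replace", "path": f"/data/{DATA_KEY}", "value": encode_mapping(doc)}]


def kubectl_patch_command(instance, doc, namespace=None):
    """argv for `kubectl patch secret ...`, matching the page's command."""
    argv = ["kubectl", "patch", "secret", f"{instance}-ibm-eem-user-roles",
            "--type=json", "-p", json.dumps(build_patch(doc))]
    if namespace:
        argv += ["-n", namespace]
    return argv


if __name__ == "__main__":
    # Print the command rather than running it; review it, then pipe it into sh.
    print(shlex.join(kubectl_patch_command("quick-start-manager", EXAMPLE_MAPPING)))
```

Running the script prints the exact patch command from step 4 for the sample mapping; the encoded value it produces is byte-for-byte the one shown in the example above, because the page's JSON uses the same two-space indentation. Two practical notes: a JSON Patch "replace" operation fails if the target key does not exist yet, so if the secret has no user-mapping.json entry use "add" instead; and after patching, confirm the stored value with kubectl get secret <custom-resource-name>-ibm-eem-user-roles -o jsonpath='{.data.user-mapping\.json}' and pass the result to decode_mapping.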

Setting up roles for OIDC-based authorization

You must provide user mappings through the secret <custom-resource-name>-ibm-eem-user-roles whose ids match the user subjects issued by your OIDC identity provider.

The following example shows a user mappings file:

{
  "mappings": [
    {
      "id": "<user_subject_1>",
      "roles": [
        "author"
      ]
    },
    {
      "id": "<user_subject_2>",
      "roles": [
        "viewer"
      ]
    }
  ]
}

For more information about retrieving the user subjects, see the managing access section.

Setting up OIDC-based authorization with a custom role identifier

Custom role identifiers can be used as the id in the user mappings JSON stored in the <custom-resource-name>-ibm-eem-user-roles secret.

Following the example in the managing access section, a user mappings file that uses custom identifiers looks like this:

{
  "mappings": [
    {
      "id": "org-admin",
      "roles": [
        "author"
      ]
    },
    {
      "id": "org-viewer",
      "roles": [
        "viewer"
      ]
    }
  ]
}

Where org-admin and org-viewer are the custom identifiers, derived from the OIDC provider's token, that are used to assign user permissions in Event Endpoint Management.