This topic describes how Tanzu Platform uses role bindings to allow you to assign roles to users and give them access to the appropriate resources.
Tanzu Platform supports configurable identity providers (IdP) for user authentication. Authenticated users can log in to Tanzu Platform, but until an administrator assigns them a role, they cannot view data or perform actions.
When you add a Cloud Foundry Foundation in Tanzu Platform, Cloud Foundry users with certain roles are automatically synched to Tanzu Platform. These users can log into Tanzu Platform and view the Cloud Foundry resources and data based on the scope and their assigned role. For more details, see Access to Tanzu Platform for Cloud Foundry users
Assigning roles using role bindings
To assign roles in Tanzu platform you must configure a role binding, which assigns a Tanzu Platform role to a user or group within a specific scope. Assigning roles to users requires administrator privileges.
-
Role binding: A combination of a user or user group with an assigned role and a scope. The scope limits the effect of the role to the specified scope, for example a Project or a Space, and all of its sub-scopes. In other words, the scope defines the set of resources and their data that a user can access within a scope, and the role defines the user’s level of access and the actions that they are permitted to perform.
-
Who can create role bindings: a user with an administrator role in a scope can create, update, and delete role bindings in that scope or any sub-scopes.
For example, if a user has administrator role in a Project, they can create role bindings in that Project or in its sub-scopes. This includes the application Spaces and cluster groups in that Project and the clusters within those cluster groups.
For how to create, edit, and delete role bindings, see Assign users to resources in Tanzu Platform.
The role bindings for scopes specific to Cloud Foundry are not managed by Tanzu Platform. Tanzu Platform continuously synchronizes role bindings from Cloud Foundry instances. Consequently, for scopes specific to Cloud Foundry, you should update role bindings or create new role bindings in the appropriate Cloud Foundry instance, not in Tanzu Platform. For more information, see Access to Tanzu Platform for Cloud Foundry users.
Supported identities for role bindings
You can can assign a role binding to one of the following:
-
User ID: This is the email ID of a user which exists in the IdP. After a role binding is created for a user and they log in for the first time, the first name and the last name of the user is stored in the Tanzu Platform and is visible in the role binding UI. If the user hasn’t logged in yet, then only the user ID is visible in the role binding UI.
While creating a role binding, the current version of Tanzu Platform cannot verify its validity. You must take care when entering it.
-
Group name: This is the name of a group that exists in the IdP. When a role binding is defined with a group name for the identity, all of the users who are mapped to the group in the IdP can access Tanzu Platform with the role and scope mapped to group in the role binding. This means you can avoid creating a role binding for each individual user. Member users can see role binding for the group.
Supported scope types for role bindings
The following table provides a short description of the scope types you can assign a user to in Tanzu Platform.
You can adjust the level of access you provide a user at a scope by assigning them a role, see Supported roles for role bindings later in this topic.
Note: You cannot assign scopes that are specific to Cloud Foundry to users directly in Tanzu Platform. When you create a role binding, Cloud Foundry scopes do not appear as options. Assign users that require access to specific Cloud Foundry scopes through the appropriate Cloud Foundry instance. Role bindings that are set in the Cloud Foundry instance are synched to Tanzu Platform. For more information, see Access to Tanzu Platform for Cloud Foundry users.
| Scope Type | Description |
|---|---|
| Global | Grants access to all areas of Tanzu Platform |
| Project | Grants access to a specific Project in Tanzu Platform. For Kubernetes, this includes all cluster groups, clusters and Spaces associated with the Project. For Cloud Foundry, this includes all Cloud Foundry foundations, Orgs, and Spaces associated with the Project. |
| Cloud Foundry Foundation | Grants access to the topology and metrics from a specific Cloud Foundry foundation on Tanzu Platform. |
| Cloud Foundry Space | Grants access to application and foundation details from a specific Cloud Foundry Space on Tanzu Platform. |
| Kubernetes cluster group | Grants access to a specific cluster group in Tanzu Platform. This includes all clusters associated with the cluster group. |
| Kubernetes cluster | Grants access to a specific cluster attached to Tanzu Platform. |
| Application Space | Grants access to a specific Kubernetes Space in Tanzu Platform |
The following diagram shows the hierarchy of scopes.
Supported roles for role bindings
The following table provides a short description of the roles you can assign a user at each scope in Tanzu Platform. For the full list of permissions that each role provides at each scope, see RBAC reference.
The functionality available to you in Tanzu Platform is dependent upon your access permissions, the selected Project context, and the resources you have added into Tanzu Platform management. For example, some functionality is enabled only for administrators, and some functionality is enabled only when All Projects is selected.
- When All Projects is selected, the functionality available is that which applies collectively to all of the projects in your organization.
- When a specific Project is selected, the functionality available is that which applies an individual Project.
- If you are associated with with a role that has permissions for an administrator, then you see the full set of functionality that is exposed for that role.
- If you are associated with a role that has permissions for an app developer, then you will have access to the functionality that is exposed for that role.
| Role | Scopes | Description |
|---|---|---|
| Administrator | Available at all scopes | This role provides the user with permission to perform all operations available in Tanzu Platform. A user with the administrator role at global scope is the highest level of permission. |
| Operator | Available at all scopes |
With the operator role, users can perform all actions available to the administrator role, except
for managing infrastructure and role bindings. This role doesn't allow the user to:
|
| Viewer | Available at all scopes | This role allows user to view all data available in a scope |
| Self-service developer | Available only at the Project scope | This role allows users to create new spaces to deploy applications and perform builds in the Project. A side-effect of creating a Space is that a role binding is created for the user in the new Space with the administrator role. This permits the user to deploy their applications into their Space. |
There is a built-in role binding defined in the product which users can use to log in:
| User | Scope | Role |
|---|---|---|
tanzu_platform_admin | Global | Administrator |
Inheritance of roles across scopes
-
If a user is assigned a role at a scope, the user inherits the same role in all the scopes below it.
-
If a user is assigned a role at a scope, you can assign the user additional roles at a lower scope to give the user more permission at the lower scope.
-
Roles and permissions are cumulative. If a user is assigned a privileged role at a higher scope, you cannot revoke these privileges at a lower scope by assigning a role with less privileges.
For example, if you give a user Administrator role at Global scope, they also have Administrator role at lower scopes such as Project. If you also give the user the Self-Service Developer role at a Project scope, they will still have Administrator privileges at the Project scope, which is inherited from the role given at the Global scope.
Content feedback and comments