Manage user roles through the Container Cloud web UI

If you are assigned the global-admin role, you can manage the IAM*RoleBinding objects through the Container Cloud web UI. The ability to manage project role bindings using the operator role will become available in one of the upcoming Container Cloud releases.

To add or remove a role binding using the Container Cloud web UI:

  1. Log in to the Container Cloud web UI as global-admin.

  2. In the left-side navigation panel, click Users to open the active users list and view the number and types of bindings for each user. Click on a user name to open the details page with the user Role Bindings.

  3. Select from the following options:

    • To add a new binding:

      1. Click Create Role Binding.

      2. In the window that opens, configure the following fields:

        Parameter | Description

        Role

        • global-admin

          Manage all types of role bindings for all users

        • management-admin, since 2.25.0 (17.0.0, 16.0.0, 14.1.0)

          Have full access to the management cluster

        • bm-pool-operator

          Manage bare metal hosts of a particular namespace

        • operator
          • Manage Container Cloud API and Ceph-related objects in a particular project, create clusters and machines, have full access to Kubernetes clusters and StackLight APIs deployed by anyone in this project

          • Manage role bindings in the current namespace for users who require the bm-pool-operator, operator, or user role

        • user

          Manage infrastructure of a particular project with access to live statuses of the project cluster machines to monitor cluster health

        • cluster-admin

          Have admin access to Kubernetes clusters and StackLight components of a particular cluster and project

        • stacklight-admin

          Have admin access to the StackLight components of a particular Kubernetes cluster deployed in a particular project to monitor the cluster health

        Binding type

        • Global

          Bind a role globally, not limited to a specific project or cluster. By default, global-admin has the global binding type.

          You can bind any role globally. For example, you can change the default project binding of the operator role to apply this role globally, to all existing and new projects.

        • Project

          Bind a role to a specific project. If selected, also define the Project name that the binding is assigned to.

          By default, the following IAM roles have the project binding type: bm-pool-operator, operator, and user. You can bind any role to a project except the global-admin one.

        • Cluster

          Bind a role to a specific cluster. If selected, also define the Project and Cluster name that the binding is assigned to. You can bind only the cluster-admin and stacklight-admin roles to a cluster.

    • To remove a binding, click the Delete action icon located in the last column of the required role binding.

      Bindings that have the external flag set to true will be synced back from Keycloak during the next user-controller reconciliation. Therefore, manage such bindings through Keycloak.
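
The role and binding type rules above can be checked mechanically when reviewing who holds which role. The following Python audit is an added example, not part of Container Cloud: the record layout and the function names are hypothetical, and the sample bindings are constructed.

```python
# Added example: role names and scope rules come from the table above; the record
# layout (user, role, binding_type, project, cluster, external) is hypothetical.
ROLES = {"global-admin", "management-admin", "bm-pool-operator", "operator",
         "user", "cluster-admin", "stacklight-admin"}
CLUSTER_ROLES = {"cluster-admin", "stacklight-admin"}

def check_binding(b):
    """Return the findings for one binding record (empty list if clean)."""
    role, scope, out = b["role"], b["binding_type"], []
    if role not in ROLES:
        out.append(f"invalid: unknown role {role!r}")
    if scope == "global":
        if role != "global-admin":  # any role may be global; flag it for review
            out.append("review: bound globally, not limited to a project or cluster")
    elif scope == "project":
        if role == "global-admin":
            out.append("invalid: global-admin cannot be bound to a project")
        if not b.get("project"):
            out.append("invalid: project binding without a project name")
    elif scope == "cluster":
        if role not in CLUSTER_ROLES:
            out.append("invalid: role cannot be bound to a cluster")
        if not (b.get("project") and b.get("cluster")):
            out.append("invalid: cluster binding needs project and cluster names")
    else:
        out.append(f"invalid: unknown binding type {scope!r}")
    if b.get("external"):
        out.append("external: synced from Keycloak, manage it there")
    return out

def audit(bindings):
    """Map each user to the findings across all of that user's bindings."""
    report = {}
    for b in bindings:
        for finding in check_binding(b):
            report.setdefault(b["user"], []).append(finding)
    return report

# Constructed sample data, not taken from a real deployment.
SAMPLE = [
    {"user": "alice", "role": "global-admin", "binding_type": "global"},
    {"user": "bob", "role": "operator", "binding_type": "global"},
    {"user": "carol", "role": "global-admin", "binding_type": "project", "project": "dev"},
    {"user": "dave", "role": "operator", "binding_type": "cluster", "project": "dev", "cluster": "c1"},
    {"user": "erin", "role": "stacklight-admin", "binding_type": "cluster", "project": "dev", "cluster": "c1", "external": True},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Findings prefixed with review are permitted by the rules but widen a role beyond its default scope, so they are worth confirming with the role owner.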