.. _c3_rbac_manage_roles_ui:

##########################################
Manage |rbac| roles with |c3-short|
##########################################

.. meta::
   :title: Confluent Control Center Manage RBAC Roles
   :description: This document describes managing RBAC role assignments for users and groups in Confluent Control Center: add and delete role assignments (bindings) at the cluster scope and resource scope levels.
   :keywords: Confluent Control Center, RBAC, role-based access control, manage RBAC roles in UI, add role assignment, delete role assignment, role bindings, view role assignments, transactional ID, topic, cluster, subject, consumer group, connector

Manage |rbac| role assignments (role bindings) for users and groups at the
cluster scope and at resource scopes in the |c3-short| UI. You can add and
delete role assignments. Role assignments cannot be edited: to change one,
delete the assignment and add it again with the new values.

Role assignments in |cp| |rbac| operate on an allow model only; deny role
assignments are not supported. Only the predefined (built-in) roles are
supported; custom roles are not.

.. _c3_rbac_roles_manage_prereqs:

Prerequisites
#############

- |rbac| is :ref:`enabled ` for |c3-short| and for all |cp| components in your
  environment. See :ref:`c3_rbac_prereqs` in the |c3-short| |rbac|
  configuration documentation.
- You are assigned an :ref:`appropriate role ` that can manage |rbac| role
  assignments in |c3-short|.

.. _c3_rbac_reqd_manage_roles_ui:

Role permissions required for managing roles
############################################

If you have the appropriate role permissions, you can administer |rbac| role
assignments in the |c3-short| UI rather than with the
:confluent-cli:`Confluent CLI|index.html`.
The following predefined |rbac| roles can manage or view role assignments for
other users in |cp|:

- ``SystemAdmin``
- ``UserAdmin``
- ``ResourceOwner`` (for their own resources only)
- ``SecurityAdmin`` (can view, but not manage, the Cluster and Resource roles;
  the Add and Remove buttons are not visible)

.. important:: If a principal is a |ak| ``super.user`` but has no role
   assignment, that principal cannot view or assign roles in the |c3-short|
   UI. The ``super.user`` can still assign roles with the CLI. For more
   information on ``super.user`` access and use, see
   :ref:`c3-rbac-troubleshoot-role-assignments`.

For complete descriptions of each role, review the :ref:`Roles page ` in the
UI and the :ref:`RBAC predefined-roles ` documentation.

When |rbac| is enabled for |c3-short| and you have the proper role
permissions, the **View my role assignments** and **Manage role assignments**
options appear on the |c3-short| Administration menu:

.. figure:: ../../images/c3-admin-menu-rbac-roles.png
   :scale: 80%
   :alt: Control Center Administration menu role assignments

   Control Center Administration menu role assignments options

If you do not have a role that allows managing |rbac| role assignments, the
**Manage role assignments** option does not appear in the Administration menu.

.. _c3_rbac_roles_page_manage:

==========
Roles page
==========

To access the Roles page, click the **Manage role assignments** option from the
|c3-short| **Administration** menu. Use this page to view the available |rbac|
roles and their descriptions.

.. note:: There are no actions to take on this page; it is for informational
   purposes only.

.. figure:: ../../images/c3-rbac-manage-roles-view.png
   :width: 740px
   :alt: Confluent Platform RBAC roles and descriptions

   Confluent Platform RBAC roles and descriptions

.. tip:: Click the **RBAC role descriptions** link to access the
   :ref:`RBAC predefined-roles ` documentation.

.. _c3_rbac_manage_roles_page:

============================
Manage Role Assignments page
============================

To access the Assignments page:

#. From the |c3-short| **Administration** menu, click the **Manage role
   assignments** option.
#. Click the **Assignments** tab.

Use this page to:

- View the clusters for which you can manage permissions.
- Search for clusters by name and ID.
- View existing cluster-level assignments.
- Filter the cluster view by cluster type: |kconnect|, |ak|, |ksqldb|, |sr|.

  .. note:: If there is only one type of cluster for which you are authorized
     to manage role assignments, the **Cluster type** (All clusters) list does
     not appear. Only the cluster types that you have role permissions to
     manage appear in the list.

- Drill into a cluster to access the Cluster roles and Resource roles pages,
  where you can :ref:`add ` and :ref:`delete role assignments ` for groups and
  users.

.. figure:: ../../images/c3-rbac-manage-cluster-assign.png
   :width: 600px
   :alt: Confluent Platform Cluster Role Assignments page

   Confluent Platform Cluster Role Assignments page

.. _c3_rbac_add_role_assignments:

Add a role assignment
#####################

Add a role assignment (role binding) using the |c3-short| UI. You must have an
:ref:`appropriate role ` to add a role assignment. To use the CLI instead, see
:confluent-cli:`confluent iam rbac role-binding create|command-reference/iam/rbac/role-binding/confluent_iam_rbac_role-binding_create.html`.

You can add up to 1,000 role bindings. For more information, see
:ref:`rbac-limitations`.

.. _c3_rbac_add_role_assign_form:

========================
Add role assignment form
========================

Complete this form to add a role assignment to a cluster or to one of its
resources. All fields are required. Additional fields appear for the resource
scope.
In addition to assigning roles at the cluster scope, you can add a role
assignment to the following cluster resources, depending on the cluster type:

- |ak-tm| cluster resources:

  - Consumer Groups
  - Topics
  - Transactional IDs

  .. tip:: For more information about Transactional IDs, see this
     `Confluent blog post `__ and this `stack overflow article `__.

- |sr| cluster resources:

  - Subjects

- |kconnect| cluster resources:

  - Connectors

The following figure shows the Add role assignment form for a Connect cluster:

.. figure:: ../../images/c3-rbac-add-role-assign-connect-cluster.png
   :scale: 60%
   :alt: Confluent Platform Add role assignment Connect cluster

   Confluent Platform Add role assignment to Connect cluster

.. _c3_rbac_add_role_assign_form_fields:

Fields
======

Principal type
   LDAP/AD Group or User.

Principal name
   Principal name or ID. You can select an existing principal or create a new
   one.

   .. important:: The list of principals is pre-populated with those available
      from your LDAP/AD environment. If you create a principal rather than
      select an existing one, make sure a corresponding principal exists in
      your LDAP/AD environment. The name is not checked against LDAP/AD when
      you save, so a mistyped name creates a binding that applies to whichever
      principal later has that name.

Role
   List of available roles, depending on the scope context (cluster or cluster
   resource).

Define a scope
   Cluster ID or Resource ID. View only.

Pattern type
   Literal or Prefixed. For Prefixed, you do not need to enter an asterisk; the
   trailing asterisk is added for you. For a Literal pattern, only a full
   wildcard (``*``) is allowed, not a partial one. For example, to cover all
   topics that share a certain prefix, use Prefixed, not Literal. A Prefixed
   binding also covers every resource created under that prefix in the future,
   so confirm that a ``ResourceOwner`` binding on a prefix is meant to extend
   that far.

Select or enter resource ID
   Applicable to resource scopes only (Consumer Group, Topic, Transactional ID,
   Subject, and Connector).

   .. important:: If a user already has permissions granted to certain prefixes
      or literal patterns, the list is pre-populated with options for you to
      select. If you enter a resource ID rather than select an existing one
      from the list, ensure you create a corresponding resource in |cp|.

.. _c3_rbac_add_cluster_role_assign:

=====================================
Add a role assignment (cluster scope)
=====================================

Follow these steps to add a role assignment (role binding) at the cluster
scope.

.. login include

.. include:: includes/c3-login.rst

#. From the |c3-short| **Administration** menu, click **Manage role
   assignments**.
#. Click the **Assignments** tab. The :ref:`Assignments ` page appears.
#. In the **Cluster ID** column, click the underlined link for the cluster
   that you want to add role assignments to. The tabs appropriate for the
   cluster type appear, open to the Cluster tab by default.
#. Click **+ Add role assignment**. The :ref:`Add role assignment form `
   appears.
#. Specify a **Principal type** of either **Group** or **User**.
#. Specify a **Principal name** or **ID**.

   .. tip:: Type some characters to search for a principal.

#. Select a role from the **Role** list.

   .. note:: The **Cluster ID** in the **Define a scope** pane is grayed out
      and displays the Cluster ID.

#. Click **Save**. The top banner displays the ``Successfully created role assignment`` message.

.. _c3_rbac_add_resource_role_assign:

======================================
Add a role assignment (resource scope)
======================================

Follow these steps to add a role assignment (role binding) at the resource
scope.

.. login include

.. include:: includes/c3-login.rst

#. From the |c3-short| **Administration** menu, click **Manage role
   assignments**.
#. Click the **Assignments** tab.
#. In the **Cluster ID** column, click the underlined link for the cluster
   that you want to add role assignments to. The tabs appropriate for the
   cluster type appear, open to the Cluster tab by default.
#. Navigate to the appropriate cluster resource tab:

   - Consumer Group, Topic, or Transactional ID (|ak| clusters)
   - Subject (|sr| clusters)
   - Connector (|kconnect| clusters)

#. Click **+ Add role assignment**. The :ref:`Add role assignment form `
   appears.
#. Specify a **Principal type** of either **Group** or **User**.
#. Specify a **Principal name** or **ID**.

   .. tip:: Type some characters to search for a principal.

#. Select a role from the **Role** list.
#. Complete the fields in the **Define a scope** pane:

   .. note:: The **Cluster ID** is grayed out and displays the Cluster ID.

   - Select the **Pattern type** of either **Prefixed** or **Literal**. For
     Prefixed, you do not need to enter an asterisk; the trailing asterisk is
     added for you. For a Literal pattern, only a full wildcard is allowed. For
     example, to cover all topics that share a certain prefix, use Prefixed,
     not Literal.
   - Type the **Resource ID** of the resource you are assigning a role to.

     .. tip:: If you are assigning a role to a topic that does not exist yet,
        you can create the topic on the fly by clicking the **Create new
        topic** link.

#. Click **Save**. The top banner displays the ``Successfully created role assignment`` message.

.. _c3_rbac_delete_role_assignments:

Delete a role assignment
########################

Delete a role assignment (role binding) using the |c3-short| UI. You can delete
only one role assignment at a time. You must have an :ref:`appropriate role `
to delete a role assignment. Deleting a role assignment removes the access it
granted to a cluster or its resources for that user or group. Because
assignments are allow-only, deleting is the only way to narrow a principal's
access; if the same principal, or a group it belongs to, holds another binding
that also covers the resource (for example a Prefixed binding), that access
remains, so review the principal's remaining assignments afterwards. To use
the CLI instead, see
:confluent-cli:`confluent iam rbac role-binding delete|command-reference/iam/rbac/role-binding/confluent_iam_rbac_role-binding_delete.html`.

.. _c3_rbac_delete_cluster_resource_role_assign:

==============================================
Delete a role assignment (cluster or resource)
==============================================

Follow these steps to delete a role assignment (role binding) at the cluster
or resource scope.

.. login include

.. include:: includes/c3-login.rst

#. From the |c3-short| **Administration** menu, click **Manage role
   assignments**.
#. Click the **Assignments** tab. The :ref:`Assignments ` page appears.
#. In the **Cluster ID** column, click the underlined link for the cluster
   that you want to remove access from.
#. If applicable, navigate to the appropriate resource scope page for the
   cluster:

   - Consumer Group, Topic, or Transactional ID for a |ak| cluster.
   - Subject for a |sr| cluster.
   - Connector for a |kconnect| cluster.

#. Depending on the scope:

   - (Cluster) Select the role assignment to delete in the **Principal name**
     column.

     .. figure:: ../../images/c3-rbac-delete-cluster-role-assign.png
        :width: 600px
        :alt: Cluster scope delete role assignment

        Cluster scope delete role assignment

   - (Resource) Select the role assignment to delete in the **Resource ID**
     column.

     .. figure:: ../../images/c3-rbac-delete-resource-role-assign.png
        :width: 600px
        :alt: Resource scope delete role assignment

        Resource scope delete role assignment

#. Click the trash icon. You are prompted to confirm deleting the role
   assignment.
#. Type or paste the Cluster or Resource ID into the text box and click
   **Delete**. The top banner displays ``Successfully deleted role assignment.``

   .. figure:: ../../images/c3-rbac-delete-role-assign-success.png
      :scale: 80%

.. _c3-rbac-troubleshoot-role-assignments:

Troubleshoot role assignments
#############################

**Issue:** A user can add a role assignment successfully in |c3-short| but
cannot view the newly added role assignment.
**Reason and remedy:** The user is most likely a broker ``super.user`` who also
holds a ``ResourceOwner`` role. That combination lets the user create a role
assignment but not view or manage role assignments in the UI. Use the broker
``super.user`` only to bootstrap the initial ``UserAdmin`` and ``SystemAdmin``
roles and users, and not thereafter; do day-to-day role management as a
principal that holds ``UserAdmin`` or ``SystemAdmin``.
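The rules this page states for role bindings (allow-only, Literal versus
Prefixed patterns, the 1,000-binding limit, and change as delete-then-add)
decide what a new assignment actually grants, so they are worth checking before
you click **Save**. The following Python model is an added example written for
this page; it is not Control Center or MDS code. It matches bindings to scopes
only and does not reproduce what each predefined role grants. The cluster ID
``kafka-cluster-1`` and the principals are constructed, and ``DeveloperRead``
is a predefined |cp| role that this page does not list.

```python
"""Model of the role-binding rules on this page: allow-only, Literal vs Prefixed
patterns, the 1,000-binding limit, delete-then-add. Added illustration; not Control Center or MDS code."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

MAX_ROLE_BINDINGS = 1000  # limit stated on this page


@dataclass(frozen=True)
class RoleBinding:
    principal: str                       # "User:alice" or "Group:payments-devs"
    role: str                            # a predefined role name
    cluster_id: str                      # every binding is scoped to one cluster
    resource_type: Optional[str] = None  # None => cluster-scope binding
    resource_name: Optional[str] = None  # literal name, "*", or a prefix
    pattern_type: str = "LITERAL"        # "LITERAL" or "PREFIXED"

    def __post_init__(self) -> None:
        if (self.resource_type is None) != (self.resource_name is None):
            raise ValueError("resource_type and resource_name go together")
        # Page rule: a Literal pattern may only be the full wildcard "*"; a
        # partial wildcard such as "payments-*" must be PREFIXED "payments-".
        if (self.pattern_type == "LITERAL" and self.resource_name is not None
                and "*" in self.resource_name and self.resource_name != "*"):
            raise ValueError("partial wildcard in a Literal pattern; use PREFIXED")
        if self.pattern_type == "PREFIXED" and not self.resource_name:
            raise ValueError("a PREFIXED pattern needs a non-empty prefix")

    def covers(self, cluster_id: str, resource_type: Optional[str], name: Optional[str]) -> bool:
        # Scope match only: cluster-scope bindings match cluster-scope queries,
        # resource-scope bindings match by resource type and pattern.
        if cluster_id != self.cluster_id or resource_type != self.resource_type:
            return False
        if self.resource_type is None:
            return True
        if self.pattern_type == "PREFIXED":
            return (name or "").startswith(self.resource_name)
        return self.resource_name == "*" or name == self.resource_name


class RoleBindingStore:
    """Allow-only: effective roles are the union of matching bindings, so
    deleting a binding is the only way to narrow them."""

    def __init__(self) -> None:
        self.bindings: Set[RoleBinding] = set()

    def add(self, b: RoleBinding) -> None:
        if b not in self.bindings and len(self.bindings) >= MAX_ROLE_BINDINGS:
            raise RuntimeError(f"role-binding limit of {MAX_ROLE_BINDINGS} reached")
        self.bindings.add(b)  # re-adding an identical binding is a no-op here

    def delete(self, b: RoleBinding) -> bool:
        """Deletes exactly one binding, as the UI does."""
        present = b in self.bindings
        self.bindings.discard(b)
        return present

    def replace(self, old: RoleBinding, new: RoleBinding) -> None:
        """No edit operation exists: a change is delete followed by add. The
        principal loses `old` in between, so restore it if the second step fails."""
        if not self.delete(old):
            raise KeyError("binding to replace does not exist")
        try:
            self.add(new)
        except Exception:
            self.add(old)
            raise

    def roles_for(self, principal: str, cluster_id: str,
                  resource_type: Optional[str] = None, name: Optional[str] = None) -> Set[str]:
        return {b.role for b in self.bindings
                if b.principal == principal and b.covers(cluster_id, resource_type, name)}


def demo() -> Dict[str, object]:
    """Constructed sample bindings; the cluster ID and principals are made up."""
    kafka, store = "kafka-cluster-1", RoleBindingStore()
    alice_one = RoleBinding("User:alice", "ResourceOwner", kafka, "Topic", "payments-ledger")
    store.add(alice_one)
    store.add(RoleBinding("Group:payments-devs", "DeveloperRead", kafka, "Topic", "payments-", "PREFIXED"))
    store.add(RoleBinding("User:bob", "ResourceOwner", kafka, "Topic", "*"))  # full wildcard
    store.add(RoleBinding("User:carol", "SystemAdmin", kafka))                # cluster scope
    try:
        RoleBinding("User:alice", "ResourceOwner", kafka, "Topic", "payments-*")
        bad_literal_rejected = False
    except ValueError:
        bad_literal_rejected = True
    # Widen alice from one topic to the whole prefix: delete then add, not edit.
    store.replace(alice_one, RoleBinding("User:alice", "ResourceOwner", kafka, "Topic", "payments-", "PREFIXED"))
    return {
        "group_on_ledger": store.roles_for("Group:payments-devs", kafka, "Topic", "payments-ledger"),
        "group_on_orders": store.roles_for("Group:payments-devs", kafka, "Topic", "orders"),
        "bob_on_orders": store.roles_for("User:bob", kafka, "Topic", "orders"),
        "alice_on_refunds": store.roles_for("User:alice", kafka, "Topic", "payments-refunds"),
        "carol_cluster": store.roles_for("User:carol", kafka),
        "carol_on_orders": store.roles_for("User:carol", kafka, "Topic", "orders"),  # scope match only
        "bad_literal_rejected": bad_literal_rejected,
        "binding_count": len(store.bindings),
    }
```

``carol_on_orders`` comes back empty because a cluster-scope binding is not a
resource pattern; what ``SystemAdmin`` at the cluster scope lets carol do with
topics comes from the role definition, which this model leaves out. The
``replace`` method is the reason the UI's delete-then-add sequence deserves
care: the principal has no access from the old binding until the new one is
saved, and if the add is refused the old binding has to be put back by hand.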