Roles, Users, and Permissions in MTV for mta-documentation repo
RichardHoch committed Aug 7, 2024
1 parent 17c648d commit de9756b
Showing 1 changed file with 38 additions and 8 deletions.
46 changes: 38 additions & 8 deletions docs/topics/mta-7-installing-web-console-on-openshift.adoc
Expand Up @@ -161,7 +161,7 @@ The most commonly used CR settings are listed in this table:
|====
+
.Example YAML file
[sample,YAML]
[source,YAML]
----
kind: Tackle
apiVersion: tackle.konveyor.io/v1alpha1
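Review bot: the `[sample,YAML]` to `[source,YAML]` change at the top of this hunk is the right fix: `sample` is not a recognized AsciiDoc block style, so the listing under `.Example YAML file` would have rendered as a plain delimited block with no language-aware highlighting, whereas `source` marks it as a source block and gives the language attribute meaning. Lowercase `yaml` is the conventional spelling for the language attribute and sidesteps any case-sensitivity in the configured highlighter, so consider `[source,yaml]`.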
Expand Down Expand Up @@ -266,14 +266,10 @@ The amount of memory available for running pods on this node is 28.9 GiB. This a


== Red Hat Single Sign-On
{ProductShortName} delegates authentication and authorization to a
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6[Red
Hat Single Sign-On] (RHSSO) instance managed by the {ProductShortName} operator. Aside from controlling the full lifecycle of the managed RHSSO instance, the {ProductShortName} operator also manages the configuration of a dedicated
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms[realm] that contains all the roles and permissions that {ProductShortName} requires.
{ProductShortName} delegates authentication and authorization to a https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6[Red Hat Single Sign-On] (RHSSO) instance managed by the {ProductShortName} operator. Aside from controlling the full lifecycle of the managed RHSSO instance, the {ProductShortName} operator also manages the configuration of a dedicated https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms[realm] that contains all the roles and permissions that {ProductShortName} requires.

If an advanced configuration is required in the {ProductShortName} managed RHSSO instance, such as https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/user-storage-federation#adding_a_provider[adding
a provider for User Federation] or https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/identity_broker[integrating
identity providers], users can log into the RHSSO https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms#using_the_admin_console[Admin
a provider for User Federation] or https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/identity_broker[integrating identity providers], users can log into the RHSSO https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring_realms#using_the_admin_console[Admin
Console] through the `/auth/admin` subpath in the `{LC_PSN}-ui` route. The admin credentials to access the {ProductShortName} managed RHSSO instance can be retrieved from the `credential-mta-rhsso` secret available in the namespace in which the {WebName} was installed.

A dedicated route for the {ProductShortName} managed RHSSO instance can be created by setting the `rhsso_external_access` parameter to `True` in the *Tackle CR* that manages the {ProductShortName} instance.
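Review bot: the line-joining in this hunk is incomplete: the `[Admin` / `Console]` link text (last added line and the context line after it) still wraps across two lines while every other link macro in the paragraph was collapsed onto one line; joining it as well keeps the paragraph consistent. On content, the sentence that points readers to the `credential-mta-rhsso` secret for the RHSSO admin credentials would benefit from one clause noting that those credentials give full administrative control of the realm holding all {ProductShortName} roles, so read access to that secret in the {WebName} namespace should be restricted by RBAC to cluster administrators; likewise, setting `rhsso_external_access` to `True` publishes the admin console on its own route, which is worth flagging as a deliberate choice rather than a default.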
Expand All @@ -282,7 +278,41 @@ For more information, see
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/red_hat_single_sign_on_features_and_concepts[Red
Hat Single Sign-On features and concepts].

=== Roles and Permissions
Roles, Personas, Users, and Permissions

{ProductShortName} makes use of three roles, each of which corresponds to a persona:

.Roles and personas
[cols="50%,50%", options="header"]
|====
|Role
|Persona

|`tackle-admin`
|Administrator

|`tackle-architect`
|Architect

|`tackle-migrator`
|Migrator
|====

The roles are already defined in your RHSSO instance. You do not need to create them.

If you are an {ProductShortName} administrator, you can create users in your RHSSO and assign each user one or more roles, one role per persona.

=== Roles and Personas

Although a user can have more than one role, each role corresponds to a specific persona:

* Administrator: An administrator has all the permissions that architects and migrators have, along with access to some application-wide configuration parameters that other users can consume but cannot change or view. Examples: Git credentials, Maven `settings.xml` files.

* Architect: A technical lead for the migration project that can create and modify applications and information related to them. An architect cannot modify or delete sensitive information, but can consume it. Example: Associate an existing credential to the repository of a specific application.

* Migrator: A developer who can analyze applications, but not create, modify, or delete them.

==== Roles and permissions

The following table contains the roles and permissions (scopes) that {ProductShortName} seeds the managed RHSSO instance with:


0 comments on commit de9756b