diff --git a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc index 07b90ecd276..434b38208b4 100644 --- a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc +++ b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc @@ -1,15 +1,17 @@ :_mod-docs-content-type: PROCEDURE [id="proc-installing-and-configuring-scorecard_{context}"] -= Installing and configuring Scorecard to view metrics += Configure RBAC for Scorecards -To enable users to view Scorecard metrics, you need to grant read access using Role-Based Access Control (RBAC). You can configure these permissions either through the RBAC CSV file or the RBAC UI, depending on how you manage access in your environment. +To view Scorecard metrics in {product-very-short}, you must grant read access using Role-Based Access Control (RBAC). Configure these permissions using the RBAC CSV file or the RBAC Web UI, depending on how you manage access in your environment. .Prerequisite - * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC, have a policy administrator role in {product-very-short}, and have added `scorecard` to plugins with permission]. + * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC and assigned a policy administrator role]. + * You have added `scorecard` to the list of authorized plugins under your `permission.rbac.pluginsWithPermission` configuration. .Procedure -Grant the required permissions by using one of the following methods: + +. Grant the required permissions by using one of the following methods: * To use the RBAC CSV file, add the following policy to your CSV file to allow users to view metrics: + 
@@ -23,11 +25,46 @@ p, role:default/scorecard-viewer, catalog.entity.read, read, allow See {authorization-book-link}#ref-rbac-permission-policies_title-authorization[Permission policies reference]. * To use the RBAC Web UI, complete the following steps: -.. In the {product} menu, navigate to *Administration > RBAC*. -.. Select or create the *Role* that requires Scorecard access. -.. In the *Add permission policies* section, select *Scorecard* from the plugins dropdown. +.. In the {product} navigation menu, go to *Administration > RBAC*. +.. Select or create the *Role* for Scorecard access. +.. In the *Add permission policies* section, select *Scorecard* from the plugins list. .. Expand the *Scorecard* entry, select *policy* with the following details, and click *Next*: *** *Name*: `scorecard.metric.read` *** *Permission*: `read` + -image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selected for a role.] \ No newline at end of file +image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selected for a role.] + +. Optional: Restrict access to specific metrics. You must use only one of the following methods to apply a conditional policy: + +* Web UI: +... In your {product-very-short} navigation menu, go to *Administration* > *RBAC*. +... In the *Add permission policies* step, select the following: +** *Name*: `scorecard.metrics.read` +** *Permission*: `Read` +... Click *Use advanced customized permissions to allow access to specific parts of the selected resource type* under *Actions* . +... Select the `HAS_METRIC_ID` rule and specify the plugin IDs, using commas to separate multiple IDs. + +* External configuration file: +.. 
Define the conditional policy in the `rbac-conditional-policies.yaml` file as described in {authorization-book-link}#managing-authorizations-by-using-external-files[Defining conditional policies]: ++ +[source,yaml,subs="+attributes,+quotes"] +---- +result: CONDITIONAL +roleEntityRef: "role:default/scorecard-viewer" +pluginId: scorecard +resourceType: scorecard-metric +permissionMapping: + - read +conditions: + rule: HAS_METRIC_ID + resourceType: scorecard-metric + params: + metricIds: [__] +---- ++ +where: + +`metricIds`:: Enter the metric ID for user access, such as `github.open_prs`. + +This policy allows users to read only the specified metrics and restricts access to all other metrics. +
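Review bot: In the first hunk, the new title "Configure RBAC for Scorecards" no longer matches the anchor `[id="proc-installing-and-configuring-scorecard_{context}"]` (or the file name), so either keep the id deliberately for existing xrefs or rename it together with every reference to it. Two smaller points in the same hunk: with two bullets the block title should read `.Prerequisites`, and the second prerequisite should state where `permission.rbac.pluginsWithPermission` lives (the `app-config` / dynamic plugin config) so a reader who has not yet touched the RBAC configuration can find it.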
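Review bot: In the second hunk, the Web UI conditional steps name the permission `scorecard.metrics.read` with permission `Read`, while the unconditional step above and the YAML (`resourceType: scorecard-metric`) use `scorecard.metric.read` and `read`; pick the one that matches the plugin and use it in both places, since a wrong permission name silently fails to restrict anything. The same steps say "specify the plugin IDs", but the `HAS_METRIC_ID` rule takes metric IDs (`metricIds`), so that should read "metric IDs" and the `metricIds` description should say one or more IDs, as the YAML shows a list. Two formatting points: the `* Web UI:` branch nests its steps as `...`/`**` while `* External configuration file:` uses `..`, so the list levels should be made consistent, and the placeholder `metricIds: [__]` under `subs="+quotes"` is at risk of being consumed as quote markup; an explicit placeholder such as `[_<metric-id>_]` is safer. Also remove the stray space in "under *Actions* ." before the period.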