From 899965a27c5bef427fa50d501a5a57884d4937f3 Mon Sep 17 00:00:00 2001 From: Priyanka Abel Date: Mon, 9 Feb 2026 14:01:05 +0530 Subject: [PATCH 1/5] Conditional permissions for Scorecards --- ...-installing-and-configuring-scorecard.adoc | 40 ++++++++++++++++--- 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc index 07b90ecd276..b8ed0aa234e 100644 --- a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc +++ b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc @@ -3,13 +3,15 @@ [id="proc-installing-and-configuring-scorecard_{context}"] = Installing and configuring Scorecard to view metrics -To enable users to view Scorecard metrics, you need to grant read access using Role-Based Access Control (RBAC). You can configure these permissions either through the RBAC CSV file or the RBAC UI, depending on how you manage access in your environment. +To view Scorecard metrics in {product-very-short}, you need to grant read access using Role-Based Access Control (RBAC). Configure these permissions using the RBAC CSV file or the RBAC UI, depending on how you manage access in your environment. .Prerequisite - * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC, have a policy administrator role in {product-very-short}, and have added `scorecard` to plugins with permission]. + * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC and assigned a policy administrator role]. + * You have added `scorecard` to the list of plugins with permissions. .Procedure -Grant the required permissions by using one of the following methods: + +. Grant the required permissions by using one of the following methods: * To use the RBAC CSV file, add the following policy to your CSV file to allow users to view metrics: + 
@@ -24,10 +26,36 @@ See {authorization-book-link}#ref-rbac-permission-policies_title-authorization[P * To use the RBAC Web UI, complete the following steps: .. In the {product} menu, navigate to *Administration > RBAC*. -.. Select or create the *Role* that requires Scorecard access. -.. In the *Add permission policies* section, select *Scorecard* from the plugins dropdown. +.. Select or create the *Role* for Scorecard access. +.. In the *Add permission policies* section, select *Scorecard* from the plugins list. .. Expand the *Scorecard* entry, select *policy* with the following details, and click *Next*: *** *Name*: `scorecard.metric.read` *** *Permission*: `read` + -image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selected for a role.] \ No newline at end of file +image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selecrted for a role.] + +. Optional: Restrict access to specific metrics using a conditional policy: + +** {audit-log-book-link}#managing-authorizations-by-using-the-web-ui[Using the Web UI]. +** Define conditional policies in an `rbac-conditional-policies.yaml` file: ++ +[source,yaml] +---- +result: CONDITIONAL +roleEntityRef: "role:default/scorecard-viewer" +pluginId: scorecard +resourceType: scorecard-metric +permissionMapping: + - read +conditions: + rule: HAS_METRIC_ID + resourceType: scorecard-metric + params: + metricIds: [__] +---- ++ +where: +`metricIds`:: Enter the metric ID for user access, such as `github.open_prs`. + +This policy allows users to read only the specific metrics while restricting access to other available metrics. + From bfcbfd102beba5dca8a12b55047bf98ace0a84de Mon Sep 17 00:00:00 2001 From: Priyanka Abel Date: Tue, 10 Feb 2026 15:09:28 +0530 Subject: [PATCH 2/5] Incorporated Dominika's comments --- ...-installing-and-configuring-scorecard.adoc | 24 ++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) 
diff --git a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc index b8ed0aa234e..d42e2c0f931 100644 --- a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc +++ b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc @@ -1,13 +1,13 @@ :_mod-docs-content-type: PROCEDURE [id="proc-installing-and-configuring-scorecard_{context}"] -= Installing and configuring Scorecard to view metrics += Configuring Scorecard and conditional permissions -To view Scorecard metrics in {product-very-short}, you need to grant read access using Role-Based Access Control (RBAC). Configure these permissions using the RBAC CSV file or the RBAC UI, depending on how you manage access in your environment. +To view Scorecard metrics in {product-very-short}, you must grant read access using Role-Based Access Control (RBAC). Configure these permissions using the RBAC CSV file or the RBAC Web UI, depending on how you manage access in your environment. .Prerequisite * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC and assigned a policy administrator role]. - * You have added `scorecard` to the list of plugins with permissions. + * You have added `scorecard` to the list of authorized plugins in your configuration. .Procedure 
@@ -25,7 +25,7 @@ p, role:default/scorecard-viewer, catalog.entity.read, read, allow See {authorization-book-link}#ref-rbac-permission-policies_title-authorization[Permission policies reference]. * To use the RBAC Web UI, complete the following steps: -.. In the {product} menu, navigate to *Administration > RBAC*. +.. In the {product} navigation menu, go to *Administration > RBAC*. .. Select or create the *Role* for Scorecard access. .. In the *Add permission policies* section, select *Scorecard* from the plugins list. .. Expand the *Scorecard* entry, select *policy* with the following details, and click *Next*: @@ -34,10 +34,18 @@ See {authorization-book-link}#ref-rbac-permission-policies_title-authorization[P + image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selecrted for a role.] -. Optional: Restrict access to specific metrics using a conditional policy: +. Optional: Restrict access to specific metrics. You must use only one of the following methods to apply a conditional policy: -** {audit-log-book-link}#managing-authorizations-by-using-the-web-ui[Using the Web UI]. -** Define conditional policies in an `rbac-conditional-policies.yaml` file: +** Web UI: +... In your {product-very-short} navigation menu, go to *Administration* > *RBAC*. +... In the *Add permission policies* step, select the following: +**** *Name*: `scorecard.metrics.read` +**** *Permission*: `Read` +... Click *Use advanced customized permissions to allow access to specific parts of the selected resource type* under *Actions* . +... Select the `HAS_METRIC_ID` rule and specify the plugin IDs, using commas to separate multiple IDs. + +** External configuration file: +.... Define the conditional policy in the `rbac-conditional-policies.yaml` file as described in {authorization-book-link}#managing-authorizations-by-using-external-files[Defining conditional policies]: + [source,yaml] ---- 
@@ -57,5 +65,5 @@ conditions: where: `metricIds`:: Enter the metric ID for user access, such as `github.open_prs`. -This policy allows users to read only the specific metrics while restricting access to other available metrics. +This policy allows users to read only the specified metrics and restricts access to all other metrics. From a4e2d24d4d9aac2d9cc676de6b9141b422d5ee77 Mon Sep 17 00:00:00 2001 From: Priyanka Abel Date: Mon, 16 Feb 2026 11:58:00 +0530 Subject: [PATCH 3/5] Added title suggestion --- .../scorecards/proc-installing-and-configuring-scorecard.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc index d42e2c0f931..debfa9da367 100644 --- a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc +++ b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc @@ -1,7 +1,7 @@ :_mod-docs-content-type: PROCEDURE [id="proc-installing-and-configuring-scorecard_{context}"] -= Configuring Scorecard and conditional permissions += Configuring RBAC for Scorecards To view Scorecard metrics in {product-very-short}, you must grant read access using Role-Based Access Control (RBAC). Configure these permissions using the RBAC CSV file or the RBAC Web UI, depending on how you manage access in your environment. From 1b25f2db75220795b330f6a2aa0ece0031f098d8 Mon Sep 17 00:00:00 2001 From: Priyanka Abel Date: Mon, 16 Feb 2026 18:31:17 +0530 Subject: [PATCH 4/5] Incorporated Dominika's comment --- .../scorecards/proc-installing-and-configuring-scorecard.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc index debfa9da367..339f8c72a35 100644 
--- a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc +++ b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc @@ -7,7 +7,7 @@ To view Scorecard metrics in {product-very-short}, you must grant read access us .Prerequisite * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC and assigned a policy administrator role]. - * You have added `scorecard` to the list of authorized plugins in your configuration. + * You have added `scorecard` to the list of authorized plugins under `permission.rbac.pluginsWithPermission` in your configuration. .Procedure From 6e21dd7e658c0de19eece4aa5544305251f23fa2 Mon Sep 17 00:00:00 2001 From: Priyanka Abel Date: Mon, 16 Feb 2026 20:48:24 +0530 Subject: [PATCH 5/5] Incorporated Judy's comments --- ...-installing-and-configuring-scorecard.adoc | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc index 339f8c72a35..434b38208b4 100644 --- a/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc +++ b/modules/observe/scorecards/proc-installing-and-configuring-scorecard.adoc 
@@ -1,13 +1,13 @@ :_mod-docs-content-type: PROCEDURE [id="proc-installing-and-configuring-scorecard_{context}"] -= Configuring RBAC for Scorecards += Configure RBAC for Scorecards To view Scorecard metrics in {product-very-short}, you must grant read access using Role-Based Access Control (RBAC). Configure these permissions using the RBAC CSV file or the RBAC Web UI, depending on how you manage access in your environment. .Prerequisite * You have {authorization-book-link}#enabling-and-giving-access-to-rbac[enabled RBAC and assigned a policy administrator role]. - * You have added `scorecard` to the list of authorized plugins under `permission.rbac.pluginsWithPermission` in your configuration. + * You have added `scorecard` to the list of authorized plugins under your `permission.rbac.pluginsWithPermission` configuration. .Procedure 
@@ -32,22 +32,22 @@ See {authorization-book-link}#ref-rbac-permission-policies_title-authorization[P *** *Name*: `scorecard.metric.read` *** *Permission*: `read` + -image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selecrted for a role.] +image::rhdh/scorecard-create-role.png[The RBAC UI showing the scorecard.metric.read permission selected for a role.] . Optional: Restrict access to specific metrics. You must use only one of the following methods to apply a conditional policy: -** Web UI: +* Web UI: ... In your {product-very-short} navigation menu, go to *Administration* > *RBAC*. ... In the *Add permission policies* step, select the following: -**** *Name*: `scorecard.metrics.read` -**** *Permission*: `Read` +** *Name*: `scorecard.metrics.read` +** *Permission*: `Read` ... Click *Use advanced customized permissions to allow access to specific parts of the selected resource type* under *Actions* . ... Select the `HAS_METRIC_ID` rule and specify the plugin IDs, using commas to separate multiple IDs. -** External configuration file: -.... Define the conditional policy in the `rbac-conditional-policies.yaml` file as described in {authorization-book-link}#managing-authorizations-by-using-external-files[Defining conditional policies]: +* External configuration file: +.. Define the conditional policy in the `rbac-conditional-policies.yaml` file as described in {authorization-book-link}#managing-authorizations-by-using-external-files[Defining conditional policies]: + -[source,yaml] +[source,yaml,subs="+attributes,+quotes"] ---- result: CONDITIONAL roleEntityRef: "role:default/scorecard-viewer" @@ -63,6 +63,7 @@ conditions: ---- + where: + `metricIds`:: Enter the metric ID for user access, such as `github.open_prs`. This policy allows users to read only the specified metrics and restricts access to all other metrics.
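Review bot: In patch 1/5, hunk `@@ -3,13 +3,15 @@`, the added blank line between `.Procedure` and `+. Grant the required permissions by using one of the following methods:` separates the block title from the list it is meant to label; the `.Prerequisite` block a few lines above keeps its title directly attached, so drop the blank line here for the same layout.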
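Review bot: In patch 1/5, hunk `@@ -24,10 +26,36 @@`, the `metricIds: [__]` placeholder in the YAML gives the reader no hint of the expected value or that the key takes a list; use the book's placeholder convention (for example `<metric_id>`) and say that several IDs can be listed, which the later Web UI step ("using commas to separate multiple IDs") already implies. Two smaller points in the same hunk: `+image::rhdh/scorecard-create-role.png[... permission selecrted for a role.]` introduces a typo in the alt text, and the cross-reference `{audit-log-book-link}#managing-authorizations-by-using-the-web-ui` points at the audit-log book for an RBAC Web UI topic, whereas every other RBAC link in this file uses `{authorization-book-link}`. It would also help to state that `roleEntityRef: "role:default/scorecard-viewer"` must be the same role that received `scorecard.metric.read` in the first step, so a reader does not attach the condition to a role that holds no Scorecard permission at all.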
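Review bot: In patch 2/5, hunk `@@ -34,10 +34,18 @@`, the step `+... Select the `HAS_METRIC_ID` rule and specify the plugin IDs, using commas to separate multiple IDs.` should say metric IDs, not plugin IDs: the rule is `HAS_METRIC_ID` and the YAML equivalent in the same hunk is the `metricIds` parameter. The Web UI branch also names the permission `scorecard.metrics.read` with action `Read`, while the first procedure step and the CSV policy use `scorecard.metric.read` and `read`; one of the two spellings is wrong and should be aligned with the real permission name. Minor: stray space before the full stop in `under *Actions* .`, and the nesting markers (`**` > `...` > `****`, then `**` > `....`) are uneven between the two branches; patch 5/5 partly reworks them, so the fix belongs there as well.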
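Review bot: In patch 5/5, hunk `@@ -1,13 +1,13 @@`, the title changes from the gerund form `= Configuring RBAC for Scorecards` to the imperative `= Configure RBAC for Scorecards` while the module keeps `:_mod-docs-content-type: PROCEDURE`; confirm that imperative titles are what the other PROCEDURE modules in this book use before merging, since the earlier patches in this series moved in the opposite direction.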
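Review bot: In patch 5/5, hunk `@@ -32,22 +32,22 @@`, the permission-name mismatch survives the rework: the context line `*** *Name*: `scorecard.metric.read`` and the new line `+** *Name*: `scorecard.metrics.read`` still disagree, as do `read` and `Read` for the action, and the unchanged context line still tells the reader to "specify the plugin IDs" for the `HAS_METRIC_ID` rule. Two consistency points on the new lines: the conditional Web UI steps use `...` for the same depth at which the earlier `* To use the RBAC Web UI` branch uses `..`, and `+[source,yaml,subs="+attributes,+quotes"]` enables quote substitution for the YAML block, which only pays off if the `metricIds` placeholder (outside this hunk's context) is written in the quoted placeholder form that the subs are meant to render.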