New Feature

Starting with Release 2.7.2, Kloudfuse manages RBAC through the User Interface. It no longer supports policy configuration at script level.
Follow these Upgrade Instructions to fully migrate your existing KloudFuse RBAC configuration to release 2.7.2.

2.7.2.png Use the Admin tab to perform the various RBAC workflows and configurations through the UI:

User Management
Folder Management
Group Management
Policy Management
Policy Config Management

The Admin tab

Manage Users

This section covers topics related to managing users in Kloudfuse.

Users must have unique emails.
You must have at least one user with Admin role. Be sure to specify this user either through the htpasswd file (see Adding users or changing password), or keep the default Admin user that installs with Kloudfuse).

User management actions can be performed only by users with Admin privileges.
Kloudfuse fully provisions users on their initial (first) login.

User Management interface

To manage users, follow these steps:

Click the Admin tab.
Select User Management from the menu.
The User Management interface appears. It contains the following:
1. Search bar to locate specific users
2. List of users, including their Name, Login, Email, and Role.

Proceed to make changes, as described in Assign Roles, Assign Names, and Delete a User.

Assign Roles

There are three possible roles for users: Admin (can change roles and permissions), Editor (can make some changes), and Viewer (can only view data, but cannot make any changes).

By default, Kloudfuse assigns the Editor role to all users. Each organization can configure their own choice of default role for new users.

To change the user’s role, follow these steps:

Hover your pointer over the Role you plan to change.
Here, we are changing the role of user7, who is currently and Editor.
When the Edit (pencil) icon appears, click on it.
Begin editing the role assigned to the user
The User Management interface changes to show the detail of the specific user.
User Management: detail of one user
In the Role section, click Change Role.
When the Role menu appears, select a new role.
Here, we are change the role from Editor to Admin.

Changing the role from Editor to Admin
Click Save.

You should see a notification that Kloudfuse changed the role successfully.

The User Management interface now lists user7 as Admin.

user 7 has an Admin role

Assign Names

When a user first signs into Kloudfuse, they don’t automatically have their name added to the system.

To assign the name, follow these steps:

Hover your pointer over the role of the user to whom you plan to assign a name.
Here, we are changing the name of user7.
When the Edit (pencil) icon appears, click on it.
Edit user
The User Management interface changes to show the detail of the specific user.
User Management: detail of the user
In the Name section, click the Edit (pencil) icon.
In the Enter name field, enter the name of the user.

Edit Name
Click Save.

You should see a notification that Kloudfuse changed the name successfully.

The User Management interface now lists user7 as Pippi Longstocking.

user7 is named Pippi Longstocking

Delete a User

Admins can also delete users from the Kloudfuse system.

Follow these theps

Hover your pointer over the role of the user you plan to delete from the system.
When the Delete (trashcan) icon appears, click it.
Here, we are deleting user15.
Deleting a user
Kloudfuse prompts you to confirm deleting a user.
You can click Delete to confirm, or Cancel to stop deleting the user.

Confirm or cancel deleting the user

You should see a notification that Kloudfuse deleted the user successfully.

The User Management interface no longer lists user15.

Manage Folders

In Kloudfuse, Folder Management controls access to Dashboards and Alerts.

You can Create a Folder, Update Folder Name, Change Folder Permissions, Add Folder Permissions, Delete Folder Permissions, and Delete Folders.

Using folders, you can also isolate specific dashboards and alerts from being changed by both editors and viewers. See Limit Editor Access.

Create a Folder

Click the Add New Folder button.
Add new folder.
The Create Folder interface appears.
In the Create Folder interface, enter the Folder name, and click Create New Folder.
Here, we create a folder named MyFirstFolder.
Name and create a new folder
Kloudfuse notifies you that you successfully added a new folder.

The new folder now appears in the Folder Management interface.

New folder appears in the Folder Management interface

Update Folder Name

Hover your pointer over the Folder Name that you plan to change.
When the Edit (pencil) icon appears, click on it.
Edit folder
The Update Folder interface appears.
In the Folder Name field, change the name.
Here, we update the name of the folder to forecast.

Change Folder Name
Click Update Folder.

Change Folder Permissions

Hierarchy of permissions
Kloudfuse applies the highest permission a user has to access a resource. To prevent a user from accessing a folder or dashboard, consider their role in the organization, folder permissions, and dashboard permissions.

You cannot override organization administrator permissions; they can access all resources.
User’s permissions on a folder apply to all dashboards and subfolders.
An explicitly set lower permission level is ineffective if a more permissive rule applies higher in folder/dashboard hierarchy.

Hover your pointer over the Folder Name field of the folder you plan to change
When the Permission Settings (gear) icon appears, click it.
Here, we change the permissions for folder forecast.
Change Permission Settings
The Folder Settings of forecast interface appears.
Folder settings include assignments by Role (these correspond to Grafana roles), by individual User (if present), and by Group (if present).
Folder Settings
For example, to give users with Viewer role permissions to change the folder contents, set that permission to Editor.
To add more permissions to the same folder, see Add Folder Permissions.
To delete permissions, see Delete Folder Permissions.
When you complete adding or changing folder permissions, close the Folder Settings interface.

Add Folder Permissions

To add additional permissions to the folder, click the Add Permission to Folder button in the Folder Settings interface.
The interface shows options for defining the new permission where you can specify the level of the permission (at User, Group, or Role level), search, and choose the permission level (Admin, Edit, View).
Defining a new permission
Here, we grant Edit permissions to the favorite_people group.

Adding a new group permission
Click Save.
Kloudfuse notifies you that you successfully added the group (or user, or role) to the folder.
The Folder Settings interface displays the entity that has new permissions to the folder.
Here, because favorite_people is the first group with permissions to the folder, the interface has a new Groups section.

New Group permission added to the folder.
When you complete adding or changing folder permissions, close the Folder Settings interface.

Delete Folder Permissions

The Role for Admins is fixed, and you cannot delete it.
Hover your pointer at the right-hand of the line, and click the Lock icon. Note that nothing happens.
Cannot delete Admin role
You can remove the other two roles, Editor and Viewer.
Hover your pointer at the right-hand side of the line, and click the Delete (cross) icon.
In both cases, Kloudfuse notifies you that it successfully removed these roles.

Can delete Editor role

Can delete Viewer role
Similarly, you can remove the folder permissions for both Users and Groups.
When you finish deleting folder permissions, close the Folder Settings interface.

Delete a Folder

The Folder Management interface provides an option for deleting a folder.

Kloudfuse does not allow users to delete Folders that contain Alerts.
However, you can delete Folders with Dashboards, or empty Folders.

To delete a folder, follow these steps:

Hover your pointer over
When the Delete (trashcan) icon appears, click it.

Delete a Folder
Kloudfuse prompts you to confirm deleting a folder.
You can click Delete to confirm, or Cancel to stop deleting the folder.

Confirm deleting a folder

You should see a notification that Kloudfuse deleted the folder successfully.

The Folder Management interface no longer lists My1stFolder.

Limit Editor Access

It is possible for a user with Editor role to create dashboards and alerts that only they and users with Admin role can change. All other users with Edit role can only view these dashboards and alerts.

To accomplish this, follow these steps:

Create a new folder.
Here, we create the folder Limited Access.
See Create Folder.
Create a new folder, named “Limited Access”
Kloudfuse adds the new folder to the Folder Management interface.
Hover your pointer over the name field of the Limited Access folder, and click the Configuration (gear) icon.
In the Change Settings for Limited Access interface, change the Editor role permissions on the folder to Viewer.

Change Editor permission to Viewer
Create new dashboards and alerts in your folder.
If you move existing dashboards and alerts into the new folder, they keep their own access permissions, and may still be edited by other users with Editor role.
Have another user with Editor role sign into the system, and attempt to open the configuration of the folder.
They should see an error.

Error because user should not be able to access configuration for the folder
Similarly, when they review Dashboards and Alerts in the Limited Access folder, they cannot edit or delete them.

Manage Groups

This section discusses topics related to managing groups in Kloudfuse.

Groups must have unique names.

Group Management interface

To manage groups, follow these steps.

Click the Admin tab.
Select Group Management from the menu.
The Group Management interface appears. It contains the following:
1. Search bar to locate specific groups
2. Add New Group button
3. List of existing groups, including the group Name, Email, and the number of Members.

Proceed to make changes, as described in Find a Group, Create a New Group, Assign Group Members, Change a Member’s Permissions, Update Group Email, and Delete a Group.

Find a Group

In large organizations, it may be hard to find an existing group.

Kloudfuse enables easy find through our Search function.

In Group Management, click the Search bar.
Start typing the key word, and Kloudfuse automatically filters the list of potential matches.
Here, we are looking the group we created in Create a New Group, favorite_people.
When you find the group you plan to change, hover over the Members field, and select the Edit (pencil) icon to start making the planned changes.
Searching for a group name

Create a New Group

Admin users can create new groups.

To create a new group, follow these steps:

Click the Add New Group button.
The New Group interface appears.

New Group interface
Create a new group by specifying these fields:
- Name
  Enter the name of the new group.
- Email
  Enter the email associated with the group.
Click Create.
Here, we created a new group with name favorite_people, and email heros
Creating a new group
You should see a notification that Kloudfuse successfully created the new group.
The New Group detail interface appears.
Group Management detail for a newly created group

You can assign group members and their permissions, update the group email, or exist.

Assign Group Members

Group members can have one of two roles within the group, an Admin or a Member:

Admin
This member can manage the group.
Member
This member cannot change group parameters or permissions of other members.

To assign members to a group, follow these steps:

Click the Add Member button in the Group Management detail interface for the group you plan to change.
This could be a new group that you just created, or a group that existed for some time.
The Members section expands so you can select or find an existing user, assign their role withing the group, and review their permissions.
Adding user to group
To select a user from the User menu, click the down-arrow, and click on a user in the list.
Alternatively, search for the user by username, or search …
You can change the role within the group before adding the user. By default, all users have Member group role; you can change it to Admin.
Here, we add user7 as Member.

Choosing users to add to group, and assign group role
Click Save.
Kloudfuse confirms that you successfully added a new member to the group, and updates the list of members.

First user added to the group
Proceed to add more users to the group.
Notice that the number in the Members field increases with each new member of the group.
Membership numbers increases

Change a Member’s Permission

By default, each new person that you add to a group has a Member permission level. You can easily change the permission to Admin, or change an Admin to Member.

To change the Permission of a group member, follow these steps:

Select the group where you want to make a change.
If you are struggling to locate the correct group, see Find a Group.
In the Members section of the Group Management detail interface of the group, click the Permission field, and select a different permission.
Here, we change the permission for user5 from Member to Admin.

Changing a group member’s permission
Kloudfuse notifies you that the permission is successfully updated.
The Members section of the Group Management detail interface shows the changed permission.
Here, user5 is now an Admin.

Group member with new permission, changed from Member to Admin

Update Group Email

To change the Email of an existing group, follow these steps:

Select the group where you want to make a change.
If you are struggling to locate the correct group, see Find a Group.
In the Settings section of the Group Management detail interface of the group, click the Email field, and enter a new email.
Here, we change the email for group favorite_people from heroes@kloudfuse.com to favorites@kloudfuse.com.

Delete a Group

As organizational needs change, we recommend that you delete groups that no longer serve a business need.

To delete a group, follow these steps:

Hover your pointer over the Members field of the group you plan to delete from the system.
When the Delete (trashcan) icon appears, click it.
Here, we are deleting the group test2.

Delete a group
Kloudfuse prompts you to confirm deleting the group.
You can click Delete to confirm, or Cancel to stop deleting the group.

Confirm or cancel deleting the group

You should see a notification that Kloudfuse deleted the group successfully.

The Group Management interface no longer lists the group test2.

Manage Policies

Policies are filters that determine the access that users and group have to various assets and artifacts of their organization.

Policies must have unique names.

When a user has multiple policies due to membership in multiple groups, these policy filters apply as a union (in other words, it uses the OR logical operator).

2.7.3.png Users who don’t have an explicitly assigned policy get the default access, specified in Default Policy.

To manage policies, follow these steps:

Click the Admin tab.
Select Policy Management.
The Policy Management interface appears.
It has the following components:
- Search bar to locate specific policies
- List of policies, including the Policy Name, Type, and Scope.

Policy Management

Proceed to make changes, as described in Change a Policy, Add a New Policy, and Delete a Policy.

Change a Policy

To change an existing policy, follow these steps:

Hover Hover your pointer over the Scope field of the policy you plan to change.
When the Edit (pencil) icon appears, click on it.
Changing a policy
The Edit Policy interface appears.
You can change the Name of the policy, its Type, and its Key (the Operator / Value) tuple.
You can build the key using logical operators, or regex expressions.
You can also delete the existing key, and add another key as a filter.
Here, we are changing the namespace_only policy by swapping the operator = (equal) to =~ (regex similar to).
Click Save Policy.
Kloudfuse confirms that you successfully changed the policy.

Note the changes in the policy as it appears on the Policy Management interface.

Changes to the policy

Add a New Policy

To add a new policy, follow these steps:

In that Admin tab, select Policy Management.
The Policy Management interface appears.
It has the following components:
- Search bar to locate specific policies
- List of policies, including the Policy Name, Type, and Scope.
Click the Add New Policy button.
The Add Policy interface appears.
In the interface, specify these fields:
- Name
  Choose a meaningful and descriptive name for your new policy
- Type
  The options are Custom (default), All, or None.
  You can build custom policies using the Key/Operator/Value specification.
Here, we specify a custom policy test1 with Key kube_namespace, Operator = (equals), and Value octel.

Adding a Policy
[Optional] You can use multiple filters to define your custom policies. Click the Add Filter button and proceed.
After you finish defining your new policy, click Save Policy.

Kloudfuse confirms that you successfully created a new policy.

Note that the new policy appears on the Policy Management interface.

New policy in list of policies

Delete a Policy

To delete an existing policy from your RBAC configuration, follow these steps:

Hover your pointer over the Scope field of the policy you plan to delete from the system.
When the Delete (trashcan) icon appears, click it.
Deleting a policy
Kloudfuse prompts you to confirm deleting the policy.
You can click Delete to confirm, or Cancel to stop deleting the policy.

Confirm or cancel deleting the policy

You should see a notification that Kloudfuse deleted the policy successfully.

The Group Management interface no longer lists the policy test1.

Manage Policy Configuration

Policy configuration in Kloudfuse consists of assigning existing policies to user groups, or removing this assignment.

If a user belongs to more than one group, Kloudfuse combines the filters as a union, or a logical OR operator.

For example,

Group A has a policy that allows its members to see data in Namespace A.
Group B has a policy that allows its members to see data in Namespace B.
User belongs both to Group A and Group B. They can therefore see data in both namespaces.

This section discusses topics related to managing policy configurations in Kloudfuse.

This section describes how to add or delete a policy configuration.

Add a New Policy Configuration

To add a new policy configuration, follow these steps:

In that Admin tab, select Policy Config Management.
The Policy Config Management interface appears.

Policy Config Management interface
Click the Add New Policy Config button.
The interface for creating a new policy configuration appears.
New policy fields
Select an existing Policy and a Group where you plan to apply it.
Here, we choose to apply the policy rbac_service_only to the group test group.
Adding a new policy configuration
Click Save.
You should see a notification that Kloudfuse added the new policy configuration successfully.

The new policy configuration now appears in the interface.

New policy configuration added to the list

Delete a Policy Configuration

To delete a policy configuration, follow these steps:

Hover over the Group Name filed.
When the Delete (trashcan) icon appears, click it.

Deleting a policy configuration
Kloudfuse prompts you to confirm deleting the policy configuration.
You can click Delete to confirm, or Cancel to stop deleting the policy configuration.

External

RBAC: Using the Admin Tab