RH Developer Hub Planning: RHDHPLAN-366

[RBAC] Support default role and permissions


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • RBAC Plugin

      Feature Overview (aka. Goal Summary)

      Support defining `defaultRole` via the RBAC configuration in `app-config.yaml`.

      This feature partially addresses these requirements:

      1. When using Backstage's Sign-In without Users in the Catalog feature, the @backstage-community/plugin-rbac-backend cannot evaluate permissions for users not present in the catalog.
      2. Avoid requiring 'all-employee' groups, as mentioned in the wildcard support request: https://issues.redhat.com/browse/RHIDP-6493

      This request comes from the community (https://github.com/backstage/community-plugins/issues/5358), and contributions have already been made for it:

      1. default role: https://github.com/backstage/community-plugins/pull/4350
      2. default permissions: https://github.com/backstage/community-plugins/pull/3908 

      Goals (aka. expected user outcomes)

      The goal is to support defining defaultRole via configuration file for all authenticated users.

      Requirements (aka. Acceptance Criteria):

      • As an admin, I want to be able to define a default role directly within the `app-config.yaml` file, so that I don't have to manually create an all-users group and assign every user to it.

      Customer Considerations (Optional)

      The RBAC plugin currently requires explicit role assignment for every user or group to receive permissions. For large organizations, this creates a significant administrative burden when you want to provide baseline permissions to all authenticated users.

      Currently, to provide baseline permissions to all users in a Backstage instance, you must:

      1. Create a group containing all users, or
      2. Use the admin users configuration (which grants unlimited access), or
      3. Manually assign every individual user to a role

      For organizations with large user bases, none of these approaches are scalable or maintainable:

      • Group-based approach: Requires maintaining group membership for every user
      • Admin Users: Provides unlimited access, which is too permissive for baseline permissions
      • Individual assignment: Not feasible for large user counts

      Documentation Considerations

      • As a platform engineer, I want to be able to find information on how to configure default role and permissions via configuration file.

      Assignee: Unassigned
      Reporter: Dominika Zemanovicova (rh-ee-dzemanov)