Grant user access in OpenShift
Access to the OpenShift platform is self-serve and is available to IDIR users and members of the bcgov organization in GitHub. Access control exists at two levels, the platform and the namespace, and each has its own prerequisites and mechanism for granting access.
Existing bcgov organization members can invite other users to the organization. Not every team member needs access to OpenShift. Apply the security principle of least privilege before requesting platform access and when granting namespace-level access.
Prerequisites
If you want to grant a new user access to OpenShift they must have the following:
- A GitHub account (ideally with a complete profile)
- Two-factor authentication enabled on their GitHub account
Additionally, the namespace where you are adding the new user must already have been provisioned through the new project provisioning process and must have one or more administrative users.
Add users
You can add users in one of the following primary roles:
- admin: A project manager who can view any resource in the namespace and modify any resource in the namespace except for quota. An admin user can delete the namespace.
- edit: A user who can modify most objects in a namespace, but can't view or modify roles or bindings. An edit user can create and delete applications in the namespace.
- view: A user who can't make any modifications, but can see most objects in a namespace.
To add another user with the edit role to the namespace, so that they can create and delete applications, use the oc adm policy command. You must be in the namespace when you run this command.
oc adm policy add-role-to-user edit <collaborator>
Replace <collaborator> with the name of the user as displayed by the oc whoami command when run by that user.
To remove a user from a namespace, run:
oc adm policy remove-role-from-user edit <collaborator>
To get a list of the users who have access to a namespace, and in what role, a project manager can run:
oc get rolebindings
For more information on adding users, you can watch Using Just Ask! to gain access into the BCGov or BCDevops GitHub Organizations or use the Just Ask! tool.
Request platform access
Note: This process only gives you platform access, not namespace access.
The product owner or a project administrator associated with namespace provisioning makes a request through the Just Ask! tool.
Grant namespace access
Technical leads grant namespace access. For more information, see Using RBAC to define and apply permissions.
Follow these best practices when you grant namespace access to a user:
- For GitHub IDs, enter the username as mygithubid@github
- For IDIR IDs, enter just the government email address that is associated with the IDIR account, such as john.doe@gov.bc.ca
- All usernames on our platform are lowercase. For example, the username TheBestDev@github won't work, but thebestdev@github does work
- Grant the least privileges needed to do the work. Keep the number of users with administrator access low. Edit is sufficient for most developers
Related links:
- BC Government organizations in GitHub
- Provision a new project set
- Using Just Ask! to gain access into the BCGov or BCDevops GitHub Organizations
- Add someone to the BC Government GitHub Org
- Using RBAC to define and apply permissions