Grant user access in OpenShift
Access to the OpenShift platform is self-serve and is available to IDIR users and members of the bcgov organization in GitHub. The platform provides platform and namespace-level access control. Access to the platform requires certain prerequisites and mechanisms to grant access.
Existing bcgov organization members can invite other users to the organization. Every team member may not need access to OpenShift. Consider the security principle of least privilege before requesting platform access and when granting namespace-level access.
On this page
If you want to grant a new user access to OpenShift they must have the following:
- A GitHub account (ideally with a complete profile)
- Two-factor authentication enabled on their GitHub account
Additionally, the namespace where you are adding the new user must have already have been provisioned through the new project provisioning process and must have one or more administrative users.
You can add users in one of the following primary roles:
adminA project manager who can view any resource in the namespace and modify any resource in the namespace except for quota. An
adminuser can delete the namespace
editA user that can modify most objects in a namespace, but can't view or modify roles or bindings. An
edituser can create and delete applications in the namespace
viewA user who can't make any modifications, but can see most objects in a namespace
To add another user with edit role to the namespace who can create and delete applications, use the
oc adm policy command. You must be in the namespace when you run this command.
oc adm policy add-role-to-user edit <collaborator>
<collaborator> with the name of the user as displayed by the
oc whoami command when run by that user.
To remove a user from a namespace, run:
oc adm policy remove-role-from-user edit <collaborator>
To get a list of the users who have access to a namespace, and in what role, a project manager can run:
oc get rolebindings
For more information on adding users, you can watch Using Just Ask! to gain access into the BCGov or BCDevops GitHub Organizations or use the Just Ask! tool.
Request platform access
Note: This process only gives you platform access, not namespace access.
The product owner or a project administrator associated with namespace provisioning makes a request through the Just Ask! tool.
Grant namespace access
Technical leads grant namespace access. For more information, see Using RBAC to define and apply permissions.
Follow these best practices when you grant namespace access to a user:
- For GitHub IDs, enter the username as
- For IDIR IDs, enter just the government email address that is associated with the IDIR account, such as
- All usernames on our platform are lowercase. For example, the username
TheBestDev@githubwon't work, but
- Grant the least privileges needed to do the work. Keep the number of users with administrator access low. Edit is sufficient for most developers
- BC Government organizations in GitHub
- Provision a new project set
- Using Just Ask! to gain access into the BCGov or BCDevops GitHub Organizations
- Add someone to the BC Government GitHub Org
- Using RBAC to define and apply permissions