
A role can be associated with multiple policies, and the role inherits the permissions granted by all of the attached policies. Deny takes precedence: if any attached policy explicitly denies an operation, that operation is denied for the role even if another attached policy allows it.

Example of Granting permissions to users

In this example, we will see how a SuperAdmin can enable RBAC and create roles that grant other users access to specific operations.

1. Authentication

Log in with super-admin credentials: Log in to RainMaker with the credentials of the super-admin user created at the time of RainMaker deployment. Use Postman or any other API client to send the request.

POST: http://<base_url>/v1/login2

Request body

{
  "user_name": "<user_name>",
  "password": "<password>"
}

2. Enable RBAC: Enable RBAC with the deployment settings API.

Set allow_same_role_level to true only if you want users to be able to attach roles to other users whose role level equals the current user's own role level. Leave it false unless you need that lateral assignment, since it widens who can grant a given role.

PUT: http://<base_url>/v1/admin/deployment_settings/config/rbac

Request body

{
  "rbac_enabled": true,
  "allow_same_role_level": <true/false>
}

RBAC configuration changes can take 5-10 minutes to take effect; verify with a test user before relying on them.

3. Create policy

Create required policies according to the operations you want to grant.

POST: http://<base_url>/v1/admin/policy

Request body

{
  "policy_name": "<policy_name>",
  "policy_json": {<policy_json>}
}

4. Create Role

Create the roles you want to assign to users. Choose each role_level deliberately, because it determines the role hierarchy. For example, if you want a Service Manager user to be able to create Developer users, set the role levels so that the Service Manager role is higher than the Developer role in the hierarchy.

POST: http://<base_url>/v1/admin/role

Request body

{
  "role_name": "<role_name>",
  "policies": [
    "<policy1_name>",
    "<policy2_name>"
  ],
  "role_level": <role_level>
}

5. Assign roles to the user

If the user already exists, attach roles to the existing user by specifying the user's unique user_id in the query parameters. To obtain the user_id, the user can log in to RainMaker with their own credentials and call the GET /user API. Once you have the user_id, attach the role to the user.

PUT: http://<base_url>/v1/admin/user_role
Query Params: user_id=<user_id>&operation=add

Request body

{
  "roles": [
    "<role1_name>",
    "<role2_name>"
  ]
}

If the user does not exist, create a new user.

POST: http://<base_url>/v1/admin/user2

Request body

{
  "user_name": "<user_email/phone_no>",
  "roles": [
    "<role1_name>",
    "<role2_name>"
  ]
}

Once these steps are complete, users can access only those admin and platform management APIs for which access has been granted through the roles attached to them.
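The five steps above, scripted end to end as an added example; this is not RainMaker's own client code. The endpoints, methods and request bodies are the ones listed above. The base URL, credentials, user_id, policy name, role name, policy_json contents and role_level value are constructed placeholders, and the script assumes (not stated on this page) that the login2 response returns the session token in an accesstoken field and that admin calls send it in an Authorization header. The HTTP transport is pluggable so the sequence can be exercised offline against a recording stub before it is pointed at a real deployment.

```python
"""Script the RainMaker RBAC setup: login, enable RBAC, create policy,
create role, attach role, create user. Added example, not project code."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Transport signature: (method, url, json_body_or_None, headers) -> response dict
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], dict]


def urllib_transport(method: str, url: str, body: Optional[dict],
                     headers: Dict[str, str]) -> dict:
    """Real transport: send a JSON request with the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode() or "{}")


class RbacSetup:
    """Thin wrapper over the admin endpoints used in the procedure."""

    def __init__(self, base_url: str, transport: Transport = urllib_transport,
                 token_header: str = "Authorization"):  # header name is an assumption
        self.base = base_url.rstrip("/") + "/v1"
        self.transport = transport
        self.token_header = token_header
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None,
              params: Optional[dict] = None) -> dict:
        url = self.base + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        # No auth header until login has succeeded.
        headers = {self.token_header: self.token} if self.token else {}
        return self.transport(method, url, body, headers)

    def login(self, user_name: str, password: str) -> dict:
        resp = self._call("POST", "/login2", {"user_name": user_name, "password": password})
        self.token = resp["accesstoken"]  # assumption: token field name
        return resp

    def enable_rbac(self, allow_same_role_level: bool = False) -> dict:
        return self._call("PUT", "/admin/deployment_settings/config/rbac",
                          {"rbac_enabled": True, "allow_same_role_level": allow_same_role_level})

    def create_policy(self, name: str, policy_json: dict) -> dict:
        return self._call("POST", "/admin/policy", {"policy_name": name, "policy_json": policy_json})

    def create_role(self, name: str, policies: List[str], role_level: int) -> dict:
        return self._call("POST", "/admin/role",
                          {"role_name": name, "policies": list(policies), "role_level": role_level})

    def attach_roles(self, user_id: str, roles: List[str]) -> dict:
        return self._call("PUT", "/admin/user_role", {"roles": list(roles)},
                          params={"user_id": user_id, "operation": "add"})

    def create_user(self, user_name: str, roles: List[str]) -> dict:
        return self._call("POST", "/admin/user2", {"user_name": user_name, "roles": list(roles)})


class RecordingTransport:
    """Offline stand-in for the server: records requests, returns canned replies."""

    def __init__(self) -> None:
        self.calls: List[dict] = []

    def __call__(self, method: str, url: str, body: Optional[dict],
                 headers: Dict[str, str]) -> dict:
        self.calls.append({"method": method, "url": url, "body": body, "headers": dict(headers)})
        if url.endswith("/login2"):
            return {"accesstoken": "tok-123"}  # constructed token
        return {"status": "success"}


def run_example(transport: Optional[Transport] = None) -> RecordingTransport:
    """Run the full procedure; all values below are constructed placeholders."""
    t = transport or RecordingTransport()
    api = RbacSetup("http://rainmaker.example", transport=t)
    api.login("superadmin@example.com", "s3cret")
    api.enable_rbac(allow_same_role_level=False)   # keep lateral role grants off
    api.create_policy("developer-policy", {"example": "placeholder"})  # hypothetical policy_json
    api.create_role("Developer", ["developer-policy"], role_level=2)    # illustrative level
    api.attach_roles("user-id-abc", ["Developer"])  # existing user
    api.create_user("dev@example.com", ["Developer"])  # new user
    return t
```

To run it for real, pass `urllib_transport` (the default) and a real base URL and credentials; the recording stub is only there so the request sequence, the absence of an auth header on the login call and its presence on every admin call can be checked before touching a live deployment.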