
In this example, we will create three roles, ProductManagerRole, ServiceEngineerRole and DeveloperRole, and then assign these roles to three different users.

Here, ProductManagerRole is at the top of the role hierarchy, followed by ServiceEngineerRole and then DeveloperRole.

In this role hierarchy setup, the Product Manager user has the authority to assign the ServiceEngineerRole and DeveloperRole to other users. However, the Product Manager user does not have the privilege to assign the Product Manager role to any user.

The ServiceEngineerRole is permitted to assign the DeveloperRole to other users, but it does not have the capability to assign the ServiceEngineerRole or ProductManagerRole to any user.

On the other hand, the Developer user lacks User Operation access, which means they are unable to assign any role to other users, regardless of that role's level.

To summarize:

  • Product Manager user: Can assign ServiceEngineerRole and DeveloperRole, but not ProductManagerRole.
  • Service Engineer user: Can assign DeveloperRole, but not ServiceEngineerRole or ProductManagerRole.
  • Developer user: Does not have User Operation access, so they cannot assign any role to other users.

Here are the steps for creating the role hierarchy:

1. Authentication.

Log in with super-admin credentials: Log in to RainMaker with the credentials of the super-admin user created at the time of RainMaker deployment. Use Postman or any other API testing tool to log in.

POST: <base_url>/v1/login2

Request body

{
"user_name": "<user_name>",
"password":"<password>"
}

2. Enable RBAC: Enable RBAC with deployment settings API.

In this example we do not want users to attach roles at their own role level, so allow_same_role_level is set to false. Specify allow_same_role_level as true if you want to allow users to attach roles to other users at the same role level as the current user's role level.

PUT: /v1/admin/deployment_settings/config/rbac 

Request body

{ 
"rbac_enabled": true,
"allow_same_role_level": <true/false>
}

RBAC configuration changes might take 5-10 minutes to take effect.

3. Create required policies.

POST: /admin/policy

Request body

{
"policy_name": "<policy_name>",
"policy_json": <policy_json>
}
  • Create OTA image access policy:

    Policy Name: OTAImageFullAccessPolicy | Policy JSON: OTA Image Full Access Policy JSON

  • Create policy for OTA job access:

    Policy Name: OTAJobFullAccessPolicy | Policy JSON: OTA Job Full Access Policy JSON

  • Create policy for User Operation access:

    Policy Name: UserOperationAccessPolicy | Policy JSON: User operation Policy JSON

Note that the role definitions in the next step also reference UserDeleteAccessPolicy, NodeAccessPolicy and ReadAllPolicy. Every policy named in a role must already exist before the role is created, so create those policies in this step as well, with policy JSON appropriate to your deployment.

4. Create roles

Create the roles that you want to assign to users. It is expected that you specify the correct role level according to your needs. For example, if you want the Service Engineer user to be able to create Developer users, you should create the roles with role_level values such that the Service Engineer role is higher than the Developer role in the role hierarchy, i.e. the role_level value is lower for the Service Engineer role than for the Developer role.

POST: /admin/role

Request body

{
"role_name": "<role_name>",
"policies": [
"<policy1_name>",
"<policy2_name>"
],
"role_level": <role_level>
}

role_level is an integer; a lower value places the role higher in the hierarchy.

i. Create the Product Manager role. Attach the OTA image, OTA job, User operation, User delete and Node access policies to this role. Assign role level 10 to this role.

{ 
"role_name": "ProductManagerRole",
"policies": [
"OTAImageFullAccessPolicy",
"OTAJobFullAccessPolicy",
"UserOperationAccessPolicy",
"UserDeleteAccessPolicy",
"NodeAccessPolicy"
],
"role_level": 10
}

ii. Create the Service Engineer role. Attach the Read all and User operation policies to this role. As this role comes below the Product Manager role, assign a higher role level value to it. Here, we assign role level 15 to the role.

{
"role_name": "ServiceEngineerRole",
"policies": [
"ReadAllPolicy",
"UserOperationAccessPolicy"
],
"role_level": 15
}

iii. Create the Developer role. Attach the OTA job and Node access policies. This role comes below Service Engineer in the role hierarchy, hence assign a role level greater than 15.

{
"role_name": "DeveloperRole",
"policies": [
"OTAJobFullAccessPolicy",
"NodeAccessPolicy"
],
"role_level": 20
}

5. Assign roles to the user:

Attach roles to the users. Here, we assume that we are assigning roles to already existing users.

A user can get their user_id by calling the GET /user API after logging in.

Use the User Role API below to attach roles to the required users.

PUT: /admin/user_role
Query Params: user_id=<user_id>&operation=add

Request body

{ 
"roles": [
"<role1_name>",
"<role2_name>"
]
}

i. Update the Product Manager user's role to attach: ProductManagerRole

ii. Update the Service Engineer user's role to attach: ServiceEngineerRole

iii. Update the Developer user's role to attach: DeveloperRole

Once the above steps are completed, users will be able to access the APIs permitted by the policies in their roles. A user will also be able to assign a role to other users only if they hold User Operation access and their most privileged role (the one with the lowest role_level value) has a lower role_level value than the role to be attached, or the same value when allow_same_role_level is true.
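The following Python script is an added example, not RainMaker's own code, that models the role-hierarchy rule described on this page. It encodes the three roles exactly as created in step 4, decides whether a holder of given roles may attach a target role (User Operation access required; lower role_level value wins; same level only when allow_same_role_level is true), and builds the PUT /admin/user_role request from step 5 only when that check passes. Two assumptions are labelled in the code: that UserOperationAccessPolicy is the policy that grants User Operation access, and that the user_id "user-123" is a constructed placeholder. The script runs offline and does not call the RainMaker API.

```python
"""Local model of the RainMaker role-hierarchy rule (added example, not RainMaker code)."""
from urllib.parse import urlencode

# Role definitions exactly as created in step 4 of the page.
ROLES = {
    "ProductManagerRole": {
        "policies": ["OTAImageFullAccessPolicy", "OTAJobFullAccessPolicy",
                     "UserOperationAccessPolicy", "UserDeleteAccessPolicy",
                     "NodeAccessPolicy"],
        "role_level": 10,
    },
    "ServiceEngineerRole": {
        "policies": ["ReadAllPolicy", "UserOperationAccessPolicy"],
        "role_level": 15,
    },
    "DeveloperRole": {
        "policies": ["OTAJobFullAccessPolicy", "NodeAccessPolicy"],
        "role_level": 20,
    },
}

# Assumption of this model: this policy is what grants "User Operation access".
USER_OPERATION_POLICY = "UserOperationAccessPolicy"


def has_user_operation_access(assigner_roles):
    """True if any of the assigner's roles carries the user-operation policy."""
    return any(USER_OPERATION_POLICY in ROLES[r]["policies"] for r in assigner_roles)


def effective_level(assigner_roles):
    """Most privileged level held: the smallest role_level value among the roles."""
    return min(ROLES[r]["role_level"] for r in assigner_roles)


def can_assign(assigner_roles, target_role, allow_same_role_level=False):
    """Hierarchy rule: need user-operation access and a role strictly above the
    target (lower role_level value), or at the same level if the deployment
    setting allow_same_role_level is true."""
    if not assigner_roles or not has_user_operation_access(assigner_roles):
        return False
    own = effective_level(assigner_roles)
    target = ROLES[target_role]["role_level"]
    return own < target or (allow_same_role_level and own == target)


def build_user_role_request(assigner_roles, user_id, roles_to_add,
                            allow_same_role_level=False):
    """Return (method, path_with_query, body) for PUT /admin/user_role, or
    raise PermissionError if the hierarchy rule would reject the request."""
    denied = [r for r in roles_to_add
              if not can_assign(assigner_roles, r, allow_same_role_level)]
    if denied:
        raise PermissionError(
            f"cannot attach {denied} while holding {sorted(assigner_roles)}")
    query = urlencode({"user_id": user_id, "operation": "add"})
    return ("PUT", f"/admin/user_role?{query}", {"roles": list(roles_to_add)})


def assignment_matrix(allow_same_role_level=False):
    """For each role, the sorted list of roles its holder may attach to others."""
    return {
        holder: sorted(t for t in ROLES
                       if can_assign([holder], t, allow_same_role_level))
        for holder in ROLES
    }


if __name__ == "__main__":
    for holder, targets in assignment_matrix().items():
        print(f"{holder:<20} may attach: {targets or 'nothing'}")
    # "user-123" is a constructed placeholder, not a real RainMaker user_id.
    print(build_user_role_request(["ProductManagerRole"], "user-123", ["DeveloperRole"]))
```

The matrix reproduces the summary at the top of the page: the Product Manager may attach ServiceEngineerRole and DeveloperRole, the Service Engineer only DeveloperRole, and the Developer nothing because the role carries no user-operation policy, so flipping allow_same_role_level to true lets the Product Manager attach ProductManagerRole but still grants the Developer nothing.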