From faa5df5400ecac52d5460a93eaed40fddd7c5253 Mon Sep 17 00:00:00 2001 From: Andrew Taylor Date: Fri, 6 Mar 2020 16:42:41 -0500 Subject: [PATCH] Added information about the dedicated-admin role --- .../dedicated-managing-service-accounts.adoc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/modules/dedicated-managing-service-accounts.adoc b/modules/dedicated-managing-service-accounts.adoc index 195fae708b..684a220552 100644 --- a/modules/dedicated-managing-service-accounts.adoc +++ b/modules/dedicated-managing-service-accounts.adoc @@ -9,6 +9,24 @@ Service accounts are API objects that exist within each project. To manage service accounts, you can use the `oc` command with the `sa` or `serviceaccount` object type or use the web console. +The *dedicated-admin* service creates the *dedicated-admins* group. This group is +granted the roles at the cluster or individual project level. Users can be +assigned to this group and group membership defines who has OpenShift Dedicated +administrator access. However, by design, service accounts cannot be added to +regular groups. + +Instead, the dedicated-admin service creates a special project for this purpose +named *dedicated-admin*. The service account group for this project is granted +OpenShift Dedicated *admin* roles, granting OpenShift Dedicated administrator +access to all service accounts within the *dedicated-admin* project. These service +accounts can then be used to perform any actions that require OpenShift +Dedicated administrator access. + +Users that are members of the *dedicated-admins* group, and thus have been granted +the *dedicated-admin* role, have `edit` access to the *dedicated-admin* project. This +allows these users to manage the service accounts in this project and create new +ones as needed. + To get a list of existing service accounts in the current project, run: ----
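Review bot: the added paragraphs name the privilege inconsistently: the first says the *dedicated-admins* group "is granted the roles" without saying which, the second says the service account group is granted "OpenShift Dedicated *admin* roles", and the third refers to "the *dedicated-admin* role"; use one role name throughout and state which binding is at cluster level and which is at project level. The security consequence of the third paragraph should also be stated explicitly: since `edit` on the *dedicated-admin* project lets a member create service accounts that inherit administrator access, `edit` on that project is equivalent to administrator access, and tokens for those service accounts must be handled as administrator credentials. Minor: the first paragraph bolds *dedicated-admin* service while the second writes "the dedicated-admin service" in plain text; pick one.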