// Module included in the following assemblies: // * observability/logging/logging-6.2/log6x-loki-6.2.adoc :_mod-docs-content-type: REFERENCE [id="loki-rbac-rules-permissions_{context}"] = Authorizing LokiStack rules RBAC permissions Administrators can allow users to create and manage their own alerting and recording rules by binding cluster roles to usernames. Cluster roles are defined as `ClusterRole` objects that contain necessary role-based access control (RBAC) permissions for users. The following cluster roles for alerting and recording rules are available for LokiStack: [options="header"] |=== |Rule name |Description |`alertingrules.loki.grafana.com-v1-admin` |Users with this role have administrative-level access to manage alerting rules. This cluster role grants permissions to create, read, update, delete, list, and watch `AlertingRule` resources within the `loki.grafana.com/v1` API group. |`alertingrules.loki.grafana.com-v1-crdview` |Users with this role can view the definitions of Custom Resource Definitions (CRDs) related to `AlertingRule` resources within the `loki.grafana.com/v1` API group, but do not have permissions for modifying or managing these resources. |`alertingrules.loki.grafana.com-v1-edit` |Users with this role have permission to create, update, and delete `AlertingRule` resources. |`alertingrules.loki.grafana.com-v1-view` |Users with this role can read `AlertingRule` resources within the `loki.grafana.com/v1` API group. They can inspect configurations, labels, and annotations for existing alerting rules but cannot make any modifications to them. |`recordingrules.loki.grafana.com-v1-admin` |Users with this role have administrative-level access to manage recording rules. This cluster role grants permissions to create, read, update, delete, list, and watch `RecordingRule` resources within the `loki.grafana.com/v1` API group. |`recordingrules.loki.grafana.com-v1-crdview` |Users with this role can view the definitions of Custom Resource Definitions (CRDs) related to `RecordingRule` resources within the `loki.grafana.com/v1` API group, but do not have permissions for modifying or managing these resources. |`recordingrules.loki.grafana.com-v1-edit` |Users with this role have permission to create, update, and delete `RecordingRule` resources. |`recordingrules.loki.grafana.com-v1-view` |Users with this role can read `RecordingRule` resources within the `loki.grafana.com/v1` API group. They can inspect configurations, labels, and annotations for existing alerting rules but cannot make any modifications to them. |=== [id="loki-rbac-rules-permissions-examples_{context}"] == Examples To apply cluster roles for a user, you must bind an existing cluster role to a specific username. Cluster roles can be cluster or namespace scoped, depending on which type of role binding you use. When a `RoleBinding` object is used, as when using the `oc adm policy add-role-to-user` command, the cluster role only applies to the specified namespace. When a `ClusterRoleBinding` object is used, as when using the `oc adm policy add-cluster-role-to-user` command, the cluster role applies to all namespaces in the cluster. The following example command gives the specified user create, read, update and delete (CRUD) permissions for alerting rules in a specific namespace in the cluster: .Example cluster role binding command for alerting rule CRUD permissions in a specific namespace [source,terminal] ---- $ oc adm policy add-role-to-user alertingrules.loki.grafana.com-v1-admin -n ---- The following command gives the specified user administrator permissions for alerting rules in all namespaces: .Example cluster role binding command for administrator permissions [source,terminal] ---- $ oc adm policy add-cluster-role-to-user alertingrules.loki.grafana.com-v1-admin ----