// Module included in the following assemblies: // // * authentication/using-rbac.adoc // * post_installation_configuration/preparing-for-users.adoc :_mod-docs-content-type: PROCEDURE [id="adding-roles_{context}"] = Adding roles to users You can use the `oc adm` administrator CLI to manage the roles and bindings. Binding, or adding, a role to users or groups gives the user or group the access that is granted by the role. You can add and remove roles to and from users and groups using `oc adm policy` commands. You can bind any of the default cluster roles to local users or groups in your project. .Procedure . Add a role to a user in a specific project: + [source,terminal] ---- $ oc adm policy add-role-to-user -n ---- + For example, you can add the `admin` role to the `alice` user in `joe` project by running: + [source,terminal] ---- $ oc adm policy add-role-to-user admin alice -n joe ---- + [TIP] ==== You can alternatively apply the following YAML to add the role to the user: [source,yaml] ---- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: admin-0 namespace: joe roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: alice ---- ==== . View the local role bindings and verify the addition in the output: + [source,terminal] ---- $ oc describe rolebinding.rbac -n ---- + For example, to view the local role bindings for the `joe` project: + [source,terminal] ---- $ oc describe rolebinding.rbac -n joe ---- + .Example output [source,terminal] ---- Name: admin Labels: Annotations: Role: Kind: ClusterRole Name: admin Subjects: Kind Name Namespace ---- ---- --------- User kube:admin Name: admin-0 Labels: Annotations: Role: Kind: ClusterRole Name: admin Subjects: Kind Name Namespace ---- ---- --------- User alice <1> Name: system:deployers Labels: Annotations: openshift.io/description: Allows deploymentconfigs in this namespace to rollout pods in this namespace. It is auto-managed by a controller; remove subjects to disa... Role: Kind: ClusterRole Name: system:deployer Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount deployer joe Name: system:image-builders Labels: Annotations: openshift.io/description: Allows builds in this namespace to push images to this namespace. It is auto-managed by a controller; remove subjects to disable. Role: Kind: ClusterRole Name: system:image-builder Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount builder joe Name: system:image-pullers Labels: Annotations: openshift.io/description: Allows all pods in this namespace to pull images from this namespace. It is auto-managed by a controller; remove subjects to disable. Role: Kind: ClusterRole Name: system:image-puller Subjects: Kind Name Namespace ---- ---- --------- Group system:serviceaccounts:joe ---- <1> The `alice` user has been added to the `admins` `RoleBinding`.