openshift-docs/extensions/ce/user-access-resources.adoc

:_mod-docs-content-type: ASSEMBLY
[id="user-access-resources"]
= User access to extension resources
include::_attributes/common-attributes.adoc[]
:context: user-access-resources

toc::[]

After a cluster extension has been installed and is being managed by {olmv1-first}, the extension can often provide `CustomResourceDefinition` objects (CRDs) that expose new API resources on the cluster. Cluster administrators typically have full management access to these resources by default, whereas non-cluster administrator users, or _regular users_, might lack sufficient permissions.

{olmv1} does not automatically configure or manage role-based access control (RBAC) for regular users to interact with the APIs provided by installed extensions. Cluster administrators must define the required RBAC policy to create, view, or edit these custom resources (CRs) for such users.

[NOTE]
====
The RBAC permissions described for user access to extension resources are different from the permissions that must be added to a service account to enable {olmv1}-based initial installation of a cluster extension itself. For more on RBAC requirements while installing an extension, see "Cluster extension permissions" in "Managing extensions".
====

[role="_additional-resources"]
.Additional resources
* xref:../../extensions/ce/managing-ce.adoc#olmv1-cluster-extension-permissions_managing-ce["Managing extensions" -> "Cluster extension permissions"]

include::modules/olmv1-default-cluster-roles-users.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* link:https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] (Kubernetes documentation)

include::modules/olmv1-finding-ce-resources.adoc[leveloffset=+1]

include::modules/olmv1-granting-user-access-binding.adoc[leveloffset=+1]

include::modules/olmv1-granting-user-access-aggregated.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* link:https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles[Aggregated ClusterRoles] (Kubernetes documentation)