openshift-docs/modules/log6x-loki-rbac-rules-perms.adoc

// Module included in the following assemblies:
// * observability/logging/logging-6.2/log6x-loki-6.2.adoc


:_mod-docs-content-type: REFERENCE
[id="loki-rbac-rules-permissions_{context}"]
= Authorizing LokiStack rules RBAC permissions

Administrators can allow users to create and manage their own alerting and recording rules by binding cluster roles to usernames.
Cluster roles are defined as `ClusterRole` objects that contain necessary role-based access control (RBAC) permissions for users.

The following cluster roles for alerting and recording rules are available for LokiStack:

[options="header"]
|===
|Rule name |Description

|`alertingrules.loki.grafana.com-v1-admin`
|Users with this role have administrative-level access to manage alerting rules. This cluster role grants permissions to create, read, update, delete, list, and watch `AlertingRule` resources within the `loki.grafana.com/v1` API group.

|`alertingrules.loki.grafana.com-v1-crdview`
|Users with this role can view the definitions of Custom Resource Definitions (CRDs) related to `AlertingRule` resources within the `loki.grafana.com/v1` API group, but do not have permissions for modifying or managing these resources.

|`alertingrules.loki.grafana.com-v1-edit`
|Users with this role have permission to create, update, and delete `AlertingRule` resources.

|`alertingrules.loki.grafana.com-v1-view`
|Users with this role can read `AlertingRule` resources within the `loki.grafana.com/v1` API group. They can inspect configurations, labels, and annotations for existing alerting rules but cannot make any modifications to them.

|`recordingrules.loki.grafana.com-v1-admin`
|Users with this role have administrative-level access to manage recording rules. This cluster role grants permissions to create, read, update, delete, list, and watch `RecordingRule` resources within the `loki.grafana.com/v1` API group.

|`recordingrules.loki.grafana.com-v1-crdview`
|Users with this role can view the definitions of Custom Resource Definitions (CRDs) related to `RecordingRule` resources within the `loki.grafana.com/v1` API group, but do not have permissions for modifying or managing these resources.

|`recordingrules.loki.grafana.com-v1-edit`
|Users with this role have permission to create, update, and delete `RecordingRule` resources.

|`recordingrules.loki.grafana.com-v1-view`
|Users with this role can read `RecordingRule` resources within the `loki.grafana.com/v1` API group. They can inspect configurations, labels, and annotations for existing alerting rules but cannot make any modifications to them.

|===

[id="loki-rbac-rules-permissions-examples_{context}"]
== Examples

To apply cluster roles for a user, you must bind an existing cluster role to a specific username.

Cluster roles can be cluster or namespace scoped, depending on which type of role binding you use.
When a `RoleBinding` object is used, as when using the `oc adm policy add-role-to-user` command, the cluster role only applies to the specified namespace.
When a `ClusterRoleBinding` object is used, as when using the `oc adm policy add-cluster-role-to-user` command, the cluster role applies to all namespaces in the cluster.

The following example command gives the specified user create, read, update and delete (CRUD) permissions for alerting rules in a specific namespace in the cluster:

.Example cluster role binding command for alerting rule CRUD permissions in a specific namespace
[source,terminal]
----
$ oc adm policy add-role-to-user alertingrules.loki.grafana.com-v1-admin -n <namespace> <username>
----

The following command gives the specified user administrator permissions for alerting rules in all namespaces:

.Example cluster role binding command for administrator permissions
[source,terminal]
----
$ oc adm policy add-cluster-role-to-user alertingrules.loki.grafana.com-v1-admin <username>
----