diff --git a/content/rancher/v2.x/en/concepts/global-configuration/_index.md b/content/rancher/v2.x/en/concepts/global-configuration/_index.md index bbb6fc2c781..76869cbf670 100644 --- a/content/rancher/v2.x/en/concepts/global-configuration/_index.md +++ b/content/rancher/v2.x/en/concepts/global-configuration/_index.md @@ -196,7 +196,7 @@ _Project roles_ are roles that can be used to grant users access to a project. T ##### Custom Project Roles -Rancher lets you assign _custom project roles_ to a user instead of the typical `Owner`, `Member`, or `Read Only` roles. These roles can be either a built-in custom project roles or one defined by a Rancher administrator. They are convenient for defining narrow or specialized access for a user within a project. See the table below for a list of built-in custom project roles. +Rancher lets you assign _custom project roles_ to a user instead of the typical `Owner`, `Member`, or `Read Only` roles. These roles can be either a built-in custom project role or one defined by a Rancher administrator. They are convenient for defining narrow or specialized access for a user within a project. See the table below for a list of built-in custom project roles. ##### Project Role Reference diff --git a/content/rancher/v2.x/en/tasks/global-configuration/roles/_index.md b/content/rancher/v2.x/en/tasks/global-configuration/roles/_index.md index 2d70b68e98a..b76f0e84954 100644 --- a/content/rancher/v2.x/en/tasks/global-configuration/roles/_index.md +++ b/content/rancher/v2.x/en/tasks/global-configuration/roles/_index.md 
@@ -23,35 +23,46 @@ While Rancher comes out-of-the-box with a set of default user roles, you can als 3. **Name** the role. -4. Assign the role a **Context**. Context determines the scope of permissions assigned to the user. The contexts are: +4. Choose whether to set the role to a status of [locked]({{< baseurl >}}/rancher/v2.x/en/concepts/global-configuration/#locked-roles). + + Locked roles cannot be assigned to users. + + For example, if you want to test a role before widespread implementation, you should lock the role. + +5. Assign the role a **Context**. Context determines the scope of role assigned to the user. The contexts are: - **All** - The user can use their assigned permissions regardless of context. The user's permissions are valid in all clusters and projects. + The user can use their assigned role regardless of context. The user's role are valid in all clusters and projects. - **Cluster** - The user can use their assigned permissions within a selected cluster. + The user can use their assigned role within a selected cluster. - **Project** - The user can use their assigned permissions within a selected project. + The user can use their assigned role within a selected project. -5. Use the **Grant Resources** options to assign individual [Kubernetes API endpoints](https://kubernetes.io/docs/reference/) to the role. +6. Use the **Grant Resources** options to assign individual [Kubernetes API endpoints](https://kubernetes.io/docs/reference/) to the role. You can also choose the individual cURL methods (`Create`, `Delete`, `Get`, etc.) available for use with each endpoint you assign. -6. Use the **Inherit from a Role** options to assign individual Rancher roles to your custom roles. +7. Use the **Inherit from a Role** options to assign individual Rancher roles to your custom roles. -7. Click **Create**. +8. Click **Create**. + +## Locking/Unlocking Roles + +If you want to prevent a role from being assigned to users, you can set it to a status of `locked`. 
For more information about what this status means, see [Locked Roles]({{< baseurl >}}/rancher/v2.x/en/concepts/global-configuration/#locked-roles). + +You can lock roles in two contexts: + +- When you're [adding a custom role](#adding-a-custom-role). +- When you editing an existing role (see below). -Locking/Unlocking Roles +1. From the **Global** view, select **Security** > **Roles**. -When creating a role , "Locked" field is preselected to "No" which means the role is unlocked and is available to be assigned to users. - -Users can choose to lock roles by choosing "Yes" for "Locked" field when creating Roles. When roles are locked , they will be not be available in the -set of roles that can be assigned to users. - -Existing roles can also be locked/unlocked by editing the role and setting the locked field to "Yes/No". +2. From the role that you want to lock (or unlock), select **Vertical Ellipsis (...)** > **Edit**. +3. From the **Locked** option, choose the **Yes** or **No** radio button. Then click **Save**. \ No newline at end of file
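Review bot: In the concepts/global-configuration/_index.md hunk, the corrected sentence still pairs a plural subject with a singular complement ("These roles can be either a built-in custom project role or one defined by a Rancher administrator"). Suggest "A custom project role is either built in or defined by a Rancher administrator", which also avoids the "built-in custom" pairing that reads as a contradiction.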
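Review bot: In the tasks/global-configuration/roles/_index.md hunk, the new step 4 and the `## Locking/Unlocking Roles` section say that locked roles cannot be assigned to users, but neither says what happens to users who already hold a role when it is locked. Readers will treat locking as an access control, so state that behaviour in one sentence here rather than leaving it to the linked concepts page. The step 4 example also needs rewording: it recommends locking a role in order to test it, while the line just before it says a locked role cannot be assigned, so explain how the role is exercised while locked or pick a different example. Wording fixes in the added lines: "The user's role are valid" should be "is valid", "the scope of role assigned to the user" needs an article, and "When you editing an existing role" is missing "are". The numbered steps start directly after the bullet list with no lead-in, so add a sentence such as "To lock or unlock an existing role:" before step 1. The file also ends without a trailing newline.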