From b430d9cbfc97bcc97b20176bde50df896127e411 Mon Sep 17 00:00:00 2001 From: Prachi Damle Date: Mon, 5 Oct 2020 14:44:49 -0700 Subject: [PATCH] Edit CIS RBAC --- content/rancher/v2.x/en/cis-scans/rbac/_index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/cis-scans/rbac/_index.md b/content/rancher/v2.x/en/cis-scans/rbac/_index.md index 7919567f081..d3800df3559 100644 --- a/content/rancher/v2.x/en/cis-scans/rbac/_index.md +++ b/content/rancher/v2.x/en/cis-scans/rbac/_index.md @@ -38,8 +38,8 @@ The rancher-cis-benchmark creates three `ClusterRoles` and adds the CIS Benchmar | `cis-edit`| `edit` | Ability to CRUD clusterscanbenchmarks, clusterscanprofiles, clusterscans, clusterscanreports CR | `cis-view` | `view `| Ability to List(R) clusterscanbenchmarks, clusterscanprofiles, clusterscans, clusterscanreports CR -Rancher will continue to use cluster-owner, cluster-member, project-owner, project-member, etc as role names, but these default k8s roles will determine access to the CIS feature. +By default only cluster-owner role will have ability to manage and use `rancher-cis-benchmark` feature. -By default only cluster-owner role will have ability to use `rancher-cis-benchmark` feature. +The other Rancher roles (cluster-member, project-owner, project-member) do not have default permissions to manage and use rancher-cis-benchmark resources. -But the above ClusterRoles can be granted to cluster-member, project-owner, project-member users if a cluster-owner wants to share access. +But if a cluster-owner wants to delegate access to other users, they can do so by creating ClusterRoleBindings between these users and the CIS ClusterRoles manually.
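Review bot: the last added line ("they can do so by creating ClusterRoleBindings between these users and the CIS ClusterRoles manually") does not say which of the three CIS ClusterRoles gives which level of access, so a cluster-owner delegating access has no guidance on the narrowest role to bind. Suggest pointing back to the table above and stating that `cis-view` is enough for users who only need to list scans and reports, with `cis-edit` reserved for users who must create or change them. The removed sentence was also the only text explaining that the default k8s roles in the table's second column (`edit`, `view`) determine access to the CIS feature. With it gone, the new statement that only cluster-owner has access by default sits next to a table that still maps `cis-edit` to `edit` and `cis-view` to `view`, without saying how the two relate, so please keep one sentence that reconciles them. Style: the second added line leaves rancher-cis-benchmark without backticks while the first added line has them, and the first added line reads better as "By default, only the cluster-owner role has the ability to manage and use the `rancher-cis-benchmark` feature."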