From babbecfa18a6b1470bfefadec481a60e0b28096a Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Mon, 30 Dec 2019 17:01:11 -0700 Subject: [PATCH] Describe required permissions to deploy catalog apps --- content/rancher/v2.x/en/catalog/_index.md | 10 ++++++++++ content/rancher/v2.x/en/catalog/apps/_index.md | 7 +++++++ .../v2.x/en/catalog/multi-cluster-apps/_index.md | 7 +++++++ 3 files changed, 24 insertions(+) diff --git a/content/rancher/v2.x/en/catalog/_index.md b/content/rancher/v2.x/en/catalog/_index.md index b0874d88278..447d3a2f4be 100644 --- a/content/rancher/v2.x/en/catalog/_index.md +++ b/content/rancher/v2.x/en/catalog/_index.md @@ -17,6 +17,7 @@ Rancher improves on Helm catalogs and charts. All native Helm charts can work wi This section covers the following topics: +- [Prerequisites](#prerequisites) - [Catalog scopes](#catalog-scopes) - [Enabling built-in global catalogs](#enabling-built-in-global-catalogs) - [Adding custom global catalogs](#adding-custom-global-catalogs) 
@@ -29,6 +30,15 @@ This section covers the following topics: - [Global DNS](#global-dns) - [Chart compatibility with Rancher](#chart-compatibility-with-rancher) +# Prerequisites + +When Rancher deploys a catalog app, it launches an ephemeral instance of a Helm service account that has the permissions of the user deploying the catalog app. Therefore, a user cannot gain more access to the cluster through Helm or a catalog application than they otherwise would have. + +To launch a catalog app or a multi-cluster app, you should have at least one of the following permissions: + +- A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads +- A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project + # Catalog Scopes Within Rancher, you can manage catalogs at three different scopes. Global catalogs are shared across all clusters and project. There are some use cases where you might not want to share catalogs across between different clusters or even projects in the same cluster. By leveraging cluster and project scoped catalogs, you will be able to provide applications for specific teams without needing to share them with all clusters and/or projects. diff --git a/content/rancher/v2.x/en/catalog/apps/_index.md b/content/rancher/v2.x/en/catalog/apps/_index.md index c6f8f101bc8..04d509449fc 100644 --- a/content/rancher/v2.x/en/catalog/apps/_index.md +++ b/content/rancher/v2.x/en/catalog/apps/_index.md 
@@ -7,6 +7,13 @@ Within a project, when you want to deploy applications from catalogs, the applic If your application is using ingresses, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/). +## Prerequisites + +To create a multi-cluster app in Rancher, you must have at least one of the following permissions: + +- A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads +- A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project + ## Launching Catalog Applications After you've either enabled the [built-in global catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/built-in/) or [added your own custom catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding), you can start launching catalog applications. diff --git a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md index 62936ccb55a..55865bf2437 100644 --- a/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md +++ b/content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md 
@@ -10,6 +10,13 @@ Any Helm charts from a [global catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/ After creating a multi-cluster application, you can program a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/) to make it easier to access the application. +# Prerequisites + +To create a multi-cluster app in Rancher, you must have at least one of the following permissions: + +- A [project-member role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster(s), which gives you the ability to create, read, update, and delete the workloads +- A [cluster owner role]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the clusters(s) that include the target project(s) + ## Launching a Multi-Cluster App 1. From the **Global** view, choose **Apps** in the navigation bar. Click **Launch**.
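Review bot: In the `# Prerequisites` section added to content/rancher/v2.x/en/catalog/_index.md, both role links are written with an empty `{{}}` shortcode, whereas the unchanged context lines in this patch use `{{< baseurl >}}`; the links should use `{{< baseurl >}}` as well, and the same applies to the added links in the other two files. In the same section, the first bullet places the project-member role "in the target cluster" while the second bullet speaks of the target project, so "in the target project" would be consistent with the role being a project role. The second bullet should read "the cluster that includes the target project", and "you should have at least one of the following permissions" is weaker than the "you must have" used in the other two files; since this is an access requirement, "must" is the clearer wording.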
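Review bot: In the `## Prerequisites` section added to content/rancher/v2.x/en/catalog/apps/_index.md, the opening sentence says "To create a multi-cluster app in Rancher", but the context line above it describes deploying applications from catalogs within a project, so this looks copied from the multi-cluster page. Suggest "To launch a catalog app in Rancher, you must have at least one of the following permissions:" so that readers of this page are not left unsure which permissions apply to a single-project deployment. The second bullet also needs "includes" in place of "include".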
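Review bot: In content/rancher/v2.x/en/catalog/multi-cluster-apps/_index.md, the new heading is `# Prerequisites` (level one) while the heading that follows it, `## Launching a Multi-Cluster App`, is level two, and the equivalent section added to apps/_index.md uses `## Prerequisites`; use `## Prerequisites` here so the page outline stays consistent. The second bullet has a typo, "clusters(s)", which should be "cluster(s)".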