rancher-docs/versioned_docs/version-2.6/admin-settings/rbac/locked-roles/locked-roles.md
2022-08-17 10:23:03 -07:00


---
title: Locked Roles
weight: 1129
---
You can set roles to a status of `locked`. Locking a role prevents it from being assigned to users in the future.

Locked roles:

- Cannot be assigned to users who don't already have them assigned.
- Are not listed in the **Member Roles** drop-down when you are adding a user to a cluster or project.
- Do not affect users assigned the role before you lock the role. These users retain the access that the role provides.

**Example:** Let's say your organization creates an internal policy that users assigned to a cluster are prohibited from creating new projects. It's your job to enforce this policy.

To enforce it, before you add new users to the cluster, you should lock the following roles: `Cluster Owner`, `Cluster Member`, and `Create Projects`. Then you could create a new custom role that includes the same permissions as a __Cluster Member__, except the ability to create projects. Then, you use this new custom role when adding users to a cluster.

Roles can be locked by the following users:

- Any user assigned the `Administrator` global permission.
- Any user assigned the `Custom Users` permission, along with the `Manage Roles` role.

## Locking/Unlocking Roles

If you want to prevent a role from being assigned to users, you can set it to a status of `locked`.

You can lock roles in two contexts:

- When you're [adding a custom role]({{<baseurl>}}/rancher/v2.6/en/admin-settings/rbac/default-custom-roles/).
- When you're editing an existing role (see below).

Cluster roles and project/namespace roles can be locked, but global roles cannot.

1. In the upper left corner, click **☰ > Users & Authentication**.
1. In the left navigation bar, click **Roles**.
1. Go to the **Cluster** tab or the **Project/Namespaces** tab.
1. From the role that you want to lock (or unlock), select **⋮ > Edit Config**.
1. From the **Locked** option, choose the **Yes** or **No** radio button. Then click **Save**.
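
Because locking does not affect users who were assigned the role earlier, it is worth listing who still holds a role after you lock it. The following Python sketch is an added example, not part of the Rancher documentation. It assumes the `locked`, `displayName`, `roleTemplateName`, `clusterName`, and principal fields of Rancher's `management.cattle.io` objects as exported with `kubectl ... -o json`, and all sample data is constructed.

```python
import json

# Constructed sample data, shaped like the output of (assumed commands):
#   kubectl get roletemplates.management.cattle.io -o json
#   kubectl get clusterroletemplatebindings.management.cattle.io -A -o json
ROLE_TEMPLATES = json.loads("""{"items": [
 {"metadata": {"name": "cluster-owner"}, "displayName": "Cluster Owner", "locked": true},
 {"metadata": {"name": "cluster-member"}, "displayName": "Cluster Member", "locked": true},
 {"metadata": {"name": "projects-create"}, "displayName": "Create Projects", "locked": true},
 {"metadata": {"name": "rt-constructed1"}, "displayName": "Cluster Member (no project creation)"}
]}""")

BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "crtb-1", "namespace": "c-constructed1"}, "clusterName": "c-constructed1",
  "roleTemplateName": "cluster-owner", "userPrincipalName": "local://u-aaaaa"},
 {"metadata": {"name": "crtb-2", "namespace": "c-constructed1"}, "clusterName": "c-constructed1",
  "roleTemplateName": "rt-constructed1", "userPrincipalName": "local://u-bbbbb"},
 {"metadata": {"name": "crtb-3", "namespace": "c-constructed2"}, "clusterName": "c-constructed2",
  "roleTemplateName": "cluster-member", "groupPrincipalName": "example_group://ops"}
]}""")


def locked_roles(role_templates):
    """Map role template name -> display name for every locked template."""
    return {
        rt["metadata"]["name"]: rt.get("displayName", rt["metadata"]["name"])
        for rt in role_templates.get("items", [])
        if rt.get("locked", False)  # a missing field means the role is not locked
    }


def bindings_on_locked_roles(role_templates, bindings):
    """Return sorted (scope, subject, role) tuples for bindings to locked roles."""
    locked = locked_roles(role_templates)
    findings = []
    for b in bindings.get("items", []):
        role = b.get("roleTemplateName")
        if role not in locked:
            continue
        subject = (b.get("userPrincipalName") or b.get("groupPrincipalName")
                   or b.get("userName") or "<unknown subject>")
        scope = b.get("clusterName") or b.get("projectName") or b["metadata"].get("namespace")
        findings.append((scope, subject, locked[role]))
    return sorted(findings)


if __name__ == "__main__":
    for scope, subject, role in bindings_on_locked_roles(ROLE_TEMPLATES, BINDINGS):
        print(f"{scope}: {subject} still holds locked role '{role}'")
```

Each reported binding predates the lock and has to be reviewed and replaced manually if the policy should also apply to existing members.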