diff --git a/docs/08.integration/12.rancher_sso_rbac.md b/docs/08.integration/12.rancher_sso_rbac.md index 305b4134..46e6616e 100644 --- a/docs/08.integration/12.rancher_sso_rbac.md +++ b/docs/08.integration/12.rancher_sso_rbac.md @@ -59,7 +59,7 @@ It is important to note that this integration supports roles in Global, Cluster, ### Definitions and Expectations with Global, Cluster, and Project/Namespace Roles -* Cluster resource with * verb on Rancher Global Role +* Cluster resource with * verb on Rancher Cluster Role + Mapped to NeuVector fedAdmin role on NeuVector fed-master cluster (This means users cannot map a Rancher Global role to a NeuVector admin role if NeuVector is on a master cluster) + Mapped to NeuVector admin role on NeuVector fed-managed cluster @@ -108,7 +108,7 @@ It is important to note that this integration supports roles in Global, Cluster, #### Use Case 2 * Create a FedAdmin user. Always remember to login in as a FedAdmin to a master cluster. If you are not on a federated domain, the roles will be downgraded to Reader or Admin. - + Create a global role with the following parameters. By using a global role it is also accessible by the other downstream clusters: + + Create a cluster role with the following parameters. By using a global role it is also accessible by the other downstream clusters: ```yaml Verb: * Resource: All permissions @@ -127,6 +127,7 @@ It is important to note that this integration supports roles in Global, Cluster, :::note To switch between FedAdmin and FedReader, just change the verbs from * to `get`. `get` is just the read permission, i.e., FedReader in this use case. +You should use the Cluster role to divide access scenarios based on the RBAC verbs and resources allowed by NeuVector. The Global role should be used strictly if you want to propagate to more clusters. Users must create Cluster roles to propagate the Global role to all downstream clusters. :::