Skip to content

Granting admin rights

Granting admin rights to users#

Granting cluster-admin rights#

Cluster admin rights are not automatically granted users that you add to the cluster. If there are users that you want to grant this level of privilege to, you will need to manually grant it to each user. Let's start off with granting it to ourselves using the GitHub username we just created for the cluster. There are two ways to do this; either from the ROSA CLI or the OCM web UI.

  1. Via rosa CLI

    1. Assuming you are the user who created the cluster, you can grant cluster-admin to a user (or our GitHub user) by running

      rosa grant user cluster-admin --user <idp_user_name> --cluster=<cluster-name>
    2. Verify that we were added as a cluster-admin by running

      rosa list users --cluster=<cluster-name>

      You should see your GitHub ID of the user listed.

      $ rosa list users --cluster=my-rosa-cluster
      ID           GROUPS
      rosa-user    cluster-admins
    3. Logout and log back into the cluster to see a new perspective with the “Administrator Panel”. (You might need to try an Incognito/Private window)


    4. You can also test this by running the following command. Only a cluster-admin user can run this without errors.

      oc get all -n openshift-apiserver
  2. Via OCM UI

    1. Log into OCM from
    2. Select your cluster
    3. Click on the “Access Control” tab


    4. Towards the bottom in the “Cluster Administrative Users” section click on “Add User”


    5. On the pop-up screen enter the person's user ID (in our example the GitHub ID)

    6. Select whether you want to grant them cluster-admin or dedicated-admin


Granting dedicated-admin#

ROSA has a concept of an admin user that can complete most administrative tasks but is slightly limited to prevent anything damaging. It is called a “dedicated-admin” role. It is best practice to use dedicated-admin when elevated privileges are needed. You can read more about it here.

  1. Enter the following command to promote your user to a dedicated-admin

    rosa grant user dedicated-admin --user <idp_user_name> --cluster=<cluster-name>
  2. Enter the following command to verify that your user now has dedicated-admin access

    oc get groups dedicated-admins
  3. You can also grant dedicated-admin rights via the OCM UI as described in the cluster-admin section, but just select the “dedicated-admins” radio button instead.