This portal is to open public enhancement requests against the products and services belonging to IBM Sustainability Software. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
Hi - Thank you for your feedback
MAS operates across a group of namespaces and will not touch other namespaces and can happily co-exist with workloads in other namespaces. We don't give cluster admin rights to the application, or use cluster-level secrets. A limited ClusterRole is granted to the MAS Core which is what allows a MAS admin to install/manage MAS applications via the MAS admin dashboard without any access to OCP itself. It can only operate within the confines of the MAS namespaces and the MAS applications however. Without this role much of the MAS admin-dashboard (and admin APIs) cannot function.
Each step/stage of a MAS install is a separate ansible role that can be used in isolation, as part of a playbook, via a Tekton task/pipeline, or via the MAS CLI.
In any organization that wants to divide roles to the level of who creates the namespaces, who creates the subscription, who creates the operand, etc etc there's nothing in MAS's design that prevents them doing that today in the same way they do with any other operator-based application they manage. Our automation and documentation efforts thus far have been targeting less experienced/advanced use-cases where the goal is to provide as light a touch with OpenShift as possible to the Maximo customer, and perhaps as a result leaves the impression that this is the only way MAS can be managed.
I can acknowledge that we should:
Improve the documentation around what permissions are needed to run the MAS install, update, upgrade CLI commands
Improve the documentation around what permissions are needed to run the various MAS ansible roles
Improve the documentation around what exactly the MAS CLI-based install/update/upgrade does to a cluster (for MAS and it's dependencies)
Consider providing a "disable MAS admin powers" option such that MAS no longer has cluster admin powers, at the cost that the MAS admin-dashboard can not be used. This would allow advanced users who wish to work with MAS directly via OpenShift/Kubernetes APIs to do so without having to set up the "delegated MAS administration" part of the product that is geared towards customers that don't want to work with MAS at the OpenShift layer.