3horizons
diff --git a/‎deploy/helm/rhdh/README.md‎
Lines changed: 35 additions & 0 deletions b/‎deploy/helm/rhdh/README.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎deploy/helm/rhdh/rbac-policies-configmap.yaml‎
Lines changed: 45 additions & 0 deletions b/‎deploy/helm/rhdh/rbac-policies-configmap.yaml‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎deploy/helm/rhdh/values-aks-dev.yaml‎
Lines changed: 29 additions & 1 deletion b/‎deploy/helm/rhdh/values-aks-dev.yaml‎
Lines changed: 29 additions & 1 deletion
@@ -0,0 +1,35 @@
+# RHDH Helm Configuration (AKS Dev)
+
+This folder is the source of truth for RHDH RBAC and app configuration used in AKS dev deployments.
+
+## Files
+
+- `values-aks-dev.yaml`: RHDH Helm values (auth, permissions, plugins, catalog, branding)
+- `rbac-policies-configmap.yaml`: File-based RBAC policies (`rbac-policies.csv`)
+
+## Important RBAC Behavior
+
+RHDH roles loaded from `rbac-policies.csv` are configuration-managed.
+
+- You can view them in the RBAC UI.
+- Editing those roles in UI is blocked by design.
+- To change role permissions or user/group mapping, edit `rbac-policies-configmap.yaml`.
+
+If RBAC UI shows `source does not match originating role ... CONFIGURATION`, update this file instead of using UI edit.
+
+## Apply Changes
+
+1. Apply RBAC ConfigMap:
+
+```bash
+kubectl apply -f deploy/helm/rhdh/rbac-policies-configmap.yaml
+```
+
+1. Apply updated RHDH values through your Helm/GitOps flow.
+
+2. Restart RHDH deployment if needed to refresh loaded configuration:
+
+```bash
+kubectl -n rhdh rollout restart deploy/rhdh-developer-hub
+kubectl -n rhdh rollout status deploy/rhdh-developer-hub --timeout=300s
+```
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rbac-policies
+  namespace: rhdh
+data:
+  rbac-policies.csv: |
+    p, role:default/admin, catalog-entity, read, allow
+    p, role:default/admin, catalog-entity, update, allow
+    p, role:default/admin, catalog-entity, delete, allow
+    p, role:default/admin, catalog.entity.create, create, allow
+    p, role:default/admin, catalog.location.read, read, allow
+    p, role:default/admin, catalog.location.create, create, allow
+    p, role:default/admin, catalog.location.delete, delete, allow
+    p, role:default/admin, scaffolder-template, read, allow
+    p, role:default/admin, scaffolder-action, use, allow
+    p, role:default/admin, scaffolder.task.create, create, allow
+    p, role:default/admin, scaffolder.task.read, read, allow
+    p, role:default/admin, scaffolder.task.cancel, use, allow
+    p, role:default/admin, scaffolder.template.management, use, allow
+    p, role:default/admin, bulk-import, read, allow
+    p, role:default/admin, bulk-import, create, allow
+    p, role:default/admin, bulk-import, delete, allow
+    p, role:default/admin, policy-entity, read, allow
+    p, role:default/admin, policy-entity, create, allow
+    p, role:default/admin, policy-entity, update, allow
+    p, role:default/admin, policy-entity, delete, allow
+    p, role:default/admin, kubernetes.proxy, use, allow
+    p, role:default/admin, notification.entity, read, allow
+    p, role:default/admin, notification.entity, create, allow
+    p, role:default/admin, notification.entity, update, allow
+    p, role:default/developer, catalog-entity, read, allow
+    p, role:default/developer, catalog.entity.create, create, allow
+    p, role:default/developer, catalog.location.read, read, allow
+    p, role:default/developer, catalog.location.create, create, allow
+    p, role:default/developer, scaffolder-template, read, allow
+    p, role:default/developer, scaffolder-action, use, allow
+    p, role:default/developer, scaffolder.task.create, create, allow
+    p, role:default/developer, scaffolder.task.read, read, allow
+    p, role:default/developer, kubernetes.proxy, use, allow
+    p, role:default/developer, notification.entity, read, allow
+    p, role:default/developer, notification.entity, update, allow
+    g, user:default/paulanunes85, role:default/admin
+    g, group:default/platform-team, role:default/admin
+    g, group:default/platform-engineering, role:default/admin
@@ -214,8 +214,36 @@ upstream:
           - type: url
             target: https://github.com/3horizons/agentic-devops-platform/blob/main/backstage/catalog-info.yaml
 
+      argocd:
+        appLocatorMethods:
+          - type: config
+            instances:
+              - name: local
+                url: https://argocd.3horizons.ai
+
       permission:
-        enabled: false
+        enabled: true
+        rbac:
+          admin:
+            users:
+              - name: user:default/paulanunes85
+            superAdminRole: true
+          policies-csv-file: /opt/app-root/src/rbac-policies.csv
+          pluginsWithPermission:
+            - catalog
+            - scaffolder
+            - permission
+            - kubernetes
+            - bulk-import
+            - notification
+          policyFileReload: true
+
+      dynamicPlugins:
+        frontend:
+          default.main-menu-items:
+            menuItems:
+              default.create:
+                title: Create
 
   postgresql:
     enabled: false