# Perform bulk user access management

> Grant or revoke access for multiple users at once.

To modify permissions for a set of users at once, use the `rbac` command group of the upc-cli. Each run of `rbac` can assign or revoke one role or one user type to many users in a single organization or project.

`rbac` supports the following operations:

| Operation       | Description                                                                                                                            |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| `rbac assign`   | Assigns one role or one user type (`Owner` / `User`) to one or many users at the organization or project level.                        |
| `rbac unassign` | Removes every role belonging to a suite (`Asset Manager` or `Automation`) from one or many users at the organization or project level. |

## Before you start

To manage acces, you need:

* The ID of the target organization (a UUID-formatted string, like `00000000-0000-0000-0000-000000000000`). Find it with the [`orgs list` command](/cloud/virtual-private-cloud/admin/upc-cli/run-upc-cli.md#example---list-organizations) or in the organization properties in the Dashboard (go to **Administration** > **Settings**).
* The e-mails or user IDs of the users to update.
  * If the tool runs in the single-user mode (with the `--user` parameter), specity the e-mail or ID in the command line.
  * If the tool runs in the multi-user mode (with the `--file` parameter), it reads these e-mails or IDs from a .txt file. The file contains one e-mail or user ID per line. You can include both e-mails and IDs for different users in the same file. The file's encoding must be `utf-8`.
* No explicit authentication is required - the tool runs in-cluster and calls relevant APIs directly. Anyone who can execute `kubectl run` in the solution namespace can change feature flags; treat `kubectl` access as the only access boundary.
* The commands on this page work in a Unix-based shell (Linux, MacOS, WSL on Windows, Git Bash on Windows). If you need to run them in a Windows shell:
  * Use PowerShell 7.3 or newer, not Windows PowerShell 5.x.
  * Replace line continuation characters (`\`) with backticks (`` ` ``).

## Use cases

The examples in this section use the single-user form of the `rbac` command. To run the tool in the multi-user mode, with a file containing user e-mails or IDs, refer to [Running rbac on multiple users at once](#running-rbac-on-multiple-users-at-once).

### Assign an organization user type

To  assign a user type run the following command:

* Replace the `<email-or-id>` string with the e-mail or user ID of the target user.
* Replace the `<organizationID>` string with the organization's ID.
* Set the `--usertype` parameter to the required user type, either `Owner` or `User`.

```shell
kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions \
  --restart=Never \
  --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
  -- \
  --fqdn http://mini-usf:8080 \
  --path-prefix="" \
  --no-auth \
  rbac assign \
  --user <email-or-id> \
  --org <organizationId> \
  --usertype Owner
```

### Assign a project user type

To  assign a user type run the following command:

* Replace the `<email-or-id>` string with the e-mail or user ID of the target user.
* Replace the `<projectId>` string with the project's ID.
* Set the `--usertype` parameter to the required user type, either `Owner` or `User`.

```shell
kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions \
  --restart=Never \
  --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
  -- \
  --fqdn http://mini-usf:8080 \
  --path-prefix="" \
  --no-auth \
  rbac assign \
  --user <email-or-id> \
  --project <projectId> \
  --usertype Owner
```

### Assign an organization-level role

To  assign an organization-level role run the following command:

* Replace the `<email-or-id>` string with the e-mail or user ID of the target user.
* Replace the `<organizationID>` string with the organization's ID.
* Set the `--role` parameter to the required organization-level role, such as Asset Manager Admin, Automation User, or Automation Developer.

```shell
kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions \
  --restart=Never \
  --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
  -- \
  --fqdn http://mini-usf:8080 \
  --path-prefix="" \
  --no-auth \
  rbac assign \
  --user <email-or-id> \
  --org <organizationId> \
  --role "Asset Manager Admin"
```

### Assign a project-level role

To  assign an project-level role run the following command:

* Replace the `<email-or-id>` string with the e-mail or user ID of the target user.
* Replace the `<projectId>` string with the project's ID.
* Set the `--role` parameter to the required project-level role, such as Asset Manager Admin, Automation User, or Automation Developer.

```shell
kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions \
  --restart=Never \
  --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
  -- \
  --fqdn http://mini-usf:8080 \
  --path-prefix="" \
  --no-auth \
  rbac assign \
  --user <email-or-id> \
  --project <projectId> \
  --role "Asset Manager Viewer"
```

### Revoke all roles from a specific suite

`rbac unassign` removes assignments for every role belonging to a suite: either `amc` (Asset Manager) or `automation` (Pipeline Automation).

To  revoke all Asset Manager roles from a single user at the organization level, run the following command:

* Replace the `<email-or-id>` string with the e-mail or user ID of the target user.
* Replace the `<organizationID>` string with the organization's ID.

```shell
kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions \
  --restart=Never \
  --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
  -- \
  --fqdn http://mini-usf:8080 \
  --path-prefix="" \
  --no-auth \
  rbac unassign \
  --user <email-or-id> \
  --org <organizationId> \
  --suite amc
```

> **Note:**
>
> This command doesn't recursively remove role assignments from projects in the organization; it applies only to role assignments at the organization level.

#### Project level

To  revoke all Asset Manager roles from a single user at the project level, run the following command:

* Replace the `<email-or-id>` string with the e-mail or user ID of the target user.
* Replace the `<projectId>` string with the project's ID.

```shell
kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions \
  --restart=Never \
  --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
  -- \
  --fqdn http://mini-usf:8080 \
  --path-prefix="" \
  --no-auth \
  rbac unassign \
  --user <email-or-id> \
  --project <projectId> \
  --suite automation
```

The tool fetches the user's current roles, removes those belonging to the named suite, and submits the remaining set.

Roles outside the suite (for example, Pipeline Automation roles when you unassign the `amc` suite) aren't affected.

## Running rbac on multiple users at once

If you need to perform an `rbac assign/unassign` operation on multiple users, you can supply their names to the tool with a text file.

The file needs to be inside the pod's filesystem. `kubectl run` can't mount workstation files, so a workstation-local file is not visible to the tool unless you make it available first. This section describes how to handle this situation.

The file must:

* Have .txt extension.
* Use `utf-8` encoding.
* Contain one e-mail or user ID per line.

An example of file content:

```text
alice@example.com
bob@example.com
carol@example.com
```

### First method: Multiple single-user invocations without a file

For small batches, call the tool once for each user with a loop.

For example, on a Unix-based shell (Linux, MacOS, WSL on Windows, Git Bash on Windows):

```shell
for EMAIL in alice@example.com bob@example.com carol@example.com ; do
  kubectl run -it upc-cli --rm \
    --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
    -n asset-solutions \
    --restart=Never \
    --overrides='{"spec":{"imagePullSecrets":[{"name":"acr-unity-registry"}]}}' \
    -- \
    --fqdn http://mini-usf:8080 \
    --path-prefix="" \
    --no-auth \
    rbac assign \
    --user "$EMAIL" \
    --org <organizationId> \
    --usertype Owner
done
```

### Second method: Stage the .txt file as a ConfigMap and mount it into the pod

When the batch is too large for a loop:

1. Ship the file with a ConfigMa.
2. Extend `--overrides` to mount the file. Replace `<organizationId>` with the required organization's ID:

```shell
kubectl create configmap upc-cli-input -n asset-solutions --from-file users.txt

kubectl run -it upc-cli --rm \
  --image=uccmpprivatecloud.azurecr.io/docker/upc-cli:latest \
  -n asset-solutions --restart=Never \
  --overrides='{
    "spec": {
      "imagePullSecrets": [{"name": "acr-unity-registry"}],
      "containers": [{
        "name": "upc-cli",
        "image": "uccmpprivatecloud.azurecr.io/docker/upc-cli:latest",
        "args": ["--path-prefix","","--fqdn","http://mini-usf:8080","--no-auth",
                 "rbac","assign","--file","/input/users.txt","--org","<organizationId>","--usertype","Owner"],
        "volumeMounts": [{"name":"input","mountPath":"/input"}]
      }],
      "volumes": [{"name":"input","configMap":{"name":"upc-cli-input"}}]
    }
  }'
```

When the operation is complete, delete the ConfigMap:

```shell
kubectl delete configmap upc-cli-input -n asset-solutions
```

## The tool output

On success, upc-cli prints a JSON summary listing the resolved user IDs and the API responses for each user.

For example:

```json
{
  "assignedRoleId": "e5411482-bf96-4166-a1e5-07726894b8b5",
  "users": [
    "80711ff6-57c3-4a56-88bc-9c5827b3fbf4",
    "41fba0fd-4e1b-4954-9e05-6488c356b242"
  ],
  "results": [
    {
      "status": 200
    },
    {
      "status": 200
    }
  ]
}
```

Unresolved users appear as a warning line on stderr before the JSON summary. They don't abort the run:

```text
⚠️  Could not resolve user 'nosuchuser@example.com' to an id; skipping.
```

## Parameter summary for `rbac assign` and `rbac unassign`

| Parameter                | Required                                                          | Notes                                                                                                                                                                               |
| ------------------------ | ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--user <email-or-uuid>` | Either `--user` or `--file`                                       | Single-user mode                                                                                                                                                                    |
| `--file <path>`          | Either `--user` or `--file`                                       | Should point to a .txt file. This file should contain one e-mail or user ID per line (the same file can contain both e-mails and IDs for different users) and use `utf-8` encoding. |
| `--org <organizationId>` | Either `--org` or `--project`                                     | For organization-level operations                                                                                                                                                   |
| `--project <projectId>`  | Either `--org` or `--project`                                     | For project-level operations                                                                                                                                                        |
| `--usertype <name>`      | Either `--usertype` or `--role` (for the `assign` operation only) | `<name>` must be either `Owner` or `User`                                                                                                                                           |
| `--role <name>`          | Either `--usertype` or `--role` (for the `assign` operation only) | `<name>` must match one of the RBAC roles available in Asset Manager or Pipeline Automation at the corresponding level (organization or project)                                    |
| `--suite <suite-name>`   | Required (and applicable) for the `unassign` operation only       | `<suite-name>` must be either `amc` (for Asset Manager roles) or `automation` (for Pipeline Automation roles)                                                                       |
