Lineage
read-only · v1.0
static mock demo — no cluster connection, no oc, no credentials
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

User eve htpasswd-backed

Identity provenance

IdentityProviderProvider usernameIdP typeBacking config
dev:eve dev eve HTPasswd Secret/htpasswd-secret

Group memberships

Reach

Where this subject's permissions land. Cluster-wide grants reach every namespace; namespace-scoped grants are listed individually. Grants that come from auto-membership virtual groups (system:authenticated, system:authenticated:oauth, system:serviceaccounts, system:serviceaccounts:<ns>) are folded into the collapsible blocks below — they apply to every authenticated principal on the cluster, not to this subject specifically.

Cluster-wide via system virtual groups (1) — shared with every authenticated principal
RoleViaBinding
view Group/system:authenticated:oauth ClusterRoleBinding/oauth-users-self-review

Per-namespace (2 namespaces)

NamespaceRoleViaBinding
mine-platform admin Group/engineers RoleBinding/admin-rb
admin Group/engineers RoleBinding/admin-rb-copy
payments-prod read-secrets Group/engineers RoleBinding/secret-readers

Effective permissions (3 paths)

Each path is one (role, scope, group-membership) combination. Click Show rules to see the underlying API rules. 1 additional path via auto-membership virtual groups (system:authenticated et al.) is collapsed below — they grant the same access to every authenticated principal.

Namespace: mine-platform * wildcard 3 rules
User eve
member of
Group engineers
bound by
RoleBinding admin-rb
grants
ClusterRole admin privileged
Verbs: *createdeletegetlistpatchupdatewatch  Resources: configmapsdeploymentspodsrolebindingsrolessecrets  API groups: apps, core, rbac.authorization.k8s.io
Aggregated from admin-workloads, admin-rbac
2 duplicate bindings admin-rb, admin-rb-copy
API groupResourcesVerbsFrom
apps deployments * admin-workloads
core pods, secrets, configmaps * admin-workloads
rbac.authorization.k8s.io roles, rolebindings get, list, watch, create, update, patch, delete admin-rbac
Namespace: payments-prod 1 rule
User eve
member of
Group engineers
bound by
RoleBinding secret-readers
grants
Role read-secrets
Verbs: getlist  Resources: secrets  API groups: core
API groupResourcesVerbs
core secrets get, list
Paths via system virtual groups (1) — shared with every authenticated principal
Cluster-wide 1 rule
User eve
member of
Group system:authenticated:oauth
bound by
ClusterRoleBinding oauth-users-self-review
grants
ClusterRole view
Verbs: getlistwatch  Resources: podsservices  API groups: core
API groupResourcesVerbs
core pods, services get, list, watch