# RBAC Demo for Projects in DKP

## :memo: Pre-Requisites

- [ ] One Management cluster with SSO capability
- [ ] One Managed cluster with SSO configured
- [ ] kubectl access to both clusters as admin
- [ ] Admin access to the Management cluster UI

### Step 1: Create a developer group

a. Go to the Kommander UI and log in with the Admin credentials or the Root credentials for the cluster.

b. Select the `Global` workspace --> `Identity Provider` --> select `group`.

c. Select the group you need, or create one. In this case I created a group called `developers` and added `Sagar`, a developer, to that group using his email.

:::info
:bulb: When a user is authenticated they inherit the `email` attribute from the authentication entity. All we need to do is map that email address attribute of the user to a group here and fine-tune the group's access control to attain RBAC.
:::

![](https://i.imgur.com/Y5T11Fo.png)

### Step 2: Provide developers `view` access to the management cluster's Grafana

Now that we have a group created at the global level, let's pick the workspace where our managed cluster is running. In my case it's the `default-workspace`.

a. Select the desired workspace.

b. Select `Access Control` --> `Cluster Role Bindings`.

c. Click on `Add Roles` for the `developers` group.

![](https://i.imgur.com/d7v9l2T.png)

d. In the roles window type `project`; it should bring up the related roles. Select `Project Grafana View Role`.

![](https://i.imgur.com/3iynnsS.png)

e. Save and close out. This step creates the necessary roles and role bindings to ensure that your developers can access Grafana on the management cluster.

### Step 3: Fetch the Grafana URL to view the logs

Follow the directions in the DKP docs to fetch the URL for Grafana on the managed cluster: https://docs.d2iq.com/dkp/kommander/2.1/logging/multi-tenant-logging/view-proj-logdata/

a. The above steps essentially get two key details, `workspace` and `project name`. Using those two, it fetches a unique URL for accessing the Grafana UI.

b. Here is an example:

```
https://2231e*******ba4-464669233.us-east-1.elb.amazonaws.com/dkp/workspace/kommander-default-workspace/project/mt-test-jbwv2/logging/grafana
```

c. When you go to the URL it should take you to the SSO path for authentication; once authenticated you should have access to view the Grafana endpoint.

d. If you are not a user from the `developers` group you will see a `NOT AUTHORIZED` error message.

e. Currently there is a minor bug in DKP which prevents access; the fix step below shows a workaround for the issue for now.

## Temp fix for

a. On the management cluster we need to add an extra asterisk to the roles we use to get around the bug.

b. On the management cluster select the workspace for the managed cluster. Within that workspace namespace you should see all the roles, including the `project grafana view role` that we associated with the developers.

```
$ k get workspaceroles -n<WORKSPACE_NAMESPACE> | grep project
project-observer-admin-worldprojns   Project Grafana Admin Role   26m
project-observer-edit-worldprojns    Project Grafana Edit Role    26m
```

c. Edit the role and add the extra asterisk as shown below. That should fix the issue and give you access to the UI.

Before:

```yaml
spec:
  rules:
  - nonResourceURLs:
    - /dkp/workspace/hellowsns/project/worldprojns/logging/grafana
    - /dkp/workspace/hellowsns/project/worldprojns/logging/grafana/*
    verbs:
    - '*'
```

After the fix, note the extra asterisk:

```yaml
spec:
  rules:
  - nonResourceURLs:
    - /dkp/workspace/hellowsns/project/worldprojns/logging/grafana
    - /dkp/workspace/hellowsns/project/worldprojns/logging/grafana/**
    verbs:
    - '*'
```
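The temp fix above is easy to get wrong by hand when a workspace has several project roles. Here is an added helper (example code, not part of DKP or this note) that takes the `spec` of a workspace role as returned by `kubectl get ... -o json`, reports every Grafana `nonResourceURLs` entry still using the single-star glob, and builds the JSON Patch for `kubectl patch --type=json`. The sample spec is the "Before" role from the note; the role name and the `WorkspaceRole` API group are assumptions and are not hard-coded.

```python
"""Find and fix the '/logging/grafana/*' glob in a DKP workspace role spec."""
import copy
import json

# Constructed sample: the "Before" spec from the note, as a dict (kubectl -o json shape).
SAMPLE_SPEC = {
    "rules": [
        {
            "nonResourceURLs": [
                "/dkp/workspace/hellowsns/project/worldprojns/logging/grafana",
                "/dkp/workspace/hellowsns/project/worldprojns/logging/grafana/*",
            ],
            "verbs": ["*"],
        }
    ]
}


def needs_fix(spec):
    """Return (rule_index, url) for every Grafana URL that still ends in '/grafana/*'."""
    hits = []
    for i, rule in enumerate(spec.get("rules", [])):
        for url in rule.get("nonResourceURLs", []):
            if url.endswith("/logging/grafana/*"):
                hits.append((i, url))
    return hits


def fixed_spec(spec):
    """Return a deep copy of spec with each '/grafana/*' widened to '/grafana/**'."""
    out = copy.deepcopy(spec)
    for i, url in needs_fix(out):
        urls = out["rules"][i]["nonResourceURLs"]
        urls[urls.index(url)] = url + "*"
    return out


def json_patch(spec):
    """Build an RFC 6902 JSON Patch string for: kubectl patch <kind>/<name> --type=json -p '<patch>'.

    Only the exact list positions are replaced, so no other rule or verb is touched.
    """
    ops = []
    for i, url in needs_fix(spec):
        j = spec["rules"][i]["nonResourceURLs"].index(url)
        ops.append({"op": "replace", "path": f"/spec/rules/{i}/nonResourceURLs/{j}", "value": url + "*"})
    return json.dumps(ops)


if __name__ == "__main__":
    print("entries to fix:", needs_fix(SAMPLE_SPEC))
    print("patch:", json_patch(SAMPLE_SPEC))
```

Feed `json_patch()` the `spec` of the real role (`kubectl get workspaceroles <name> -n <WORKSPACE_NAMESPACE> -o json | jq .spec`) and pass the result to `kubectl patch`; an empty `[]` means the role already carries the double-star glob.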