redhat-developer · themr0c · May 11, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
diff --git a/assemblies/shared/assembly-manage-authorizations-by-using-external-files.adoc b/assemblies/shared/assembly-manage-authorizations-by-using-external-files.adoc
@@ -16,5 +16,7 @@ include::../modules/shared/proc-define-authorizations-in-external-files-by-using
 
 include::../modules/shared/proc-define-authorizations-in-external-files-by-using-helm.adoc[leveloffset=+1]
 
+include::../modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc[leveloffset=+1]
+
 ifdef::parent-context[:context: {parent-context}]
 ifndef::parent-context[:!context:]
diff --git a/assemblies/shared/assembly-permission-policies-reference.adoc b/assemblies/shared/assembly-permission-policies-reference.adoc
@@ -7,7 +7,7 @@ ifdef::context[:parent-context: {context}]
 :context: permission-policies-reference
 
 [role="_abstract"]
-Reference information about permission policy types and available permissions for catalog, scaffolder, RBAC, Kubernetes, and plugin resources.
+Reference information about permission policy types and available permissions for catalog, scaffolder, RBAC, Kubernetes, Extensions, and plugin resources.
 
 {product-short} supports permission policies for controlling access to resources and functionalities.
 The following reference modules describe the available permission types and permissions for each plugin category.
@@ -34,5 +34,7 @@ include::../modules/shared/ref-argocd-permissions.adoc[leveloffset=+1]
 
 include::../modules/shared/ref-quay-permissions.adoc[leveloffset=+1]
 
+include::../modules/shared/ref-extensions-permissions.adoc[leveloffset=+1]
+
 ifdef::parent-context[:context: {parent-context}]
 ifndef::parent-context[:!context:]
diff --git a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc
@@ -0,0 +1,78 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="configure-rbac-for-extensions-by-using-the-rbac-csv-file_{context}"]
+= Configure RBAC for Extensions by using the RBAC CSV file
+
+[role="_abstract"]
+You can grant access to Extensions plugin management by adding permission policies to your RBAC CSV file.
+
+.Prerequisites
+
+* You have {authorization-book-link}#enabling-and-giving-access-to-rbac_title-authorization[enabled RBAC and assigned a policy administrator role].
+* You {authorization-book-link}#manage-authorizations-by-using-external-files_authorization-in-rhdh[manage authorizations by using external files].
+* You have added `extensions` to the list of authorized plugins under your `permission.rbac.pluginsWithPermission` configuration.
+
+.Procedure
+
+. Add the following policies to your CSV file to allow users to view and manage plugins in Extensions:
++
+[source,csv,subs="+quotes"]
+----
+g, user:default/_<YOUR_USERNAME>_, role:default/extensions-admin
+p, role:default/extensions-admin, extensions.plugin.configuration.read, read, allow
+p, role:default/extensions-admin, extensions.plugin.configuration.write, create, allow
+p, role:default/extensions-admin, catalog.entity.read, read, allow
+----
++
+See xref:extensions-permissions_permission-policies-reference[Extensions permissions].
+
+. Optional: Restrict access to specific plugins by defining a conditional policy in the `rbac-conditional-policies.yaml` file as described in {authorization-book-link}#managing-authorizations-by-using-external-files[Defining conditional policies]:
++
+[source,yaml,subs="+attributes,+quotes"]
+----
+result: CONDITIONAL
+roleEntityRef: "role:default/extensions-admin"
+pluginId: extensions
+resourceType: extensions-plugin
+permissionMapping:
+  - create
+conditions:
+  rule: HAS_NAME
+  resourceType: extensions-plugin
+  params:
+    pluginNames: [_<your_plugin_name>_]
+----
++
+where:
+
+`pluginNames`:: Enter the plugin name or title for user access.
++
+This policy allows users to install or update only the specified plugins and restricts access to all other plugins.
+
+. Optional: Restrict access by annotation by defining a conditional policy:
++
+[source,yaml,subs="+attributes,+quotes"]
+----
+result: CONDITIONAL
+roleEntityRef: "role:default/extensions-admin"
+pluginId: extensions
+resourceType: extensions-plugin
+permissionMapping:
+  - create
+conditions:
+  rule: HAS_ANNOTATION
+  resourceType: extensions-plugin
+  params:
+    annotation: "extensions.backstage.io/certified-by"
+    value: "Red Hat"
+----
++
+This policy allows users to install or update only the plugins that have the specified annotation.
+
+.Verification
+
+* Verify that the user can view and manage plugins in Extensions.
+
+.Additional resources
+* xref:extensions-permissions_permission-policies-reference[Extensions permissions]
+* {installing-and-viewing-plugins-book-link}#configure-rbac-to-manage-extensions_extensions-in-rhdh[Configure RBAC to manage Extensions]
diff --git a/modules/shared/proc-configure-rbac-to-manage-extensions.adoc b/modules/shared/proc-configure-rbac-to-manage-extensions.adoc
@@ -25,3 +25,7 @@ image::extend_installing-and-viewing-plugins-in-rhdh/extensions-rbac-role-create
 .Verification
 After you refresh the {product-very-short} application, when you select a plugin, the *Actions* drop-down is active.
 When you click the *Actions* drop-down, you can edit the plugin configuration, and enable or disable the plugin.
+
+.Additional resources
+* {authorization-book-link}#configure-rbac-for-extensions-by-using-the-rbac-csv-file_manage-authorizations-by-using-external-files[Configure RBAC for Extensions by using the RBAC CSV file]
+* {authorization-book-link}#extensions-permissions_permission-policies-reference[Extensions permissions]
diff --git a/modules/shared/ref-conditional-policy-plugin-examples.adoc b/modules/shared/ref-conditional-policy-plugin-examples.adoc
@@ -4,7 +4,7 @@
 = Conditional policy plugin examples
 
 [role="_abstract"]
-Reference information about conditional policy examples for Keycloak and Quay plugins demonstrating access control patterns.
+Reference information about conditional policy examples for Keycloak, Quay, and Extensions plugins demonstrating access control patterns.
 
 The following examples can be used with {product-short} plugins.
 These examples can help you determine how to define conditional policies:
@@ -59,5 +59,25 @@ Conditional policy defined for Quay plugin:
 The previous example of Quay plugin prevents the role `role:default/developer` from using the Quay scaffolder action.
 Note that `permissionMapping` contains `use`, signifying that `scaffolder-action` resource type permission does not have a permission policy.
 
+Conditional policy defined for Extensions plugin:
+
+[source,json]
+----
+{
+  "result": "CONDITIONAL",
+  "roleEntityRef": "role:default/extensions-admin",
+  "pluginId": "extensions",
+  "resourceType": "extensions-plugin",
+  "permissionMapping": ["create"],
+  "conditions": {
+    "rule": "HAS_NAME",
+    "resourceType": "extensions-plugin",
+    "params": { "pluginNames": ["<your_plugin_name>"] }
+  }
+}
+----
+
+The previous example of Extensions plugin restricts users in the `role:default/extensions-admin` to only installing or updating the specified plugin.
+
 .Additional resources
 * xref:permission-policies-reference_authorization-in-rhdh[]
diff --git a/modules/shared/ref-extensions-permissions.adoc b/modules/shared/ref-extensions-permissions.adoc
@@ -0,0 +1,25 @@
+:_mod-docs-content-type: REFERENCE
+
+[id="extensions-permissions_{context}"]
+= Extensions permissions
+
+[role="_abstract"]
+Reference information about available Extensions permissions for reading and writing plugin configurations.
+
+[cols="15%,25%,15%,45%", frame="all", options="header"]
+|===
+|Name
+|Resource type
+|Policy
+|Description
+
+|`extensions.plugin.configuration.read`
+|`extensions-plugin`
+|`read`
+|Enables a user or role to view plugin configurations in Extensions
+
+|`extensions.plugin.configuration.write`
+|`extensions-plugin`
+|`create`
+|Enables a user or role to install, update, enable, or disable plugins by using Extensions
+|===