Merge pull request #90580 from michaelryanpeter/ocpbugs-42519-clarify-operator-group-rbac-hash

OCPBUGS#42519: Clarify Operator group RBAC hash values

Author: michaelryanpeter

modules/olm-operatorgroups-rbac.adoc

@@ -5,7 +5,7 @@
 [id="olm-operatorgroups-rbac_{context}"]
 = Role-based access control
 
-When an Operator group is created, three cluster roles are generated. Each contains a single aggregation rule with a cluster role selector set to match a label, as shown below:
+When an Operator group is created, three cluster roles are generated. When the cluster roles are generated, they are automatically suffixed with a hash value to ensure that each cluster role is unique. Each Operator group contains a single aggregation rule with a cluster role selector set to match a label, as shown in the following table:
 
 [cols="1,1",options="header"]
 |===
@@ -21,6 +21,18 @@ When an Operator group is created, three cluster roles are generated. Each conta
 |`olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`
 |===
 
+[NOTE]
+====
+To use the cluster role of an Operator group to assign role-based access control (RBAC) to a resource, get the full name of cluster role and hash value by running the following command:
+
+[source,terminal]
+----
+$ oc get clusterroles | grep <operatorgroup_name>
+----
+
+Because the hash value is generated when the Operator group is created, you must create the Operator group before you can look up the complete name of the cluster role.
+====
+
 The following RBAC resources are generated when a CSV becomes an active member of an Operator group, as long as the CSV is watching all namespaces with the `AllNamespaces` install mode and is not in a failed state with reason `InterOperatorGroupOwnerConflict`:
 
 * Cluster roles for each API resource from a CRD