A user role contains one
or more privileges that define the operations allowed for the user who is
assigned to that role. A user can be assigned one or more roles. A user
assigned multiple roles has the combined privileges of all assigned roles. For
example, if Role1 has policy-related privileges, and Role2 has tenant-related
privileges, users who are assigned to both Role1 and Role2 have policy- and
tenant-related privileges.
All roles include read
access to all configuration settings in the
instance. The difference between the
read-only role and other roles is that a user who is assigned only the
read-only role cannot modify the system state. A user assigned another role can
modify the system state in that user's assigned area or areas.
The system contains the following default user roles:
- aaa: Users have read and write access to users, roles, and AAA configuration, and read access to the rest of the system.
- admin: Users have read and write access to the entire system and have most privileges. However, users cannot create or delete files, or perform system upgrades. These functions can be done only through the default admin account. The default admin account is assigned this role by default, and it cannot be changed.
- intercloud-infra: Users have read and write access for InterCloud operations, including creating InterCloud links, creating provider accounts, managing InterCloud Extender and Switch images, and importing InterCloud Agent images. Users with this role are limited to InterCloud functionality.
- intercloud-server: Users have read and write access for cloud VMs. Users can create or move VMs from the enterprise to the cloud. Users can monitor cloud VMs for multiple tenants. Users with this role are limited to InterCloud functionality.
- network: Users can create organizations, security policies, and device profiles.
- operations: Users can acknowledge faults, back up the system, and perform some basic operations, such as logging configuration.
- read-only: Users have read-only access to system configuration and operational status with no privileges to perform any operations.
- tenant-admin: Users can configure tenant-related policies and resources for their associated tenants. However, users can view only those objects related to their associated tenants as defined by their assigned locales and organizations. They cannot see information about tenants that do not belong to their assigned locales and organizations.
Roles can be created,
modified to add or remove existing privileges, or deleted. When a role is
modified, the new privileges are applied to all users assigned to that role.
Privilege assignment is not restricted to the privileges defined for the
default roles. That is, you can use a custom set of privileges to create a
unique role. For example, the default Network and Operations roles have
different sets of privileges, but a new Network and Operations role can be
created that combines the privileges of both roles.
If a role is deleted
after it has been assigned to users, it is also deleted from those user
accounts.
The role and locale assignments
for a local user can be changed on
. The role and locale for a remote user
can be changed on LDAP. If any of the following information assigned to a user
is modified, the administrator must delete all existing sessions of that user
so that the new privileges take effect:
- Role
- Privilege for a role
- Locale
- Organization in a locale
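The semantics described above (a user's privileges are the union of all assigned roles, a role change reaches every holder, a deleted role disappears from user accounts, and role, privilege or locale changes only take effect once existing sessions are deleted) as an added model in Python; this is not the product's own code, and the role names and privilege strings are constructed for illustration.

```python
class RoleStore:
    """Roles map to sets of write privileges; read access is implicit for every role."""

    def __init__(self):
        self.roles = {"read-only": set()}   # read-only grants no write privilege
        self.users = {}                     # user -> {"roles": set(), "locales": set()}
        self.stale_sessions = set()         # users whose sessions an admin must delete

    def add_role(self, name, privileges=()):
        self.roles[name] = set(privileges)

    def add_user(self, name, roles=(), locales=()):
        self.users[name] = {"roles": set(roles), "locales": set(locales)}

    def effective_privileges(self, user):
        """Combined privileges of all roles assigned to the user."""
        return set().union(*(self.roles[r] for r in self.users[user]["roles"]))

    def can_modify_state(self, user):
        """A user holding only read-only (no write privilege) cannot change state."""
        return bool(self.effective_privileges(user))

    def modify_role(self, role, add=(), remove=()):
        """Changed privileges reach every user assigned the role (after re-login)."""
        self.roles[role] = (self.roles[role] | set(add)) - set(remove)
        self._flag_holders(role)

    def delete_role(self, role):
        """A deleted role is removed from every user account that held it."""
        self._flag_holders(role)
        del self.roles[role]
        for u in self.users.values():
            u["roles"].discard(role)

    def assign_role(self, user, role):
        self.users[user]["roles"].add(role)
        self.stale_sessions.add(user)

    def set_locales(self, user, locales):
        self.users[user]["locales"] = set(locales)
        self.stale_sessions.add(user)

    def _flag_holders(self, role):
        # Role, privilege and locale changes only take effect once the
        # administrator deletes the affected user's existing sessions.
        self.stale_sessions |= {n for n, u in self.users.items() if role in u["roles"]}
```

The `stale_sessions` set is the list an administrator would work through after a change; nothing here terminates sessions by itself.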