Resource Orchestrator can limit the available operations and resources based on the user.
- Collections of possible operations: these are referred to as roles.
- Resources that can be operated on: these are referred to as the access scope.
Privileges can be controlled by configuring the roles and access scope based on users.
User groups are the function for managing multiple users as a batch. By configuring roles and access scopes for a user group in the same way as for a user, the privileges of all users belonging to that user group can be configured in a single operation.
For user groups, only "supervisor" is defined by default.
For the "supervisor" user group, the access scope and role of "all=administrator" are configured.
"all=administrator" is the role for administrators (administrators who are both infrastructure administrators and tenant administrators) with unlimited access scopes.
If no user group is specified when creating a user, the new user is placed in the same user group as the user who performed the creation. Therefore, it is not necessary to consider the existence of user groups when using a user within the same department.
When resource folders and resources specified in the access scope of a user or a user group are deleted, they are also removed from the access scope and role settings of that user or user group.
For details on the relations on access scope and role settings of a user and a user group, refer to "Table B.1 Relations on Access Scope and Role Settings of Users and User Groups".
Table B.1 Relations on Access Scope and Role Settings of Users and User Groups

| Users | User Groups | Access Scope and Roles |
|---|---|---|
| Configured | Configured | User configurations are valid |
| Configured | Not configured | User configurations are valid |
| Not configured | Configured | User group configurations are valid |
| Not configured | Not configured | All resources are inaccessible |
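As an added illustration (not Resource Orchestrator code), the following Python models the precedence rule of Table B.1 together with the access-scope cleanup on resource deletion described above; the `Principal` class and the path-like scope names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Principal:
    """A user or a user group (hypothetical model for this example).
    `settings` maps an access scope to a role, e.g. {"all": "administrator"}
    for the default "supervisor" group, or {"/tenantA/folder1": "tenant_admin"}.
    Path-like scope names are an assumption, not the product's syntax."""
    name: str
    settings: Dict[str, str] = field(default_factory=dict)
    group: Optional["Principal"] = None


def _covers(scope: str, resource: str) -> bool:
    """True if `resource` lies inside `scope`; the scope "all" covers everything."""
    if scope == "all":
        return True
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")


def effective_settings(user: Principal) -> Dict[str, str]:
    """Table B.1: the user's own settings are valid when configured; otherwise
    the user group's settings are valid; otherwise every resource is inaccessible."""
    if user.settings:
        return user.settings
    if user.group is not None and user.group.settings:
        return user.group.settings
    return {}


def role_for(user: Principal, resource: str) -> Optional[str]:
    """Role the user holds on `resource`, or None when it is outside every scope."""
    for scope, role in effective_settings(user).items():
        if _covers(scope, resource):
            return role
    return None


def delete_resource(resource: str, principals: List[Principal]) -> None:
    """Deleting a resource folder or resource also removes it (and anything
    below it) from the access scope and role settings of every user and group."""
    for p in principals:
        for scope in list(p.settings):
            if scope != "all" and _covers(resource, scope):
                del p.settings[scope]
```

Note that once a user's last scope entry is removed, the user falls back to the group's settings, exactly as the "Not configured / Configured" row of Table B.1 prescribes.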
Directory services can be used for user and role management. For details on how to install and operate, refer to "Appendix C User Management Using Directory Service".
The following names are used for roles. For details on the operation privileges of each role, refer to "Operation Scopes of Roles" in "B.2 Roles and Available Operations".
| Role Types | Role Names | Description |
|---|---|---|
| Infrastructure Administrative Role | Infrastructure administrator (infra_admin) | An infrastructure administrator manages the ICT resources of a private cloud (servers, storage, network) and the OSs running on an L-Platform. |
| Infrastructure Administrative Role | Infrastructure operator (infra_operator) | An infrastructure operator can only monitor an L-Platform. |
| Infrastructure Administrative Role | Infrastructure monitor (monitor) | A monitor can only monitor all resources. |
| Tenant Management Roles | Tenant administrator (tenant_admin) | Tenant administrators perform L-Server template management, user management of tenant users, and approval of L-Platform creation applications from tenant users. |
| Tenant Management Roles | Tenant operator (tenant_operator) | A tenant operator can only perform the following operations from among those that tenant administrators can perform. |
| Tenant Management Roles | Tenant monitor (tenant_monitor) | A tenant monitor can only monitor L-Platforms and L-Servers. |
| Multiple Roles | Administrator (administrator) | An administrator is both an infrastructure administrator and a tenant administrator. |
| Multiple Roles | Operator (operator) | An operator is both an infrastructure operator and a tenant operator. |
| Multiple Roles | Monitor (monitor) | A monitor can only monitor all resources. |
| Tenant Use Roles | Tenant user (tenant_user) | Tenant users can create L-Platforms inside tenants. Tenant users apply to tenant administrators to create and use L-Platforms. |
| Tenant Use Roles | L-Platform User (lplatform_user) | L-Platform User is the role that enables tenant users (tenant_user) to use L-Platforms. L-Platform users can operate, change, and delete L-Platforms. This role is assigned automatically when an L-Platform is created and removed automatically when the L-Platform is deleted, so no manual addition or deletion is necessary. |