ServerView Resource Orchestrator Cloud Edition V3.1.0 Design Guide
5.1.1 Overview

Resource Orchestrator can limit the available operations and resources based on the user.

Privileges can be controlled by configuring the roles and access scope based on users.

The following names are used for roles. For details on the operation privileges of each role, refer to "Operation Scopes of Roles" in "5.1.2 Roles and Available Operations".

Table 5.1 Role Types

| Role Types | Role Names | Description |
|---|---|---|
| Infrastructure Administrative Role | Infrastructure administrator (infra_admin) | An infrastructure administrator manages the ICT resources of a private cloud (servers, storage, network), and OSs running on an L-Platform. An infrastructure administrator performs consolidated management of pooled ICT resources using Resource Orchestrator, confirms load status and, when necessary, adds ICT resources, and performs switchover and maintenance. The infrastructure administrator role cannot perform operations when L-Platforms and L-Servers are operating. Use this role to limit the privileges of users who manage the infrastructure with regard to L-Platforms and L-Servers, in order to prevent accidental operation of those L-Platforms and L-Servers. The only operations that can be performed for an L-Platform are monitoring and backup; for an L-Server, the only operations are monitoring and those given in "17.7 Migration of VM Hosts between Servers" in the "User's Guide for Infrastructure Administrators (Resource Management) CE". However, all operations can be performed for the other resources. |
| | Infrastructure operator (infra_operator) | An infrastructure operator can only monitor an L-Platform. Power operations and backup for resources in a resource pool can also be executed by an infrastructure operator. |
| | Infrastructure monitor (monitor) | A monitor can only monitor all resources. |
| Tenant Management Roles | Tenant administrator (tenant_admin) | Tenant administrators perform L-Server template management, user management of tenant users, and approval of L-Platform creation applications from tenant users. Use the tenant administrator role when another administrator manages an L-Platform, such as when performing cloud-type operations to borrow an L-Platform. |
| | Tenant operator (tenant_operator) | A tenant operator can perform only the following subset of the operations that tenant administrators can perform: resource backup, L-Platform power operation, resource monitoring of all tenants, and tenant and local pool monitoring. |
| | Tenant monitor (tenant_monitor) | A tenant monitor can only monitor L-Platforms and L-Servers. |
| Multiple Roles | Administrator (administrator) | An administrator is both an infrastructure administrator and a tenant administrator. |
| | Operator (operator) | An operator is both an infrastructure operator and a tenant operator. |
| | Monitor (monitor) | A monitor can only monitor all resources. |
| Tenant Use Roles | Tenant user (tenant_user) | Tenant users can create L-Platforms inside tenants. Tenant users apply to tenant administrators to create and use L-Platforms. When an application is approved and an L-Platform is created, the user who applied is automatically assigned the role of L-Platform User (lplatform_user). |
| | L-Platform User (lplatform_user) | L-Platform User is the role that enables tenant users (tenant_user) to use L-Platforms. L-Platform users can operate, change, and delete L-Platforms. This role is automatically assigned when an L-Platform is created. When the L-Platform is deleted, the assigned role is deleted automatically. Addition and deletion are not necessary. |

User groups are a function for batch management of multiple users. By configuring roles and access scopes in the same way as for users, the privileges of all users belonging to the user group can be configured in a single batch operation.

For user groups, only "supervisor" and "monitor" are defined by default.

For the "supervisor" user group, the access scope and role of "all=administrator" are configured.
"all=administrator" is the role for administrators (administrators who are both infrastructure administrators and tenant administrators) with unlimited access scopes.

For the "monitor" user group, the access scope and role of "all=monitor" are configured.
"all=monitor" is the role for monitors (monitors who are both infrastructure monitors and tenant monitors) with unlimited access scopes.

When a tenant is created, a user group corresponding to the tenant is created. When the tenant administrator and tenant users are created, they belong to the user group corresponding to the tenant.

If no user group is specified when creating a user, the user is placed in the same user group as the user who performed the creation. Therefore, it is not necessary to consider the existence of user groups when using a user within the same department.

When resource folders and resources specified in the access scope of a user and a user group are deleted, they are also deleted from the access scope and the role settings.

For details on how the access scope and role settings of a user and a user group relate to each other, refer to "Table 5.2 Relations on Access Scope and Role Settings of Users and User Groups".

Table 5.2 Relations on Access Scope and Role Settings of Users and User Groups

| Users | User Groups | Access Scope and Roles |
|---|---|---|
| Configured | Configured | User configurations are valid |
| Configured | Not configured | User configurations are valid |
| Not configured | Configured | User group configurations are valid |
| Not configured | Not configured | All resources are inaccessible |
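
The precedence in Table 5.2, together with the combined roles from Table 5.1, expressed as a small access-review script. This is an added example, not Resource Orchestrator code: the function names, the `/tenantA` scope and the sample users and groups are constructed for illustration; only the `all=administrator` and `all=monitor` notation comes from the text above.

```python
# Added illustration of the Table 5.2 precedence; not Resource Orchestrator code.
# Combined roles and their constituent roles, as stated in Table 5.1.
COMBINED = {
    "administrator": {"infra_admin", "tenant_admin"},
    "operator": {"infra_operator", "tenant_operator"},
}

def parse_settings(entries):
    """Turn ["all=administrator", ...] into {scope: role}; reject malformed entries."""
    settings = {}
    for entry in entries:
        scope, sep, role = entry.partition("=")
        if not sep or not scope.strip() or not role.strip():
            raise ValueError(f"malformed scope=role entry: {entry!r}")
        settings[scope.strip()] = role.strip()
    return settings

def effective_settings(user_entries, group_entries):
    """Table 5.2: user settings apply when configured, else the group's, else nothing."""
    user = parse_settings(user_entries)
    if user:
        return user, "user"
    group = parse_settings(group_entries)
    if group:
        return group, "group"
    return {}, "none"

def review(users, groups):
    """Return (user, source, finding) tuples worth a second look in an access review."""
    findings = []
    for name, (entries, group) in sorted(users.items()):
        settings, source = effective_settings(entries, groups.get(group, []))
        if source == "none":
            findings.append((name, source, "all resources inaccessible"))
        for scope, role in settings.items():
            if scope == "all" and "infra_admin" in COMBINED.get(role, {role}):
                findings.append((name, source, f"unlimited scope with {role}"))
    return findings

# Constructed sample data: the two default groups plus a hypothetical tenant group.
GROUPS = {"supervisor": ["all=administrator"], "monitor": ["all=monitor"], "tenantA": []}
USERS = {
    "alice": ([], "supervisor"),                      # inherits the group setting
    "bob": (["/tenantA=tenant_admin"], "supervisor"),  # own setting replaces the group's
    "carol": ([], "tenantA"),                          # nothing configured anywhere
    "dave": ([], "monitor"),
}
```

Running `review(USERS, GROUPS)` flags `alice`, who inherits unlimited administrator access from the "supervisor" group, and `carol`, who has no access at all; `bob` is not flagged because his own narrower setting is the one that is valid.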