Resource Orchestrator can limit the available operations and resources based on the user.
- Collections of possible operations: these are referred to as roles.
- Resources that can be operated on: these are referred to as the access scope.
The access scope of a user who has been assigned the tenant administrator role or the tenant user role is the tenant that they manage and use.
Privileges are controlled by configuring roles and access scopes for each user.
Role
The following names are used for roles. For the operation privileges of each role, refer to "Table 5.3 Operation Scopes of Roles" in "5.1.2 Roles and Available Operations".
Infrastructure administrator (infra_admin)
Infrastructure administrators manage the ICT resources (servers, storage, networks, and system images) in a private cloud.
Using Resource Orchestrator, infrastructure administrators collectively manage ICT resources in resource pools, while monitoring the load and performing addition, replacement, and maintenance of ICT resources when necessary.
Infrastructure administrators prepare L-Platform templates of pre-defined logical platforms (L-Platforms) according to tenant user or tenant administrator needs, and publish them for use by tenant users or tenant administrators.
In accordance with the application process, infrastructure administrators may also receive and review applications from tenant users or tenant administrators.
The main roles and operations of infrastructure administrators are given below.
- Manage (add, switch, and maintain) the ICT resources (servers, storage, networks, and system images) in a private cloud
- Manage shared pools (global pools)
- Create and publish L-Platform templates
- Review logical platform (L-Platform) usage applications
Infrastructure operator (infra_operator)
An infrastructure operator can monitor L-Platforms. In addition, an infrastructure operator can execute power operations and backups for resources in a resource pool.
Infrastructure monitor (monitor)
A monitor can only monitor all resources.
Tenant administrator (tenant_admin)
Tenant administrators prepare tenant-specific L-Platform templates, based on the templates pre-defined by the infrastructure administrator and according to tenant user needs, and publish them for tenant users to use.
In accordance with the application process, tenant administrators may also receive and approve applications from tenant users.
Tenant administrators can check the usage status and monitor the operational statuses of tenant users.
The main roles and operations of tenant administrators are given below.
- Manage resource pools (local pools) dedicated to tenants
- Manage L-Platform templates
- Manage accounts of tenant users
- Review and approve logical platform (L-Platform) usage applications
Tenant operator (tenant_operator)
A tenant operator can perform only the following subset of the operations available to tenant administrators.
- Resource backup
- L-Platform power operations
- Resource monitoring of all tenants
- Tenant and local pool monitoring
Tenant monitor (tenant_monitor)
A tenant monitor can only monitor L-Platforms and L-Servers.
Tenant user (tenant_user)
Tenant users can apply to use logical platforms (L-Platforms), and use logical platforms (L-Platforms) configured according to their application.
When the authorization of the tenant administration department manager is required for an application, tenant users must request authorization from the manager in accordance with the application process.
The main roles and operations of tenant users are given below.
- Apply for logical platform (L-Platform) usage
- Check resource usage conditions
L-Platform User (lplatform_user)
L-Platform User is the role that enables tenant users (tenant_user) to use L-Platforms.
L-Platform users can operate, change, and delete L-Platforms.
This role is assigned automatically when an L-Platform is created, and removed automatically when the L-Platform is deleted. Manual addition and deletion are not necessary.
Administrator (administrator)
An administrator is both an infrastructure administrator and a tenant administrator.
Operator (operator)
An operator is both an infrastructure operator and a tenant operator.
Monitor (monitor)
A monitor can only monitor all resources; a monitor is both an infrastructure monitor and a tenant monitor.
User Groups
User groups are a function for managing multiple users as a batch. By configuring roles and access scopes for a user group in the same way as for a user, the privileges of all users belonging to the user group can be configured in one operation.
If no user group is specified when a user is created, the new user is placed in the same user group as the user who performed the creation. Therefore, user groups do not need to be considered when users are used within the same department.
When resource folders or resources specified in the access scope of a user or a user group are deleted, they are also removed from that access scope and from the role settings.
For details on the relations on access scope and role settings of a user and a user group, refer to "Table 5.2 Relations on Access Scope and Role Settings of Users and User Groups".
Access Scope and Roles of the User | Access Scope and Roles of the User Group | Settings That Take Effect |
---|---|---|
Configured | Configured | User configurations are valid |
Configured | Not configured | User configurations are valid |
Not configured | Configured | User group configurations are valid |
Not configured | Not configured | All resources are inaccessible |
For user groups, only "supervisor" and "monitor" are defined by default.
For the "supervisor" user group, the access scope and role setting "all=administrator" is configured.
"all=administrator" assigns the administrator role (administrators are both infrastructure administrators and tenant administrators) with an unlimited access scope.
For the "monitor" user group, the access scope and role setting "all=monitor" is configured.
"all=monitor" assigns the monitor role (monitors are both infrastructure monitors and tenant monitors) with an unlimited access scope.
When a tenant is created, the user group corresponding to a tenant will be created. When the tenant administrator and tenant users are created, they belong to a user group corresponding to the tenant.
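The precedence table above and the deletion rule have a consequence worth checking before relying on them: a user with their own settings is never widened by the group, and a user whose settings point only at a resource that is later deleted may end up governed by the group instead. The following Python is an added example, not Resource Orchestrator code. It models the "<scope>=<role>" setting form seen in "all=administrator", the precedence table, and the removal of deleted resources from access scopes. Everything else is an assumption made for illustration: that a folder scope covers its sub-resources, the role-to-operation map (the real one is Table 5.3), and that a user whose settings are emptied by a deletion then counts as "not configured" and falls back to the group; the principals and paths are constructed sample data.

```python
"""Effective privileges from user and user-group settings (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Operations per role.  ASSUMED for illustration; the authoritative list is
# "Table 5.3 Operation Scopes of Roles" in the manual.
ROLE_OPERATIONS: Dict[str, Set[str]] = {
    "administrator": {"manage", "power", "backup", "monitor"},
    "operator": {"power", "backup", "monitor"},
    "monitor": {"monitor"},
    "tenant_admin": {"manage", "power", "backup", "monitor"},
    "tenant_operator": {"power", "backup", "monitor"},
    "tenant_monitor": {"monitor"},
}


@dataclass
class Principal:
    """A user or a user group.  settings holds "<scope>=<role>" entries."""
    name: str
    settings: List[str] = field(default_factory=list)
    group: Optional["Principal"] = None   # a user's user group, if any


def parse_setting(entry: str) -> Tuple[str, str]:
    scope, sep, role = entry.partition("=")
    if not sep or role not in ROLE_OPERATIONS:
        raise ValueError(f"bad access scope/role setting: {entry!r}")
    return scope, role


def effective_settings(user: Principal) -> List[str]:
    """Precedence table: user settings if configured, else the group's, else none."""
    if user.settings:
        return list(user.settings)
    if user.group is not None and user.group.settings:
        return list(user.group.settings)
    return []                      # "All resources are inaccessible"


def scope_covers(scope: str, resource: str) -> bool:
    """'all' is the unlimited scope; a folder scope covers itself and its children (assumed)."""
    if scope == "all":
        return True
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")


def is_allowed(user: Principal, operation: str, resource: str) -> bool:
    """True if some effective setting covers the resource with a role permitting the operation."""
    for entry in effective_settings(user):
        scope, role = parse_setting(entry)
        if scope_covers(scope, resource) and operation in ROLE_OPERATIONS[role]:
            return True
    return False


def delete_resource(principals: List[Principal], resource: str) -> None:
    """Deleting a folder/resource removes it (and anything under it) from all access scopes."""
    for p in principals:
        p.settings = [e for e in p.settings
                      if not scope_covers(resource, parse_setting(e)[0])]


def build_example() -> Dict[str, Principal]:
    """Constructed sample directory: default groups, one tenant group, and four users."""
    supervisor = Principal("supervisor", ["all=administrator"])   # default group
    tenant_a = Principal("TenantA", ["/TenantA=tenant_admin"])    # created with the tenant
    root = Principal("root", group=supervisor)                    # inherits unlimited scope
    alice = Principal("alice", group=tenant_a)                    # inherits the tenant group
    bob = Principal("bob", ["/TenantA/lp1=tenant_monitor"], group=tenant_a)  # own settings win
    carol = Principal("carol")                                    # nothing configured anywhere
    return {p.name: p for p in (supervisor, tenant_a, root, alice, bob, carol)}


def deletion_scenario() -> Tuple[List[str], List[str]]:
    """Delete /TenantA/lp1 and return bob's own settings and his effective settings afterwards."""
    d = build_example()
    delete_resource(list(d.values()), "/TenantA/lp1")
    # bob's only setting is gone; under the ASSUMED semantics he now falls back to the group
    return d["bob"].settings, effective_settings(d["bob"])


if __name__ == "__main__":
    d = build_example()
    for user, op, res in [("root", "manage", "/TenantB/lp9"),
                          ("alice", "manage", "/TenantA/lp1"),
                          ("alice", "manage", "/TenantB/lp1"),
                          ("bob", "monitor", "/TenantA/lp1"),
                          ("bob", "manage", "/TenantA/lp1"),   # group would allow; user config wins
                          ("carol", "monitor", "/TenantA/lp1")]:
        print(f"{user:6} {op:8} {res:14} -> {is_allowed(d[user], op, res)}")
    print("bob after deleting /TenantA/lp1:", deletion_scenario())
```

The bob case is the one to audit in a real deployment: narrowing a user with an explicit setting is safe while the resource exists, but if the assumed fallback holds, deleting that resource silently hands the user the group's wider scope. Verify the product's actual behaviour on a test tenant before depending on per-user settings to restrict group members.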