Permission Control

Role-Based Permissions

Role-based permissions are a set of permissions that can be individually configured for each role and control the activities that can be performed using CloudCenter resources. Users, members of user groups, and tenants are granted the permissions that are configured for each role with which they are associated. See User Roles for information about configuring user roles.

An administrator can grant role-based permissions by using the Edit User Role feature.

Resource | Description

Application Profile

Permission to create, update, and manage application profiles.

Application Profile Template

Permission to create and manage application profile templates.

This permission can be assigned only to admins.

Policy

Permission to create and manage policies.

Deployment Environment

Permission to create and manage deployment environments.

Cloud

Permission to create clouds.

This permission can be assigned only to admins.

Cloud Account

Permission to add cloud accounts to clouds.

This permission can be assigned only to admins.

Resource-Based Permissions

Resource-based permissions control how users, members of user groups and, in some cases, tenants associated with a resource can share the resource and perform related activities.

Resource-based permissions are available to resource owners, users who created the resource, and users who are permitted to share the resource. These users can grant permissions to other users.

Deployment Permissions

The deployment owner is always associated with a deployment and can: 

  • Manage web SSH/VNC access to a deployment VM
  • Control which other users have access to deployment VMs

    Only the deployment owner can control permissions and cannot provide manage permissions to any other user – no other user can control permissions for this deployment.

From the Share (see UI Behavior > The Share Popup) option for a deployment, the deployment owner (referred to as owner) can control permissions for a deployment:

Permission | Description

Access

Controls the login access for users/groups/tenants in this deployment VM.

Deployment Environment Permissions

The CloudCenter administrator is always associated with a deployment environment and can:

  • Manage who has access to the deployment environment
  • Control which other users have access to the deployments in this environment
  • Deploy applications to or promote applications from this environment
  • Approve the deployments of applications to the environment.

Administrators can control permissions for a deployment environment as described in the UI Behavior > The Share Popup. The following table describes the permission options:

Permission | Description
Access

Controls the activities that users or members of user groups can perform in this deployment environment.  

  • View: The user or member of a user group can view the deployment environment but cannot make changes.
  • Modify: The user or member of a user group can make changes to this deployment environment
  • Manage: The user or member of a user group can make changes to or delete this deployment environment
User's Deployments

Controls the activities that users can perform on deployments that they started in this deployment environment.

  • None: The user or member of a user group cannot access deployments
  • Access: The user or member of a user group can view deployments
  • Manage: The user or member of a user group can manage deployments, including viewing, starting, suspending, and terminating deployments
Others' Deployments

Controls the activities that users or members of user groups can perform on deployments that other users started in this deployment environment.

  • None: The user or member of a user group cannot access deployments
  • Access: The user or member of a user group can view deployments
  • Manage: The user or member of a user group can manage deployments, including viewing, starting, suspending, and terminating deployments
Deploy To

Allows a user or a member of a user group to deploy applications to this deployment environment. This permission is required to use a shared app profile and deploy it to a cloud.

Promote From

Allows a user or a member of a user group to promote a running deployment from this deployment environment to another deployment environment.

When you create a Deployment Environment and share it with a user without checking the Promote from option, be aware that the Migrate action will not be available when this user deploys an application that uses this deployment environment.

Authorized Approver

Allows a user or a member of a user group to approve the start of a deployment in the environment, if approval is required.

Extensions Permissions

The CloudCenter administrator is always associated with an Extension and can:

  • Manage who has access to the Extension
  • Control which other users have access to the Extension
  • Deploy applications to or promote applications using these Extensions
  • Approve the deployments of applications using these Extensions

Administrators can control permissions for an Extension as described in the UI Behavior > The Share Popup. The following table describes the permission options:

Permission Options | Description
Access

Controls permissions to users, groups, and tenants when using an Extension. 

  • View: The user or member of a user group can view the Extension but cannot make changes.
  • Modify: The user or member of a user group can make changes to this Extension
  • Manage: The user or member of a user group can make changes to or delete this Extension

Application Profile Permissions

Application profile permissions define certain activities that a user can perform with the application profile.

From the Share option (UI Behavior > The Share Popup) for an application profile, the application owner (referred to as owner) can control permissions for an application profile:

  • Owner:

    • The author who created an application or application profile is the owner, and by default, manages all permissions for this application.

    • The owner must explicitly assign access or deploy permissions to any user, admin, group, or sub-tenant. See Application Tasks > More Info for additional context.

      By default the tenant admin does not have any permission to view/modify/manage/deploy an application profile created by any user within this admin's tenant. 

      The owner must explicitly assign share or deploy permissions to the admin.

      Only admins with appropriate permissions can access permitted applications or application profiles.

  • User: The owner must explicitly assign access or deploy permissions. Only users with appropriate permissions can access permitted applications or application profiles. See Application Workflow > Verify User Access for additional context.

By default, only the application profile owner can assign permissions for any user, admin, group, or tenant.

Permission | Description
Access

Controls the activities that users or members of user groups can perform for this application profile.  

  • View: The user or member of a group/tenant can see this application profile but cannot modify, share, or delete it.
  • Modify: The user or member of a group/tenant can edit or update this application profile, but cannot share or delete it.
  • Manage: The user or member of a group/tenant can view, modify, share, and delete this application profile.
Deploy

Allows a user or member of a user group to benchmark and deploy this application profile.

Without the app profile being shared with a user, the user cannot promote or migrate deployments because the user does not own that app profile.

From the Publish option for an application profile, a tenant administrator can control the permissions for an application profile when publishing it to a marketplace as described in the following table. These permissions control access to the application profile after it is imported from the marketplace by a subscribing user.

Permission | Description

Imported App Permissions

Permissions for the imported application profile.

  • None: A subscribing user with appropriate privileges can benchmark and deploy this application profile
  • View: A subscribing user can view application profile details, and, with appropriate privileges, can benchmark and deploy this application profile
  • Modify: A subscribing user can view and edit application profile details, and, with appropriate privileges, can benchmark and deploy this application profile
Can be shared

Allows a subscribing user to share this application profile with other users.

Marketplace Permissions

Administrators can control permissions for an application profile in the marketplace as described in the UI Behavior > The Share Popup. The following table describes the permission options:

Permission | Description
Access

Controls the activities that users or members of user groups can perform for this application profile.  

  • View: The user or member of a user group can see and import this application profile but cannot modify the marketplace settings or share or remove the application profile from the marketplace
  • Modify: The user or member of a user group can modify the marketplace setting of this application profile, but cannot share or remove this application profile from the marketplace
  • Manage: The user or member of a user group can see and import this application profile, modify its marketplace settings, and share and remove it from the marketplace 

Repository Permissions

Repository permissions define certain activities that users can perform with repositories. You can control the permissions for a repository as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission | Description
View

The user, members of a user group, or tenant can see this repository but cannot modify, share, or delete it.

Modify

The user, members of a user group, or tenant can make changes to this repository.

Manage

The user, members of a user group, or tenant can make changes to or delete this repository.

Each tenant and users within a tenant can only view shared repositories specific to their tenant (or as permitted by their admin). See Share Artifact Repositories for additional context.

Service Permissions

Service permissions define certain activities that users can perform with custom services. You can control the permissions for a custom service as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission | Description
View

The user, members of a user group, or tenant can see this service but cannot modify, share, or delete it.

Modify

The user, members of a user group, or tenant can make changes to this service.

Manage

The user, members of a user group, or tenant can make changes to or delete this service.

Each tenant and users within a tenant can only view services specific to their tenant (or as permitted by their admin). See Topology Modeler > Services or Services (Admin) for additional context.

Policy Permissions

Policy permissions define certain activities that users can perform with policies. You can control the permissions for a policy as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission | Description
View

The user or members of a user group can view this policy but cannot make changes to, share, delete, or turn the policy on or off.

Modify

The user or members of a user group can make changes to this policy and turn it on or off, but cannot share or delete it.

Manage

The user or members of a user group can make changes to this policy and turn it on or off, share it, and delete it.

Actions Library Permissions

Custom actions permissions define certain actions that users can perform. You can control the permissions for a custom action.

Permission | Description
View

The user or members of a user group can view this custom action but cannot make changes to, share, or delete the custom action.

Users who only have View permissions on these actions cannot toggle the Enable (default) or Disable action in the Actions Library page.

Modify

The user or members of a user group can make changes to this custom action and toggle the Enable (default) or Disable action in the Actions Library page but cannot share or delete it.

Manage

The user or members of a user group can make changes to this custom action and toggle the Enable (default) or Disable action in the Actions Library page, share it, and delete it.

If you create a custom action and share it, be aware that the permissions for the application profile to which this action is attached must also be in the correct share state for shared users to run this action. You must either create the application profile or share the application profile with these users and assign modify or manage permissions.

 

Each tenant and users within a tenant can only view/modify custom actions specific to their tenant (or as permitted by their admin). See Actions Library for additional context.
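
Several permissions on this page depend on each other across resources: deploying needs Deploy on the application profile plus Deploy To on the deployment environment, Promote and Migrate need a shared application profile plus Promote From, and a shared custom action needs modify or manage on the attached application profile. The following Python check is an added example for access reviews, not CloudCenter code or API output; the Grants model, its field names, and the assumptions that any share level on a custom action lets a user run it and that the profile owner needs no explicit Deploy grant are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Grants:
    """One user's share settings (constructed model, not a CloudCenter API object)."""
    owns_profile: bool = False            # user created the application profile
    profile_access: Optional[str] = None  # View / Modify / Manage; None = not shared
    profile_deploy: bool = False          # Deploy permission on the application profile
    env_deploy_to: bool = False           # Deploy To on the deployment environment
    env_promote_from: bool = False        # Promote From on the deployment environment
    action_access: Optional[str] = None   # View / Modify / Manage on the custom action


def missing_prerequisites(g: Grants) -> Dict[str, List[str]]:
    """Map each action to the grants it still lacks; an empty list means available."""
    profile_shared = g.owns_profile or g.profile_access is not None or g.profile_deploy
    gaps: Dict[str, List[str]] = {"deploy": [], "promote": [], "migrate": [],
                                  "run_custom_action": []}

    # Deploying needs Deploy on the profile and Deploy To on the environment.
    if not (g.owns_profile or g.profile_deploy):
        gaps["deploy"].append("Deploy on the application profile")
    if not g.env_deploy_to:
        gaps["deploy"].append("Deploy To on the deployment environment")

    # Promote and Migrate both need the profile shared and Promote From set.
    for action in ("promote", "migrate"):
        if not profile_shared:
            gaps[action].append("application profile shared with the user")
        if not g.env_promote_from:
            gaps[action].append("Promote From on the deployment environment")

    # A shared custom action also needs Modify or Manage on the attached profile.
    if g.action_access is None:
        gaps["run_custom_action"].append("custom action shared with the user")
    if not (g.owns_profile or g.profile_access in ("Modify", "Manage")):
        gaps["run_custom_action"].append("Modify or Manage on the application profile")
    return gaps


# Constructed sample: a developer who can deploy but was not given Promote From.
developer = Grants(profile_access="View", profile_deploy=True,
                   env_deploy_to=True, action_access="View")
# Constructed sample: a tenant admin with no explicit share from the owner.
tenant_admin = Grants()

if __name__ == "__main__":
    for name, grants in (("developer", developer), ("tenant_admin", tenant_admin)):
        for action, gaps in missing_prerequisites(grants).items():
            print(f"{name:13} {action:18} {'OK' if not gaps else 'blocked: ' + '; '.join(gaps)}")
```

The tenant_admin sample comes back blocked on every action, which matches the default described under Application Profile Permissions: a tenant admin has no permission on a user's application profile until the owner assigns it.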

Federated CCM Permissions

You can control the permissions for Linked CCMs in a Federated CCM deployment in the following ways (the table that follows describes the permission options):

  • To assign specific permissions to individual users, add the users to this resource, then set permission options for each user
  • To assign permissions to members of a user group, add the user group to this resource, then set permission options
Permission | Description

Manage

The user or members of a user group can make changes to this resource and turn it on or off, share it, and delete it.

If both the Parent CCM and the Subordinate CCM share the same IDP and user directory, a user within the Parent CCM tenant can Share resources with Associated Linked Tenant users in the same tenant. The applications, deployments, and clouds that this tenant user can access on the Subordinate CCM are controlled by this user's permissions on that tenant.

If you propagate a resource to a Subordinate CCM, that resource is available when that user logs in directly to the Subordinate CCM.

Image Permissions

The Share popup lets you assign one of the following permissions to share an image as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission | Description
View

The user, members of a user group, or tenant can see this image but cannot modify, share, or delete it.

Modify

The user, members of a user group, or tenant can make changes to this image.

Manage

The user, members of a user group, or tenant can make changes to or delete this image.

Each tenant and users within a tenant can only view shared images specific to their tenant (or as permitted by their admin).

Only permitted users can add images. See Manage Images or Image Permissions for additional context.

Temporary Permission to Launch an Image

The Grant and Revoke Image Permission option appears for OpenStack and Cisco clouds only.

The Grant and Revoke Image Permission option in the Add Cloud Mapping window lets you set up temporary permission to allow any user to launch the image in an OpenStack or Cisco cloud. To set up this permission, check the Grant and Revoke Image Permission box, and then choose the cloud account that owns this image from the Image Owner Cloud Account drop-down menu that appears. See Image Permissions for additional details.

Tenant Owner Permission Nuances

The following table identifies the permission nuances for each resource and their associated API settings.

Application profiles
    Permission Can Be Assigned To: Tenant co-admins; Users within a tenant
    Tenant Owner Permission: Always have this permission
    API objectType Enumeration: APP
    API permsList Enumeration: CREATE_APP

Global, aging and scaling policies
    API objectType Enumeration: POLICY
    API permsList Enumeration: CREATE_POLICY

Deployment environments
    API objectType Enumeration: DEPLOYMENT_ENVIRONMENT
    API permsList Enumeration: CREATE_DEPLOYMENT_ENVIRONMENT

Application profile templates
    Permission Can Be Assigned To: Tenant owners
    API objectType Enumeration: APP_PROFILE
    API permsList Enumeration: CREATE_APP_PROFILE

Cloud groups
    Without this permission (even for a cloud group assigned by their parent tenant), sub-tenants cannot:
      • Create new cloud groups
      • Add new cloud regions to existing cloud groups
      • Configure a CCO for an existing cloud region different from their parent tenant
    API objectType Enumeration: CLOUD
    API permsList Enumeration: CREATE_CLOUD

Cloud accounts
    Without this permission (even for a cloud account assigned by their parent tenant), sub-tenants cannot create new cloud accounts
    API objectType Enumeration: CLOUD_ACCOUNT
    API permsList Enumeration: CREATE_CLOUD_ACCOUNT

Project and Phase Permissions

Projects are only displayed in the Project Owner's dashboard. Even if other users are added to a project, the project is only displayed in those users' dashboards after the project is published.

Users can perform the following functions based on assigned privileges:

Permission | Description
View

The user or members of a user group can view phases (but cannot see any links).

Modify

The user or members of a user group can only see the Edit link.

Manage

The user or members of a user group can make changes to this resource – turn it on or off, share it, and delete it.

All applications are a part of the project:

  • The application is not shared with a user – The User cannot see the application listed when clicking the Add Deployment link. 
  • A user does not have Deploy privilege for the application – The Add Deployment link is disabled.

All deployment environments are part of a project:

  • A user does not have Deploy To privilege – The Add Deployment link is disabled. 
  • A user's deployment environment privileges determine access:

    Deployment Environment Privilege | Description
    None: The Add Deployment link is disabled.
    Access: Running deployments are not visible.
    Manage
    • Running deployments are visible
    • Cannot perform any job action
    Manage, Promote from
    • Running deployments are visible
    • Perform any job action except the Promote action
    Manage, Promote from, Deploy to
    • Running deployments are visible
    • Perform any job action

See Projects and Phases for additional context.