Access Control Lists
Access Control Lists (ACLs) allow you to modify/view permissions for an API resource. Resources are identified using a unique ID and corresponding. Not all resources are supported by the ACL function. See the ACL-Managed Resources section below for the list of supported resources.
The following table identifies the resources that are supported by the ACL function along with the corresponding pages that provide additional information for the resource. This information is identical to the resourceName attribute used by the CloudCenter APIs.
Description: An identifier for a CloudCenter Resource managed by ACLs. The supported ACL-managed resources are listed as enumerations.

| Enumeration | Description |
| --- | --- |
| POLICY | |
| ACTION_POLICY | See Policy Management > Action Policies |
| PUBLISHED_APP | See Application Tasks > Publish to Marketplace |
| DEPLOYMENT_ENVIRONMENT | See Deployment Environment |
| APPLICATION | |
| REPOSITORY | See Share Artifact Repositories |
| CLOUD_ACCOUNT | See Configure Cloud(s) |
| SYSTEM_TAG | See System Tags |
| SECURITY_PROFILE | See Security and Firewall Rules |
| SERVICE | See Manage Services |
| LINK_TO_PARENT | See Federated CCM Management (Effective CloudCenter 4.8) |
| LINK_TO_CHILD | |
| CUSTOM_ACTION | See Policy Management APIs > Custom Actions |
| PROJECT | See Manage Projects and Phases |
| IMAGE | See Manage Images |
| | See Deployment Environments > Sharing Deployments |
| EXTENSION | See ACI Extensions |
| ACI_EXTENSION | See ACI |
| ACTION | See Actions Library (Effective CloudCenter 4.8) |
| VIRTUAL_MACHINE | See VM Management (Effective CloudCenter 4.8) |
Default Permissions for ACL Resources
Permissions are tightly controlled by CloudCenter and not all permissions are applicable to all resources. You will receive validation errors in the following cases:
- When you apply a permission that is not applicable to a particular resource. For example, move_in and move_out are only applicable to deployment environments; if you apply either of these two strings to any other resource, you will receive a validation error.
- When you apply a random string that is not listed in the perms array. For example, if you assign your own permission value like readwrite, you will receive a validation error.
- Imported VMs do not have any default per
As this information is identical to the perms attribute used by the CloudCenter APIs, the same information is included here.
Description: The permissions for a CloudCenter Resource managed by ACLs.
Type: Array of strings
resourceName Permissions: (per-resource permission matrix; the column headers were lost in extraction and only the rows for PROJECT, IMAGE, MANAGE_EXPORT and MANAGE_IMPORT survive)
Permissions are divided into the following categories:

(Permission Category table: columns Permission Category, id and perms, Tenant & Sub-Tenants; the rows are not recoverable from this page)
Default ACL Resource Permissions
- User permissions are granted to the user who created the resource.
- Tenant permissions are granted to:
- All users of the tenant to which the logged-in user belongs.
- All users in the sub-tenant hierarchy, starting at the tenant of the user who created the resource.
If not specified for Vendor and Tenant, default permissions are not available at that level.
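The validation rules above (unknown permission strings and resource-specific permissions are rejected) and the tenant-hierarchy rule for tenant permissions can be checked on the client side before calling the API. The following is an added illustration, not CloudCenter's own code: the resource enumeration and the move_in/move_out rule come from this page, while the generic permission strings (read, write, manage) and the tenant tree are assumed placeholders.

```python
"""Client-side checks for a CloudCenter-style ACL entry (added example)."""

# resourceName enumeration as listed on this page
ACL_RESOURCES = {
    "POLICY", "ACTION_POLICY", "PUBLISHED_APP", "DEPLOYMENT_ENVIRONMENT",
    "APPLICATION", "REPOSITORY", "CLOUD_ACCOUNT", "SYSTEM_TAG",
    "SECURITY_PROFILE", "SERVICE", "LINK_TO_PARENT", "LINK_TO_CHILD",
    "CUSTOM_ACTION", "PROJECT", "IMAGE", "EXTENSION", "ACI_EXTENSION",
    "ACTION", "VIRTUAL_MACHINE",
}

# Only move_in/move_out (deployment environments only) are stated on the page.
# COMMON_PERMS is an ASSUMED placeholder: replace it with the perms array
# documented for your CloudCenter version.
COMMON_PERMS = {"read", "write", "manage"}       # assumption
DEPLOYMENT_ENV_ONLY = {"move_in", "move_out"}    # from the page


def allowed_perms(resource_name):
    """Permission strings the API accepts for one resourceName."""
    perms = set(COMMON_PERMS)
    if resource_name == "DEPLOYMENT_ENVIRONMENT":
        perms |= DEPLOYMENT_ENV_ONLY
    return perms


def validate_acl_entry(resource_name, perms):
    """Return the list of validation errors; an empty list means valid."""
    errors = []
    if resource_name not in ACL_RESOURCES:
        return [f"{resource_name}: not an ACL-managed resource"]
    ok = allowed_perms(resource_name)
    for p in perms:
        if p in DEPLOYMENT_ENV_ONLY and p not in ok:
            errors.append(f"{p}: only applicable to DEPLOYMENT_ENVIRONMENT")
        elif p not in ok:
            errors.append(f"{p}: not a recognised permission string")
    return errors


def tenant_grant_covers(creator_tenant, user_tenant, parents):
    """Tenant permissions reach every tenant in the sub-tenant hierarchy
    below (and including) the creator's tenant. `parents` maps a tenant to
    its parent tenant (constructed sample data, not a real hierarchy)."""
    t = user_tenant
    while t is not None:
        if t == creator_tenant:
            return True
        t = parents.get(t)
    return False
```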
UI and API Differences
ACL Configuration differences between the UI and API:
- UI – If you have a complicated hierarchy with multiple permission combinations in a tenant hierarchy, then the UI only displays permission for the current level. Permissions for parent and child tenants will not be visible to the logged in user.
- API – API users can view or modify permissions for all levels, regardless of the user's level in the tenant hierarchy. The only prerequisite is that the logged-in user has administration perms on this resource.
If you are the tenant owner, you can provide any permission to the sub-tenant organization and all its users at the same time.
When providing access to Tenant and Sub-Tenant users, access the Share popup for the required service (CCM UI > Admin > Services > MyService > Share dropdown), click the Tenants tab in the popup, and check the My Tenants & Sub-Tenants check box to provide access to the entire hierarchy.
You also have the option to select just one tenant (if you want to give access to that tenant but not to its sub-tenants).