Action Orchestrator Roles

Overview

In Action Orchestrator, authorization is performed using a Role-Based Access Control (RBAC) system. A role is a collection of permissions; each permission pairs a set of operations with the set of Action Orchestrator objects they can be performed on, such as workflows, targets, account keys, variables, and so forth. A user assignment gives end users the ability to perform the action. Access rights include Create, View, Update, Delete, Run, and so forth.

A role is assigned to user groups in Action Orchestrator. When Action Orchestrator becomes a part of CloudCenter Suite or another Cisco product, the common RBAC component shall provide APIs to map roles in the host applications to the Action Orchestrator roles.

Typically, roles are defined according to a standardized job function within IT. Examples might include “Level 1 Helpdesk,” “Level 2 Helpdesk,” “Human Resources,” “Network Configuration,” “SAP Basis Expert,” and so on. Security groups already in the directory for the users in these job functions are then typically assigned to the roles.

For more information on roles, see Understand Roles.

Predefined Security Roles

Action Orchestrator provides predefined security roles that ship with the product and cannot be modified. Custom user roles (see Adding Custom Roles) can be created using the Administration view, but the following roles are defined by default:

| Role | Description |
|---|---|
| Tenant Admin | These users have access to almost all functionality in the product. They can view, modify, or change the owner of any workflow or setting, such as automation packs, calendar, category, global variable, queue resource, and so forth. |
| Content Author | This is a user who can define workflows. The user cannot update administration settings. |
| Operator | This is a classic role for a level 1 Service Desk employee, executing workflows. |
| System Admin | Only a small number of users are assigned this role. These users have permissions to modify adapter settings. |
| Adapter Author | These users have access to enable or disable atomic workflows in the product. |

For more information, see Roles and Permissions.

Adding Custom Roles

To add a new role, choose Admin > Roles > New Role.

In the New Role panel, perform the following procedure to add a new role.

  1. Under General, specify the appropriate information:

    1. Display Name: Enter the unique name to be displayed in the roles page.

    2. Name: Enter the unique name for the role.

    3. Description: Enter a brief description of the role.

    4. Role Type: By default the role type is custom.

  2. Under Permissions, specify the appropriate action:

    1. Use the toggle buttons to activate or deactivate the list of permissions to be included and/or to be made available for inclusion into the security role. 

    2. Click the play icon on the appropriate object type and choose the appropriate powers for the security role from the dropdown list. For more information, see Roles and Permissions.

  3. Click Submit to add and save the role.

Roles and Permissions

Object Level Permissions

Object-level permissions define what operations can be performed over workflows. This is similar to file permissions (such as read or update). Permissions can be set for each user, and an object can be shared with multiple users. When you are logged in to Action Orchestrator, you can access only the objects for which you have permissions.

Whenever an object is shared among users and groups, Action Orchestrator creates a link document in uses collections that holds the user and group information together with the permission types for that object.

The following table contains information about the permission type and the type of actions supported:

| Permission Type | Type of Action Supported |
|---|---|
| View | Read |
| Modify | View, Update |
| Manage | View, Update, Delete, Share |
| Run | View, Execute, Stop |
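
As an added illustration (not Action Orchestrator code), the following Python evaluates the permission-type table above with default deny, taking the union of everything shared with a user directly or through their groups. The link-document fields, the workflow IDs, and the rule that a listed "View" also grants the View type's "Read" action are assumptions made for the example.

```python
# Added example (not Cisco code): default-deny evaluation of object-level permissions.
# The type -> action mapping comes from the table above; the link-document
# fields (object_id, kind, principal, permission) are a hypothetical schema.

PERMISSION_ACTIONS = {
    "View": {"Read"},
    "Modify": {"View", "Update"},
    "Manage": {"View", "Update", "Delete", "Share"},
    "Run": {"View", "Execute", "Stop"},
}

def expand(permission):
    """Actions granted by a permission type. Assumption: a listed 'View'
    means the View type is included, so its 'Read' action is added too."""
    granted, todo = set(), [permission]
    while todo:
        for action in PERMISSION_ACTIONS.get(todo.pop(), ()):
            if action not in granted:
                granted.add(action)
                todo.append(action)
    return granted

def effective_actions(user, groups, object_id, links):
    """Union of actions from every link naming the user or one of their groups."""
    actions = set()
    for link in links:
        if link["object_id"] != object_id:
            continue
        who = link["principal"]
        if (link["kind"] == "user" and who == user) or (link["kind"] == "group" and who in groups):
            actions |= expand(link["permission"])
    return actions

def is_allowed(user, groups, object_id, action, links):
    # No matching link means an empty set, so the result is a deny.
    return action in effective_actions(user, groups, object_id, links)

def can_reshare(object_id, links):
    """Review helper: principals whose permission includes Share or Delete."""
    return sorted({(l["kind"], l["principal"]) for l in links
                   if l["object_id"] == object_id
                   and expand(l["permission"]) & {"Share", "Delete"}})

# Constructed sample data.
LINKS = [
    {"object_id": "wf-restart-service", "kind": "group", "principal": "Level 1 Helpdesk", "permission": "Run"},
    {"object_id": "wf-restart-service", "kind": "user", "principal": "alice", "permission": "Manage"},
    {"object_id": "wf-rotate-keys", "kind": "group", "principal": "Network Configuration", "permission": "Modify"},
]
```

Change Owner and Cancel appear in the role matrix but not in the permission-type table, so they are not modeled here.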

The following table contains information about the predefined permissions given to the security roles:

The "x" denotes the permission available to the user role.

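| Object Type | Object Permissions | Tenant Admin Role | Content Author Role | Operator Role | System Admin Role | Adapter Author |
|---|---|---|---|---|---|---|
| Adapter | View | x | x | x | | |
| | Modify | | | | | |
| | Manage | | | | x | x |
| | Change Owner | | | | x | |
| Calendar | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Category | View | | x | x | | x |
| | Modify | | | | | |
| | Manage | x | | | | |
| | Change Owner | x | | | | |
| Global Variable | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Role (Tenant specific) | View | | x | x | | x |
| | Modify | | | | | |
| | Manage | x | | | x | |
| | Change Owner | x | | | x | |
| Account Key | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Schedule | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Event | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Target | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Target Group | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| Workflow definition (Trigger, Actions, Import/Export, and Workflow Variable) | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Run | x | x | x | | x |
| | Change Owner | x | | | | |
| Workflow instance | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Cancel | x | x | x | | x |
| | Change Owner | x | | | | |
| User/role Assignment | View | | | | | |
| | Modify | | | | | |
| | Manage | x | | | | |
| | Change Owner | x | | | | |
| Variable Type | View | | | x | | |
| | Modify | | | | | |
| | Manage | x | x | | | x |
| | Change Owner | x | | | | |
| System (Environment Variables and Adapter Onboarding) | View | | x | x | | x |
| | Modify | x | | | | |
| | Manage | | | | x | |
| | Change Owner | x | | | | |
| Atomic Workflow | View | x | x | x | | |
| | Modify | | | | | |
| | Manage | | | | x | x |
| | Change Owner | | | | | |
| Repository (Git Repo) | View | | x | x | x | x |
| | Modify | | | | | |
| | Manage | x | | | | |
| | Change Owner | x | | | | |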



© 2017-2019 Cisco Systems, Inc. All rights reserved