Permission Control

Role-Based Permissions

Role-based permissions are a set of permissions that can be individually configured for each role and control the activities that can be performed using CloudCenter resources. Users, members of user groups, and tenants are granted the permissions that are configured for each role with which they are associated. See User Roles for information about configuring these user roles to grant permission to a sub-tenant, user, or group.

An administrator can grant role-based permissions by using the Edit User Role feature. The following screenshot shows options for granting role-based permissions.

The following table describes resources for permissions.

Resource

Description

Application Profile

Permission to create, update, and manage application profiles.

Policy

Permission to create and manage policies.

  • If a user does not have a role where the Policy permission is checked, the corresponding Policy tab is removed from view for this user. The same applies to the Deployment Environment permission.

  • By default, Policy permissions are unchecked for all out-of-box roles except the Admin and Ops roles.

Deployment Environment

Permission to create and manage deployment environments.

  • If a user has a role where the Deployment Environment permission is unchecked, the corresponding Environment tab is removed from view for this user.
  • By default:
    • Environment permissions are unchecked for all out-of-box roles except the Admin and Ops roles.
    • A user only has permission for the Manage Clouds and Cloud Accounts roles and must be added to a role that provides explicit permission to view or manage deployment environments.

Cloud

Permission to create clouds.

This permission can be assigned only to admins.

Cloud Account

Permission to add cloud accounts to clouds.

This permission can be assigned only to admins.

Project

Permission to create a workflow that represents a DevOps process, set up participants and environments, and enforce monetary and resource limits from one central location.

Custom Actions/Actions Library

Permission to create, manage, and execute actions for VM management.

This permission can be assigned only to admins.

Import/Export Deployment

Permission to export applications from a deployed CloudCenter environment to a storage system and to import applications from a storage system to another CloudCenter environment.

Resource-Based Permissions

Resource-based permissions control how users, members of user groups and, in some cases, tenants associated with a resource can share the resource and perform related activities.

Resource-based permissions are available to resource owners, users who created the resource, and users who are permitted to share the resource. These users can grant permissions to other users.

Deployment Permissions

The deployment owner is always associated with a deployment and can: 

  • Manage web SSH/VNC access to a deployment VM

  • Control which other users have access to deployment VMs

    Only the deployment owner can control permissions and cannot provide manage permissions to any other user – no other user can control permissions for this deployment.

From the Share (see UI Behavior > The Share Popup) option for a deployment, the deployment owner (referred to as owner) can control permissions for a deployment, as shown in the following screenshot.

Permission

Description

Access

Controls the login access of users, groups, and tenants to this deployment VM.

Deployment Environment Permissions

The tenant administrator can:

  • Manage who has access to the deployment environment.

  • Control which other users have access to the deployments in this environment.

  • Deploy applications to or promote applications from this environment.

  • Approve the deployments of applications to the environment.

  • Share the deployment environment with users who are directly under the tenant owner – these users can manage the environment, if they have inherited deployment environment permissions based on a role configuration. Users further down this tenant hierarchy can only view the environment, if shared, in read-only mode.

Additionally, all users in your tenant can control deployment environment permissions as described in the following table:

Permission

Deployment Environment Implications

Description

Deploy To

A member of your tenant has permission to deploy applications to this deployment environment.

This permission grants a user the ability to deploy in this deployment environment.

All users in the tenant with the Deployment Environment permission enabled in their role automatically have permission to manage all environments in the tenant.

Conversely, users outside the tenant can no longer be given permission to modify or manage any environment in the tenant.

You can restrict environment availability and deployment permissions for individual users within and outside the tenant, and for groups within the tenant, by clicking the Deploy To checkbox for those users/groups – these users/groups inherit read-only access to all policies and tags specified in that deployment environment.

User's Deployments

Identifies permissions for deployments launched by you (the user) in this deployment environment.

Controls the activities that users can perform on deployments that they started in this deployment environment.

  • None: The user or member of your tenant and/or sub-tenant cannot view deployments – even if this user owns the deployment.
  • Access: The user or member of your tenant and/or sub-tenant can view deployments.
  • Manage: The user or member of your tenant and/or sub-tenant can manage deployments, including view, start, suspend, reboot, resume, upgrade, and terminate deployments.

Others' Deployments

Identifies permissions for deployments launched by other users in this deployment environment.

Controls the activities that users or members of user groups can perform on deployments that other users started in this deployment environment.

  • None: The user or member of your tenant and/or sub-tenant cannot view deployments – even if this user owns the deployment.
  • Access: The user or member of your tenant and/or sub-tenant can view deployments.
  • Manage: The user or member of your tenant and/or sub-tenant can manage deployments, including view, start, suspend, reboot, resume, upgrade, and terminate deployments.

Promote From

A member of your tenant has permission to promote a running deployment from this deployment environment to another deployment environment.

If both deployment settings (User's Deployments and Others' Deployments) are set to None for this user or for users within a tenant, this setting is greyed out and you cannot check this box: these users cannot view the deployment, and hence cannot promote it.

Be sure to provide Access permission for at least one of these settings if you want to allow this user to promote deployments.

When you create a Deployment Environment and share it with a user without checking the Promote From option, be aware that the Migrate/Promote From action will not be available when this user deploys an application that uses this deployment environment.

Authorized Approver

A member of your tenant has permission to authorize approvals for a deployment.

Allows a user to approve the start of a deployment in the environment, if approval is required. By providing this permission, you are essentially authorizing this user to be an admin for the deployments within your deployment environment.

If a user's deployment requires approval and the user does not have Authorized Approver permission, then the deployment must be approved by someone else before it is deployed.
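The rows of this table combine into a small rule set that is easy to get wrong when automating shares. The following Python model is an added illustration, not CloudCenter code: the class and function names (EnvironmentGrant, allowed_actions, needs_external_approval) and the sample grants are assumptions chosen to mirror the table. It encodes the None/Access/Manage levels for the grantee's own and others' deployments, the rule that Promote From cannot be selected when both deployment settings are None, and the approval rule from the Authorized Approver row.

```python
"""Rule model for the Deployment Environment share permissions table.

Added illustration only, not CloudCenter code. Class, method and sample
names are assumptions chosen to mirror the table rows.
"""
from dataclasses import dataclass
from enum import Enum


class DeploymentAccess(Enum):
    """Levels of the User's Deployments / Others' Deployments settings."""
    NONE = "None"
    ACCESS = "Access"
    MANAGE = "Manage"


# Activities the table lists under Manage; Access only permits viewing.
MANAGE_ACTIONS = frozenset(
    {"view", "start", "suspend", "reboot", "resume", "upgrade", "terminate"})
ACCESS_ACTIONS = frozenset({"view"})


@dataclass(frozen=True)
class EnvironmentGrant:
    """One grantee's row in the Share popup of a deployment environment."""
    deploy_to: bool = False
    users_deployments: DeploymentAccess = DeploymentAccess.NONE
    others_deployments: DeploymentAccess = DeploymentAccess.NONE
    promote_from: bool = False
    authorized_approver: bool = False

    def can_see_any_deployment(self) -> bool:
        """Promote From is greyed out unless at least one deployment setting
        is above None: a grantee who sees no deployments cannot promote one."""
        return (self.users_deployments is not DeploymentAccess.NONE
                or self.others_deployments is not DeploymentAccess.NONE)

    def __post_init__(self):
        # Mirror the UI: refuse a grant the Share popup would not let you save.
        if self.promote_from and not self.can_see_any_deployment():
            raise ValueError(
                "Promote From requires Access or Manage on User's or Others' Deployments")

    def allowed_actions(self, owns_deployment: bool) -> frozenset:
        """Actions on one deployment, chosen by whether the grantee started it."""
        level = self.users_deployments if owns_deployment else self.others_deployments
        if level is DeploymentAccess.MANAGE:
            return MANAGE_ACTIONS
        if level is DeploymentAccess.ACCESS:
            return ACCESS_ACTIONS
        return frozenset()

    def can_promote(self, owns_deployment: bool) -> bool:
        """Promoting needs the Promote From box and visibility of the deployment."""
        return self.promote_from and "view" in self.allowed_actions(owns_deployment)


def needs_external_approval(grant: EnvironmentGrant, approval_required: bool) -> bool:
    """A deployment that requires approval must be approved by someone else
    unless the deploying user holds Authorized Approver."""
    return approval_required and not grant.authorized_approver


def promote_without_visibility_is_rejected() -> bool:
    """True if a grant with Promote From but no deployment visibility is refused."""
    try:
        EnvironmentGrant(promote_from=True)
    except ValueError:
        return True
    return False


# Constructed sample grants (assumed roles, not from the documentation).
DEVELOPER = EnvironmentGrant(
    deploy_to=True,
    users_deployments=DeploymentAccess.MANAGE,
    others_deployments=DeploymentAccess.ACCESS,
    promote_from=True,
)
AUDITOR = EnvironmentGrant(others_deployments=DeploymentAccess.ACCESS)
RELEASE_MANAGER = EnvironmentGrant(
    deploy_to=True,
    users_deployments=DeploymentAccess.MANAGE,
    others_deployments=DeploymentAccess.MANAGE,
    promote_from=True,
    authorized_approver=True,
)

if __name__ == "__main__":
    print("developer on own deployment:", sorted(DEVELOPER.allowed_actions(True)))
    print("developer on others' deployments:", sorted(DEVELOPER.allowed_actions(False)))
    print("auditor can promote others' deployments:", AUDITOR.can_promote(False))
    print("developer needs someone else to approve:", needs_external_approval(DEVELOPER, True))
```

The constructor check is the part worth copying into any provisioning script: a grant object that the UI would grey out should fail loudly rather than silently carry a Promote From flag that can never be exercised.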

Extensions Permissions

The CloudCenter administrator is always associated with an Extension and can:

  • Manage who has access to the Extension

  • Control which other users have access to the Extension

  • Deploy applications to or promote applications using these Extensions

  • Approve the deployments of applications using these Extensions

Administrators can control permissions for an Extension as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission Options

Description

Access

Controls permissions for users, groups, and tenants when using an Extension.

  • View: The user or member of a user group can only view the Extension but cannot make changes.
  • Modify: The user or member of a user group can make changes to this Extension.
  • Manage: The user or member of a user group can share, edit, or delete this Extension.

Application Profile Permissions

Application profile permissions define certain activities that a user can perform with the application profile.

From the Share option (UI Behavior > The Share Popup) for an application profile, the application owner (referred to as owner) can control permissions for an application profile:

  • Owner:

    • The author who created an application or application profile is the owner and, by default, manages all permissions for this application.

    • The owner must explicitly assign access or deploy permissions to any user, admin, group, or sub-tenant. See Application Tasks > More Info for additional context.

      By default, the tenant admin does not have any permission to view, modify, manage, or deploy an application profile created by any user within this admin's tenant.

      The owner must explicitly assign share or deploy permissions to the admin.

      Only admins with appropriate permissions can access permitted applications or application profiles.

  • User: The owner must explicitly assign access or deploy permissions. Only permitted users can access applications or application profiles.

By default, only the application profile owner can assign permissions for any user, admin, group, or tenant.

The following table describes the application profile permissions options.

Permission
Description
Access

Controls the activities that users or members of user groups can perform for this application profile.  

  • View: The user or member of a group/tenant can only view this application profile but cannot modify, share, or delete it.
  • Modify: The user or member of a group/tenant can edit this application profile, but cannot share or delete it.
  • Manage: The user or member of a group/tenant can view, edit, share, and delete this application profile.
Deploy

Allows a user or member of a user group to benchmark and deploy this application profile.

If the application profile has not been shared with a user, that user cannot promote or migrate its deployments, because the user does not own the application profile.
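The ownership and sharing rules in this section (owner manages everything by default, the tenant admin has nothing until shared, View/Modify/Manage nest, Deploy is a separate grant, and an unshared profile cannot be promoted or migrated) are shown below in a small Python model. This is an added example, not CloudCenter code; the names AppProfile, Access, share and can, and the principals alice, bob and tenant-admin are assumptions.

```python
"""Model of the Share permissions for an application profile.

Added illustration only, not CloudCenter code. Names and sample principals
are assumptions chosen to follow the text of the Application Profile
Permissions section.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    """Access levels nest: View < Modify < Manage."""
    NONE = 0
    VIEW = 1
    MODIFY = 2
    MANAGE = 3


# Minimum Access level for each activity on the profile itself.
ACCESS_REQUIRED = {
    "view": Access.VIEW,
    "modify": Access.MODIFY,
    "share": Access.MANAGE,
    "delete": Access.MANAGE,
}


@dataclass
class AppProfile:
    name: str
    owner: str
    access: dict = field(default_factory=dict)   # principal -> Access
    deploy: set = field(default_factory=set)     # principals granted Deploy

    def access_level(self, principal: str) -> Access:
        """The owner implicitly has Manage; everyone else, admins included,
        starts at None until the owner shares the profile."""
        if principal == self.owner:
            return Access.MANAGE
        return self.access.get(principal, Access.NONE)

    def is_shared_with(self, principal: str) -> bool:
        return principal in self.access or principal in self.deploy

    def share(self, grantor: str, principal: str,
              level: Access = Access.NONE, deploy: bool = False) -> None:
        """By default only the owner can assign permissions."""
        if grantor != self.owner:
            raise PermissionError(f"{grantor} is not the owner of {self.name}")
        if level is not Access.NONE:
            self.access[principal] = level
        if deploy:
            self.deploy.add(principal)

    def can(self, principal: str, activity: str) -> bool:
        if principal == self.owner:
            return True
        if activity in ACCESS_REQUIRED:
            return self.access_level(principal) >= ACCESS_REQUIRED[activity]
        if activity in ("deploy", "benchmark"):
            return principal in self.deploy
        if activity in ("promote", "migrate"):
            # Promoting or migrating a deployment needs the profile shared.
            return self.is_shared_with(principal)
        raise ValueError(f"unknown activity {activity!r}")


def non_owner_share_is_rejected() -> bool:
    """True if someone other than the owner is refused when assigning permissions."""
    profile = AppProfile("scratch", owner="alice")
    try:
        profile.share("bob", "carol", Access.VIEW)
    except PermissionError:
        return True
    return False


def demo() -> AppProfile:
    """Constructed scenario: alice owns a profile and shares it with bob
    (View + Deploy) and with the tenant admin (Modify only)."""
    profile = AppProfile("web-tier", owner="alice")
    profile.share("alice", "bob", Access.VIEW, deploy=True)
    profile.share("alice", "tenant-admin", Access.MODIFY)
    return profile


if __name__ == "__main__":
    p = demo()
    for who in ("alice", "bob", "tenant-admin", "carol"):
        print(who, {a: p.can(who, a) for a in ("view", "modify", "share", "deploy", "promote")})
```

Note that the tenant admin in the scenario can edit the profile but still cannot deploy it or share it: Modify does not imply Deploy, and only Manage (or ownership) allows sharing.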

From the Publish option for an application profile, a tenant administrator can control the permissions for an application profile when publishing it to a marketplace. These permissions control access to the application profile after a subscribing user imports it from the marketplace. The following table describes these permission options.

Permission

Description

Imported App Permissions

Permissions for the imported application profile.

  • None: A subscribing user with appropriate privileges can benchmark and deploy this application profile.
  • View: A subscribing user can view application profile details and, with appropriate privileges, can benchmark and deploy this application profile.
  • Modify: A subscribing user can edit application profile details and, with appropriate privileges, can benchmark and deploy this application profile.

Can be shared

Allows the subscribing user to share this application profile with other users.

Marketplace Permissions

Administrators can control permissions for an application profile in the marketplace as described in the Enterprise Marketplace.

Repository Permissions

Repository permissions define certain activities that users can perform with repositories. You can control the permissions for a repository as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission

Description
View

The user, members of a user group, or tenant can only see this repository but cannot modify, share, or delete it.

Modify

The user, members of a user group, or tenant can edit this repository.

Manage

The user, members of a user group, or tenant can edit or delete this repository.

Service Permissions

Service permissions define certain activities that users can perform with custom services. You can control the permissions for a custom service as described in the UI Behavior > The Share Popup. The following table describes the permission options.

Permission

Description
View

The user, members of a user group, or tenant can see this service but cannot modify, share, or delete it.

Modify

The user, members of a user group, or tenant can edit this service.

Manage

The user, members of a user group, or tenant can edit or delete this service.

Each tenant and users within a tenant can only view services specific to their tenant (or as permitted by their admin). See Topology Modeler > Services or Services (Admin) for additional context.

Actions Library Permissions

Custom actions permissions define certain actions that users can perform. You can control the permissions for a custom action. The following table describes the permission options.

Permission

Description
View

The user or members of a user group can view this custom action but cannot make changes to, share, or delete the custom action.

Users who only have View permissions on these actions cannot toggle the Enable (default) or Disable action in the Actions Library page.

Modify

The user or members of a user group can edit this custom action and toggle the Enable (default) or Disable action in the Actions Library page but cannot share or delete it.

Manage

The user or members of a user group can edit this custom action and toggle the Enable (default) or Disable action in the Actions Library page, share it, and delete it.

If you create a custom action and share it, be aware that the permissions for the application profile to which this action is attached must also be in the correct share state for shared users to run this action. You must either create the application profile or share the application profile with these users and assign Modify or Manage permissions.

Each tenant and users within a tenant can only view/modify custom actions specific to their tenant (or as permitted by their admin). See Actions Library for additional context.

Federated CCM Permissions

You can control the permissions for Linked CCMs in a Federated CCM deployment in the following ways:

  • To assign specific permissions to individual users, add the users to this resource, then set permission options for each user

  • To assign permissions to members of a user group, add the user group to this resource, then set permission options

The following table describes the permission options.

Permission

Description

Manage

The user or members of a user group can make changes to this resource, turn it on or off, share it, and delete it.

If both the Parent CCM and the Subordinate CCM share the same IDP and user directory, a user within the Parent CCM tenant can share resources with Associated Linked Tenant users in the same tenant. The applications, deployments, and clouds that this tenant user can access on the Subordinate CCM are controlled by this user's permissions on that tenant.

If you propagate a resource to a Subordinate CCM, that resource is available when that user logs in directly to the Subordinate CCM.

Image Permissions

The Share popup lets you assign one of the following permissions to share an image, as described in UI Behavior > The Share Popup. The following table describes the permission options.

Permission

Description
View

The user, members of a user group, or tenant can see this image but cannot modify, share, or delete it.

Modify

The user, members of a user group, or tenant can edit this image.

Manage

The user, members of a user group, or tenant can edit or delete this image.

Each tenant and users within a tenant can only view shared images specific to their tenant (or as permitted by their admin).

Only permitted users can add images. See Manage Images or Image Permissions for additional context.

Temporary Permission to Launch an Image

The Grant and Revoke Image Permission option appears for OpenStack and Cisco clouds only.

The Grant and Revoke Image Permission option in the Add Cloud Mapping window lets you set up temporary permission to allow any user to launch the image in an OpenStack or Cisco cloud. To set up this permission, check the Grant and Revoke Image Permission box, and then choose the cloud account that owns this image from the Image Owner Cloud Account drop-down menu that appears. See Image Permissions for additional details.

Tenant Owner Permission Nuances

The following table identifies the permission nuances for each resource and their associated API settings.

Resource: Application profiles; global, aging and scaling policies; deployment environments

Permission can be assigned to:
  • Tenant co-admins
  • Users within a tenant

Tenant owner permission: Tenant owners always have this permission.

API objectType and permsList enumerations:
  • Application profiles: objectType APP, permsList CREATE_APP
  • Global, aging and scaling policies: objectType POLICY, permsList CREATE_POLICY
  • Deployment environments: objectType DEPLOYMENT_ENVIRONMENT, permsList CREATE_DEPLOYMENT_ENVIRONMENT

Resource: Application profile templates

Permission can be assigned to: Tenant owners

API objectType enumeration: APP_PROFILE

API permsList enumeration: CREATE_APP_PROFILE

Resource: Cloud groups

Tenant owner permission: Without this permission (even for a cloud group assigned by their parent tenant), sub-tenants cannot:
  • Create new cloud groups
  • Add new cloud regions to existing cloud groups
  • Configure a CCO for an existing cloud region different from their parent tenant

API objectType enumeration: CLOUD

API permsList enumeration: CREATE_CLOUD

Resource: Cloud accounts

Tenant owner permission: Without this permission (even for a cloud account assigned by their parent tenant), sub-tenants cannot create new cloud accounts.

API objectType enumeration: CLOUD_ACCOUNT

API permsList enumeration: CREATE_CLOUD_ACCOUNT
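The enumerations in this table are what a script sees when it reads a role's permission list, while the role-based permissions table at the top of the page states the behavioural consequences (the Policy and Environment tabs disappear when no role grants the permission; Cloud and Cloud Account permissions are assignable only to admins; sub-tenants without CREATE_CLOUD cannot touch cloud groups). The following Python model is an added example that ties the two tables together. It is not CloudCenter code or its API client: the enumeration strings are the ones in the table, but the Role and User classes, the helper functions, and the Admin/Ops/Developer sample roles are assumptions.

```python
"""Role permission checks built on the objectType / permsList enumerations.

Added illustration only, not CloudCenter code or its API client. The
enumeration strings come from the Tenant Owner Permission Nuances table;
the classes, functions and sample roles are assumptions.
"""
from dataclasses import dataclass, field

# API objectType -> permsList entry that allows creating that object type.
CREATE_PERM_FOR = {
    "APP": "CREATE_APP",
    "POLICY": "CREATE_POLICY",
    "DEPLOYMENT_ENVIRONMENT": "CREATE_DEPLOYMENT_ENVIRONMENT",
    "APP_PROFILE": "CREATE_APP_PROFILE",
    "CLOUD": "CREATE_CLOUD",
    "CLOUD_ACCOUNT": "CREATE_CLOUD_ACCOUNT",
}

# Cloud and Cloud Account permissions can be assigned only to admins.
ADMIN_ONLY = frozenset({"CREATE_CLOUD", "CREATE_CLOUD_ACCOUNT"})

# Tenant owners always hold these (application profiles, policies and
# deployment environments row of the nuances table).
TENANT_OWNER_ALWAYS = frozenset(
    {"CREATE_APP", "CREATE_POLICY", "CREATE_DEPLOYMENT_ENVIRONMENT"})

# UI tabs that are removed when no role of the user grants the permission.
TAB_FOR_PERM = {
    "CREATE_POLICY": "Policy",
    "CREATE_DEPLOYMENT_ENVIRONMENT": "Environment",
}

# What a sub-tenant loses on cloud groups without CREATE_CLOUD (labels constructed).
CLOUD_GROUP_ACTIONS = frozenset(
    {"create cloud group", "add cloud region", "configure CCO for a region"})


@dataclass(frozen=True)
class Role:
    name: str
    perms: frozenset
    is_admin: bool = False

    def __post_init__(self):
        # Refuse a non-admin role definition that carries admin-only permissions.
        bad = self.perms & ADMIN_ONLY
        if bad and not self.is_admin:
            raise ValueError(f"{self.name}: {sorted(bad)} can be assigned only to admin roles")


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    tenant_owner: bool = False


def effective_perms(user: User) -> frozenset:
    """Union of all role permission lists, plus the tenant owner's implicit ones."""
    perms = frozenset().union(*(r.perms for r in user.roles))
    if user.tenant_owner:
        perms |= TENANT_OWNER_ALWAYS
    return perms


def visible_tabs(user: User) -> set:
    perms = effective_perms(user)
    return {tab for perm, tab in TAB_FOR_PERM.items() if perm in perms}


def can_create(user: User, object_type: str) -> bool:
    return CREATE_PERM_FOR[object_type] in effective_perms(user)


def sub_tenant_cloud_group_actions(user: User) -> frozenset:
    """Without CREATE_CLOUD a sub-tenant gets none of these, even for a cloud
    group assigned by its parent tenant."""
    return CLOUD_GROUP_ACTIONS if can_create(user, "CLOUD") else frozenset()


def non_admin_role_with_cloud_perm_is_rejected() -> bool:
    """True if defining a non-admin role with CREATE_CLOUD raises ValueError."""
    try:
        Role("Bad", frozenset({"CREATE_CLOUD"}))
    except ValueError:
        return True
    return False


# Sample roles (assumed contents; only the role names Admin and Ops appear on the page).
ADMIN = Role("Admin", frozenset(CREATE_PERM_FOR.values()), is_admin=True)
OPS = Role("Ops", frozenset({"CREATE_APP", "CREATE_POLICY", "CREATE_DEPLOYMENT_ENVIRONMENT"}))
DEVELOPER = Role("Developer", frozenset({"CREATE_APP"}))

if __name__ == "__main__":
    for u in (User("dev", [DEVELOPER]), User("ops", [OPS]), User("owner", [], tenant_owner=True)):
        print(u.name, sorted(visible_tabs(u)), sorted(effective_perms(u)))
```

The Role constructor check is the defensive piece: it catches a role export or API payload that would hand CREATE_CLOUD or CREATE_CLOUD_ACCOUNT to a non-admin role before anything tries to apply it.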

Project and Phase Permissions

Projects are only displayed in the Project Owner's dashboard. Even if other users are added to a project, the project is only displayed in those users' dashboards after the project is published.

Users can perform the functions that the following table describes based on assigned privileges:

Permission

Description

View

The user or members of a user group can only view this resource.

Modify

The user or members of a user group can edit phases.

Manage

The user or members of a user group can edit this resource, turn it on or off, share it, and delete it.

All applications are part of the project:

  • The application is not shared with a user – the user cannot see the application listed when clicking the Add Deployment link.

  • A user does not have Deploy privilege for the application – the Add Deployment link is disabled.

All deployment environments are part of a project:

  • A user does not have Deploy To privilege – The Add Deployment link is disabled. 

  • A user's deployment environment privileges determine access, as described in the following table.

    Deployment Environment Privilege

    Description

    None: The Add Deployment link is disabled.

    Access: Running deployments are not visible.

    Manage:
    • Running deployments are visible
    • Cannot perform any job action

    Manage, Promote from:
    • Running deployments are visible
    • Perform any job action except the Promote action

    Manage, Promote from, Deploy to:
    • Running deployments are visible
    • Perform any job action
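The two bullet lists and the privilege table above decide what a project member actually sees on the dashboard. The following Python functions are an added example, not CloudCenter code: EnvPrivilege, add_deployment_link, running_deployments_visible and permitted_job_actions are assumed names, the job-action list is constructed (the page names only Promote explicitly), and the rules are encoded exactly as the table states them, including the row where Manage alone shows running deployments but allows no job action.

```python
"""Project dashboard effects of a user's deployment environment privileges.

Added illustration only, not CloudCenter code. Names and the job-action
list are assumptions; the rules follow the Project and Phase Permissions
bullets and table as written.
"""
from dataclasses import dataclass

# Constructed job-action names; the page itself names only Promote.
JOB_ACTIONS = frozenset(
    {"start", "suspend", "reboot", "resume", "upgrade", "terminate", "promote"})


@dataclass(frozen=True)
class EnvPrivilege:
    level: str = "None"        # "None", "Access" or "Manage"
    promote_from: bool = False
    deploy_to: bool = False


def add_deployment_link(app_shared: bool, app_deploy: bool, env: EnvPrivilege) -> str:
    """State of the Add Deployment link: 'hidden', 'disabled' or 'enabled'."""
    if not app_shared:
        return "hidden"        # an unshared application is not listed at all
    if not app_deploy:
        return "disabled"      # no Deploy privilege on the application
    if env.level == "None" or not env.deploy_to:
        return "disabled"      # no Deploy To privilege on the environment
    return "enabled"


def running_deployments_visible(env: EnvPrivilege) -> bool:
    """Only Manage shows running deployments; Access does not."""
    return env.level == "Manage"


def permitted_job_actions(env: EnvPrivilege) -> frozenset:
    """Job actions by privilege combination, row by row from the table."""
    if env.level != "Manage" or not env.promote_from:
        return frozenset()     # Manage alone: visible, but no job action
    if env.deploy_to:
        return JOB_ACTIONS     # Manage, Promote from, Deploy to: any action
    return JOB_ACTIONS - {"promote"}   # Manage, Promote from: all but Promote


if __name__ == "__main__":
    full = EnvPrivilege("Manage", promote_from=True, deploy_to=True)
    print(add_deployment_link(True, True, full), sorted(permitted_job_actions(full)))
    print(add_deployment_link(True, True, EnvPrivilege("Access", deploy_to=True)))
```

A useful reading of the result: a member whose environment privilege is Manage but who lacks Promote from sees every running deployment yet can act on none of them, so "visible" should never be taken as "operable" when reviewing who can affect a project's deployments.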

See Projects and Phases for additional context.

© 2017-2019 Cisco Systems, Inc. All rights reserved