Understand Roles

Overview

Roles are a collection of permissions provided to an out-of-box (OOB) Suite Admin group. The users within each group can perform permitted functions on permitted resources by virtue of being part of the group.

  • Permitted function refers to configuration functions like create, view, update, delete, run, and so forth.

  • Permitted resources differ based on the module where users in a group perform these actions. As the resources differ between modules, each user can only perform actions permitted within the authorized group. 

    You cannot assign a role to a specific user in any group.

Permissions identify what operations can be performed on which resources based on tenant association, module restriction, and user level (see Understand User Levels). 

Role-Based Access Control (RBAC)

Authorization is based on Role-Based Access Control (RBAC), but restricted to groups in this release. 

The RBAC function is inherent and cannot be configured on a per role/user basis. It is inherent because of the group association to users.

Roles are only associated with user groups. Coupled with permissions and Access Control Lists (ACL, see the documentation for each module for related details), roles offer the ability to perform specific tasks and view corresponding data. 

Permissions can be configured and controlled by different types of roles:

  • Predefined, default roles 

  • Custom roles are controlled by the modules to which these roles belong. These roles may be required to provide additional granularity for a resource. These roles can be configured for each module. Only the Action Orchestrator allows custom role creation.

Default/custom roles are visible from the Suite Admin's Tenants list page or the Users list page, which displays the configured action for each tenant or user.

See Action Orchestrator Roles for content specific to the Action Orchestrator at the tenant level.
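
The following sketch is an added example, not CloudCenter Suite code or its API. It models the group-only authorization described above, so that an access review can show which groups grant a user a given permission. The role names, group names, tenants, and resources are constructed, and user levels are left out.

```python
# Added illustration: a toy model of group-only RBAC, not CloudCenter Suite code.
# Role, group, tenant and resource names are constructed for this example.
from dataclasses import dataclass, field

# Per the page, only the Action Orchestrator allows custom role creation.
CUSTOM_ROLE_MODULES = {"Action Orchestrator"}

@dataclass(frozen=True)
class Role:
    name: str
    module: str
    permissions: frozenset  # set of (function, resource) pairs
    custom: bool = False

    def __post_init__(self):
        if self.custom and self.module not in CUSTOM_ROLE_MODULES:
            raise ValueError(f"{self.module} does not allow custom roles")

@dataclass
class Group:
    name: str
    tenant: str
    roles: list = field(default_factory=list)   # roles attach to groups only
    members: set = field(default_factory=set)   # users gain access via membership

def granting_groups(groups, user, tenant, module, function, resource):
    """Return the names of the groups through which `user` holds the permission."""
    return sorted(
        g.name for g in groups
        if user in g.members and g.tenant == tenant
        and any(r.module == module and (function, resource) in r.permissions
                for r in g.roles)
    )

def is_allowed(groups, user, tenant, module, function, resource):
    # Deny by default: access exists only if at least one group grants it.
    return bool(granting_groups(groups, user, tenant, module, function, resource))

# Constructed sample data
viewer = Role("wm-viewer", "Workload Manager", frozenset({("view", "deployment")}))
runner = Role("ao-runner", "Action Orchestrator",
              frozenset({("view", "workflow"), ("run", "workflow")}), custom=True)
GROUPS = [
    Group("ops", "tenant-a", [viewer, runner], {"alice"}),
    Group("audit", "tenant-a", [viewer], {"alice", "bob"}),
]
```

Because a permission can arrive through more than one group, removing a user from a single group does not necessarily revoke it; `granting_groups` lists every group that still grants it.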

Predefined, Default Roles

Predefined, default roles are provided OOB by the Suite Admin for each module. These roles cover 90% of the functionality required for you to get started with the CloudCenter Suite. These roles cannot be configured as they provide specific permissions to specific resources.

Each module in the CloudCenter Suite also has default OOB roles that are specific to just that module. The suite administrator can manage these settings at the tenant level and the user level.

Currently, the Action Orchestrator is the only module that uses the custom role configuration function. See Action Orchestrator Roles for details.

The actions displayed for each module form a fluid list that is created and made available for each tenant or user within the module.

Custom Roles

Custom roles are configured from the module:

  • Module admins can create custom roles within the module.

    Currently, the Action Orchestrator is the only module that uses the custom role configuration function. See Action Orchestrator Roles for details.

    The Workload Manager and Cost Optimizer do not allow custom role creation as all required roles are already available through this user's group membership.

  • Custom roles are available to suite administrators as the administrator can associate each new or existing user with one or more roles. See Custom Groups by Admin > Create a Custom Group for details.

  • When module admins Create a Group, they can assign custom roles for the new group. See Custom Groups by Admin for additional details.

Predefined Roles for Each Module

The OOB ACLs, permissions, and roles that are predefined for each module are explained in the corresponding module documentation. See the pages identified in the following table for additional details.

Module                 Page Reference
Workload Manager
Action Orchestrator    See Action Orchestrator Roles
Cost Optimizer         See Access and Roles
© 2017-2019 Cisco Systems, Inc. All rights reserved