Permission Control

Role-Based Permissions

Role-based permissions are a set of permissions that can be individually configured for each role. Roles are assigned to groups; users are assigned to groups and inherit the roles of those groups. This process is handled in the Suite Admin as described in User Tenant Management. Workload Manager comes with its own OOB Groups, Roles, and Permissions.

Resource-Based Permissions

Resource-based permissions control how users, members of user groups and, in some cases, tenants associated with a resource can share the resource and perform related activities.

Resource-based permissions are available to resource owners, users who created the resource, and users who are permitted to share the resource. These users can grant permissions to other users.

For a given resource, the permission of a user is the union of permissions the user has as an individual, as part of a group, or as part of a tenant, with the most permissive permission taking precedence.
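The union rule above is easy to get wrong in an access check, so here is the evaluation written out. This is an added example, not product code: the Level ordering (with View standing in for the Access level used by deployments), the Principal and ResourceAcl types, the activity-to-level map taken from the application profile table, and the sample principals are all constructed for illustration.

```python
"""Effective resource-based permission as the union of individual, group and
tenant grants, with the most permissive grant winning (constructed example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Permission levels, ordered so that max() yields the most permissive one.
    VIEW stands in for the Access level used by deployments and environments."""
    NONE = 0
    VIEW = 1
    MODIFY = 2
    MANAGE = 3


# Activity -> minimum level, following the application profile table:
# View = view only, Modify adds edit, Manage adds share and delete.
REQUIRED = {"view": Level.VIEW, "edit": Level.MODIFY,
            "share": Level.MANAGE, "delete": Level.MANAGE}


@dataclass(frozen=True)
class Principal:
    """A user plus the groups and tenant the user belongs to (constructed)."""
    user: str
    groups: frozenset = frozenset()
    tenant: str = ""


@dataclass
class ResourceAcl:
    """Share settings for one resource, one dict per principal kind (constructed)."""
    owner: str
    users: dict = field(default_factory=dict)    # user name  -> Level
    groups: dict = field(default_factory=dict)   # group name -> Level
    tenants: dict = field(default_factory=dict)  # tenant     -> Level

    def effective(self, p: Principal) -> Level:
        # The owner manages all permissions on the resource.
        if p.user == self.owner:
            return Level.MANAGE
        # Union of every grant the principal can claim; the maximum wins.
        grants = [self.users.get(p.user, Level.NONE),
                  self.tenants.get(p.tenant, Level.NONE)]
        grants += [self.groups.get(g, Level.NONE) for g in p.groups]
        return max(grants)

    def allows(self, p: Principal, activity: str) -> bool:
        return self.effective(p) >= REQUIRED[activity]


# Constructed sample data: one shared resource and four principals.
ACL = ResourceAcl(owner="alice",
                  users={"bob": Level.VIEW},
                  groups={"devops": Level.MODIFY},
                  tenants={"acme": Level.VIEW})

ALICE = Principal("alice", tenant="acme")                             # owner -> MANAGE
BOB = Principal("bob", groups=frozenset({"devops"}), tenant="acme")  # VIEW + MODIFY -> MODIFY
CAROL = Principal("carol", tenant="acme")                             # tenant grant only -> VIEW
DAVE = Principal("dave", tenant="globex")                             # no grant -> NONE


def demo() -> dict:
    """Effective level per sample principal."""
    return {p.user: ACL.effective(p).name for p in (ALICE, BOB, CAROL, DAVE)}


if __name__ == "__main__":
    for user, level in demo().items():
        print(f"{user:6} -> {level}")
    print("bob may edit:", ACL.allows(BOB, "edit"),
          "| bob may share:", ACL.allows(BOB, "share"))
```

Note that bob's direct grant is only View, yet his effective level is Modify because of the devops group; when auditing who can change a resource, group and tenant grants have to be resolved, not just the per-user entries.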

Deployment Permissions

The deployment owner is always associated with a deployment and can: 

  • Manage web SSH/VNC access to a deployment VM

  • Control which other users have access to deployment VMs

    Only the deployment owner can control permissions, and the owner cannot grant the Manage permission to any other user, so no other user can control permissions for this deployment.

From the Share Popup (see Understand ACLs) for a deployment, the deployment owner (referred to as owner) can control permissions for a deployment, as summarized in the table below.

Permission | Description

Access
  Controls whether other users/groups/tenants have SSH or VNC access to VMs in this deployment.

  Access permission is only effective for users/groups/tenants that also have Access or Manage privilege for the deployment environment associated with this deployment.

Deployment Environment Permissions

The tenant administrator can:

  • Manage who has access to the deployment environment.

  • Control which other users have access to the deployments in this environment.

  • Deploy applications to or promote applications from this environment.

  • Approve the deployments of applications to the environment.

  • Share the deployment environment with users who are directly under the tenant owner – these users can manage the environment, if they have inherited deployment environment permissions based on a role configuration. Users further down this tenant hierarchy can only view the environment, if shared, in read-only mode.

Additionally, all users in your tenant can control deployment environment permissions as described in the following table:

Permission | Deployment Environment Implications | Description

Deploy To
  Implication: A member of your tenant has permission to deploy applications to this deployment environment.

  Description: This permission grants a user the ability to deploy in this deployment environment.

  All users in the tenant with the Deployment Environment permission enabled in their role automatically have permission to manage all environments in the tenant.

  Conversely, users outside the tenant can no longer be given permission to modify or manage any environment in the tenant.

  You can grant or restrict deployment permission for individual users within and outside the tenant, and for groups within the tenant, by toggling the Deploy To checkbox for those users/groups; these users/groups inherit read-only access to all policies and tags specified in that deployment environment.

User's Deployments
  Implication: Identifies permission for deployments launched by you (the user) in this deployment environment.

  Description: Controls the activities that users can perform on deployments that they started in this deployment environment.

    • None: The user or member of your tenant and/or sub-tenant cannot view deployments, even if this user owns the deployment.
    • Access: The user or member of your tenant and/or sub-tenant can view deployments.
    • Manage: The user or member of your tenant and/or sub-tenant can manage deployments, including view, start, suspend, reboot, resume, upgrade, and terminate.

Others' Deployments
  Implication: Identifies permission for deployments launched by other users in this deployment environment.

  Description: Controls the activities that users or members of user groups can perform on deployments that other users started in this deployment environment.

    • None: The user or member of your tenant and/or sub-tenant cannot view deployments, even if this user owns the deployment.
    • Access: The user or member of your tenant and/or sub-tenant can view deployments.
    • Manage: The user or member of your tenant and/or sub-tenant can manage deployments, including view, start, suspend, reboot, resume, upgrade, and terminate.

Promote From
  Implication: A member of your tenant has permission to promote a running deployment from this deployment environment to another deployment environment.

  Description: If both deployment settings (User's Deployments and Others' Deployments) are set to None for this user or for users within a tenant, this checkbox is greyed out and cannot be checked: such users cannot view the deployment and therefore cannot promote it.

  Be sure to grant Access through either of these settings if you want to allow this user to promote deployments.

  When you create a deployment environment and share it with a user without checking the Promote From option, be aware that the Migrate/Promote From action will not be available when this user deploys an application that uses this deployment environment.

Authorized Approver
  Implication: A member of your tenant has permission to authorize approvals for a deployment.

  Description: Allows a user to approve the start of a deployment in the environment, if approval is required. By granting this permission, you are essentially authorizing this user to act as an admin for the deployments within your deployment environment.

  If a user's deployment requires approval and the user does not have Authorized Approver permission, the deployment must be approved by someone else before it is deployed.
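The deployment environment settings above interact with each other and with the deployment-level Access permission, so the checks are written out here as code. This is an added example, not product code: EnvGrant and its field names mirror the Share Popup columns, the action names come from the Manage description, and the reading of "Access or Manage privilege for the deployment environment" as the applicable User's/Others' Deployments setting is this example's assumption rather than something the page states.

```python
"""Checks implied by deployment environment share settings (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class DepLevel(IntEnum):
    NONE = 0     # cannot view deployments, even one's own
    ACCESS = 1   # view
    MANAGE = 2   # view, start, suspend, reboot, resume, upgrade, terminate


MANAGE_ACTIONS = ("start", "suspend", "reboot", "resume", "upgrade", "terminate")


@dataclass
class EnvGrant:
    """One principal's settings for one deployment environment (field names follow
    the Share Popup columns; the type itself is constructed for this example)."""
    deploy_to: bool = False
    users_deployments: DepLevel = DepLevel.NONE
    others_deployments: DepLevel = DepLevel.NONE
    promote_from: bool = False
    authorized_approver: bool = False

    def validate(self) -> None:
        """Share Popup rule: Promote From cannot be set while both deployment
        settings are None, because a user who cannot see a deployment cannot promote it."""
        if (self.promote_from and self.users_deployments == DepLevel.NONE
                and self.others_deployments == DepLevel.NONE):
            raise ValueError("Promote From needs Access on User's or Others' Deployments")


def level_for(grant: EnvGrant, owns_deployment: bool) -> DepLevel:
    """User's Deployments governs deployments the user started; Others' governs the rest."""
    return grant.users_deployments if owns_deployment else grant.others_deployments


def can_view(grant: EnvGrant, owns_deployment: bool) -> bool:
    return level_for(grant, owns_deployment) >= DepLevel.ACCESS


def can_do(grant: EnvGrant, owns_deployment: bool, action: str) -> bool:
    """'view' needs Access, lifecycle actions need Manage, and 'promote' needs
    Promote From plus the ability to see the deployment."""
    if action == "view":
        return can_view(grant, owns_deployment)
    if action == "promote":
        return grant.promote_from and can_view(grant, owns_deployment)
    if action in MANAGE_ACTIONS:
        return level_for(grant, owns_deployment) >= DepLevel.MANAGE
    raise ValueError(f"unknown action {action!r}")


def vm_access_effective(deployment_access: bool, grant: EnvGrant,
                        owns_deployment: bool) -> bool:
    """Access on a deployment (SSH/VNC to its VMs) only takes effect when the user
    also has Access or Manage on the environment; assumed here to mean the
    applicable deployments setting."""
    return deployment_access and can_view(grant, owns_deployment)


def needs_other_approver(grant: EnvGrant, approval_required: bool) -> bool:
    """A deployment that requires approval must be approved by someone else
    unless the deploying user holds Authorized Approver."""
    return approval_required and not grant.authorized_approver


# Constructed sample grants.
VIEWER = EnvGrant(deploy_to=True, users_deployments=DepLevel.ACCESS)
OPERATOR = EnvGrant(deploy_to=True, users_deployments=DepLevel.MANAGE,
                    others_deployments=DepLevel.ACCESS, promote_from=True)
INVALID = EnvGrant(deploy_to=True, promote_from=True)  # rejected by validate()

if __name__ == "__main__":
    for name, grant in (("viewer", VIEWER), ("operator", OPERATOR)):
        print(name, "own/reboot:", can_do(grant, True, "reboot"),
              "others/view:", can_do(grant, False, "view"),
              "others/promote:", can_do(grant, False, "promote"))
    try:
        INVALID.validate()
    except ValueError as err:
        print("invalid grant:", err)
```

The VIEWER grant shows the common surprise: the user can deploy (Deploy To) and see their own deployments, but deployments started by colleagues are invisible, and a deployment-level Access grant on one of those does nothing until the Others' Deployments setting is at least Access.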

Extensions Permissions

The Workload Manager administrator is always associated with an Extension and can:

  • Manage who has access to the Extension

  • Control which other users have access to the Extension

  • Deploy applications to or promote applications using these Extensions

  • Approve the deployments of applications using these Extensions

Administrators can control permissions for an Extension as described in the Share Popup (see Understand ACLs). The following table describes the permission options.

Permission Options | Description

Access
  Controls permissions for users, groups, and tenants when using an Extension.

    • View: The user or member of a user group can only view the Extension but cannot make changes.
    • Modify: The user or member of a user group can make changes to this Extension.
    • Manage: The user or member of a user group can share, edit, or delete this Extension.

Application Profile Permissions

Application profile permissions define certain activities that a user can perform with the application profile.

From the Share Popup (see Understand ACLs) for an application profile, the application owner (referred to as owner) can control permissions for an application profile:

  • Owner:

    • The author who created an application or application profile is the owner, and by default, manages all permissions for this application.

    • The owner must explicitly assign access or deploy permissions to any user, admin, group, or sub-tenant. See Application Tasks > More Info for additional context.

      By default the tenant admin does not have any permission to view/modify/manage/deploy an application profile created by any user within this admin's tenant. 

      The owner must explicitly assign share or deploy permissions to the admin.

      Only admins with appropriate permissions can access permitted applications or application profiles.

  • User: The owner must explicitly assign access or deploy permissions. Only permitted users can access applications or application profiles.

By default, only the application profile owner can assign permissions for any user, admin, group, or tenant.

The following table describes the application profile permissions options.

Permission | Description

Access
  Controls the activities that users or members of user groups can perform for this application profile.

    • View: The user or member of a group/tenant can only view this application profile but cannot modify, share, or delete it.
    • Modify: The user or member of a group/tenant can edit this application profile, but cannot share or delete it.
    • Manage: The user or member of a group/tenant can view, edit, share, and delete this application profile.

Deploy
  Allows a user or member of a user group to benchmark and deploy this application profile.

  Unless the application profile is shared with a user, that user cannot promote or migrate its deployments, because they do not own the application profile.

From the Publish option for an application profile, a tenant administrator can control the permissions for an application profile when publishing it to a marketplace. These permissions control access to the application profile after it is imported from the marketplace by a subscribing user. The following table describes these permission options.

Permission | Description

Imported App Permissions
  Permissions for the imported application profile.

    • None: A subscribing user with appropriate privileges can benchmark and deploy this application profile.
    • View: A subscribing user can view application profile details and, with appropriate privileges, can benchmark and deploy this application profile.
    • Modify: A subscribing user can edit application profile details and, with appropriate privileges, can benchmark and deploy this application profile.

Can be shared
  Allows a subscribing user to share this application profile with other users.

Repository Permissions

Repository permissions define certain activities that users can perform with repositories. You can control the permissions for a repository as described in the Share Popup (see Understand ACLs). The following table describes the permission options.

Permission | Description

View
  The user, members of a user group, or tenant can only see this repository but cannot modify, share, or delete it.

Modify
  The user, members of a user group, or tenant can edit this repository.

Manage
  The user, members of a user group, or tenant can edit or delete this repository.

Service Permissions

Service permissions define certain activities that users can perform with custom services. You can control the permissions for a custom service as described in the Share Popup (see Understand ACLs). The following table describes the permission options.

Permission | Description

View
  The user, members of a user group, or tenant can see this service but cannot modify, share, or delete it.

Modify
  The user, members of a user group, or tenant can edit this service.

Manage
  The user, members of a user group, or tenant can edit or delete this service.

Each tenant and users within a tenant can only view services specific to their tenant (or as permitted by their admin). See Topology Modeler > OOB Services or Services (Admin) for additional context.

Actions Library Permissions

Custom actions permissions define certain actions that users can perform. You can control the permissions for a custom action. The following table describes the permission options.

Permission | Description

View
  The user or members of a user group can view this custom action but cannot make changes to, share, or delete the custom action.

  Users who only have View permission on these actions cannot toggle the Enable (default) or Disable action in the Actions Library page.

Modify
  The user or members of a user group can edit this custom action and toggle the Enable (default) or Disable action in the Actions Library page, but cannot share or delete it.

Manage
  The user or members of a user group can edit this custom action, toggle the Enable (default) or Disable action in the Actions Library page, share it, and delete it.

If you create a custom action and share it, be aware that the permissions for the application profile to which this action is attached must also be in the correct share state for shared users to run this action. You must either create the application profile or share the application profile with these users and assign Modify or Manage permissions.


Each tenant and users within a tenant can only view/modify custom actions specific to their tenant (or as permitted by their admin). See Actions Library for additional context.

Image Permissions

The Share popup lets you assign one of the following permissions to share an image, as described in the Share Popup (see Understand ACLs). The following table describes the permission options.

Permission | Description

View
  The user, members of a user group, or tenant can see this image but cannot modify, share, or delete it.

Modify
  The user, members of a user group, or tenant can edit this image.

Manage
  The user, members of a user group, or tenant can edit or delete this image.

Each tenant and users within a tenant can only view shared images specific to their tenant (or as permitted by their admin).

Only permitted users can add images. See Image Administration and Image Launch Permissions for additional context.

Temporary Permission to Launch an Image

The Grant and Revoke Image Permission option appears for OpenStack clouds only.

The Grant and Revoke Image Permission option in the Add Cloud Mapping window lets you set up temporary permission to allow any user to launch the image in an OpenStack cloud. To set up this permission, check the Grant and Revoke Image Permission box, and then choose the cloud account that owns this image from the Image Owner Cloud Account drop-down menu that appears. See Image Launch Permissions for additional details.

Tenant Owner Permission Nuances

The following table identifies the permission nuances for each resource and their associated API settings.

Resource | Permission Can Be Assigned To | Tenant Owner Permission | API objectType Enumeration | API permsList Enumeration

Application profiles
  Permission can be assigned to: Tenant co-admins; users within a tenant
  Tenant owner permission: Always have this permission
  API objectType: APP
  API permsList: CREATE_APP

Global, aging and scaling policies
  API objectType: POLICY
  API permsList: CREATE_POLICY

Deployment environments
  API objectType: DEPLOYMENT_ENVIRONMENT
  API permsList: CREATE_DEPLOYMENT_ENVIRONMENT

Application profile templates
  Permission can be assigned to: Tenant owners
  API objectType: APP_PROFILE
  API permsList: CREATE_APP_PROFILE

Cloud groups
  Tenant owner permission: Without this permission (even for a cloud group assigned by their parent tenant), sub-tenants cannot:
    • Create new cloud groups
    • Add new cloud regions to existing cloud groups
    • Configure an existing cloud region differently from their parent tenant
  API objectType: CLOUD
  API permsList: CREATE_CLOUD

Cloud accounts
  Tenant owner permission: Without this permission (even for a cloud account assigned by their parent tenant), sub-tenants cannot create new cloud accounts.
  API objectType: CLOUD_ACCOUNT
  API permsList: CREATE_CLOUD_ACCOUNT

Project and Phase Permissions

Projects are only displayed in the Project Owner's dashboard. Even if other users are added to a project, the project is only displayed in those users' dashboards after the project is published.

Users can perform the functions that the following table describes based on assigned privileges:

Permission | Description

View
  The user or members of a user group can only view this resource.

Modify
  The user or members of a user group can edit phases.

Manage
  The user or members of a user group can edit, turn on or off, share, and delete this resource.

All applications are part of the project:

  • The application is not shared with a user: the user cannot see the application listed when clicking the Add Deployment link.

  • A user does not have Deploy privilege for the application – The Add Deployment link is disabled.

All deployment environments are part of a project:

  • A user does not have Deploy To privilege – The Add Deployment link is disabled. 

  • A user's deployment environment privileges determine access, as described in the following table

    Deployment Environment Privilege | Description
    None: The Add Deployment link is disabled.
    Access: Running deployments are not visible.
    Manage: Running deployments are visible; cannot perform any job action.
    Manage, Promote from: Running deployments are visible; can perform any job action except the Promote action.
    Manage, Promote from, Deploy to: Running deployments are visible; can perform any job action.

See Project and Phase Management for additional context.

© 2017-2019 Cisco Systems, Inc. All rights reserved