Access Control Lists
Access Control Lists (ACLs) allow you to view or modify permissions for an API resource. Resources are identified using a unique ID and corresponding. Not all resources are supported by the ACL function. See the ACL-Managed Resources section below for the list of supported resources.
The following table identifies the resources that are supported by the ACL function along with the corresponding pages that provide additional information for the resource. This information is identical to the resourceName attribute used by the CloudCenter APIs.
Description: An identifier for a CloudCenter Resource managed by ACLs. The supported ACL-managed resources are listed as enumerations.
| Enumeration | Description |
| POLICY | See Action Policies |
| PUBLISHED_APP | See Publish to |
| DEPLOYMENT_ENVIRONMENT | |
| APPLICATION | See Model an Application by Importing the Profile |
| REPOSITORY | |
| CLOUD_ACCOUNT | |
| SYSTEM_TAG | |
| SECURITY_PROFILE | |
| SERVICE | |
| LINK_TO_PARENT | (Effective CloudCenter 4.8) |
| LINK_TO_CHILD | |
| CUSTOM_ACTION | |
| PROJECT | See Projects |
| IMAGE | |
| | See Sharing Deployments |
| EXTENSION | |
| ACI_EXTENSION | |
| SERVICE_NOW_EXTENSION | (Effective CloudCenter 4.8.2) |
| ACTION | (Effective CloudCenter 4.8) |
| VIRTUAL_MACHINE | (Effective CloudCenter 4.8) |
| AGING_POLICY | (Effective CloudCenter 4.8.2) |
| SUSPENSION_POLICY | |
Default Permissions for ACL Resources
Permissions are tightly controlled by CloudCenter, and not all permissions are applicable to all resources. You will receive validation errors in the following cases:
- When you apply a permission that is not applicable to a particular resource. For example, move_in and move_out are only applicable to deployment environments; if you apply either of these two strings to any other resource, you receive a validation error.
- When you apply an arbitrary string that is not listed in the perms array. For example, if you assign your own permission value such as readwrite, you receive a validation error.
Imported VMs do not have any default per
ACL Manage Permissions
As this information is identical to the perms attribute used by the CloudCenter APIs, the same information is included here.
Description: The permissions for a CloudCenter Resource managed by ACLs.
Type: Array of strings
Table: permissions supported per resourceName (a matrix of Yes entries). Only the PROJECT and IMAGE rows and the MANAGE_EXPORT and MANAGE_IMPORT entries survive extraction.
Permissions are divided into the categories that the following table describes:
Table: Permission Category (id and perms) | Tenant & Sub-Tenants. The remaining cells were not preserved.
Default ACL Resource Permissions
The following default permissions are automatically granted to ACL resources after each resource is created.
- User permissions are granted to the user who created the resource.
- Tenant permissions are granted to:
  - All users of the tenant to which the logged-in user belongs.
  - All users in the sub-tenant hierarchy starting at the tenant of the user who created the resource.
- If defaults are not specified for the Vendor and Tenant levels, no default permissions are available at that level.
The following table describes ACL resource permissions.
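The two rules above (a perms array is rejected if it names a permission that does not apply to the resource, or a string that is not in the perms list at all) and the default grants to the creator and the tenant hierarchy can be modelled compactly. The following is an added illustrative example, not CloudCenter code or its API: the resource names come from the enumeration on this page, while the generic permission names other than move_in and move_out, the `Tenant` class and the sample hierarchy are assumptions.

```python
"""Illustrative model of the ACL perms validation and default-grant rules on this
page. Constructed example, not CloudCenter code or API; only move_in/move_out and
the resource names are taken from the page, the other permission names are assumed."""
from dataclasses import dataclass, field

# Subset of the ACL-managed resource enumeration listed on the page.
RESOURCES = {"POLICY", "APPLICATION", "DEPLOYMENT_ENVIRONMENT", "SERVICE",
             "PROJECT", "IMAGE", "CLOUD_ACCOUNT", "REPOSITORY"}
# Assumed placeholder vocabulary; the product's real perms list is not reproduced here.
GENERIC_PERMS = {"view", "modify", "administration"}
# From the page: move_in and move_out apply only to deployment environments.
DEPLOYMENT_ENV_ONLY = {"move_in", "move_out"}


def validate_perms(resource_name: str, perms: list[str]) -> list[str]:
    """Return validation errors; an empty list means the perms array is accepted."""
    if resource_name not in RESOURCES:
        return [f"{resource_name} is not an ACL-managed resource"]
    errors = []
    for perm in perms:
        if perm in DEPLOYMENT_ENV_ONLY and resource_name != "DEPLOYMENT_ENVIRONMENT":
            errors.append(f"{perm} applies only to DEPLOYMENT_ENVIRONMENT")
        elif perm not in GENERIC_PERMS | DEPLOYMENT_ENV_ONLY:
            # An arbitrary string such as "readwrite" is rejected, never silently mapped.
            errors.append(f"{perm} is not a recognized permission")
    return errors


@dataclass
class Tenant:
    name: str
    sub_tenants: list["Tenant"] = field(default_factory=list)


def hierarchy(tenant: Tenant) -> list[str]:
    """The tenant plus every sub-tenant beneath it, depth first."""
    names = [tenant.name]
    for sub in tenant.sub_tenants:
        names.extend(hierarchy(sub))
    return names


def default_grants(creator: str, creator_tenant: Tenant, tenant_defaults: bool) -> dict:
    """Default ACL grants at creation time: the creating user always; the creator's
    tenant and its whole sub-tenant hierarchy only when tenant-level defaults exist."""
    return {"user": creator,
            "tenants": hierarchy(creator_tenant) if tenant_defaults else []}


if __name__ == "__main__":
    # Constructed sample hierarchy and requests.
    root = Tenant("acme", [Tenant("acme-eu", [Tenant("acme-eu-dev")]), Tenant("acme-us")])
    print(validate_perms("POLICY", ["view", "move_in"]))       # move_in rejected for POLICY
    print(validate_perms("SERVICE", ["readwrite"]))            # unknown string rejected
    print(default_grants("alice", root.sub_tenants[0], True))  # acme-eu and acme-eu-dev
```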
UI and API Differences
ACL Configuration differences between the UI and API:
- UI – If you have a complicated hierarchy with multiple permission combinations in a tenant hierarchy, the UI only displays permissions for the current level. Permissions for parent and child tenants are not visible to the logged-in user.
- API – API users can view or modify permissions for all levels, regardless of the user's level in the tenant hierarchy. The only prerequisite is that the logged-in user has administration perms on the resource.
If you are the tenant owner, you can provide any permission to the sub-tenant organization and all its users at the same time.
When providing access to Tenant and Sub-Tenant users, access the Share popup for the required service (CCM UI > Admin > Services > MyService > Share dropdown), click the Tenants tab in the popup, and check the My Tenants & Sub-Tenants check box to provide access to the entire hierarchy.
You also have the option to select just one tenant (if you want to give access to that tenant but not to its sub-tenants) and provide access to just that tenant.