Advanced privilege setting mode
To configure privileges in advanced mode, you must have the edit_role or edit_role_any privilege.
The advanced mode of privilege configuration allows the administrator to fine-tune user access rights to system resources (without using presets) and minimize the potential for information security issues.
For example, an administrator with the privilege of assigning roles to user groups assigns a role to group “A”. Another organization administrator, who cannot assign roles to user groups but can manage the composition of group members, then adds users to group “A”, thereby increasing their privileges without the consent of the first administrator.
To avoid such situations and minimize the possibility of violating secure access, the advanced mode of setting privileges in Nextop is based on the principle of “least privilege”: a software user should be granted the minimum set of rights and accesses necessary and sufficient to perform their assigned tasks.
In Nextop, to prevent potential information security breaches, among other things, the following restrictions are implemented:
only a global administrator can create new user accounts, groups, roles;
group nesting is not supported - a group cannot be added as a member of another group.
Principles of privilege organization in Nextop
To understand the logic of organizing work with privileges in AirCloud, it is important to understand the basic principles that underlie their concept:
Every user without exception can view the list of all roles available in the system (even those that exceed the set of privileges of the roles assigned to the user in the system).
It is considered that role A exceeds role B in terms of privileges if role A has privileges that are absent in role B.
A system user should not be able to grant other users (including themselves) privileges that they currently do not have.
A user can grant other users administrative access only to those AirCloud resources to which they themselves have access.
A user can only delete those entries from the global access list whose roles do not exceed the set of privileges of the roles assigned to the user in the system.
A user can edit a role (change the composition of its privileges) only if the role's set of privileges does not exceed the set of privileges of the roles assigned to the user in the system.
Important! In the context of editing roles, the set of privileges of the roles assigned to the user in the system is considered to be the set of entries in the global administrative access list with the option of inheriting privileges from the parent resource to the children.
At the same time, the user can add to the editable role only those privileges that they themselves have.
A user can only delete from the system those roles that do not exceed the set of privileges of the roles assigned to the user in the system.
Since deleting a role from the system changes the access lists in which the deleted role participates, the user must additionally hold the privileges for deleting administrative access records and for changing the composition of roles in all local and global Nextop access lists.
A system user can be restricted (using privileges) in the ability to create and delete roles. A user can:
create/delete absolutely any roles, even those exceeding the powers of the user himself in the system;
create/delete only those roles whose privileges the user himself has.
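The "exceeds" relation and the edit and grant rules above can be expressed as set operations. The following is an added illustration, not Nextop or AirCloud code: the privilege names and function names are constructed, and the actor's roles are assumed to be the ones counted for the user under the "Important!" note above.

```python
# Added illustration; privilege names are constructed, not product identifiers.

def effective(assigned_roles):
    """Union of the privileges of every role assigned to a user."""
    return frozenset().union(*assigned_roles)

def exceeds(role_a, role_b):
    """Role A exceeds role B if A has a privilege that is absent in B."""
    return bool(set(role_a) - set(role_b))

def check_edit(actor_roles, role_before, role_after):
    """May the actor change role_before into role_after? Returns (ok, reason)."""
    held = effective(actor_roles)
    if exceeds(role_before, held):
        extra = sorted(set(role_before) - held)
        return False, "role exceeds editor by: " + ", ".join(extra)
    # Only privileges being added are checked; removing is always a reduction.
    lacking = sorted(set(role_after) - set(role_before) - held)
    if lacking:
        return False, "editor lacks: " + ", ".join(lacking)
    return True, "ok"

def check_grant(actor_roles, granted_role):
    """Direct or indirect grant (for example, adding a user to a group that
    holds granted_role): the actor must already hold everything conferred."""
    held = effective(actor_roles)
    if exceeds(granted_role, held):
        extra = sorted(set(granted_role) - held)
        return False, "grant exceeds actor by: " + ", ".join(extra)
    return True, "ok"

# Constructed sample roles.
VM_OPERATOR = frozenset({"vm.view", "vm.power"})
BACKUP_ADMIN = frozenset({"vm.view", "datastore.write", "backup.create"})
GROUP_MANAGER = frozenset({"group.members.edit"})

if __name__ == "__main__":
    actor = [VM_OPERATOR, GROUP_MANAGER]
    # "Exceeds" is not a total order: each of these roles exceeds the other.
    print(exceeds(VM_OPERATOR, BACKUP_ADMIN), exceeds(BACKUP_ADMIN, VM_OPERATOR))
    print(check_edit(actor, VM_OPERATOR, VM_OPERATOR | {"vm.delete"}))
    print(check_edit(actor, VM_OPERATOR, frozenset({"vm.view"})))
    print(check_grant(actor, BACKUP_ADMIN))
```

Because two roles can each exceed the other, a comparison by privilege count or by a numeric role level cannot replace the subset check.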
Privilege Dependencies
Many user tasks require simultaneous privileges on multiple Nextop resources. If a user attempting to perform a task has privileges on only one of the resources, the task will not be completed successfully.
For example:
To perform any operation affecting disk space, access to the Data Store is required. A user trying to create, for example, a system backup, must also have the privilege to write to disk space.
To move an object (e.g., VM) between AirCloud objects, the corresponding privileges are required for the object itself, the original parent object (e.g., Cluster A), and the target parent object (Cluster B).
As in basic mode, setting privileges in advanced mode may produce conflicts between the established privileges; these are displayed to the user, with the option of resolving the resulting contradictions automatically.
Setting Privileges for a Role
Setting privileges for a role includes configuring resource management parameters depending on their ownership by the user (Personal and Shared), as well as access privileges to each of the system’s resources. Reference information about all AirCloud privileges and their dependencies on each other, which can be used for role configuration, is located in the following sections:
Global privileges (part of the “Administration” section in the interface)
Important! By granting users privileges, you can indirectly expand the user’s capabilities in the system concerning other resources – for example, by changing the composition of group members, you indirectly affect the access list to the resources to which the group has access, and the user added to the group gets access rights to the resource.