Privileges and roles
Privilege - an atomic action that a user is allowed to perform on a system resource.
Role - a set of privileges that define access rules and a list of possible actions for each type of resource in the system. Roles allow you to assign permissions for accessing system resources based on a set of typical tasks performed by users.
When the task of assigning permissions to a user occurs, the administrator associates the user or group with a role and associates the pair with an AirCloud inventory resource. A single user or group can have different roles for different resources on the system.
Suppose there are two resources on the system - "Cluster A" and "Cluster B". An administrator assigns a user group a role with "View & Edit" permissions on "Cluster A" and the "View access" role on "Cluster B". With these assignments, the users of the group can use the child resources of "Cluster A" (e.g., enable and work with virtual machines on it), but on "Cluster B" they can only view a list of its virtual machines.
Privilege Configuration Modes
AirCloud has two modes of privilege configuration for a role:
1. "Basic mode" - allows you to quickly configure privileges for a role by specifying one of the pre-defined permission sets.
2. "Advanced mode" - a fine-tuned privilege configuration mode where you have the option to manually configure each privilege by checking or unchecking the appropriate checkbox in the list of available privileges.
For more information about privilege customization modes, see "Basic Privilege Customization Mode" and "Advanced Privilege Customization Mode".
Changes to roles and privileges take effect immediately, even if the affected users are already logged in.
When changing from "Basic mode" to "Advanced mode" or vice versa, the preset settings are not reset, but rather the preset permission sets are overridden and mapped to manually defined privileges.
Preset Roles
AirCloud has preset system roles that can be edited, cloned, or deleted by the administrator during the access configuration process.
A preset role is a set of privileges based on the typical tasks a user will perform using system resources. The following system roles are implemented in AirCloud:
Consumer;
Developer;
Operator;
Admin;
Viewer;
Super Admin;
Owner (this role cannot be deleted).
To avoid losing the "factory" settings for preset roles, first clone the role and make changes to the copy of the role. You cannot reset system role settings to default values.
Summarizing personal and group user privileges
AirCloud policy allows you to assign multiple roles to a single user (either personally or as part of a group of users) with respect to a single system resource. In this case, the user's total permissions for the resource are determined by the principle of additivity: the user's total permissions in the system equal the sum of the permissions assigned to the user personally and the permissions assigned to each group of which the user is a member.
If several group roles are defined for the same resource and the user belongs to two or more of these groups, the user gets the union of the permissions that the groups have with respect to the resource.
Important! Keep the following in mind when configuring roles and privileges in AirCloud:
In AirCloud, the permissions defined for a child resource always override the permissions that apply to it from parent resources.
Many tasks require permissions on multiple AirCloud resources. If the user attempting to perform a task has privileges on only one resource, the task cannot be successfully completed and a notification will be displayed. For example, moving an object through the system hierarchy requires appropriate privileges for the object itself, the source parent object (such as a folder or cluster), and the target parent object.
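The three rules above (additivity of personal and group roles, child-level permissions overriding inherited ones, and tasks that need privileges on several resources at once) can be modelled in a few lines. The following Python block is an added illustration and is not AirCloud code: the privilege names (vm.view, vm.edit, vm.power, vm.move), the role contents, the inventory tree and the exact resolution order (the nearest level of the hierarchy that carries any assignment for the user wins, rather than being merged with the parent) are all assumptions made for the example.

```python
# Added illustration of the privilege-summation rules described above; this is not
# AirCloud code. The resource names, privilege names, role contents and the exact
# inheritance order are assumptions made for the example.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed roles: each role is a set of atomic privileges.
ROLES: Dict[str, frozenset] = {
    "View access": frozenset({"vm.view"}),
    "View & Edit": frozenset({"vm.view", "vm.edit", "vm.power"}),
    "Mover": frozenset({"vm.view", "vm.move"}),
}


@dataclass
class Inventory:
    # resource -> parent resource (None for the root of the hierarchy)
    parent: Dict[str, Optional[str]]
    # group name -> set of member user names
    groups: Dict[str, Set[str]]
    # (principal, resource) -> role names assigned to that user or group on that resource
    assignments: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def assign(self, principal: str, resource: str, role: str) -> None:
        self.assignments.setdefault((principal, resource), set()).add(role)

    def principals_of(self, user: str) -> Set[str]:
        """The user personally plus every group the user is a member of."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def lineage(self, resource: str) -> Iterator[str]:
        """The resource itself, then its parent, grandparent, ... up to the root."""
        node: Optional[str] = resource
        while node is not None:
            yield node
            node = self.parent[node]

    def effective_privileges(self, user: str, resource: str) -> frozenset:
        """Union of the privileges of every role assigned to the user personally or
        through any of the user's groups (the additivity principle). Assumption:
        the nearest level of the hierarchy that carries any such assignment is
        used, so a child-level assignment overrides inherited ones instead of
        being merged with them."""
        principals = self.principals_of(user)
        for node in self.lineage(resource):
            privileges: Set[str] = set()
            assigned = False
            for principal in principals:
                for role in self.assignments.get((principal, node), ()):
                    assigned = True
                    privileges |= ROLES[role]
            if assigned:
                return frozenset(privileges)
        return frozenset()  # no role anywhere in the lineage: no access

    def check_move(self, user: str, obj: str, target_parent: str) -> List[str]:
        """A move needs the (assumed) 'vm.move' privilege on the object, its
        current parent and the target parent. Returns the resources on which
        the privilege is missing; an empty list means the move is allowed."""
        source_parent = self.parent[obj]
        needed = [r for r in (obj, source_parent, target_parent) if r is not None]
        return [r for r in needed if "vm.move" not in self.effective_privileges(user, r)]


def build_sample_inventory() -> Inventory:
    """Constructed sample matching the Cluster A / Cluster B scenario above."""
    inv = Inventory(
        parent={"Datacenter": None, "Cluster A": "Datacenter", "Cluster B": "Datacenter",
                "vm-1": "Cluster A", "vm-2": "Cluster B"},
        groups={"ops": {"alice", "bob"}, "movers": {"alice"}},
    )
    inv.assign("ops", "Cluster A", "View & Edit")
    inv.assign("ops", "Cluster B", "View access")
    inv.assign("movers", "Cluster A", "Mover")      # second group role on the same resource
    inv.assign("bob", "vm-2", "View & Edit")        # personal role on a child resource
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    # alice: union of the "ops" and "movers" roles on Cluster A, inherited by vm-1
    print(sorted(inv.effective_privileges("alice", "Cluster A")))
    print(sorted(inv.effective_privileges("alice", "vm-1")))
    # bob: his personal role on vm-2 overrides the group's "View access" on Cluster B
    print(sorted(inv.effective_privileges("bob", "Cluster B")))
    print(sorted(inv.effective_privileges("bob", "vm-2")))
    # moving vm-1 into Cluster B is refused because of the target parent only
    print(inv.check_move("alice", "vm-1", "Cluster B"))
```

Two points worth noticing when reading the output: alice gets "vm.move" on "vm-1" although no role is assigned on the VM itself, because it is inherited from "Cluster A"; and bob's effective set on "vm-2" is exactly his personal role, not that role plus the group's "View access" from the parent, which is the override rule applied at the child level. The move check reports every resource on which the privilege is missing, which is the information a user-facing notification of a refused task should carry.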
Summarizing privileges from multiple user roles
TBD
Deleting Roles
Unlike pre-defined system roles, any of the roles created by the administrator can be deleted from the system. When deleting a role that is not assigned to any AirCloud user or group, the role is simply removed from the list of roles available for selection. When deleting a role that is already assigned to users or groups, those users and groups lose all privileges included in the role.
All roles created based on the deleted role remain available for further use in the system.