RBAC

ADCM implements a role model. Sets of permissions for operations on ADCM objects are grouped into roles. Roles are used in policies, which grant a role's permissions to users or user groups.

A permission is the basic element of the role model. A role is a set of permissions. Permissions cannot be assigned directly to users or groups; they can only be added to roles.

Some permissions are necessary to work with any product via ADCM. Such permissions are always present in ADCM. Other permissions are necessary to work only with a particular product. Those permissions appear in ADCM when a bundle is uploaded.

A role is assigned to a user or to a user group via a policy. Assignment of multiple roles is supported. A user inherits the roles of the group to which the user belongs. Inheritance occurs even if the user is assigned a separate role. Only the ADCM administrator (= superuser) can assign roles to users. In particular, only the superuser can grant the superuser role to another user.

Policy is a triad that consists of the following elements:

  1. User or user group
  2. Role
  3. Object, to which the role’s permissions are applied.

Object can have one of the following types:

  • Cluster
  • Service
  • Host
  • Provider

While creating a policy, the user is prompted to select one or more objects of the type that corresponds to the chosen role.

A policy is applied to an object as well as to all of its child objects. For example, if a policy is given to a cluster, then that policy also affects all services, components, and hosts of that cluster.
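The resolution rules described above (policy triad, group inheritance, propagation to child objects), modelled in a short added example. This is not ADCM code or its API; the object names, the user and group names, and the "Config Viewer" custom role are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: names below are illustrative, not ADCM identifiers.
PARENT = {                        # child object -> parent object
    "service:hdfs": "cluster:prod",
    "component:namenode": "service:hdfs",
    "host:node1": "cluster:prod",
}
ROLES = {                         # role -> set of permissions
    "Cluster Administrator": {"Edit cluster configurations",
                              "Edit service configurations", "Add service"},
    "Config Viewer": {"View service configurations"},  # hypothetical custom role
}
GROUPS = {"ops": {"alice"}}       # group -> members

@dataclass(frozen=True)
class Policy:
    """The triad: subjects (users and/or groups), a role, and target objects."""
    role: str
    objects: frozenset
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

def ancestors(obj):
    """Yield obj and every parent above it in the hierarchy."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)

def subject_matches(policy, user):
    """True if the user is named directly or belongs to a named group."""
    in_group = any(user in GROUPS.get(g, ()) for g in policy.groups)
    return user in policy.users or in_group

def effective_permissions(policies, user, obj):
    """Union of role permissions from every policy covering obj or a parent."""
    chain = set(ancestors(obj))
    perms = set()
    for p in policies:
        if subject_matches(p, user) and chain & p.objects:
            perms |= ROLES[p.role]
    return perms

POLICIES = [
    Policy("Cluster Administrator", frozenset({"cluster:prod"}),
           groups=frozenset({"ops"})),
    Policy("Config Viewer", frozenset({"service:hdfs"}),
           users=frozenset({"alice"})),
]
```

The group-granted role and the directly assigned role are merged, and a policy on a service reaches its components but never the cluster above it; a review of who can act on an object has to walk the same chain.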

Built-in roles

ADCM comes with a few built-in roles. Changing the permissions of built-in roles is prohibited.

Table 1. Built-in ADCM roles

| Role name | Description | Object type |
|---|---|---|
| ADCM User | View-only role that provides the ability to view information about all objects | None |
| Service Administrator | Role provides the ability to configure and control the life cycle of the relevant service | Service |
| Cluster Administrator | Role provides the ability to configure and control the relevant cluster, its hosts, and its services | Cluster |
| Provider Administrator | Role gives full control over the relevant provider | Provider |
| ADCM Administrator | Role gives full control over all aspects of ADCM | None |

Permissions and roles

In addition to the built-in roles, the ADCM administrator can create custom roles with permissions. Available permissions and their relations to the built-in roles are listed in the table below.

Table 2. Permissions and roles

| Permission name | Description | ADCM User | Service Admin | Provider Admin | Cluster Admin | ADCM Admin |
|---|---|---|---|---|---|---|
| View any object configurations | The ability to view any object configurations | Yes | No | No | No | Yes |
| View cluster configurations | The ability to view cluster configurations | No | No | No | Yes | No |
| View service configurations | The ability to view service configurations | No | Yes | No | Yes | No |
| View component configurations | The ability to view component configurations | No | Yes | No | Yes | No |
| View provider configurations | The ability to view provider configurations | No | No | Yes | No | No |
| View host configurations | The ability to view host configurations | No | Yes | Yes | Yes | No |
| Edit cluster configurations | The ability to edit cluster configurations | No | No | No | Yes | Yes |
| Edit service configurations | The ability to edit service configurations | No | Yes | No | Yes | Yes |
| Edit component configurations | The ability to edit component configurations | No | Yes | No | Yes | Yes |
| Edit provider configurations | The ability to edit provider configurations | No | No | Yes | No | Yes |
| Edit host configurations | The ability to edit host configurations | No | No | Yes | Yes | Yes |
| View any object imports | The ability to view the import page | Yes | No | No | No | Yes |
| View imports | The ability to view the import page | No | Yes | No | Yes | No |
| Manage Imports | The ability to manage imports | No | Yes | No | Yes | Yes |
| View any cluster host-components | The ability to view any cluster hosts and components mappings | Yes | No | No | No | Yes |
| View Host-Components | The ability to view hosts and components mapping | No | Yes | No | Yes | No |
| Manage Host-Components | The ability to change hosts and components mapping | No | No | No | Yes | Yes |
| Add service | The ability to add service to cluster | No | No | No | Yes | Yes |
| Remove hosts | The ability to remove host (in Hosts page) | No | No | Yes | Yes | Yes |
| Add hosts to the cluster | The ability to add hosts to the cluster | No | No | No | Yes | Yes |
| Remove hosts from the cluster | The ability to remove hosts from the cluster | No | No | No | Yes | Yes |
| Upgrade cluster bundle | The ability to upgrade the cluster bundle | No | No | No | Yes | Yes |
| Upgrade provider bundle | The ability to upgrade the provider bundle | No | No | Yes | No | Yes |
| Create hostprovider | The ability to create hostproviders | No | No | No | No | Yes |
| Create host | The ability to create hosts | No | No | Yes | Yes | Yes |
| Remove hostprovider | The ability to remove hostprovider | No | No | No | No | Yes |
| Create cluster | The ability to create clusters | No | No | No | No | Yes |
| Remove cluster | The ability to remove cluster | No | No | No | No | Yes |
| Upload bundle | The ability to upload bundles | No | No | Yes | Yes | Yes |
| Remove bundle | The ability to remove bundles | No | No | Yes | Yes | Yes |
| View ADCM settings | The ability to view settings | No | No | No | No | Yes |
| Edit ADCM settings | The ability to edit settings | No | No | No | No | Yes |
| View users | The ability to view users | No | No | No | No | Yes |
| Add new user | The ability to create users | No | No | No | No | Yes |
| Delete user | The ability to remove users | No | No | No | No | Yes |
| Update user | The ability to update users | No | No | No | No | Yes |
| View roles | The ability to view roles | No | No | No | No | Yes |
| Add new role | The ability to create roles | No | No | No | No | Yes |
| Delete role | The ability to remove roles (only for custom roles) | No | No | No | No | Yes |
| Update role | The ability to update roles (only for custom roles) | No | No | No | No | Yes |
| View groups | The ability to view groups | No | No | No | No | Yes |
| Add new group | The ability to create groups | No | No | No | No | Yes |
| Delete group | The ability to remove groups | No | No | No | No | Yes |
| Update group | The ability to update groups | No | No | No | No | Yes |
| View policies | The ability to view policies | No | No | No | No | Yes |
| Add new policy | The ability to create policies | No | No | No | No | Yes |
| Delete policy | The ability to remove policies | No | No | No | No | Yes |
| Update policy | The ability to update policies | No | No | No | No | Yes |
| Cluster Action: <Action name> | The ability to perform the <Action name> action | No | No | No | Yes | Yes |
| Host Action: <Action name> | The ability to perform the <Action name> action | No | No | Yes | Yes | Yes |
| Service Action: <Action name> | The ability to perform the <Action name> action | No | Yes | No | Yes | Yes |
| Component Action: <Action name> | The ability to perform the <Action name> action | No | Yes | No | Yes | Yes |
| Provider Action: <Action name> | The ability to perform the <Action name> action | No | No | Yes | No | Yes |

Creating a role

This functionality is available only to users with the appropriate permissions.

In order to create a new role:

  1. Log into the ADCM console.
  2. Navigate to the Roles tab. The Roles list opens.
  3. Click the Add new role button. The Add Role window opens.
  4. Fill in the fields. Role name is required.
  5. Add permissions. Use the buttons with product names as filters to select permissions.
  6. Click the Add button.

The new role is added.


Creating a policy

This functionality is available only to users with the appropriate permissions.

In order to create a new policy:

  1. Log into the ADCM console.
  2. Navigate to the Policies tab. The Policy list opens.
  3. Click the Add new policy button. The Add Policy window opens.
  4. Fill in the fields at Step 1. Policy name, Role, User, and Group are required.
  5. Specify the objects at Step 2.
  6. Click the Add button at Step 3.

The new policy is added.


Important

You cannot mix permissions related to objects of different hierarchies.

Cluster hierarchy objects:

  • Cluster
  • Service
  • Component
  • Host

Provider hierarchy objects:

  • Provider
  • Host
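A pre-check for custom role definitions against the hierarchy rule above, as an added example that is not part of ADCM. The hierarchy sets are taken from the lists on this page; the permission-to-object-type mapping is an assumption inferred from the permission names in Table 2, and `check_role` is a hypothetical helper.

```python
# Hierarchies exactly as listed above; Host appears in both.
HIERARCHIES = {
    "cluster": {"Cluster", "Service", "Component", "Host"},
    "provider": {"Provider", "Host"},
}

# Assumed mapping (not from ADCM): the object type each permission relates to,
# inferred from the permission names in Table 2.
PERMISSION_OBJECT = {
    "Edit cluster configurations": "Cluster",
    "Edit service configurations": "Service",
    "Edit component configurations": "Component",
    "Edit host configurations": "Host",
    "Edit provider configurations": "Provider",
}

def compatible_hierarchies(permissions):
    """Return the hierarchies that contain every object type the role touches."""
    types = {PERMISSION_OBJECT[p] for p in permissions}
    return sorted(h for h, members in HIERARCHIES.items() if types <= members)

def check_role(name, permissions):
    """Raise ValueError if the permission set spans both hierarchies."""
    unknown = sorted(set(permissions) - set(PERMISSION_OBJECT))
    if unknown:
        raise ValueError(f"{name}: unmapped permissions {unknown}")
    fits = compatible_hierarchies(permissions)
    if not fits:
        types = sorted({PERMISSION_OBJECT[p] for p in permissions})
        raise ValueError(f"{name}: mixes hierarchies via object types {types}")
    return fits
```

Host permissions alone fit either hierarchy, so a role containing only them stays valid until a Cluster-side or Provider-side permission pins it to one.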