ADCM role model
A role model is implemented in ADCM. Specific sets of permissions for operations with various ADCM objects can be grouped into roles. The roles are used to create policies to grant roles’s permissions to users or user groups.
Permission is a basic element of the role model. Role is a set of permissions. Permissions can not be assigned directly to the users or groups. Permissions can be only added to the roles.
Some permissions are necessary to work with any product via ADCM. Such permissions are always present in ADCM. Other permissions are necessary to work only with a particular product. Those permissions appear in ADCM when a bundle is uploaded.
The role is assigned to a user or to a user group via policy. Assignment of multiple roles is not supported. Each user inherits the roles of the group to which they belong. Inheritance occurs even if the user is assigned a separate role.
|
NOTE
Only the ADCM administrator (= superuser) can assign roles to the users. In particular, only the superuser can grant a superuser role to another user. |
Policy is a triad that consists of the following elements:
-
User or user group.
-
Role.
-
Object, to which the role’s permissions are applied. Object can have one of the following types:
-
Cluster
-
Service
-
Host
-
Provider
-
While creating a policy, the user is prompted to select one or more objects of the type that corresponds to the chosen user role.
|
NOTE
A policy is applied to an object as well as to all of its child objects. For example, if a policy is given to a cluster, then that policy also affects all services, components, and hosts of that cluster. |
Built-in roles
ADCM comes with a few built-in roles. Changing the permissions of built-in roles is prohibited.
| Role name | Description | Object type |
|---|---|---|
ADCM User |
View-only role that provides ability to view all objects information |
None |
Service Administrator |
Role provides ability to configure and control the life cycle of the relevant service |
Service |
Cluster Administrator |
Role provides ability to configure and control the relevant cluster, its hosts, and its services |
Cluster |
Provider Administrator |
Role gives full control over the relevant hostprovider and its hosts |
Provider |
ADCM Administrator |
Role gives full control over all aspects of ADCM |
None |
Permissions and roles
In addition to the built-in roles, ADCM administrator can create custom roles with permissions. Available permissions and their relations to the built-in roles are listed in the table below.
| Permission name | Description | ADCM User | Service Administrator | Provider Administrator | Cluster Administrator | ADCM Administrator |
|---|---|---|---|---|---|---|
View any object configurations |
The ability to view any object configurations |
Yes |
No |
No |
No |
Yes |
View cluster configurations |
The ability to view cluster configurations |
No |
No |
No |
Yes |
No |
View service configurations |
The ability to view service configurations |
No |
Yes |
No |
Yes |
No |
View component configurations |
The ability to view component configurations |
No |
Yes |
No |
Yes |
No |
View provider configurations |
The ability to view hostprovider configurations |
No |
No |
Yes |
No |
No |
View host configurations |
The ability to view host configurations |
No |
Yes |
Yes |
Yes |
No |
Edit cluster configurations |
The ability to edit cluster configurations |
No |
No |
No |
Yes |
Yes |
Edit service configurations |
The ability to edit service configurations |
No |
Yes |
No |
Yes |
Yes |
Edit component configurations |
The ability to edit component configurations |
No |
Yes |
No |
Yes |
Yes |
Edit provider configurations |
The ability to edit hostprovider configurations |
No |
No |
Yes |
No |
Yes |
Edit host configurations |
The ability to edit host configurations |
No |
No |
Yes |
Yes |
Yes |
View any object imports |
The ability to view imports of all objects |
Yes |
No |
No |
No |
Yes |
View imports |
The ability to view imports of a chosen object |
No |
Yes |
No |
Yes |
No |
Manage Imports |
The ability to manage imports |
No |
Yes |
No |
Yes |
Yes |
View any cluster host-components |
The ability to view any cluster hosts and components mappings |
Yes |
No |
No |
No |
Yes |
View Host-Components |
The ability to view hosts and components mapping |
No |
Yes |
No |
Yes |
No |
Manage Host-Components |
The ability to change hosts and components mapping |
No |
No |
No |
Yes |
Yes |
Add service |
The ability to add services to cluster |
No |
No |
No |
Yes |
Yes |
Remove hosts |
The ability to remove hosts (in Hosts page) |
No |
No |
Yes |
Yes |
Yes |
Add hosts to the cluster |
The ability to add hosts to the cluster |
No |
No |
No |
Yes |
Yes |
Remove hosts from the cluster |
The ability to remove hosts from the cluster |
No |
No |
No |
Yes |
Yes |
Upgrade cluster bundle |
The ability to upgrade the cluster bundle |
No |
No |
No |
Yes |
Yes |
Upgrade provider bundle |
The ability to upgrade the hostprovider bundle |
No |
No |
Yes |
No |
Yes |
Create hostprovider |
The ability to create hostproviders |
No |
No |
No |
No |
Yes |
Create host |
The ability to create hosts |
No |
No |
Yes |
Yes |
Yes |
Remove hostprovider |
The ability to remove hostproviders |
No |
No |
No |
No |
Yes |
Create cluster |
The ability to create clusters |
No |
No |
No |
No |
Yes |
Remove cluster |
The ability to remove clusters |
No |
No |
No |
No |
Yes |
Upload bundle |
The ability to upload bundles |
No |
No |
Yes |
Yes |
Yes |
Remove bundle |
The ability to remove bundles |
No |
No |
Yes |
Yes |
Yes |
View ADCM settings |
The ability to view settings |
No |
No |
No |
No |
Yes |
Edit ADCM settings |
The ability to edit settings |
No |
No |
No |
No |
Yes |
View users |
The ability to view users |
No |
No |
No |
No |
Yes |
Add new user |
The ability to create users |
No |
No |
No |
No |
Yes |
Delete user |
The ability to remove users |
No |
No |
No |
No |
Yes |
Update user |
The ability to update users |
No |
No |
No |
No |
Yes |
View roles |
The ability to view roles |
No |
No |
No |
No |
Yes |
Add new role |
The ability to create roles |
No |
No |
No |
No |
Yes |
Delete role |
The ability to remove roles (only for custom roles) |
No |
No |
No |
No |
Yes |
Update role |
The ability to update roles (only for custom roles) |
No |
No |
No |
No |
Yes |
View groups |
The ability to view groups |
No |
No |
No |
No |
Yes |
Add new group |
The ability to create groups |
No |
No |
No |
No |
Yes |
Delete group |
The ability to remove groups |
No |
No |
No |
No |
Yes |
Update group |
The ability to update groups |
No |
No |
No |
No |
Yes |
View policies |
The ability to view policies |
No |
No |
No |
No |
Yes |
Add new policy |
The ability to create policies |
No |
No |
No |
No |
Yes |
Delete policy |
The ability to remove policies |
No |
No |
No |
No |
Yes |
Update policy |
The ability to update policies |
No |
No |
No |
No |
Yes |
Cluster Action: <Action name> |
The ability to perform the <Action name> action |
No |
No |
No |
Yes |
Yes |
Host Action: <Action name> |
The ability to perform the <Action name> action |
No |
No |
Yes |
Yes |
Yes |
Service Action: <Action name> |
The ability to perform the <Action name> action |
No |
Yes |
No |
Yes |
Yes |
Component Action: <Action name> |
The ability to perform the <Action name> action |
No |
Yes |
No |
Yes |
Yes |
Provider Action: <Action name> |
The ability to perform the <Action name> action |
No |
No |
Yes |
No |
Yes |