ADCM role model
A role model is implemented in ADCM. Specific sets of permissions for operations with various ADCM objects can be grouped into roles. The roles are used to create policies to grant roles’s permissions to user groups.
Permission is a basic element of the role model. Role is a set of permissions. Permissions can not be assigned directly to the groups. Permissions can be only added to the roles.
Some permissions are necessary to work with any product via ADCM. Such permissions are always present in ADCM. Other permissions are necessary to work only with a particular product. Those permissions appear in ADCM when a bundle is uploaded.
The role is assigned to a user group via policy. Assignment of multiple roles is not supported. Each user inherits the roles of the group to which they belong.
|
NOTE
Only the ADCM administrator (= superuser) can assign roles to the users. In particular, only the superuser can grant a superuser role to another user. |
Policy is a triad that consists of the following elements:
-
User group.
-
Role.
-
Object, to which the role’s permissions are applied. Object can have one of the following types:
-
Cluster
-
Service
-
Host
-
Provider
-
While creating a policy, the user is prompted to select one or more objects of the type that corresponds to the chosen user role.
|
NOTE
A policy is applied to an object as well as to all of its child objects. For example, if a policy is given to a cluster, then that policy also affects all services, components, and hosts of that cluster. |
Built-in roles
ADCM comes with a few built-in roles. Changing the permissions of built-in roles is prohibited.
| Role name | Description | Object type |
|---|---|---|
ADCM User |
View-only role that provides ability to view all objects information |
None |
ADCM Auditor |
View-only role that provides ability to view audit results |
None |
Service Administrator |
Role provides ability to configure and control the life cycle of the relevant service |
Service |
Cluster Administrator |
Role provides ability to configure and control the relevant cluster, its hosts, and its services |
Cluster |
Provider Administrator |
Role gives full control over the relevant hostprovider and its hosts |
Provider |
ADCM Administrator |
Role gives full control over all aspects of ADCM |
None |
Permissions and roles
In addition to the built-in roles, ADCM administrator can create custom roles with permissions. Available permissions and their relations to the built-in roles are listed in the table below.
| Permission name | Description | ADCM User | Service Administrator | Provider Administrator | Cluster Administrator | ADCM Administrator | ADCM Auditor |
|---|---|---|---|---|---|---|---|
View any object configurations |
Ability to view any object configurations |
+ |
+ |
||||
View cluster configurations |
The ability to view cluster configurations |
+ |
+ |
||||
View service configurations |
Ability to view service configurations |
+ |
+ |
+ |
|||
View component configurations |
Ability to view component configurations |
+ |
+ |
+ |
|||
View provider configurations |
Ability to view hostprovider configurations |
+ |
+ |
||||
View host configurations |
Ability to view host configurations |
+ |
+ |
+ |
+ |
||
Edit cluster configurations |
Ability to edit cluster configurations |
+ |
+ |
||||
Edit service configurations |
Ability to edit service configurations |
+ |
+ |
+ |
|||
Edit component configurations |
Ability to edit component configurations |
+ |
+ |
+ |
|||
Edit provider configurations |
Ability to edit hostprovider configurations |
+ |
+ |
||||
Edit host configurations |
Ability to edit host configurations |
+ |
+ |
+ |
|||
View any object imports |
Ability to view imports of all objects |
+ |
+ |
||||
View imports |
Ability to view imports of a chosen object |
+ |
+ |
+ |
|||
Manage Imports |
Ability to manage imports |
+ |
+ |
+ |
|||
View any cluster host-components |
Ability to view any cluster hosts and components mappings |
+ |
+ |
||||
View Host-Components |
Ability to view hosts and components mapping |
+ |
+ |
+ |
|||
Manage Host-Components |
Ability to change hosts and components mapping |
+ |
+ |
||||
Add service |
The ability to add services to cluster |
+ |
+ |
||||
Remove hosts |
Ability to remove hosts (in the Hosts section) |
+ |
+ |
||||
Add hosts to the cluster |
Ability to add hosts to the cluster |
+ |
+ |
||||
Remove hosts from the cluster |
Ability to remove hosts from the cluster |
+ |
+ |
||||
Upgrade cluster bundle |
Ability to upgrade the cluster bundle |
+ |
+ |
||||
Upgrade provider bundle |
Ability to upgrade the hostprovider bundle |
+ |
+ |
||||
Create hostprovider |
Ability to create hostproviders |
+ |
|||||
Create host |
Ability to create hosts |
+ |
+ |
+ |
|||
Remove hostprovider |
Ability to remove hostproviders |
+ |
|||||
Create cluster |
Ability to create clusters |
+ |
|||||
Remove cluster |
Ability to remove clusters |
+ |
|||||
Upload bundle |
Ability to upload bundles |
+ |
+ |
+ |
|||
Remove bundle |
The ability to remove bundles |
+ |
+ |
+ |
|||
View audit operations |
Ability to view results of operation audit |
+ |
+ |
+ |
+ |
+ |
+ |
View audit logins |
Ability to view results of login audit |
+ |
+ |
+ |
+ |
+ |
+ |
View ADCM settings |
Ability to view settings |
+ |
|||||
Edit ADCM settings |
Ability to edit settings |
+ |
|||||
View users |
Ability to view users |
+ |
+ |
||||
Add new user |
Ability to create users |
+ |
|||||
Delete user |
Ability to remove users |
+ |
|||||
Update user |
Ability to update users |
+ |
|||||
View roles |
Ability to view roles |
+ |
+ |
||||
Add new role |
Ability to create roles |
+ |
|||||
Delete role |
Ability to remove roles (only for custom roles) |
+ |
|||||
Update role |
Ability to update roles (only for custom roles) |
+ |
|||||
View groups |
Ability to view groups |
+ |
+ |
||||
Add new group |
Ability to create groups |
+ |
|||||
Delete group |
Ability to remove groups |
+ |
|||||
Update group |
Ability to update groups |
+ |
|||||
View policies |
Ability to view policies |
+ |
|||||
Add new policy |
Ability to create policies |
+ |
|||||
Delete policy |
Ability to remove policies |
+ |
|||||
Update policy |
Ability to update policies |
+ |
|||||
Cluster Action: <Action name> |
Ability to perform the <Action name> action |
+ |
+ |
||||
Host Action: <Action name> |
Ability to perform the <Action name> action |
+ |
+ |
+ |
|||
Service Action: <Action name> |
Ability to perform the <Action name> action |
+ |
+ |
+ |
|||
Component Action: <Action name> |
Ability to perform the <Action name> action |
+ |
+ |
+ |
|||
Provider Action: <Action name> |
Ability to perform the <Action name> action |
+ |
+ |