CloudSoda’s RBAC support lets you apply role-based access control to your storage system. But if you haven’t worked with RBAC before, it can be hard to know how to administer it correctly. This guide recommends a set of standard user roles to add to your storage environment and explains how to use RBAC to manage resource access and assign permissions to those roles.
Defining Standard User Roles
CloudSoda provides a default System Admin role with full control over resource management and user access. However, you should not rely on that single role as the only control point for administering RBAC. We strongly recommend that you define the following “starter pack” of standard user roles and assign your users to them: IT Admin, Storage Admin, Storage User, and Viewer.
These standard roles will cover a broad range of use cases and can simplify RBAC administration in your CloudSoda environment. Of course, you can add custom user roles as needed to support the specific requirements of your environment.
IT Admin
The IT Admin has full permissions to manage every user and resource in the storage system. When properly configured, this role’s capabilities are identical to those of the default System Admin role provided in CloudSoda.
To give the IT Admin full system access, pair it with the Account and Default scopes and all of their associated permissions. The role must also be paired with every custom scope you create in CloudSoda, with the full set of permissions for that scope; the table below shows this for an example custom scope named Remote Group.
Scope | Permissions |
---|---|
Account | Administer, Manage Policies |
Default | Write Storage, Manage Storage, Manage Agent, Manage Accessor, Use Accessor, Use Agent |
Remote Group | Use Accessor, Use Agent, Write Storage, Manage Scope, Manage Accessor, Manage Storage, Manage Agent |
When the IT Admin role is fully configured, it should be attached to the following scopes (Remote Group is an example):
Storage Admin
The Storage Admin is a group-level role with full control over the resources in its group: adding and removing storage or other resources, and managing policies, Agents, and Accessors. It cannot administer anything outside its group, nor add, remove, or manage users.
To define the Storage Admin role, pair it with the Account scope and the custom scope that defines its group of resources, and assign the permissions shown in the table below (where Remote Group is the custom scope).
Scope | Permissions |
---|---|
Account | Manage Policies |
Remote Group | Write Storage, Use Agent, Use Accessor, Manage Storage, Manage Agent, Manage Accessor |
When the Storage Admin role is fully configured, it should be attached to the following scopes (Remote Group is an example):
Storage User
The Storage User can write to storage and run jobs on it, manage policies, and use Agents and Accessors. To define the Storage User role, pair it with the Account scope and the custom scope that defines its group of resources, and assign the permissions shown in the table below (where Remote Group is the custom scope).
Scope | Permissions |
---|---|
Account | Manage Policies |
Remote Group | Write Storage, Use Agent, Use Accessor |
When the Storage User role is fully configured, it should be attached to the following scopes (Remote Group is an example):
Viewer
The Viewer can read (see) storage, including the jobs running on it, but cannot administer or manage storage. To define the Viewer role, pair it with the Default scope and the custom scope that defines its group of resources, and assign the permissions shown in the table below (where Remote Group is the custom scope).
Scope | Permissions |
---|---|
Default | Read Storage |
Remote Group | Read Storage |
When the Viewer role is fully configured, it should be attached to the following scopes (Remote Group is an example):
Roles List
After you’ve added the standard user roles, they appear in the Roles list alongside the default System Admin profile:
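Once the roles exist, it is worth checking periodically that they still match the templates above and that the IT Admin is attached to every custom scope. The following audit is an added example, not CloudSoda code or its API; it assumes role definitions exported into a simple {role: {scope: set(permissions)}} shape, with "*" in a template standing for every custom scope.

```python
# Added example (not CloudSoda's code or API): audit exported role definitions
# against the standard role templates on this page. The input shape
# {role: {scope: set(permissions)}} is an assumption, not CloudSoda's export format.
BUILTIN_SCOPES = {"Account", "Default"}
MANAGE = {"Manage Storage", "Manage Agent", "Manage Accessor"}
USE = {"Write Storage", "Use Agent", "Use Accessor"}
# "*" stands for every custom scope (Remote Group is the page's example).
STANDARD_ROLES = {
    "IT Admin": {"Account": {"Administer", "Manage Policies"},
                 "Default": USE | MANAGE, "*": USE | MANAGE | {"Manage Scope"}},
    "Storage Admin": {"Account": {"Manage Policies"}, "*": USE | MANAGE},
    "Storage User": {"Account": {"Manage Policies"}, "*": set(USE)},
    "Viewer": {"Default": {"Read Storage"}, "*": {"Read Storage"}},
}

def audit_roles(configured, custom_scopes):
    """Return findings: permissions beyond a role's template, and custom
    scopes the IT Admin role is not attached to (the page requires all)."""
    findings = []
    for role, scopes in configured.items():
        template = STANDARD_ROLES.get(role)
        if template is None:
            continue  # custom role: no standard template to compare against
        for scope, perms in scopes.items():
            # Built-in scopes must be listed explicitly; anything else is custom.
            key = scope if scope in BUILTIN_SCOPES else "*"
            for perm in sorted(perms - template.get(key, set())):
                findings.append(f"{role}: '{perm}' on {scope} exceeds the template")
    for scope in sorted(set(custom_scopes) - set(configured.get("IT Admin", {}))):
        findings.append(f"IT Admin: not attached to custom scope {scope}")
    return findings

# Constructed sample: a Storage User that drifted to Manage Storage, and a
# custom scope (Archive Group) that IT Admin was never attached to.
SAMPLE_CONFIG = {
    "IT Admin": {"Account": {"Administer", "Manage Policies"},
                 "Default": USE | MANAGE, "Remote Group": USE | MANAGE | {"Manage Scope"}},
    "Storage User": {"Account": {"Manage Policies"},
                     "Remote Group": USE | {"Manage Storage"}},
    "Viewer": {"Default": {"Read Storage"}, "Archive Group": {"Read Storage"}},
}

if __name__ == "__main__":
    for line in audit_roles(SAMPLE_CONFIG, ["Remote Group", "Archive Group"]):
        print(line)
```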