The core components of an RBAC system are roles, scopes, and the relationships between them in the form of permissions. Use the topics in this article to define and manage these RBAC components in your CloudSoda environment.
Managing Roles
A role is a group of users or a function that a user performs, such as Accounting, HR or an External Collaborator. Users are assigned to roles that enable them to access storage, perform actions or manage system resources based on their associated scope.
System Admin/Account Admin Role
By default, CloudSoda contains one special role, System Admin, which can fully administer the CloudSoda account and manage all job policies because it is assigned to the Account scope. To ensure that resources always maintain full system access and management capabilities, the System Admin role cannot be modified or deleted.
If you want all CloudSoda users to have the same permissions and system access, then it is fine to use the default System Admin role. But if you want to leverage RBAC to its full capabilities and create differentiated roles, scopes, and relationships between them, then we require that you create a specific administrator role (such as IT Admin) and assign it to the users who will manage CloudSoda.
Create a Role
You can create as many unique roles as needed to support your organization. To create a role:
- Click Orchestration > Management in the left-hand navigation panel.
The Management page displays and defaults to the Scopes tab, listing the defined scopes.
- Click Roles > Create Role.
The Create Role dialog box displays.
- Enter the name of the role and click Save.
A new role is created. The Roles page updates to display the new role in the list. Existing roles are shown with the number of clients and users associated with them.
Assign a Member User or Client to a Role
Users are individuals who access the CloudSoda UI. Clients interact with CloudSoda programmatically via APIs. You can only assign existing users and clients to roles. To create a new user or client before assigning them to a role, see Adding Users and Configuring REST APIs. To add a user or client to a role:
- Click Orchestration > Management in the left-hand navigation panel.
The Management page displays and defaults to the Scopes tab, listing the defined scopes.
- Click Roles.
The Roles page lists the defined roles.
- Click the role to which the user or client will be assigned.
The selected role's page displays and defaults to the Scopes tab, listing the existing scopes.
- Assign a user to a role.
- Click Users > Add new user(+).
- Click the down arrow to display users (by email address) and select a user from the list.
- Click the checkmark to confirm the selection.
The Users tab updates to list the user as assigned to the role.
- Assign a client to a role.
- Click Clients > Add new client.
- Click the down arrow to display clients and select a client from the list.
- Click the checkmark to confirm the selection.
The Clients tab updates to list the client as assigned to the role.
IMPORTANT: When you create a user or client, you do not have to assign them to a role. However, unassigned users cannot view system resources, perform actions or run jobs on scoped storage. Unassigned clients cannot run API functions on the CloudSoda application. As a best practice, to enable your users and clients to fully interact with CloudSoda, we recommend that you assign them to an appropriate role when they are created. Additionally, clients must be assigned to a role associated with scoped storage where the API functions will occur.
Assign a Manager to a Role
Managers are individuals who can edit the attributes of a role (i.e. add or remove scope permissions, users, clients, or other managers). A manager can only assign existing users to roles; they cannot add users. To create a new user before assigning them to a role, see Adding Users. To add a manager to a role:
- Click Roles on the Administration screen.
The Roles screen displays a list of existing roles.
- Click the role to which the manager will be assigned.
The Role screen displays options for Scopes, Users, Clients, and Managers.
- Assign a user as a manager.
- Click Managers > Add new manager(+).
- Click the down arrow to display users (by email address) and select a user from the list.
- Click the checkmark to confirm the selection.
The Managers tab updates to list the user as assigned to the role.
IMPORTANT: The Manager function can be distinct from or combined with User functionality. If you want a user to be part of a role and be able to manage it, then they need to be added as both a "User" and a "Manager".
Managing Scopes
A scope contains a set of CloudSoda resources such as Accessors, Agents, and Storage. After creating a scope, you will assign specific roles to it and, for each role, define permissions/access controls, such as reading or writing to Storage, and/or managing Agents. The net effect of these relationships is that users in roles associated with the scope can perform specific actions on the resources associated with the scope.
In order to manage the scope, which consists of adding and removing permissions, the 'Manage Scope' control must be set with the desired role. When you create a new scope, you will be required to specify a role to manage it.
Default Scope
Additionally, CloudSoda contains a second special scope named Default, which is associated with all existing storage resources unless another scope has been defined for specific storage.
NOTE: When a new resource is created in CloudSoda, its scope must be defined as part of the creation process. For details, see Creating Agents, Creating Accessors, and Configuring Storage.
Create a Scope
You can create as many scopes as needed to support your organization. To create a scope:
- Click Scopes on the Administration screen.
The Scopes screen displays a list of existing scopes.
- Click Create Scope.
- Enter the name of the scope and click Save.
The new scope is created. The Scopes screen updates to display the new scope in the list. Existing scopes are shown with the number of roles and resources associated with them.
Add a Resource to a Scope
CloudSoda supports different types of resources (Accessors, Agents, and Storage), which can be added to a scope and accessed by authorized user roles.
IMPORTANT: When a user tries to add a resource to a scope, the transaction will only be successful if the user's role is 1) authorized to manage permissions on the scope and 2) granted permission to manage the target resource. For example, assume a user is a member of the "linux-fs" role which can manage a specific scope and is authorized to manage Agents and Storage, but only use (not manage) Accessors. If a linux-fs user tries to add an Agent or a storage resource to the scope, those operations will be successful. However, if the user tries to add an Accessor to the scope, that transaction will fail because of insufficient permissions.
- Click Scopes on the Administration screen.
The Scopes screen displays a list of existing scopes.
- Click the scope to which a new resource will be added.
The Scope screen displays options for Resources and Roles.
- To add a new resource:
- Click Add new resource.
- In the left box, click the down arrow to display resource types in CloudSoda (Accessor, Agent, and Storage) and select a resource from the list.
- In the right box, click the down arrow to display available resources that match the specified type and click a resource to select it.
- Click the checkmark to confirm the selection.
The Resources tab updates to list the added resource and its resource type.
Add a Role to a Scope
Adding one or more roles to a scope defines the user groups which are authorized to access the storage resources associated with the scope. Additionally, when you add a role, you define the permissions and actions that assigned users can perform, such as reading or writing files to storage or managing Agents.
- Click Scopes on the Administration screen.
The Scopes tab displays a list of existing scopes.
- Click the scope to which the role will be added.
The Scope tab displays options for Resources and Roles.
- To add a role to a scope:
- Click Roles > Add new relationship.
- In the left box, click the down arrow to display the existing roles and select a role from the list.
- In the right box, click the down arrow to display the available permissions and select an option.
- Click the checkmark to confirm the selection.
The Roles tab updates to list the added role and the permission defined for the role.
- To define additional permissions, repeat this procedure.
Alternatively, you can define the relationship between scopes and roles from the Roles tab. To add a scope to a role, click the Roles tab, select the role to which the scope will be added, select one of the available scopes and the permission granted to the role, and click the checkmark to confirm the selection.
IMPORTANT: Administer and/or Manage Policies permissions must be associated with the Account scope to enable these access controls to be granted to an assigned role. Administer and Manage Policies permissions will not be active if they are associated with any other scope. For example, assume the System Admin creates a scope named Editor Storage and adds several storage resources to it. Then the System Admin adds a new relationship to the scope by assigning an existing role, named Editors, to the Editor Storage scope and assigns the Manage Policies permission set to this role. Although the Editors role has Manage Policies permissions assigned, users in this role cannot actually manage job policies. This is because Manage Policies permissions are only effective when paired with the Account scope.
Managing Permissions
When creating a relationship between a role and a scope, the following permissions are available for CloudSoda resources:
| Resource Type | Permission Type | Description |
|---|---|---|
| Accessor | Manage Accessor | Add Accessors to scopes and manage existing Accessors. |
| Accessor | Use Accessor | Use Accessors to connect Agents to storage resources. |
| Agent | Manage Agent | Add Agents to scopes and manage existing Agents. |
| Agent | Use Agent | Use Agents to connect to storage resources. |
| Storage | Read Storage | Read files from the storage. The user can only perform copy or sync jobs on scoped storage. |
| Storage | Write Storage | Read and write files to the scoped storage. The user can perform copy, move, and sync jobs. The user cannot manage the storage resources. |
| Storage | Manage Storage | Enable/disable and add storage to scopes. The user cannot read or write to the scoped storage. |
| Account | Manage Accounts | Fully administer the CloudSoda account. For example, they can create users, roles, and scopes, see reports, configure settings, and view the activity log. NOTE: This permission only works when the user role has a relationship with the Account scope. |
| Account | Administer (deprecated) | Fully administer the CloudSoda account. For example, they can create users, roles, and scopes, see reports, configure settings, and view the activity log. NOTE: This permission only works when the user role has a relationship with the Account scope. |
| Account | Manage Jobs | Create, delete, and manage jobs for the storage resources they see. NOTE: This permission only works when the user role has a relationship with the Account scope. |
| Account | Manage Policies | Create, delete, and manage policies for the storage resources they see. NOTE: This permission only works when the user role has a relationship with the Account scope. |
| Scope | Manage Scope | Add or remove relationships from a scope. |
Managing Accounts
An account contains a collection of CloudSoda resources such as Scopes, Agents, Users, and Storage. Accounts allow for the segregation of resources. When an account is created, a new default scope for that account is automatically generated and placed within the newly created account.
User Access to CloudSoda Based on Multiple Assigned Roles
By default, a user does not belong to any role, which prevents them from performing any actions in the system. For a user to interact with CloudSoda resources, they need to be added to one or more roles. When a user is assigned to multiple roles, they will assume the permissions of the most expansive role. For example, users in the System Admin role can read and write files to storage and manage those resources, and oversee the entire system deployment. If you add a user who is in the System Admin role to another role that has more limited permissions—such as writing files to specific storage but not managing the resource—the user will still be able to perform all actions in CloudSoda based on the System Admin role, which has full permissions to manage resources (Accessors, Agents, and Storage), in addition to administering the CloudSoda deployment.
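The three evaluation rules this article states (a resource can only be added to a scope when the role both manages the scope and manages that resource type; Administer/Manage Policies style permissions are only effective in a relationship with the Account scope; a user with several roles acts with the most expansive one) can be checked against a small model. The following is an added example written for this article, not CloudSoda's own code: the role names, scope names, e-mail addresses and the union-of-roles interpretation of "most expansive" are assumptions.

```python
# Constructed model of the RBAC rules this article describes (added example, not
# CloudSoda's code). Role names, scope names and e-mail addresses are assumed.
ACCOUNT_SCOPE = "Account"
# Permissions that are only effective in a relationship with the Account scope.
ACCOUNT_ONLY = {"Manage Accounts", "Administer", "Manage Jobs", "Manage Policies"}

# role -> member users (alice holds two roles to exercise the multiple-role rule)
MEMBERS = {
    "System Admin": {"alice@example.com"},
    "linux-fs": {"bob@example.com"},
    "Editors": {"alice@example.com", "carol@example.com"},
}
# (role, scope) -> permissions granted by that relationship
RELATIONSHIPS = {
    ("System Admin", ACCOUNT_SCOPE): {"Manage Accounts", "Manage Jobs",
                                      "Manage Policies"},
    ("System Admin", "Default"): {"Manage Scope", "Manage Accessor",
                                  "Manage Agent", "Manage Storage"},
    # linux-fs manages its scope, Agents and Storage, but only uses Accessors
    ("linux-fs", "linux-scope"): {"Manage Scope", "Manage Agent",
                                  "Manage Storage", "Use Accessor"},
    # Manage Policies granted on a non-Account scope: present but never effective
    ("Editors", "Editor Storage"): {"Read Storage", "Manage Policies"},
}


def effective_permissions(user, scope):
    """Permissions the user holds on a scope across all of their roles.

    A user with several roles acts with the most expansive one, modelled here
    as the union over roles. Account-only permissions are dropped on any scope
    other than Account, so granting them elsewhere has no effect.
    """
    perms = set()
    for role, users in MEMBERS.items():
        if user in users:
            perms |= RELATIONSHIPS.get((role, scope), set())
    if scope != ACCOUNT_SCOPE:
        perms -= ACCOUNT_ONLY
    return perms


def can_add_resource(user, scope, resource_type):
    """Adding a resource to a scope needs Manage Scope on that scope plus the
    Manage permission for the resource type (Accessor, Agent or Storage)."""
    perms = effective_permissions(user, scope)
    return "Manage Scope" in perms and f"Manage {resource_type}" in perms


def can_manage_policies(user):
    """Manage Policies only counts when paired with the Account scope."""
    return "Manage Policies" in effective_permissions(user, ACCOUNT_SCOPE)
```

Under this model the linux-fs member can add an Agent or Storage to linux-scope but not an Accessor, and the Editors role's Manage Policies grant on Editor Storage never becomes effective, matching the two worked examples in the text.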
CloudSoda UI Layout Based on Assigned Role
When a user logs into CloudSoda, a UI layout displays options that reflect the highest permission level of their assigned roles. For example, a user assigned to the System Admin role will see every option in the left navigation pane of the CloudSoda interface for all available functions (Dashboard, Jobs, Policies, Storage, Agents, Activity, Reporting, Administration, Profile, and Logout) because the System Admin role can access everything within the CloudSoda application. A smaller subset of UI options is displayed for a user assigned to a role with more limited permissions.
RBAC Impact on Jobs
Scopes are not assigned to jobs in CloudSoda. User authority to manage jobs is inherited from role-based permissions defined in scopes. As an example, assume a user is assigned to an IT user role that can read files on storage but cannot write to them, per an associated scope that defines the storage resources and related read permissions of the IT User role. The user logs into CloudSoda and is able to view jobs on storage resources defined by the scope, but they cannot start a job because they do not have write permissions. Although it may be possible for this user to pause or cancel a running job, they will not be able to restart it or create a new job on viewable storage based on the limitations of the IT User role.