
Roles, Permissions and Policies

Authentication

To access the platform and manage rights, a user must be authenticated. Authentication ensures that a user is who he or she claims to be by presenting valid credentials. This is done through the login process. Our customers are logged in through Enterprise Customer Portal Authentication. Multi-factor authentication secures the system by preventing spoofing and the use of compromised credentials.

Authorization

Authorizations (or permissions) are granted to users according to the use they are intended to make of the platform. Some users will administer (administrators of services, or business users), others will use the final service (final users). For example, a project manager will be granted the rights to build and manage projects. Some special users administer the rights and permissions in order to grant rights to the others. These users are IAM administrators, or administrators of rights. They have the responsibility to manage accounts and permissions for all users. Only the IAM administrators have access to the Identity and Access Management menu. The IAM provides users (administrators of IAM, administrators of services, final users) with the permissions to access resources, through a mechanism of roles and policies described below.

Permissions

The possible actions linked with a permission are:

  • create / read / update / delete / list.

The permissions available are listed on the screen reached through the item "Permissions" on the left. A permission has a label, a type of permission, and a resource to which it applies. Permissions are built in and dedicated to a type of resource.

Roles

A role is a set of permissions, gathered together to simplify assigning these permissions to accounts or groups of accounts. Roles are accessible from the menu item "Roles Management". Some pre-existing roles (typed "Built in") are available. These roles are designed for the administration of the IAM resources (tenant, folder, project, resources). Tenant administrators are able to build custom roles to fit the needs of their projects. To create a new role, click on the "Create Role" button. A role has a name (Role label), a description, and a permission set. To choose the permissions, click on the "associated permission" field, then select the available permissions in the drop-down list. The selected permissions are added and displayed just below the field.
Example: a Folder Administrator is a role that has the responsibility to administer folders. The Folder Administrator has the following permissions:

  • delete_folder / read_folder / create_folder / create_project / list_project

Role Assignments

To be able to assign roles to users, we need to define role assignments. The role assignments list who can do what. For example, if the Folder Administrators list is empty, nobody can administer the created folders of the tenant. So we need to define the accounts, among the available accounts of the tenant, that are designated as folder administrators. This link can be made to groups of accounts, or directly to accounts. To assign roles to users, click on the Roles Assignment menu, then on the "Create Role Assignment" button. A role assignment has a label, a description, and a role (only a single role can be assigned per role assignment). For example, I can create the Folder Administrators of the sales department. After choosing the role, choose the users. This is done by filling the "Assigned to" table, using the + icon. This opens a modal window. In the upper part, it is possible to display the available accounts, check them and push them into the lower part for selection, using the down arrow icon. Then validate by clicking on "Attach Account". The table "Assigned to" is now filled. Finally, it is possible to attach policies to the role assignment just defined and save.

Policies

To be applicable, a role assignment must be linked to a policy. The policy selects the concrete item on which a role assignment is enforced. Thus, when creating a policy, one must select the tree item involved by the policy (from the domain down to the leaf resource) and select the role assignment.

  • Policies are applicable to one or more role assignments.
  • A policy is applicable to instances of resources (at any tree item level).
  • A policy is inherited by child levels unless another policy prevents it.
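The chain described in the Roles, Role Assignments and Policies sections (permission, role, role assignment, policy on a tree item, inheritance down the tree) can be checked end to end with a small model. The block below is an added example, not the platform's code: the account names, the tenant/folder/project tree, the "projA-readers" role and the `inherit` flag that stops propagation are assumptions, since the page only says inheritance stops when another policy prevents it.

```python
from dataclasses import dataclass

# Constructed model: permission -> role -> role assignment -> policy on a
# tree item. Accounts, tree shape, FOLDER_READER and `inherit` are assumed.
FOLDER_ADMIN = frozenset({"delete_folder", "read_folder", "create_folder",
                          "create_project", "list_project"})  # role from the page
FOLDER_READER = frozenset({"read_folder", "list_project"})     # assumed custom role

@dataclass(frozen=True)
class RoleAssignment:
    label: str
    role: frozenset        # a single role per role assignment
    accounts: frozenset    # accounts (or group members) it is assigned to

@dataclass(frozen=True)
class Policy:
    node: str              # tree item where the role assignment is enforced
    assignments: tuple     # one or more role assignment labels
    inherit: bool = True   # assumed: False stops policies above from applying

TREE = {"tenant": None, "sales": "tenant", "sales/projA": "sales",
        "hr": "tenant"}    # child -> parent, the tenant is the root
ASSIGNMENTS = {
    "sales-folder-admins": RoleAssignment("sales-folder-admins", FOLDER_ADMIN,
                                          frozenset({"alice", "bob"})),
    "projA-readers": RoleAssignment("projA-readers", FOLDER_READER,
                                    frozenset({"carol"})),
}
POLICIES = [
    Policy("sales", ("sales-folder-admins",)),                 # inherited by children
    Policy("sales/projA", ("projA-readers",), inherit=False),  # blocks the one above
]

def effective_assignments(node: str) -> set:
    """Collect role assignments from the node up to the root, stopping at the
    closest policy that blocks inheritance (assumed override semantics)."""
    found, cur = set(), node
    while cur is not None:
        here = [p for p in POLICIES if p.node == cur]
        for p in here:
            found.update(p.assignments)
        if any(not p.inherit for p in here):
            break
        cur = TREE[cur]
    return found

def is_allowed(account: str, permission: str, node: str) -> bool:
    """Deny by default: allow only if an effective role assignment names the
    account and its role carries the permission."""
    return any(account in ASSIGNMENTS[a].accounts and permission in ASSIGNMENTS[a].role
               for a in effective_assignments(node))
```

Note that a policy placed on "sales" grants nothing on the tenant root or on "hr", so an empty or mis-scoped policy is an access gap rather than an over-grant.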