Roles

A role is a set of permissions. The role a user has when joining a project determines the permissions the user has in the project.

The system built-in roles are described as follows.

| Role | Permissions | Sharing | Permission scope | Permission description |
|---|---|---|---|---|
| admin | sysadmin | Global share | System | Full system backend privileges, but only when the user joins the default domain's system project as admin |
| domainadmin | domainadmin | Global share | Domain | All administrative backend permissions within the domain |
| project_owner | projectadmin | Global share | Project | All permissions within the project scope |
| project_editor | project_editor | Global share | Project | Edit access to any resource within the scope of the project |
| member | projectviewer, projectdashboard | Global share | Project | Read-only access to any resource within the scope of the project |
| fa | sysmeteradmin, sysdashboard | Global share | System | All permissions for billing and metering within the system |

Entry: In the cloud management platform, click the navigation menu in the top-left corner, then click the “IAM & Security/IAM/Roles” menu item in the left menu bar that pops up to enter the Roles page.

Create role

This function is used to create a role. When the system built-in roles do not meet your needs, you can create a custom role.

  1. In the Roles page, click the “Create” button at the top of the list to bring up the Create Role dialog box.
  2. Enter the name and the domain to which the role belongs, then click the “Next” button to enter the Associated Permissions dialog box.
  3. Configure the following parameters.
    • Permissions: Select the permissions to associate with the role in the pop-up Please Select Permissions dialog box; multiple selections are supported.
    • IP whitelist: Set the IP addresses and address segments of the whitelist. Only users who log in from an address in the IP whitelist get the corresponding roles and permissions; if the whitelist is empty, access from all IPs is allowed. The format is 192.168.1.1 or 192.168.1.0/24, and multiple entries are separated by an English (half-width) semicolon “;”.
    • Project: Set the project in which the permission takes effect. If no project is specified, the permission takes effect globally; if a project is specified, the permission takes effect only in that project and is invalid in other projects.
  4. Click the “OK” button to complete the operation.

Manage Permissions

This function is used to manage the permissions associated with the role.

Add Permissions

This function is used to add permissions to a role.

  1. On the Role page, click the “Manage Permissions” button on the right column of the role to enter the Details - Permissions page.
  2. Click the “Add Permissions” button at the top of the list to bring up the Add Permissions dialog box.
  3. Configure the following parameters.
    • Permissions: Select the permissions to associate with the role in the pop-up Please Select Permissions dialog box; multiple selections are supported.
    • IP whitelist: Set the IP addresses and address segments of the whitelist. Only users who log in from an address in the IP whitelist get the corresponding roles and permissions; if the whitelist is empty, access from all IPs is allowed. The format is 192.168.1.1 or 192.168.1.0/24, and multiple entries are separated by an English (half-width) semicolon “;”.
    • Project: Set the project in which the permission takes effect. If no project is specified, the permission takes effect globally; if a project is specified, the permission takes effect only in that project and is invalid in other projects.
  4. Click the “OK” button to finish the operation.
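
The IP whitelist and Project parameters from the Create role and Add Permissions steps, modelled as an added Python example (not the platform's own code): it parses the “;”-separated whitelist, decides whether a permission binding applies to a login, and flags values worth reviewing before they are entered. The dict layout, function names and the sample project name are assumptions of this example.

```python
import ipaddress

FULLWIDTH_SEMI = "\uff1b"  # full-width semicolon, easily typed instead of ";"

def parse_whitelist(raw):
    """Split the ';'-separated field into networks; [] means no restriction."""
    entries = [e.strip() for e in raw.split(";") if e.strip()]
    # strict=False accepts 192.168.1.1 (as a /32) and 192.168.1.0/24 alike
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def binding_applies(binding, login_ip, project):
    """True if the permission is effective for this login IP and project."""
    nets = parse_whitelist(binding["ip_whitelist"])
    ip = ipaddress.ip_address(login_ip)
    ip_ok = not nets or any(ip in n for n in nets)  # empty: all IPs allowed
    scoped = binding["project"]                     # None: effective globally
    return ip_ok and (scoped is None or scoped == project)

def audit(binding):
    """Findings to review before the values are entered in the dialog."""
    raw, findings = binding["ip_whitelist"], []
    if FULLWIDTH_SEMI in raw:
        findings.append("full-width semicolon used as separator")
    try:
        nets = parse_whitelist(raw.replace(FULLWIDTH_SEMI, ";"))
    except ValueError as exc:
        return findings + [f"invalid entry: {exc}"]
    if not nets:
        findings.append("empty whitelist: every source IP is allowed")
    if any(n.prefixlen == 0 for n in nets):
        findings.append("/0 entry: matches every address of that IP version")
    if binding["project"] is None:
        findings.append("no project set: permission takes effect globally")
    return findings

# Constructed sample bindings; permission names are taken from the table above
OPS = {"permission": "project_editor", "project": "ops",
       "ip_whitelist": "192.168.1.1;192.168.1.0/24"}
OPEN = {"permission": "projectviewer", "project": None, "ip_whitelist": ""}
TYPO = {"permission": "projectviewer", "project": "ops",
        "ip_whitelist": "192.168.1.1\uff1b10.0.0.0/8"}

if __name__ == "__main__":
    for b in (OPS, OPEN, TYPO):
        print(b["permission"], audit(b))
    print(binding_applies(OPS, "192.168.1.77", "ops"))
```
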

Remove Permissions

This function is used to remove permissions for a role.

Individual Removal

  1. On the Role page, click the “Manage Permissions” button on the right column of the role to enter the Details - Permissions page.
  2. Click the “Remove” button in the action column to the right of the permission to bring up the action confirmation dialog.
  3. Click “OK” button to complete the operation.

Batch Remove

  1. On the Role page, click the “Manage Permissions” button in the action column to the right of the role to enter the Details - Permissions page.
  2. Select one or more permissions in the list, and click the “Remove” button at the top of the list to bring up the action confirmation dialog.
  3. Click the “OK” button to complete the operation.

Set up sharing

This function is used to set the sharing status of the role.

There are three types of sharing ranges for domain resources.

  • No sharing (private): Domain resources are available only to users in this domain.
  • Domain sharing-part (Multiple Domains sharing): Domain resources can be shared to one or more specified domains; only users in the domain where the domain resources are located and in the shared domains can use them.
  • Domain Share-All (Global share): Domain resources are shared to all domains, so all users in the system can use them.

Set sharing

  1. On the role page, click the “More” button on the right action bar of the role in “Private” status, and select the “Set up sharing” menu item to bring up the Set up sharing dialog box.
  2. Configure the following parameters.
    • When the sharing range is set to “No Sharing”, the sharing range of the domain resources is private and only users of this domain can use them.
    • When the sharing range is set to “Domain Shared”, you need to select the domains to share with.
      • When one or more domains are selected, the sharing scope of the domain resource is Domain Shared-Partial, and only users in the domain where the domain resource is located and in the shared domains can use the domain resource.
      • When All is selected for the domain, the sharing scope of the domain resource is Domain Share-All, and all users in the system can use the domain resource.
  3. Click the “OK” button to complete the operation.

Batch set up sharing

  1. Select one or more roles in the role list and click the “Set up sharing” button at the top of the list to bring up the Set up sharing dialog box.
  2. Configure the following parameters.
    • When the sharing scope is set to “No Sharing”, the sharing scope of the domain resources is private and only users of this domain can use them.
    • When the sharing scope is set to “Domain Shared”, you need to select the domains to share with.
      • When one or more domains are selected, the sharing scope of the domain resource is Domain Shared-Partial, and only users in the domain where the domain resource is located and in the shared domains can use the domain resource.
      • When All is selected for the domain, the sharing scope of the domain resource is Domain Share-All, and all users in the system can use the domain resource.
  3. Click the “OK” button to complete the operation.

Delete Role

This function is used to delete roles, and supports single and batch deletion of roles. Roles can be deleted only when they are private and unused.

Delete

  1. On the role page, click the “More” button in the action bar to the right of the role, and select the “Delete” menu item to bring up the action confirmation dialog.
  2. Click the “OK” button to complete the operation.

Batch Delete

  1. Select one or more roles in the role list, and click the “Delete” button at the top of the list to bring up the operation confirmation dialog box.
  2. Click the “OK” button to complete the operation.

View Role Details

This function is used to view the details of a role.

  1. On the role page, click the role name item to enter the role details page.
  2. View the role Cloud ID, ID, name, status, domain, items, permissions, number of matching users, shared scope, created at, updated at, and description.

View operation log

This function is used to view the log information of the role-related operations.

  1. On the role details page, click the Operation Log tab to enter the Operation Log page.
    • Load More Logs: In the Operation Logs page, the list shows 20 operation logs by default. To view more operation logs, click the “Load More” button to get more log information.
    • View Log Details: Click the “View” button on the right column of the operation log to view the log details. Copying the details is supported.
    • View logs of specified time period: If you want to view the operation logs of a certain time period, set the specific date in the start date and end date at the top right of the list to query the log information of the specified time period.
    • Export logs: Currently, only the logs displayed on this page can be exported. Click the icon in the upper-right corner, set the export data columns in the pop-up export data dialog, and click the “OK” button to export the logs.