forked from ReneeRendon/docs-common
section_RBAC_2roles.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "–">
<!ENTITY mdash "—">
<!ENTITY hellip "…">
<!ENTITY plusmn "±">
<!-- Useful for describing APIs -->
<!ENTITY GET '<command xmlns="http://docbook.org/ns/docbook">GET</command>'>
<!ENTITY PUT '<command xmlns="http://docbook.org/ns/docbook">PUT</command>'>
<!ENTITY POST '<command xmlns="http://docbook.org/ns/docbook">POST</command>'>
<!ENTITY DELETE '<command xmlns="http://docbook.org/ns/docbook">DELETE</command>'>
<!ENTITY CHECK '<inlinemediaobject xmlns="http://docbook.org/ns/docbook">
<imageobject>
<imagedata fileref="figures/Check_mark_23x20_02.svg"
format="SVG" scale="60"/>
</imageobject>
</inlinemediaobject>'>
<!ENTITY ARROW '<inlinemediaobject xmlns="http://docbook.org/ns/docbook">
<imageobject>
<imagedata fileref="figures/Arrow_east.svg"
format="SVG" scale="60"/>
</imageobject>
</inlinemediaobject>'>
]>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="section_rbac_2">
<title>Role Based Access Control</title>
<para> Role Based Access Control (RBAC) restricts access to the capabilities of Rackspace Cloud services, including the
cloudproduct API, to authorized users only. RBAC enables Rackspace Cloud customers to specify which account users of
their Cloud account have access to which cloudproduct API service capabilities, based on roles defined by Rackspace
(see <xref linkend="RBAC_product_roles_table_2"/>). The permissions to perform certain operations in the cloudproduct
API – create, read, update, delete – are assigned to specific roles. The account owner assigns these roles,
either multiproduct (global) or product-specific (for example, cloudproduct), to account users. </para>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="section_assign_roles_2">
<title>Assigning Roles to Account Users</title>
<para> The account owner (identity:user-admin) can create account users on the account and then assign roles to those
users. The roles grant the account users specific permissions for accessing the capabilities of the cloudproduct
service. Each account has only one account owner, and that role is assigned by default to any Rackspace Cloud
account when the account is created. </para>
<para> See the
<link xlink:href="http://docs.rackspace.com/auth/api/v2.0/auth-client-devguide/content/index.html">
<citetitle>Cloud Identity Client Developer Guide API v2.0</citetitle></link>
for information about how to perform the following tasks: </para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="http://docs.rackspace.com/auth/api/v2.0/auth-client-devguide/content/POST_addUser_v2.0_users_User_Calls.html">
Create account users</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="http://docs.rackspace.com/auth/api/v2.0/auth-client-devguide/content/PUT_addUserRole__v2.0_users__userId__roles__roleid__Role_Calls.html">
Assign roles to account users</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="http://docs.rackspace.com/auth/api/v2.0/auth-client-devguide/content/DELETE_deleteUserRole__v2.0_users__userId__roles__roleid__Role_Calls.html">
Delete roles from account users</link>
</para>
</listitem>
</itemizedlist>
<note>
<para> The account owner (identity:user-admin) role cannot hold any additional roles because it already has full
access to all capabilities. </para>
</note>
</section>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="section_roles_for_products_2">
<title>Roles Available for cloudproduct</title>
<para> Two roles (observer and admin) can access the cloudproduct API specifically. The following table
describes these roles and their permissions. </para>
<table rules="all" width="100%" xml:id="RBAC_product_roles_table_2">
<caption> cloudproduct Product Roles and Permissions</caption>
<thead>
<tr>
<td colspan="1">Role name</td>
<td colspan="2">Role permissions</td>
</tr>
</thead>
<tbody>
<tr>
<td colspan="1">cloudproductabbrev:admin</td>
<td colspan="2">This role provides Create, Read, Update, and Delete permissions in cloudproduct, where
access is granted.</td>
</tr>
<tr>
<td colspan="1">cloudproductabbrev:observer</td>
<td colspan="2">This role provides Read permission in cloudproduct, where access is granted.</td>
</tr>
</tbody>
</table>
<para> Additionally, two multiproduct roles apply to all products. Users with multiproduct roles inherit access to
future products when those products become RBAC-enabled. The following table describes these roles and their
permissions. </para>
<table rules="all" width="100%" xml:id="RBAC_global_roles_table_2">
<caption> Multiproduct (Global) Roles and Permissions</caption>
<thead>
<tr>
<td colspan="1">Role Name</td>
<td colspan="2">Role Permissions</td>
</tr>
</thead>
<tbody>
<tr>
<td colspan="1">admin</td>
<td colspan="2">This role provides Create, Read, Update, and Delete permissions in all products, where
access is granted.</td>
</tr>
<tr>
<td colspan="1">observer</td>
<td colspan="2">This role provides Read permission in all products, where access is granted.</td>
</tr>
</tbody>
</table>
</section>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="RBAC_Role_Conflict_2">
<title>Resolving Conflicts between RBAC Multiproduct and Custom (Product-Specific) Roles</title>
<para> The account owner can set multiproduct roles and roles specifically for cloudproduct, and it is important to
understand how any potential conflicts among these roles are resolved. When two roles appear to conflict, the
role that provides the more extensive permissions takes precedence. Therefore, admin roles take precedence over
observer roles, because admin roles provide more permissions. </para>
<para> The following table shows two examples of how potential conflicts between user roles in the Control Panel are
resolved. </para>
<para>
<informaltable rules="all">
<thead>
<tr align="center">
<td>Permission Configuration</td>
<td>View of Permission in the Control Panel </td>
<td>Can the User Perform Product Admin Functions in the Control Panel?</td>
</tr>
</thead>
<tbody>
<tr>
<td>User is assigned the following roles: multiproduct <emphasis role="bold">observer</emphasis> and
cloudproduct <emphasis role="bold">admin</emphasis></td>
<td>Appears that the user has only the multiproduct <emphasis role="bold">observer</emphasis>
role</td>
<td>Yes, for cloudproduct only. The user has the <emphasis role="bold">observer</emphasis> role for
the rest of the products.</td>
</tr>
<tr>
<td>User is assigned the following roles: multiproduct <emphasis role="bold">admin</emphasis> and
cloudproduct <emphasis role="bold">observer</emphasis></td>
<td>Appears that the user has only the multiproduct <emphasis role="bold">admin</emphasis> role</td>
<td>Yes, for all of the products. The cloudproduct <emphasis role="bold">observer</emphasis> role is
ignored.</td>
</tr>
</tbody>
</informaltable>
</para>
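<para>The precedence rule described above, applied to the roles in <xref linkend="RBAC_product_roles_table_2"/> and <xref linkend="RBAC_global_roles_table_2"/>, as an added Python example that is not part of the original documentation or of any Rackspace tooling: it computes an account user's effective permissions for each product by taking the union of the multiproduct role's permissions and the product-specific role's permissions, so whichever role grants more always wins. The abbreviation-to-product map, the second product (<literal>otherproduct</literal>), and the function names are assumptions made for this example; the role names follow the placeholders used in the tables. The account owner (<literal>identity:user-admin</literal>) is handled as the earlier note states: full access to every product, and no additional roles.</para>

```python
# Added example (not part of the Rackspace docs): resolves a user's effective
# permissions per product from multiproduct (global) and product-specific
# roles, using the rule that the more extensive role takes precedence.
# Product names, the abbreviation map and the function names are constructed
# placeholders for this example.

# Permission sets granted by each role level, from the roles tables.
ROLE_PERMISSIONS = {
    "admin": frozenset({"create", "read", "update", "delete"}),
    "observer": frozenset({"read"}),
}

# The account owner role: full access, and it cannot hold other roles.
ACCOUNT_OWNER = "identity:user-admin"

# Maps a product-specific role prefix to the product it governs.
# "cloudproductabbrev" is the docs' placeholder; "otherabbrev"/"otherproduct"
# are constructed here to stand for any other RBAC-enabled product.
PRODUCT_ABBREVIATIONS = {
    "cloudproductabbrev": "cloudproduct",
    "otherabbrev": "otherproduct",
}
PRODUCTS = tuple(PRODUCT_ABBREVIATIONS.values())


def parse_role(role_name):
    """Split a role name into (product, level).

    'cloudproductabbrev:admin' is a product-specific role; a bare 'admin' or
    'observer' is a multiproduct role and is returned with product None.
    """
    if ":" in role_name:
        abbrev, level = role_name.split(":", 1)
        if abbrev not in PRODUCT_ABBREVIATIONS:
            raise ValueError(f"unknown product prefix in role: {role_name}")
        product = PRODUCT_ABBREVIATIONS[abbrev]
    else:
        product, level = None, role_name
    if level not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role level: {role_name}")
    return product, level


def effective_permissions(assigned_roles):
    """Return {product: frozenset of permissions} for one account user.

    A multiproduct role applies to every product; a product-specific role is
    unioned with it, so the role that grants more permissions takes
    precedence for that product and a weaker product role is effectively
    ignored. The account owner gets full access and may hold no other role.
    """
    roles = list(assigned_roles)
    if ACCOUNT_OWNER in roles:
        if len(roles) != 1:
            raise ValueError("the account owner role cannot hold additional roles")
        return {p: ROLE_PERMISSIONS["admin"] for p in PRODUCTS}

    global_perms = frozenset()
    product_perms = {p: frozenset() for p in PRODUCTS}
    for role in roles:
        product, level = parse_role(role)
        if product is None:
            global_perms = global_perms | ROLE_PERMISSIONS[level]
        else:
            product_perms[product] = product_perms[product] | ROLE_PERMISSIONS[level]
    return {p: product_perms[p] | global_perms for p in PRODUCTS}


def can_perform_admin_functions(assigned_roles, product):
    """True when the user's effective permissions on the product equal the
    full Create/Read/Update/Delete set of the admin role."""
    return effective_permissions(assigned_roles)[product] == ROLE_PERMISSIONS["admin"]


if __name__ == "__main__":
    # The two rows of the conflict table, in order.
    for roles in (["observer", "cloudproductabbrev:admin"],
                  ["admin", "cloudproductabbrev:observer"]):
        perms = effective_permissions(roles)
        print(roles, {p: sorted(v) for p, v in perms.items()})
```

<para>Running the module prints the resolved permissions for both table rows: the first user is an admin on cloudproduct only and an observer elsewhere, the second is an admin everywhere and the cloudproduct observer role has no effect. Because the resolution is a set union, a reviewer auditing a user's access should read the effective set rather than the list of assigned roles, which, as the table notes, can look more restrictive in the Control Panel than it actually is.</para>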
</section>
<section xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="RBAC_API_XREF_2">
<title>RBAC Permissions Cross-Reference to cloudproduct API Operations</title>
<para> API operations for cloudproduct may or may not be available to all roles. To learn which roles are
permitted to invoke which operations, see
<link xlink:href="http://www.rackspace.com/knowledge_center/article/permissions-matrix-for-role-based-access-control-rbac">
Permissions Matrix for Role-Based Access Control (RBAC)</link> in the Rackspace Knowledge Center.</para>
</section>
</section>