
Create or modify a role

Abiquo provides a set of default roles and you can clone and modify them to create new roles. See Default roles. See Privileges for a list of the privileges for each role.


Privileges: Access Roles and Scope screens, Manage roles, Manage global role

A user can only have one role, but a role can be associated with multiple OpenID, AD, or LDAP groups. 

By default the new role will have "Copy:" added to its name, for example, "Copy: CLOUD_ADMIN".

To create or modify a role:

  1. Go to Users → Roles

    • To clone a role, click the duplicate clone button. Select the cloned role and click the pencil edit button

    • To create a new role, click the + add button

  2. Complete the dialog.

    1. Enter the Name of the role. The names of global roles must be unique

      • To create a local role, select the Enterprise that the role will belong to

      • To create a global role, select Make this role global

    2. Optionally, to create a list of network addresses from which users with this role can access the platform, enter Allowed CIDRs.
      The CIDRs from a user’s role and scope apply to the user, but allowed CIDRs set directly for the user have the highest priority.

    3. Enter the corresponding External roles, e.g. LDAP group, for the user. This is required in external authentication modes (openid, ldap).
      A user's external roles must map to a single role (local or global). See LDAP and Active Directory Integration and Abiquo OpenID Connect Integration.
      You can also set external scopes.

      • Examples of external roles for LDAP:

        • ldap_group_01

        • ldap_group_02

      • Example for OpenID:

        • id=admins,ou=group,o=qa,ou=services,dc=openam,dc=forgerock,dc=org

After you create or clone a role, select the role name in the list and edit the privileges as required, then click Save.
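
The rule in step 3 that a user's external roles must map to a single role can be checked before users log in. The following Python sketch is an added example, not Abiquo code: the role-to-group data is constructed, EXAMPLE_READ_ONLY and the function names are hypothetical, and case-insensitive matching of group names is an assumption.

```python
from collections import defaultdict

# Constructed sample data: platform role -> external roles entered in the role dialog.
# EXAMPLE_READ_ONLY and every group-to-role pairing here are hypothetical.
ROLES = {
    "CLOUD_ADMIN": ["id=admins,ou=group,o=qa,ou=services,dc=openam,dc=forgerock,dc=org"],
    "Copy: CLOUD_ADMIN": ["ldap_group_01"],
    "EXAMPLE_READ_ONLY": ["ldap_group_02", "LDAP_Group_01"],
}


def normalize(name):
    # Assumption: names are compared case-insensitively, ignoring spaces around DN commas.
    return ",".join(part.strip() for part in name.lower().split(","))


def build_index(roles):
    """Map each normalized external role to the set of platform roles that list it."""
    index = defaultdict(set)
    for role, externals in roles.items():
        for ext in externals:
            index[normalize(ext)].add(role)
    return index


def shared_external_roles(roles):
    """External roles listed on more than one platform role (ambiguous by themselves)."""
    return {ext: sorted(r) for ext, r in build_index(roles).items() if len(r) > 1}


def resolve_role(roles, user_groups):
    """Return (role, problem); role is set only when the groups map to exactly one role."""
    index = build_index(roles)
    matched = set()
    for group in user_groups:
        matched |= index.get(normalize(group), set())
    if len(matched) == 1:
        return matched.pop(), None
    if not matched:
        return None, "no role mapped"
    return None, "ambiguous: " + ", ".join(sorted(matched))


if __name__ == "__main__":
    print(shared_external_roles(ROLES))
    print(resolve_role(ROLES, ["ldap_group_02", "unrelated_group"]))
```

Running the audit against the full set of role definitions after each role change shows which external groups would leave a user without a role or with more than one candidate role.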


Modify the privileges of a role

To modify the privileges of a user role:

Privilege: Manage privileges

  1. Go to Users → Roles

  2. For a local role, select the enterprise that the role belongs to

  3. From the Roles list select the role

  4. In the Privileges pane, select or deselect the privileges 

    • To add or remove groups of privileges, click the All privileges checkbox beside the group name

    • You cannot undo but you can discard the changes

  5. Save the changes by clicking Save

    • Warning: The platform will discard your changes if you perform an action outside of the Privileges pane, for example, clicking another role name

Note

Role troubleshooting and tips

Roles

  • The default CLOUD_ADMIN role has all privileges and is locked

  • You can only access roles with the same privileges or fewer privileges than your own role

  • You cannot modify your own role.

Privileges

  • You can only select or deselect privileges that are in your own role

  • Privileges are generally independent.
    For example, for a user with a role without the "Access Infrastructure view" privilege, the Infrastructure icon does not display in the UI. However, if this user's role has the privileges to "Manage datacenters" and "View datacenter details", the user will be able to access these functions through the API
