To let a cloud service model its own user privilege model in CPBM, the cloud
service can introduce security roles that the connector uses to determine the
level of privilege to accord to users represented in that cloud service. These
roles are then added to appropriate profiles defined in CPBM, and those
profiles are granted to individual users in CPBM. In CPBM, roles are scoped by
the level of visibility they have in the system. The scopes defined in CPBM,
from widest to narrowest visibility, are:
- GLOBAL_ADMIN: Represents the super user scope. There are exactly two users in
the system with profiles of this scope: ‘root’ and ‘portal’. ‘portal’
represents the CloudPortal Business Manager portal itself, and any operations
performed by the system are done as the ‘portal’ user.
- GLOBAL: Has global visibility across multiple tenants. These roles require
that the user be a service operator user (i.e., a member of the SERVICE
tenant); the security system tests this before granting the user access.
- TENANT_ADMIN: Tenant-scoped role that represents a tenant administrator. This
user, as a rule, has visibility across all users in the tenant.
- TENANT: Tenant-scoped roles are granted to users who have visibility across
all users in a tenant. Roles in this scope are used to manage resources within
a given tenant.
- USER: User-scoped roles are granted to users who should see only what they
themselves own and manage.
When users are created, they are associated with a profile. This profile has a
list of roles associated with it. Connectors should use these roles to
determine the level of privilege the user should be given when the user is
created in
specific to a connector/cloud service are described in the metadata.
adding/removing roles from profiles and how that is reflected in the underlying
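As an added illustration that is not part of the CPBM documentation or its connector API, the following Python model encodes the scope rules above: a profile carries a list of roles, the security-system check refuses GLOBAL roles to anyone outside the SERVICE tenant and GLOBAL_ADMIN roles to anyone but root and portal, and a connector maps the widest scope the user can actually exercise to a privilege level in the cloud service. The Scope, Role, Profile and User classes, the privilege-level names and the sample roles, profiles and users are assumptions made for this example, not CPBM identifiers.

```python
from dataclasses import dataclass
from enum import IntEnum


class Scope(IntEnum):
    """CPBM role scopes, ordered from narrowest to widest visibility."""
    USER = 0
    TENANT = 1
    TENANT_ADMIN = 2
    GLOBAL = 3
    GLOBAL_ADMIN = 4


SERVICE_TENANT = "SERVICE"                    # the service-operator tenant named in the text
SUPER_USERS = frozenset({"root", "portal"})   # the only principals with GLOBAL_ADMIN profiles


@dataclass(frozen=True)
class Role:
    name: str
    scope: Scope


@dataclass(frozen=True)
class Profile:
    name: str
    roles: tuple          # roles that have been added to this profile


@dataclass(frozen=True)
class User:
    username: str
    tenant: str
    profile: Profile


def can_exercise(user: User, role: Role) -> bool:
    """The visibility check applied before a role in the user's profile is honoured.

    GLOBAL_ADMIN is reserved for root and portal; GLOBAL requires membership in
    the SERVICE tenant. Tenant- and user-scoped roles carry no extra precondition
    here because they never reach outside the user's own tenant.
    """
    if role.scope == Scope.GLOBAL_ADMIN:
        return user.username in SUPER_USERS
    if role.scope == Scope.GLOBAL:
        return user.tenant == SERVICE_TENANT
    return True


def effective_scope(user: User) -> Scope:
    """Widest scope the user may actually act with.

    Roles that fail the check are ignored rather than escalated, so a profile
    that mistakenly carries a GLOBAL role still yields only tenant-level
    visibility for a user outside the SERVICE tenant.
    """
    return max(
        (r.scope for r in user.profile.roles if can_exercise(user, r)),
        default=Scope.USER,
    )


# Hypothetical connector-side mapping from CPBM scope to the privilege level the
# connector would request in the cloud service. The level names are invented for
# this example; a real connector uses whatever its cloud service defines.
CLOUD_PRIVILEGE = {
    Scope.USER: "self-service",
    Scope.TENANT: "account-member",
    Scope.TENANT_ADMIN: "account-admin",
    Scope.GLOBAL: "operator",
    Scope.GLOBAL_ADMIN: "superuser",
}


def cloud_privilege_for(user: User) -> str:
    """Privilege the connector would accord the user when creating them in the cloud service."""
    return CLOUD_PRIVILEGE[effective_scope(user)]


# Constructed sample data for this example (not taken from CPBM).
OPERATOR = Role("cloud_operator", Scope.GLOBAL)
TENANT_OWNER = Role("tenant_owner", Scope.TENANT_ADMIN)
CONSUMER = Role("consumer", Scope.USER)
ROOT_ROLE = Role("system_root", Scope.GLOBAL_ADMIN)

OPERATOR_PROFILE = Profile("Service Operator", (OPERATOR, TENANT_OWNER))
CUSTOMER_ADMIN_PROFILE = Profile("Customer Admin", (TENANT_OWNER, CONSUMER))
MISCONFIGURED_PROFILE = Profile("Oops", (OPERATOR, CONSUMER))   # GLOBAL role handed to a customer tenant
ROOT_PROFILE = Profile("Root", (ROOT_ROLE,))

SAMPLE_USERS = {
    "root": User("root", SERVICE_TENANT, ROOT_PROFILE),
    "ops": User("ops", SERVICE_TENANT, OPERATOR_PROFILE),
    "acme-admin": User("acme-admin", "acme", CUSTOMER_ADMIN_PROFILE),
    "acme-user": User("acme-user", "acme", MISCONFIGURED_PROFILE),
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(f"{name:10s} tenant={user.tenant:8s} scope={effective_scope(user).name:13s} "
              f"cloud privilege={cloud_privilege_for(user)}")
```

The point of the misconfigured profile is the failure mode a connector should expect: a role of a wider scope than the user's tenant permits must degrade to the scope the check allows, never be passed through to the cloud service as-is.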