11.5. Managing Roles¶
Roles are system objects defining the privileges a particular user is endowed with. In other words, roles define all possible actions the user may perform on a physical server, a virtual environment, or Logical Unit. Virtuozzo Automator allows you to manage roles in one of the following ways:
view the roles currently existing in VA;
create a new role;
configuring the parameters of an existing role;
remove an existing role.
11.5.1. Viewing Roles¶
Roles are system objects created to embody a certain multitude of permissions, i. e. the parameters that ultimately define the scope of the privileges the user is endowed with. In other words, roles are users’ attributes and are made up of permissions. Permissions are all possible actions that a user or administrator is allowed to perform in the physical server or virtual environment context. You can create any number of roles at your discretion - as long as your own permissions allow you to do so.
To view a list of roles currently existing on the physical server, follow the Security link on the Virtuozzo Automator menu and then click the Roles tab on the Security screen. The information on each role is presented in the table having the following columns:
Column name |
Description |
---|---|
Name |
The name of the role. |
Description |
The role description. |
Built-in |
Indicates whether the given role has been manually created by you or any other user (‘No’) or it is a built-in role (‘Yes’). |
By default, 20 roles are displayed on a page. To change the number of roles shown per page, click the appropriate link below the table. You can also filter the roles shown in the Roles table. To do that, click Show Search, enter search patterns in the search fields, and click Search. To change what search fields are displayed, click Customize. To have the full list of roles back, click Reset Results. To change the roles order in the table, click the corresponding column name.
On the Roles tab you can complete the following tasks:
Create a new role by following the New Role link at the top of the Roles table.
Clone a role by selecting the check box near the corresponding role and clicking the Clone button. Upon the operation completion, the cloned role will be displayed in the Roles table with Copy of preceding the role name. To clone all the roles at once, select the uppermost check box and click the Clone button.
Remove an existing role by selecting the check box near the corresponding role and clicking the Delete button. To delete all the roles at once, select the uppermost check box and click the Delete button. When deleting roles, please keep in mind the following:
You cannot delete a role which is still assigned to any existing user.
You cannot delete any of the built-in roles.
If you have already developed a well-designed taxonomy of roles and are going to further maintain it using the built-in roles remember that you cannot modify or rename the built-in roles to fit them in. If you want to have a modified built-in role to be assigned to a user, clone this role first, and then change the cloned role.
11.5.2. Creating New Roles¶
You can create any number of roles at your discretion provided your own permissions allow you to do so. You can create a new role on the New Role page which can be accessed by following the Security link on the Virtuozzo Automator menu, clicking the Roles tab on the Security screen, and then clicking the New Role button over the Roles table.
Under the General Parameters group of parameters, you must enter the name to be assigned to the role in the Name field and can provide the role description in the Description field.
The Privileges and Included Roles groups allow you to define the privileges to be assigned to the role:
If the privileges of an existing role represent a subset of the privileges to be assigned to the new role, you can save your time by adding the previously created role to the new one. To this effect, expand the Included Roles group by clicking the triangle icon, select the name of the role you wish to include in the new one in the Available table and click the >> button. The selected role will be moved to the Selected table. To cancel your action, select the role in the Selected table and click the << button.
If there are no roles that can be used as the basis for the role being created, you can manually specify what privileges are to be assigned to the role. In this case, you should browse through the hierarchy of available privileges under the Privileges group and select the check boxes near those privileges that you wish to have included in the role. Each privilege represents the possibility (if the corresponding check box is selected) or impossibility (if the corresponding check box is cleared) to perform a certain action in the scope context. For example, you can select the check box near the
Virtual Environment Management
privilege to include the right of performing any operations in the virtual environment context (e.g. to create or destroy a virtual environment) in the role. Please keep in mind that selecting a check box which stands for a higher level set of privileges will automatically add the privileges from all lower level sets to the role. So, theVirtual Environment Management
privilege includes all the lower level privileges (Configure Virtual Environment
,Delete Virtual Environment
, etc.).
When setting up VA roles, you should have a clear idea about the scope where these roles will be assigned to users/groups to form permissions. Thus, it is necessary to know in what scope this or that privilege can be applied and what exactly is implied by the privilege. E.g. it bears little sense to include the Log in to Virtuozzo Automator
privilege in the role intended for virtual environment administrators and, therefore, used in the virtual environment scope only.
The table below describes all the available privileges and indicates the scopes where they can be used:
Privilege |
G |
U |
PS |
VE |
Description |
---|---|---|---|---|---|
Full Control |
+ |
+ |
+ |
+ |
Provide the user with full control over the given scope. |
Control Panels |
+ |
+ |
+ |
+ |
Allow the user to log in to various control panels on the given scope. |
Log in to VA Control Panel |
+ |
- |
- |
- |
Allow the user to log in to Virtuozzo Automator. |
Log in to Virtuozzo Power Panel |
+ |
+ |
+ |
+ |
Allow the user to log in to Virtuozzo Power Panel of any virtual environment included in the given scope. |
Log in to virtual environment terminal |
+ |
+ |
+ |
+ |
Allow browser-based connections to any virtual environment included in the given scope. |
Log in to Plesk |
+ |
+ |
+ |
+ |
Allow the user to log in to the Plesk control panel of any container included in the given scope. |
Log in via SOAP |
+ |
+ |
+ |
+ |
Allow the user to log in to the physical server using the SOAP API (Application Programming Interface). |
Virtual Environment Management |
+ |
+ |
+ |
+ |
Provide the user with all the various virtual environment management permissions enumerated below. |
New virtual environment |
+ |
+ |
+ |
+ |
Allow the user to create a new virtual environment using the various methods enumerated below. In a non-global scope, this privilege only allows to clone an existing virtual environment. |
Create virtual environment |
+ |
- |
- |
- |
Allow the user to create a new virtual environment. |
Clone virtual environment |
+ |
+ |
+ |
+ |
Allow the user to clone any virtual environment included in the given scope. |
Migrate physical server to virtual environment |
+ |
- |
- |
- |
Allow the user to create a new virtual environment on the basis of an existing physical server. |
View virtual environment properties |
+ |
+ |
+ |
+ |
Allow the user to view the properties of any virtual environment included in the given scope and to have the corresponding virtual environment displayed in the lists of virtual environments. Note This privilege is necessary for all the other Virtual Environment Management privileges to work. |
View extended resources |
+ |
+ |
+ |
+ |
Allow the user to view the resources consumption and configuration on any virtual environment included in the given scope. |
Operate virtual environment |
+ |
+ |
+ |
+ |
Allow the user to start, stop, suspend, resume, and migrate any virtual environment included in the given scope. |
Start and stop virtual environment |
+ |
+ |
+ |
+ |
Allow the user to start and stop any virtual environment included in the given scope. |
Migrate virtual environment |
+ |
+ |
+ |
+ |
Allow the user to migrate any virtual environment included in the given scope to another physical server registered in Virtuozzo Automator, provided the user has the privilege to access the Destination physical server. |
Configure virtual environment |
+ |
+ |
+ |
+ |
Allow the user to set up the various virtual environment settings enumerated below. |
Configure virtual environment general settings |
+ |
+ |
+ |
+ |
Allow the user to configure the general settings of any virtual environment in the given scope: name and description, networking, resources, etc. |
Manage applications |
+ |
+ |
+ |
+ |
Allow the user to manage the software packages inside any virtual environment in the given scope. |
Manage devices |
+ |
+ |
+ |
+ |
Allow the user to mount and unmount disk volumes in any virtual environment in the given scope. |
Maintenance |
+ |
+ |
+ |
+ |
Allow the user to enter the repair mode for any virtual environment included in the given scope. |
Repair virtual environment |
+ |
+ |
+ |
+ |
Allow the user to enter the repair mode for any virtual environment included in the given scope. |
Backups Management |
+ |
+ |
+ |
+ |
Allow the user to manage the backups of any included in the given scope. |
List virtual environment backups |
+ |
+ |
+ |
+ |
Allow the user to view the backups of any virtual environment included in the given scope. |
Back up virtual environment |
+ |
+ |
+ |
+ |
Allow the user to back up any virtual environment included in the given scope. |
Restore virtual environment |
+ |
+ |
+ |
+ |
Allow the user to restore the backup of any virtual environment included in the given scope. |
Remove virtual environment backups |
+ |
+ |
+ |
+ |
Allow the user to delete the backups of any virtual environment included in the given scope. |
Manage services |
+ |
+ |
+ |
+ |
Allow the user to manage the services in any virtual environment included in the given scope. |
Manage files and services |
+ |
+ |
+ |
+ |
Allow the user to manage the files and services in any virtual environment included in the given scope. |
Delete virtual environment |
+ |
+ |
+ |
+ |
Allow the user to delete any virtual environment included in the given scope. |
Manage scheduled operations |
+ |
+ |
+ |
+ |
Allow the user to automate container routine operations in the given scope. |
Node Management |
+ |
+ |
+ |
- |
Provide the user with all the various physical server management permissions enumerated below. |
View Node properties |
+ |
+ |
+ |
- |
Allow the user to view the properties of any Hardware Node included in the given scope and to have the corresponding Node displayed in the lists of Hardware Nodes. Note This privilege is necessary for all the other Node Management privileges to work. |
Configure Node |
+ |
+ |
+ |
- |
Allow the user to configure the email gateway, network settings, and application templates for any Hardware Node included in the given scope. |
Configure Node general settings |
+ |
+ |
+ |
- |
Allow the user to configure the general settings of any physical server: name and description, networking, resources, etc. |
Configure email and notifications |
+ |
+ |
+ |
- |
Allow the user to configure the email gateway for any physical server included in the given scope. |
Configure network |
+ |
+ |
+ |
- |
Allow the user to configure the network settings for any physical server included in the given scope: traffic accounting and shaping, proxy settings, network interfaces. Note To allow the user to configure the proxy server settings, you should additionally enable the Configure email and notifications privilege. |
Manage OS and application templates |
+ |
+ |
+ |
- |
Allow the user to perform all the available operations on the application templates for any physical server included in the given scope. |
Backups Administration |
+ |
+ |
+ |
- |
Allow the user to administer any physical server included in the given scope as a Backup physical server. |
Configure backups |
+ |
+ |
+ |
- |
Allow the user to configure the way of storing backups for any physical server included in the given scope. |
List backups |
+ |
+ |
+ |
- |
Allow the user to view the backups stored on any physical server included in the given scope. |
Store backups |
+ |
+ |
+ |
- |
Allow the user to place virtual environment backups on any physical server included in the given scope. |
Remove backups |
+ |
+ |
+ |
- |
Allow the user to delete the virtual environment backups from any physical server included in the given scope. |
Update System |
+ |
+ |
+ |
- |
Allow the user to configure the update repository settings for any physical server included in the given scope. |
Reboot |
+ |
+ |
+ |
- |
Allow the user to reboot any physical server included in the given scope. |
Policy Management |
+ |
+ |
+ |
+ |
Allow the user to view, assign, and configure the policies. |
Configure global policies |
+ |
+ |
+ |
+ |
Allow the user to configure the global policies. |
Assign policies to an object |
+ |
+ |
+ |
+ |
Allow the user to assign policies. |
Logical Structure |
+ |
+ |
- |
- |
Provide the user with all the possible privileges to build up the logical structure of the VA datacenter. |
List units |
+ |
+ |
- |
- |
|
Manage virtual environments and Nodes in unit |
+ |
+ |
- |
- |
Allow the user to manage the physical servers and virtual environments in any logical unit included in the given scope. Unlike the Administer unit privilege, this privilege does not allow the user to remove logical units. |
Administer unit |
+ |
+ |
- |
- |
Allow the user to manage the physical servers and virtual environments in any logical unit included in the given scope and remove the corresponding unit. |
Manage sub-units |
+ |
+ |
- |
- |
Allow the user to add sub-units to any logical unit included in the given scope and to remove sub-units from it. |
Infrastructure |
+ |
- |
- |
- |
Provide the user with all the possible privileges to set up the VA datacenter infrastructure. |
Manage disk images |
+ |
- |
- |
- |
Allow the user to set up and work with disk images. |
Manage Server Group |
+ |
- |
- |
- |
Allow the user to exercise the overall management on Master Server and all its slave physical servers: view them, register and unregister Hardware Nodes, etc. Important This privilege should be included in the role intended for VA administrators only. |
Manage IP addresses pools |
+ |
- |
- |
- |
Allow the user to perform all the available operations on IP addresses pools. |
Manage virtual networks |
+ |
- |
- |
- |
Allow the user to create, edit, and delete virtual networks, as well as set up bridged networking on physical servers. Note This kind of privilege is normally granted to a single person, so included in one role only. |
Manage licenses |
+ |
- |
- |
- |
Allow the user to install and remove Virtuozzo licenses. Note This kind of privilege is normally granted to a single person, so included in one role only. |
Manage virtual environment templates |
+ |
- |
- |
- |
Allow the user to perform all the available operations on virtual environment configuration templates. The user will be able to manage the VM Templates Storage: changing VM Templates Storage configuration, adding or removing VM templates in the Storage. |
Set up messaging |
+ |
- |
- |
- |
Allow the user to configure the email messaging system. |
Workflow |
+ |
+ |
+ |
+ |
Provide the user with a set of privileges related to virtual environment troubleshooting. |
Troubleshooting |
+ |
+ |
+ |
+ |
|
Security |
+ |
+ |
+ |
+ |
Allow the user to manage the Virtuozzo Automator security policy. Important This privilege should be included in the role intended for VA administrators only. |
Manage users and groups |
+ |
+ |
+ |
+ |
Allow the user to change the administrative password of any virtual environment included in the given scope or set the administrative password during its reinstallation. |
List users and groups |
+ |
+ |
+ |
+ |
Allow the user to list and view users and groups of any virtual environment included in the given scope. |
Edit users and groups |
+ |
+ |
+ |
+ |
Allow the user to create, edit and delete users and groups of any virtual environment included in the given scope. |
Manage roles |
+ |
- |
- |
- |
Allow the user to create, modify, and delete roles and create permissions on their basis in any scope. Important This privilege should be included in the role intended for VA administrators only. |
Manage authentication databases |
+ |
- |
- |
- |
Allow the user to register, configure, and unregister authentication databases in Virtuozzo Automator. |
Log Operations |
+ |
+ |
+ |
+ |
Allow the user to view the logs and cancel the running tasks relevant to the given scope. |
View logs |
+ |
+ |
+ |
+ |
Allow the user to view the tasks logs, alerts, and events related to any virtual environment included in the given scope. |
The table indicates whether using a particular privilege makes sense in each of the 4 available scopes:
G - the Global scope;
U - the scope of a single logical or infrastructure Unit;
PS - the scope of a single physical server;
VE - the scope of a single virtual environment.
When you are ready, click the Submit button to start creating the role with the specified parameters.
Note
If you have already developed a well-designed taxonomy of roles and are going to further maintain it using the built-in roles remember that you cannot modify or rename the built-in roles to fit them in. If you want to have a modified built-in role to be assigned to a user, clone this role first, and then change the cloned role.
11.5.3. Configuring Role Parameters¶
The Manage Role page allows you to configure the parameters of any roles existing in Virtuozzo Automator. To display this page, follow the Security link on the Virtuozzo Automator menu, click the Roles tab on the Security screen, and then click the name of the role you wish to edit in the Roles table.
Note
To edit a role, you need to have your own permission to perform this action.
You cannot modify or rename the built-in roles. If you want to have a modified built-in role, you should clone this role first and then change its parameters.
In this window you can configure the following parameters of a role:
The General Parameters group of parameters allows you to change the name and description of the role by typing the desired information in the fields provided.
The Privileges and Included Roles groups of parameters enable you to modify the role privileges:
Browse through the hierarchy of available privileges under the Privileges group and select or clear the check boxes of those privileges that you wish to include in the role or to exclude from the role, respectively.
Expand the Included Roles group and use the >> and << buttons to include/exclude any of the existing roles to the role you are editing, respectively.
When setting up VA roles, you should have a clear idea about the scope where these roles will be assigned to users/groups to form permissions. Thus, it is necessary to know in what scope this or that privilege can be applied and what exactly is implied by the privilege. E.g. it bears little sense to include the Log in to Virtuozzo Automator
privilege in the role intended for virtual environment administrators and, therefore, used in the virtual environment scope only.
The list of settings, you can reconfigure in the Privileges section is the same one that you set up when create a new role.
After you have configured the role parameters, click the Submit button for the changed to take effect.