Managing roles

Roles are used to specify what actions a user can perform. Roles are assigned to a user. A user can have more than one role, in which case they are able to perform any action that at least one of their roles allows.

To access a project, you must be assigned a role on that project. A user that has the self_service, project_manager, or admin role in a project cannot be assigned any other role in that same project. For example, if user1 has the self_service role in Project A, then user1 cannot also be a deployer in Project A. However, user1 can be assigned the deployer role in Project B.

At least one user should have the admin role; otherwise, any action that requires the admin role (such as creating role assignments) would be impossible. When IBM® Cloud Infrastructure Center is installed, root is initially assigned the admin role.
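A small checker for the two assignment rules above (a user's roles in a project combine as a union of allowed actions, and self_service, project_manager, or admin excludes every other role in the same project), added here as an illustration and not taken from IBM Cloud Infrastructure Center itself. The assignment tuple format, the function names, and the action names are assumptions; the per-role action sets are a condensed subset of what this page lists.

```python
# Added illustrative example; not product code. Assignments are modelled as
# (user, project, role) tuples, which is an assumption for this example.

# Roles that exclude every other role in the same project (from this page).
EXCLUSIVE_ROLES = {"self_service", "project_manager", "admin"}

# Condensed subset of the per-role actions this page lists; names are assumed.
ROLE_ACTIONS = {
    "deployer": {"deploy_vm", "view_resources"},
    "vm_user": {"start_vm", "stop_vm", "restart_vm", "view_resources"},
    "vm_manager": {"deploy_vm", "delete_vm", "start_vm", "stop_vm", "restart_vm",
                   "attach_volume", "detach_volume", "edit_vm", "view_resources"},
    "image_manager": {"create_image", "capture_image", "delete_image", "view_resources"},
    "storage_manager": {"create_volume", "delete_volume", "resize_volume", "view_resources"},
    "viewer": {"view_resources"},
    "self_service": {"deploy_vm", "delete_vm", "start_vm", "stop_vm", "restart_vm",
                     "request_extension", "cancel_own_request"},
}

def roles_in_project(assignments, user, project):
    """Return the set of roles `user` already holds in `project`."""
    return {r for (u, p, r) in assignments if u == user and p == project}

def check_assignment(assignments, user, project, role):
    """Apply the exclusivity rule before adding `role`. Returns (allowed, reason)."""
    current = roles_in_project(assignments, user, project)
    if role in current:
        return True, "already assigned"
    held_exclusive = current & EXCLUSIVE_ROLES
    if held_exclusive:
        return False, f"{user} already holds {sorted(held_exclusive)} in {project}"
    if role in EXCLUSIVE_ROLES and current:
        return False, f"{role} cannot be combined with {sorted(current)} in {project}"
    return True, "ok"

def effective_actions(assignments, user, project):
    """Union of the actions allowed by every role the user holds in the project."""
    actions = set()
    for r in roles_in_project(assignments, user, project):
        actions |= ROLE_ACTIONS.get(r, set())
    return actions

def admin_holders(assignments):
    """Users holding admin anywhere; the page requires at least one such user."""
    return {u for (u, p, r) in assignments if r == "admin"}

# Constructed sample matching the page's example: user1 is self_service in
# Project A and deployer in Project B.
SAMPLE = [("user1", "Project A", "self_service"), ("user1", "Project B", "deployer")]
```

Running `check_assignment(SAMPLE, "user1", "Project A", "deployer")` is refused, while the same role request in Project B is allowed, mirroring the page's example.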

To work with user roles, from the Configuration page, click Users and Groups. Only role assignments specific to a project are supported.

Read the following details to learn more specific information about these roles:

  • Standard roles

  • Advanced roles

Standard roles

These are the commonly assigned roles.

Administrator (admin)

Users with this role can perform all tasks and have access to all resources. Only administrators on the ibm-default project can list, create, and delete projects. Only administrators on the ibm-default project can add, edit, update, and delete hosts and storage.

Project manager (project_manager)

Users with this role are given a simplified view that omits infrastructure details, but they have high-level access to act on project-specific resources, including the following actions:

  • Viewing and editing cloud policies.

  • Viewing and editing email server and template configuration.

  • Approving or rejecting requests from self service users.

  • Editing virtual machine ownership and expiration dates.

  • Viewing quotas and resource usage information.

  • Deploying a virtual machine from a deploy template.

  • Deleting, starting, stopping, or restarting virtual machines.

  • Creating, restoring, or deleting a backup for virtual machines that are booted from IBM Storage Scale Volume.

  • Configuring their own email preferences (if an email server is configured).

Note: By default, project managers in projects other than ibm-default are subject to some restrictions on public image deploy templates.

  • In projects other than ibm-default, project managers cannot see public image deploy templates or deploy virtual machines from them.

  • In projects other than ibm-default, project managers cannot see public image deploy template requests from self-service users.

    These public image deploy templates and the self-service requests for them are managed directly by the project administrators. However, to accommodate different business requirements, these restrictions for project managers can be disabled with the disable_public_image_limit setting; refer to Switch setting for enable/disable public image deploy template different behavior.

Self service user (self_service)

Users with this role are given a simplified view and can see only the resources that they own. They are allowed to perform the following tasks, subject to cloud policies that might require administrator or project manager approval for certain actions:

  • Deploying a virtual machine from a deploy template.

  • Deleting, starting, stopping, or restarting their own virtual machines.

  • Requesting expiration date extensions for their own virtual machines.

  • Viewing and canceling the requests that they have made under cloud policies.

Advanced roles

These roles require a deeper understanding of the product and should be assigned only to advanced users. Each of these roles is intended only for certain situations, for example:

  • If a user needs to write automation to deploy virtual machines, but does not need to perform any other tasks, assign that user the deployer role.

  • If a user needs to deploy and manage their own virtual machines, but does not need to work with images or storage or perform infrastructure tasks such as registering hosts, assign that user the vm_manager role.

  • If a user needs to deploy and manage virtual machines and also needs to capture and manage images, assign that user both the vm_manager and image_manager roles.

  • If a user needs to work with storage volumes and nothing else, assign that user the storage_manager role.

  • If a user needs to manage virtual machines that others have created, assign that user the vm_manager role.

Deployer (deployer)

Users with this role can perform the following tasks:

  • Deploying a virtual machine from an image.

  • Viewing all resources except users and groups.

Image manager (image_manager)

Users with this role can perform the following tasks:

  • Creating, capturing, or deleting an image.

  • Editing the description of an image.

  • Viewing all resources except users and groups.

Storage manager (storage_manager)

Users with this role can perform the following tasks:

  • Creating, deleting, or resizing a volume.

  • Viewing all resources except users and groups.

Viewer (viewer)

Users with this role can view resources and the properties of resources, but can perform no tasks. They cannot view users and groups.

Virtual machine manager (vm_manager)

Users with this role can perform the following tasks:

  • Deploying a virtual machine from an image.

  • Deleting, starting, stopping, or restarting a virtual machine.

  • Creating, restoring, or deleting a backup for virtual machines that are booted from IBM Storage Scale Volume.

  • Attaching or detaching a volume.

  • Editing details of a deployed virtual machine.

  • Viewing all resources except users and groups.

Virtual machine user (vm_user)

Users with this role can perform the following tasks:

  • Starting, stopping, or restarting a virtual machine.

  • Viewing all resources except users and groups.