Managing roles

Roles are used to specify what actions a user can perform. Roles are assigned to a user (or group, in which case they are inherited by all users in that group). A user or group can have more than one role, in which case they are able to perform any action that at least one of their roles allows.

To access a project, you must be assigned a role on that project. A user who has the self_service, project_manager, or admin role in a project must not be assigned any other role in that project, whether inherited from a group or assigned directly. For example, if User1 has the self_service role in Project A, then he or she must not also be a deployer in Project A. However, that user could be assigned the deployer role in Project B.

At least one user must have the admin role, since otherwise any action that requires the admin role (such as creating role assignments) would never be possible. When PowerVC is installed, root is initially assigned the admin role. It is recommended that you assign the admin role to another user (or group) and then remove the admin role assignment from root.

To work with user and group roles, from the Configuration page, click Users and Groups. Only role assignments specific to a project are supported.
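As an added illustration of the three rules above (union of a user's direct and group-inherited roles per project, no second role alongside self_service, project_manager or admin in the same project, and at least one admin at all times), here is a small Python model. It is not PowerVC code; the class, user, group and project names are constructed.

```python
# Roles that must be a user's only role in a project (rule stated above).
EXCLUSIVE_ROLES = {"self_service", "project_manager", "admin"}


class RoleAssignments:
    def __init__(self):
        self.user_roles = {}   # (user, project) -> directly assigned roles
        self.group_roles = {}  # (group, project) -> roles inherited by members
        self.members = {}      # group -> set of users

    def effective_roles(self, user, project):
        """Direct roles plus roles inherited from every group the user is in."""
        roles = set(self.user_roles.get((user, project), ()))
        for group, users in self.members.items():
            if user in users:
                roles |= self.group_roles.get((group, project), set())
        return roles

    def _check_exclusive(self, user, project, extra):
        combined = self.effective_roles(user, project) | set(extra)
        if combined & EXCLUSIVE_ROLES and len(combined) > 1:
            raise ValueError(f"{user} cannot hold {sorted(combined)} together in {project}")

    def assign_user(self, user, project, role):
        self._check_exclusive(user, project, {role})
        self.user_roles.setdefault((user, project), set()).add(role)

    def assign_group(self, group, project, role):
        for user in self.members.get(group, ()):  # every member inherits it
            self._check_exclusive(user, project, {role})
        self.group_roles.setdefault((group, project), set()).add(role)

    def add_member(self, user, group):
        for (g, project), roles in self.group_roles.items():
            if g == group:  # joining a group pulls in its roles in each project
                self._check_exclusive(user, project, roles)
        self.members.setdefault(group, set()).add(user)

    def admin_holders(self):
        """Users whose effective roles include admin in some project."""
        direct = {u for (u, _), r in self.user_roles.items() if "admin" in r}
        via_group = {u for (g, _), r in self.group_roles.items() if "admin" in r for u in self.members.get(g, ())}
        return direct | via_group

    def revoke_user(self, user, project, role):
        roles = self.user_roles.get((user, project), set())
        roles.discard(role)
        if role == "admin" and not self.admin_holders():
            roles.add(role)  # undo: at least one user must keep admin
            raise ValueError("the last admin role assignment cannot be removed")
```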

The sections that follow describe each role in more detail.

Standard roles

These are the commonly assigned roles.

Administrator (admin)
Users with this role can perform all tasks and have access to all resources. Only administrators on the ibm-default project can list, create, and delete projects. Also, the admin user of the ibm-default project can set the image visibility of PowerVC images from private to public. Project administrators can create deploy templates using these public or shared images. Users with this role can perform snapshot and restore operations on the volumes that are attached to a virtual machine. The admin user can create consistency groups and group snapshots.
Users with the admin role can also perform these operations:
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update or delete an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, delete or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, delete COS or list images on COS.
Administrator assistant (admin_assist)
Users with this role can perform create and edit tasks but do not have privileges to perform remove or delete operations (for example, deleting a virtual machine or a volume, or removing a host or a network). However, these users can perform all virtual machine, image, and volume lifecycle operations except Delete. The admin_assist users of the ibm-default project can set the image visibility of PowerVC images from private to public. Users with this role can perform snapshot and restore operations on the volumes that are attached to a virtual machine. The admin user can create consistency groups and group snapshots.
Users with this role can also perform these operations:
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, or update COS, and list images on COS.
Project manager (project_manager)
Users with this role are given a simplified view that omits infrastructure details, but are allowed high-level access to act on project-specific resources, including performing the following actions:
  • Viewing and editing cloud policies
  • Viewing and editing email server and template configuration
  • Approving or rejecting requests from self service users
  • Editing virtual machine ownership and expiration dates
  • Viewing quotas and resource usage information
  • Deploying a virtual machine from a deploy template
  • Deleting, starting, stopping, or restarting virtual machines
  • Configuring their own email preferences (if an email server has been configured)
  • Creating a snapshot of a volume and restoring it
  • Creating consistency groups and snapshots
  • Backup node - Backup node operations such as list, view, or discover existing OVAs on a backup node.
  • Cloud Object Storage (COS) - List, view, or update COS, and list images on COS.
Self service user (self_service)
Users with this role are given a simplified view and can only see resources that they own. They are allowed to perform the following tasks, subject to cloud policies that might require administrator or project manager approval for certain actions.
  • Deploying a virtual machine from a deploy template
  • Deleting, starting, stopping, or restarting their own virtual machines
  • Requesting expiration date extensions for their own virtual machines
  • Viewing and canceling requests that they have made under cloud policies
  • Configuring their own email preferences (if an email server has been configured)
  • Creating a snapshot of a volume and restoring it

Advanced roles

These roles require a deeper understanding of the product and should only be assigned to advanced users. Each of these roles is intended for specific situations, for example:
  • If a user needs to write automation to deploy virtual machines, but does not need to perform any other tasks, assign that user Deployer.
  • If a user needs to deploy and manage their own virtual machines, but does not need to work with images or storage, or to perform infrastructure tasks such as registering hosts, assign that user Virtual machine manager.
  • If a user needs to deploy and manage virtual machines but also needs to capture and manage images, assign the user both Virtual machine manager and Image manager.
  • If a user needs to work with storage volumes and nothing else, assign that user Storage manager.
  • If a user needs to manage virtual machines that others have created, assign that user Virtual machine manager.
Deployer (deployer)
Users with this role can perform the following tasks:
  • Deploying a virtual machine from an image
  • Viewing all resources except users and groups
  • Image backup - View, list image backups, or list valid storage templates for image backups.
  • Backup node - Backup node operations such as list, view, or discover existing OVAs on a backup node.
  • Cloud Object Storage (COS) - List or view COS, or list images on COS.
Image manager (image_manager)
Users with this role can perform the following tasks:
  • Creating, capturing, importing, or deleting an image
  • Editing description of an image
  • Viewing all resources except users and groups
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update or delete an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, delete or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, or delete COS and list images on COS.
Storage manager (storage_manager)
Users with this role can perform the following tasks:
  • Creating, deleting, or resizing a volume
  • Viewing all resources except users and groups
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update or delete an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, delete or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, or delete COS and list images on COS.
Viewer (viewer)
Users with this role can view resources and the properties of resources, but can perform no tasks. They cannot view users and groups.
  • Image backup - View or list image backups, list valid storage templates for image backups.
  • Backup node - View or list backup node details.
  • Cloud Object Storage (COS) - List or view COS, or list images on COS.
Virtual machine manager (vm_manager)
Users with this role can perform the following tasks:
  • Deploying a virtual machine from an image
  • Deleting, resizing, starting, stopping, or restarting a virtual machine
  • Attaching or detaching a volume
  • Creating a snapshot of a volume and restoring it
  • Attaching or detaching a network interface
  • Editing details of a deployed virtual machine
  • Viewing all resources except users and groups
  • Creating, attaching, detaching, and deleting floating IP addresses
  • Image backup - View or list image backups, list valid storage templates for image backups.
Virtual machine user (vm_user)
Users with this role can perform the following tasks:
  • Starting, stopping, or restarting a virtual machine
  • Viewing all resources except users and groups
  • Image backup - View or list image backups, list valid storage templates for image backups.
  • Backup node - View, discover existing OVAs on a backup node, or list backup node details.
  • Cloud Object Storage (COS) - List or view COS, and list images on COS.