Managing roles

Roles are used to specify what actions a user can perform. Roles are assigned to a user (or group, in which case they are inherited by all users in that group). A user or group can have more than one role, in which case they are able to perform any action that at least one of their roles allows.

At least one user must have the admin role, since otherwise any action that requires the admin role (such as creating role assignments) would never be possible. When PowerVC is installed, root is initially assigned the admin role. It is recommended that you assign the admin role to another user (or group) and then remove the admin role assignment from root.

To work with user and group roles, from the Configuration page, click Users and Groups. Only role assignments specific to a project are supported.
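The union and group-inheritance rules above, and a check that an admin remains before root's assignment is removed, as an added example (not PowerVC code or its API). The record layout, the sample users and groups, and checking admin per project are assumptions; the role names and ibm-default come from this page.

```python
from collections import defaultdict

# Constructed sample data: group membership plus project-scoped role
# assignments as (kind, name, project, role). The record layout is assumed.
GROUPS = {"ops": {"alice", "bob"}, "auditors": {"carol"}}
ASSIGNMENTS = [
    ("user", "root", "ibm-default", "admin"),
    ("group", "ops", "ibm-default", "admin_assist"),
    ("user", "alice", "ibm-default", "vm_manager"),
    ("group", "auditors", "ibm-default", "viewer"),
]

def effective_roles(assignments, groups):
    """Map (user, project) -> union of direct and group-inherited roles."""
    roles = defaultdict(set)
    for kind, name, project, role in assignments:
        # A group assignment reaches every member; an unknown or empty
        # group grants the role to nobody.
        members = groups.get(name, set()) if kind == "group" else {name}
        for user in members:
            roles[(user, project)].add(role)
    return dict(roles)

def admins_of(assignments, groups, project):
    """Users whose effective roles in `project` include admin."""
    eff = effective_roles(assignments, groups)
    return {u for (u, p), r in eff.items() if p == project and "admin" in r}

def admin_findings(assignments, groups, project="ibm-default"):
    """Report where the assignments depart from the admin guidance."""
    admins = admins_of(assignments, groups, project)
    if not admins:
        return ["no user holds admin; role assignments can no longer be created"]
    if admins == {"root"}:
        return ["root is the only admin; assign admin to another user or group"]
    if "root" in admins:
        return ["root still holds admin; remove its admin assignment"]
    return []

def safe_to_remove(assignments, groups, target):
    """True if deleting `target` leaves at least one admin in its project."""
    remaining = [a for a in assignments if a != target]
    return bool(admins_of(remaining, groups, target[2]))

if __name__ == "__main__":
    print(effective_roles(ASSIGNMENTS, GROUPS)[("alice", "ibm-default")])
    print(admin_findings(ASSIGNMENTS, GROUPS))
    print(safe_to_remove(ASSIGNMENTS, GROUPS, ASSIGNMENTS[0]))
```

An admin assignment to a group with no members does not count as an admin here, so removing root's assignment in that state is reported as unsafe.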

Standard roles

These are the commonly assigned roles.

Administrator (admin)
Users with this role can perform all tasks and have access to all resources. Only administrators on the ibm-default project can list, create, and delete projects. The admin user of the ibm-default project can also set the image visibility of PowerVC images from private to public. Project administrators can create deploy templates using these public or shared images. Users with this role can perform snapshot and restore operations on the volumes that are attached to a virtual machine. The admin user can create consistency groups and group snapshots.
The admin user can also perform these operations:
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update or delete an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, delete or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, delete COS or list images on COS.
Administrator assistant (admin_assist)
Users with this role can perform create and edit tasks but do not have privileges to perform remove or delete operations (for example, deleting a virtual machine or a volume, or removing a host or a network). However, these users can perform all virtual machine, image, and volume lifecycle operations except Delete. The admin_assist users of the ibm-default project can set the image visibility of PowerVC images from private to public. Users with this role can perform snapshot and restore operations on the volumes that are attached to a virtual machine. The admin user can create consistency groups and group snapshots.
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, and list images on COS.

Advanced roles

These roles require a deeper understanding of the product and should only be assigned to advanced users. Each of these roles would only be used in certain situations, for example:
  • If a user needs to write automation to deploy virtual machines, but does not need to perform any other tasks, assign that user Deployer.
  • If a user needs to deploy and manage their own virtual machines, but the user does not need to work with images, storage, or perform infrastructure tasks, such as registering hosts, assign that user Virtual machine manager.
  • If a user needs to deploy and manage virtual machines but also needs to capture and manage images, assign the user both Virtual machine manager and Image manager.
  • If a user needs to work with storage volumes and nothing else, assign that user Storage manager.
  • If a user needs to manage virtual machines that others have created, assign that user Virtual machine manager.
Deployer (deployer)
Users with this role can perform the following tasks:
  • Deploying a virtual machine from an image
  • Viewing all resources except users and groups
  • Image backup - View, list image backups, or list valid storage templates for image backups.
  • Backup node - Backup node operations such as list, view, or discover existing OVAs on a backup node.
  • Cloud Object Storage (COS) - List, view, or list images on COS.
Image manager (image_manager)
Users with this role can perform the following tasks:
  • Creating, capturing, importing, or deleting an image
  • Editing description of an image
  • Viewing all resources except users and groups
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update or delete an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, delete or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, or delete COS and list images on COS.
Storage manager (storage_manager)
Users with this role can perform the following tasks:
  • Creating, deleting, or resizing a volume
  • Viewing all resources except users and groups
  • Image backup - Export or import an image, upload or download an image, view or list image backups, list valid storage templates for image backups, get progress of image backup operation, update or delete an image backup.
  • Backup node - Backup node operations such as list, create, view, discover existing OVAs on a backup node, delete or update a backup node.
  • Cloud Object Storage (COS) - List, create, view, update, or delete COS and list images on COS.
Viewer (viewer)
Users with this role can view resources and the properties of resources, but can perform no tasks. They cannot view users and groups.
  • Image backup - View or list image backups, list valid storage templates for image backups.
  • Backup node - View or list backup node details.
  • Cloud Object Storage (COS) - List, view COS, or list images on COS.
Virtual machine manager (vm_manager)
Users with this role can perform the following tasks:
  • Deploying a virtual machine from an image
  • Deleting, resizing, starting, stopping, or restarting a virtual machine
  • Attaching or detaching a volume
  • Taking a snapshot of and restoring a volume
  • Attaching or detaching a network interface
  • Editing details of a deployed virtual machine
  • Viewing all resources except users and groups
  • Creating, attaching, detaching, and deleting floating IP addresses
  • Image backup - View or list image backups, list valid storage templates for image backups.
Virtual machine user (vm_user)
Users with this role can perform the following tasks:
  • Starting, stopping, or restarting a virtual machine
  • Viewing all resources except users and groups
  • Image backup - View or list image backups, list valid storage templates for image backups.
  • Backup node - View, discover existing OVAs on a backup node, or list backup node details.
  • Cloud Object Storage (COS) - List, view COS, and list images on COS.