> Roles and permissions - Nerve Blue 2.2.1 Documentation Skip to content
PDF

Roles and permissions

Note

This page describes the standard roles and permission management in the Nerve Blue Management System. When LDAP authentication is active, roles and permissions are applied according to the LDAP synchronization settings. Refer to LDAP for more information on LDAP synchronization.

Usage of the Management System is restricted by role-based access control (RBAC), meaning that users in the Management System are assigned roles. These roles are assigned a set of UI permissions and API permissions. Two user roles — Admin and User — are available by default. Multiple roles can be assigned to one user. A user that is assigned multiple roles is granted the combined permissions of each role. Select Roles in the navigation on the left to reach a list of all available roles:

!Roles List

Item Description
Search bar (1) Use the search bar to filter roles by name.
Type filter (2) Filter the list of roles by authentication method. The target of the filter is the TYPE column and the options are Local, LDAP and All.
Add new role (3) Click here to add a new role.
NAME (4) This is the name of the role that was defined when it was created. This name is also used when the role is assigned to users.
TYPE (5) This column shows the type of the role according to the authentication method used:
  • Local
    This describes roles that are created locally through the Management System.
  • LDAP
    This describes roles that are created following an LDAP synchronization.
NUMBER OF ASSIGNED USERS (6) The number of users that this role has been assigned to is displayed here.
DESCRIPTION (7) This is a description that gives more information about each user role.
Ellipsis menu (8) Clicking here opens an overlay that allows deleting roles.

The Admin role has all permissions assigned and cannot be edited. The User role has limited permissions. A user that has the User role assigned is not allowed to perform changes to the system such as adding or removing nodes, creating workloads or establishing remote connections among others. Users with the User role can work with the node tree and deploy workloads to nodes.

UI permissions

UI permissions reflect the permissions of the frontend. They are relevant for a users interaction with the Management System. Below is the list of available UI permissions with descriptions.
As some actions depend on other actions, the system automatically selects and deselects permissions, including API permissions that are required for these actions.
When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. However, note that changes to API permissions should only be done by users with expert knowledge.

The tables below are separated by the part of the Management System the permissions affect.

Workload deployment

Permission Name Description
Deploy workload UI_DEPLOY:DEPLOY Permission that grants the user the rights to deploy a workload to a node.
Force stop campaign task UI_DEPLOY:FORCE_CANCEL_ONE Permission that grants the user access to see the force stop button for a deployment campaign.
Delete workload deploy log UI_DEPLOY:LOG_DELETE Permission that grants the user the rights to delete a log entry in the workload deployment log.
Reset deployment task UI_DEPLOY:LOG_RESET Permission that grants the user the rights to reset a task in the workload deployment log.
Reset all deployment tasks UI_DEPLOY:LOG_RESET_ALL Permission that grants the user the rights to reset all tasks in the workload deployment log.
Preview workload deploy log UI_DEPLOY:LOG_VIEW Permission that grants the user the rights to view a log entry in the workload deployment log.
Access "Deploy" -> "Dry run" UI_SUBNAV_DEPLOY_DRY_RUN:VIEW Permission that grants the user the rights to see the dry run entry in the navigation menu and the rights to perform the dry run action with workloads to nodes.
Access "Deploy" -> "Log" UI_SUBNAV_DEPLOY_LOG:VIEW Permission that grants the user the rights to see the deployment log entry in the navigation menu and the rights to view the workload deployment log.

Labels

Permission Name Description
Create new label UI_LABEL:CREATE Permission that grants the user the rights to create new labels.
Delete label UI_LABEL:DELETE Permission that grants the user the rights to delete labels.
Edit existing label UI_LABEL:EDIT Permission that grants the user the rights to edit labels.
Group labels by key UI_LABEL:GROUP Permission that grants the user the rights to group labels by key.
Merge labels to one UI_LABEL:MERGE Permission that grants the user the rights to merge multiple labels.
Preview list of labels UI_LABEL:VIEW Permission that grants the user the rights to view the details of a label.

LDAP

Permission Name Description
Show edit button UI_LDAP:MANAGE_LDAP Permission that grants the user the rights to edit the LDAP configuration.
Permission Name Description
Access Datapath Feature Preview UI_NAV_DATAPATH:VIEW Permission that grants the user access to the Data Services feature.
"Deploy" section UI_NAV_DEPLOY:VIEW Permission that grants the user the rights to view the deployment menu.
"Labels" section UI_NAV_LABELS:VIEW Permission that grants the user the rights to see the labels entry in the navigation menu and the rights to list labels.
Show default ldap configuration UI_NAV_LDAP:VIEW Permission that grants the user the rights to see the LDAP entry in the navigation menu.
"Nodes" section UI_NAV_NODES:VIEW Permission that grants the user the rights to see the nodes entry in the navigation menu and the rights to list nodes.
"Remotes" section UI_NAV_REMOTE_CONNECTIONS:VIEW Permission that grants the user the rights to view active remote connections.
"Roles" section UI_NAV_ROLES:VIEW Permission that grants the user the rights to see the roles entry in the navigation menu and the rights to list roles.
Access "Server Log" UI_NAV_SERVER_LOGS:VIEW Permission that grants the user the rights to list internal server logs.
"Users" section UI_NAV_USERS:VIEW Permission that grants the user the rights to see the users entry in the navigation menu and the rights to list users.
"Workloads" section UI_NAV_WORKLOADS:VIEW Permission that grants the user the rights to see the workloads entry in the navigation menu and the rights to list workloads.

Nodes

Permission Name Description
Create new node UI_NODE:CREATE Permission that grants the user the rights to create new nodes.
Delete node UI_NODE:DELETE Permission that grants the user the rights to delete nodes.
Edit existing node UI_NODE:EDIT Permission that grants the user the rights to edit nodes.
Show logs of node UI_NODE:SHOW_LOGS Permission that grants the user the rights to view internal node logs.
Preview node UI_NODE:VIEW Permission that grants the user the rights to view details of a node.
Change a Node logging level configuration UI_NODE_LOG_LEVEL:MANAGE_LOG_LEVELS Permission that grants the user the rights to change the logging level settings of a node.
Delete node update log UI_NODE_UPDATE:LOG_DELETE Permission that grants the user the rights to delete a log entry in the node update log.
Show node update log UI_NODE_UPDATE:LOG_VIEW Permission that grants the user the rights to view the details of a node update log entry.
Update node UI_NODE_UPDATE:UPDATE Permission that grants the user the rights to update a node.
Access "Nodes" -> "Updates" UI_SUBNAV_NODE_UPDATE:VIEW Permission that grants the user the rights to see the updates sub-entry in the navigation menu.
Access "Nodes" -> "Log" UI_SUBNAV_NODE_UPDATE_LOG:VIEW Permission that grants the user the rights to see the log sub-entry in the navigation menu.

Node tree

Permission Name Description
Add new tree item UI_NODE_TREE:ADD Permission that grants the user the rights to add new elements in the node tree.
Delete tree item UI_NODE_TREE:DELETE Permission that grants the user the rights to delete an element of the node tree.
Edit tree item UI_NODE_TREE:EDIT Permission that grants the user the rights to edit an element of the node tree.
Node tree manipulation UI_NODE_TREE:MANIPULATE Permission that grants the user the rights to manipulate the elements of the node tree structure, i.e perform changes to position and order.
Preview node details in Node tree UI_NODE_TREE:NODE_DETAILS Permission that grants the user the rights to view the node details of a node in the node tree.

Remote connections

Permission Name Description
Connect over remote connection UI_REMOTE_CONN:CONNECT Permission that grants the user the rights to connect to a host through a remote connection.
Create remote connection UI_REMOTE_CONN:CREATE Permission that grants the user the rights to establish a new remote connection.
Delete remote connection UI_REMOTE_CONN:DELETE Permission that grants the user the rights to delete remote connections.
Edit remote connection UI_REMOTE_CONN:EDIT Permission that grants the user the rights to edit existing remote connections.
List all remote connections UI_REMOTE_CONN:LIST Permission that grants the user the rights to list all remote connections in the node and workload details.
Preview remote connection UI_REMOTE_CONN:VIEW Permission that grants the user the rights to view the details of a remote connection.
Terminate remote connection UI_REMOTE_CONNECTIONS:TERMINATE Permission that grants the user the rights to terminate active remote connections.

Roles

Permission Name Description
Create new role UI_ROLE:CREATE Permission that grants the user the rights to create new roles.
Delete role UI_ROLE:DELETE Permission that grants the user the rights to delete roles.
Edit role UI_ROLE:EDIT Permission that grants the user the rights to edit roles.
Preview role UI_ROLE:VIEW Permission that grants the user the rights to view the details of a role.

Server log

Permission Name Description
Preview server logs UI_SERVER_LOGS:VIEW Permission that grants the user the rights to list internal server logs.

User menu

Permission Name Description
Create new user profile UI_USER:CREATE Permission that grants the user the rights to create new users.
Delete user profile UI_USER:DELETE Permission that grants the user the rights to delete users.
Edit user profile UI_USER:EDIT Permission that grants the user the rights to edit the profiles of other users.
Preview user profile UI_USER:VIEW Permission that grants the user the rights to view the details of a user.
Edit user settings UI_USER_SETTINGS:UPDATE Permission that grants the user the rights to update their user settings.
Preview user settings UI_USER_SETTINGS:VIEW Permission that grants the user the rights to view their user settings.

Management System update

Permission Name Description
List available Cloud app versions UI_VERSION:LIST Permission that grants the user the rights to list all available versions of the Management System.
Upload Cloud app versions UI_VERSION:UPDATE Permission that grants the user the rights to update the Management System.

Workload management

Permission Name Description
Create new workload UI_WORKLOAD:CREATE Permission that grants the user the rights to create new workloads.
Delete workload UI_WORKLOAD:DELETE Permission that grants the user the rights to delete workloads.
Disable workload UI_WORKLOAD:DISABLE Permission that grants the user the rights to disable workloads.
Edit workload UI_WORKLOAD:EDIT Permission that grants the user the rights to edit workload details (name and description).
Preview workload UI_WORKLOAD:VIEW Permission that grants the user the rights to view the details of a workload.
Create workload version UI_WORKLOAD:VERSION_CREATE Permission that grants the user the rights to create new workload versions.
Delete workload version UI_WORKLOAD:VERSION_DELETE Permission that grants the user the rights to delete workload versions.
Edit workload version UI_WORKLOAD:VERSION_EDIT Permission that grants the user the rights to edit workload versions.
Preview workload version UI_WORKLOAD:VERSION_VIEW Permission that grants the user the rights to view workload versions.
Control deployed workload UI_WORKLOAD_CONTROL:CONTROL Permission that grants the user full control over status and life cycle of workloads deployed to nodes.
List deployed workloads UI_WORKLOAD_CONTROL:LIST Permission that grants the user the rights to list workloads that are deployed to a node.
Preview deployed workloads UI_WORKLOAD_CONTROL:VIEW Permission that grants the user the rights to view the details of a workload deployed to a node.

API permissions

API permissions reflect the permissions of the server backend. They are primarily relevant for automating the Management System through API calls. When creating a role in the Management System for a program, they can be selected without selecting UI permissions beforehand. When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. Note that API permissions should only be handled by persons with expert knowledge.

Adding a new role

When adding a new role, it depends whether the role is going to be created for regular users or programs. When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. When creating a role for a program, API permissions can be selected without selecting UI permissions beforehand. Note that API permissions should only be handled by persons with expert knowledge.

Selecting one permission might automatically select other permissions, which are needed to perform the task indicated by the selected permission. An example: if a user is permitted to deploy a workload, then the same user is also permitted to view the list of workloads. Associated API permissions will also be selected. Note that deselecting a permission might also deselect linked permissions.

  1. Select Roles in the navigation on the left.
  2. Click the plus symbol (Add new role) in the upper-right corner.

    !Add New Role

  3. Enter a Name and a Description at the top.

  4. Select the UI PERMISSIONS tab.
  5. Tick the checkboxes next to the desired permissions.

    !Select UI Permissions

  6. Select the API PERMISSIONS tab.

  7. Tick or untick the permissions that need to be changed.

    !Select API Permissions

    Note

    Make sure to review the selected permissions for completeness before saving the role. The system automatically selects and deselects permissions that are linked and might have added or removed desired permissions when permissions where selected or deselected.

  8. Click Save.

Editing a role

Note that editing the permissions of a role changes the permissions for users who are already assigned this role. Also, note that editing of roles coming from LDAP synchronization is limited. The name and description of a role cannot be edited. Permissions, however, can be edited.

  1. Select Roles in the navigation on the left.
  2. Select a role from the list.

    !Roles List

  3. Edit Name and Description at the top.

  4. Select the UI PERMISSIONS tab.
  5. Tick or untick the permissions that need to be changed.

    !Select UI Permissions

  6. Select the API PERMISSIONS tab.

  7. Tick or untick the permissions that need to be changed.

    !Select API Permissions

    Note

    Make sure to review the selected permissions for completeness before saving the role. The system automatically selects and deselects permissions that are linked and might have added or removed desired permissions when permissions where selected or deselected.

  8. Click Save.

Deleting a role

Note that a role cannot be deleted if it is assigned to a user. Also, note that roles coming from LDAP synchronization cannot be deleted.

  1. Select Roles in the navigation on the left.
  2. Choose a role from the list.
  3. Click the ellipsis menu next to the role.
  4. Select DELETE in the overlay that appeared.

    !Delete Role

  5. Select OK to delete the role.

Assigning a role to a user

Assigning a role is done in the users menu. Users can be assigned multiple roles. A user that is assigned multiple roles is granted the combined permissions of each role.

  1. Select Users in the navigation on the left.
  2. Select a user from the list.

    !User List

  3. Click the field under Role to open a drop-down menu.

  4. Tick one or more roles that will be assigned to this user. Note that at least one role must be selected.

    !Assign Role

  5. Select Update in the lower-right.