Roles and permissions
Note
This page describes the standard roles and permission management in the Nerve Management System. When LDAP authentication is active, roles and permissions are applied according to the LDAP synchronization settings. Refer to LDAP for more information on LDAP synchronization.
Usage of the Management System is restricted by role-based access control (RBAC), meaning that users in the Management System are assigned roles. These roles are assigned a set of UI permissions and API permissions. Three user roles — Admin, User and Data Services Admin — are available by default. Multiple roles can be assigned to one user. A user that is assigned multiple roles is granted the combined permissions of each role. Select Roles in the navigation on the left to reach a list of all available roles:
| Item | Description |
|---|---|
| Search bar (1) | Use the search bar to filter roles by name. |
| Type filter (2) | Filter the list of roles by authentication method. The target of the filter is the TYPE column and the options are Local, LDAP and All. |
| Add new role (3) | Click here to add a new role. |
| NAME (4) | This is the name of the role that was defined when it was created. This name is also used when the role is assigned to users. |
| TYPE (5) | This column shows the type of the role according to the authentication method used:
|
| NUMBER OF ASSIGNED USERS (6) | The number of users that this role has been assigned to is displayed here. |
| DESCRIPTION (7) | This is a description that gives more information about each user role. |
| Ellipsis menu (8) | Clicking here opens an overlay that allows deleting roles. |
The Admin role has all permissions assigned and cannot be edited. The User role has limited permissions. A user that has the User role assigned is not allowed to perform changes to the system such as adding or removing nodes, creating workloads or establishing remote connections among others. Users with the User role can work with the node tree and deploy workloads to nodes.
UI permissions
UI permissions reflect the permissions of the frontend. They are relevant for a users interaction with the Management System. Below is the list of available UI permissions with descriptions.
As some actions depend on other actions, the system automatically selects and deselects permissions, including API permissions that are required for these actions.
When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. However, note that changes to API permissions should only be done by users with expert knowledge.
The tables below are separated by the part of the Management System the permissions affect.
Workload deployment
| Permission | Name | Description |
|---|---|---|
| Deploy workload | UI_DEPLOY:DEPLOY | Permission that grants the user the rights to deploy a workload to a node. |
| Force stop campaign task | UI_DEPLOY:FORCE_CANCEL_ONE | Permission that grants the user access to see the force stop button for a deployment campaign. |
| Delete workload deploy log | UI_DEPLOY:LOG_DELETE | Permission that grants the user the rights to delete a log entry in the workload deployment log. |
| Reset deployment task | UI_DEPLOY:LOG_RESET | Permission that grants the user the rights to reset a task in the workload deployment log. |
| Reset all deployment tasks | UI_DEPLOY:LOG_RESET_ALL | Permission that grants the user the rights to reset all tasks in the workload deployment log. |
| Preview workload deploy log | UI_DEPLOY:LOG_VIEW | Permission that grants the user the rights to view a log entry in the workload deployment log. |
| Access "Deploy" -> "Dry run" | UI_SUBNAV_DEPLOY_DRY_RUN:VIEW | Permission that grants the user the rights to see the dry run entry in the navigation menu and the rights to perform the dry run action with workloads to nodes. |
| Access "Deploy" -> "Log" | UI_SUBNAV_DEPLOY_LOG:VIEW | Permission that grants the user the rights to see the deployment log entry in the navigation menu and the rights to view the workload deployment log. |
Labels
| Permission | Name | Description |
|---|---|---|
| Create new label | UI_LABEL:CREATE | Permission that grants the user the rights to create new labels. |
| Delete label | UI_LABEL:DELETE | Permission that grants the user the rights to delete labels. |
| Edit existing label | UI_LABEL:EDIT | Permission that grants the user the rights to edit labels. |
| Group labels by key | UI_LABEL:GROUP | Permission that grants the user the rights to group labels by key. |
| Merge labels to one | UI_LABEL:MERGE | Permission that grants the user the rights to merge multiple labels. |
| Preview list of labels | UI_LABEL:VIEW | Permission that grants the user the rights to view the details of a label. |
LDAP
| Permission | Name | Description |
|---|---|---|
| Show edit button | UI_LDAP:MANAGE_LDAP | Permission that grants the user the rights to edit the LDAP configuration. |
Navigation menu
| Permission | Name | Description |
|---|---|---|
| Access Data services Feature Preview | UI_NAV_DATA_SERVICES:VIEW | Permission that grants the user access to the Data Services feature. |
| "Deploy" section | UI_NAV_DEPLOY:VIEW | Permission that grants the user the rights to view the deployment menu. |
| "Labels" section | UI_NAV_LABELS:VIEW | Permission that grants the user the rights to see the labels entry in the navigation menu and the rights to list labels. |
| Show default ldap configuration | UI_NAV_LDAP:VIEW | Permission that grants the user the rights to see the LDAP entry in the navigation menu. |
| "Nodes" section | UI_NAV_NODES:VIEW | Permission that grants the user the rights to see the nodes entry in the navigation menu and the rights to list nodes. |
| "Remotes" section | UI_NAV_REMOTE_CONNECTIONS:VIEW | Permission that grants the user the rights to view active remote connections. |
| "Roles" section | UI_NAV_ROLES:VIEW | Permission that grants the user the rights to see the roles entry in the navigation menu and the rights to list roles. |
| Access "Server Log" | UI_NAV_SERVER_LOGS:VIEW | Permission that grants the user the rights to list internal server logs. |
| "Users" section | UI_NAV_USERS:VIEW | Permission that grants the user the rights to see the users entry in the navigation menu and the rights to list users. |
| "Workloads" section | UI_NAV_WORKLOADS:VIEW | Permission that grants the user the rights to see the workloads entry in the navigation menu and the rights to list workloads. |
Nodes
| Permission | Name | Description |
|---|---|---|
| Create new node | UI_NODE:CREATE | Permission that grants the user the rights to create new nodes. |
| Delete node | UI_NODE:DELETE | Permission that grants the user the rights to delete nodes. |
| Edit existing node | UI_NODE:EDIT | Permission that grants the user the rights to edit nodes. |
| Node logging and monitoring settings | UI_NODE:LOGGING_AND_MONITORING_SETTINGS | Permission that grants the user the rights to access the logging and monitoring settings of a node. |
| Node reboot | UI_NODE:REBOOT | Permission that grants the user the rights to reboot a node. |
| Show logs of node | UI_NODE:SHOW_LOGS | Permission that grants the user the rights to view internal node logs. |
| Preview node | UI_NODE:VIEW | Permission that grants the user the rights to view details of a node. |
| Change a Node logging level configuration | UI_NODE_LOG_LEVEL:MANAGE_LOG_LEVELS | Permission that grants the user the rights to change the logging level settings of a node. |
| Delete node update log | UI_NODE_UPDATE:LOG_DELETE | Permission that grants the user the rights to delete a log entry in the node update log. |
| Show node update log | UI_NODE_UPDATE:LOG_VIEW | Permission that grants the user the rights to view the details of a node update log entry. |
| Update node | UI_NODE_UPDATE:UPDATE | Permission that grants the user the rights to update a node. |
| Access "Nodes" -> "Updates" | UI_SUBNAV_NODE_UPDATE:VIEW | Permission that grants the user the rights to see the updates sub-entry in the navigation menu. |
| Access "Nodes" -> "Log" | UI_SUBNAV_NODE_UPDATE_LOG:VIEW | Permission that grants the user the rights to see the log sub-entry in the navigation menu. |
Node tree
| Permission | Name | Description |
|---|---|---|
| Add new tree item | UI_NODE_TREE:ADD | Permission that grants the user the rights to add new elements in the node tree. |
| Delete tree item | UI_NODE_TREE:DELETE | Permission that grants the user the rights to delete an element of the node tree. |
| Edit tree item | UI_NODE_TREE:EDIT | Permission that grants the user the rights to edit an element of the node tree. |
| Node tree manipulation | UI_NODE_TREE:MANIPULATE | Permission that grants the user the rights to manipulate the elements of the node tree structure, i.e perform changes to position and order. |
| Preview node details in Node tree | UI_NODE_TREE:NODE_DETAILS | Permission that grants the user the rights to view the node details of a node in the node tree. |
System notifications
| Permission | Name | Description |
|---|---|---|
| Create notification | UI_NOTIFICATION:CREATE | Permission that grants the user the rights to create a system notification. |
| Delete notification | UI_NOTIFICATION:DELETE | Permission that grants the user the rights to delete a system notification. |
| Edit notification | UI_NOTIFICATION:EDIT | Permission that grants the user the rights to edit an existing system notification. |
| View notification | UI_NOTIFICATION:VIEW | Permission that grants the user the rights to view system notifications. |
Remote connections
| Permission | Name | Description |
|---|---|---|
| Connect over remote connection | UI_REMOTE_CONN:CONNECT | Permission that grants the user the rights to connect to a host through a remote connection. |
| Create remote connection | UI_REMOTE_CONN:CREATE | Permission that grants the user the rights to establish a new remote connection. |
| Delete remote connection | UI_REMOTE_CONN:DELETE | Permission that grants the user the rights to delete remote connections. |
| Edit remote connection | UI_REMOTE_CONN:EDIT | Permission that grants the user the rights to edit existing remote connections. |
| List all remote connections | UI_REMOTE_CONN:LIST | Permission that grants the user the rights to list all remote connections in the node and workload details. |
| Preview remote connection | UI_REMOTE_CONN:VIEW | Permission that grants the user the rights to view the details of a remote connection. |
| Terminate remote connection | UI_REMOTE_CONNECTIONS:TERMINATE | Permission that grants the user the rights to terminate active remote connections. |
Roles
| Permission | Name | Description |
|---|---|---|
| Create new role | UI_ROLE:CREATE | Permission that grants the user the rights to create new roles. |
| Delete role | UI_ROLE:DELETE | Permission that grants the user the rights to delete roles. |
| Edit role | UI_ROLE:EDIT | Permission that grants the user the rights to edit roles. |
| Preview role | UI_ROLE:VIEW | Permission that grants the user the rights to view the details of a role. |
Server log
| Permission | Name | Description |
|---|---|---|
| Preview server logs | UI_SERVER_LOGS:VIEW | Permission that grants the user the rights to list internal server logs. |
Usage reports
| Permission | Name | Description |
|---|---|---|
| Access Usage Report Feature Preview | UI_USAGE_REPORT:VIEW | Permission that grants the user the rights to access the usage report page. |
User menu
| Permission | Name | Description |
|---|---|---|
| Create new user profile | UI_USER:CREATE | Permission that grants the user the rights to create new users. |
| Delete user profile | UI_USER:DELETE | Permission that grants the user the rights to delete users. |
| Edit user profile | UI_USER:EDIT | Permission that grants the user the rights to edit the profiles of other users. |
| Preview user profile | UI_USER:VIEW | Permission that grants the user the rights to view the details of a user. |
| Edit user settings | UI_USER_SETTINGS:UPDATE | Permission that grants the user the rights to update their user settings. |
| Preview user settings | UI_USER_SETTINGS:VIEW | Permission that grants the user the rights to view their user settings. |
Management System update
| Permission | Name | Description |
|---|---|---|
| List available Cloud app versions | UI_VERSION:LIST | Permission that grants the user the rights to list all available versions of the Management System. |
| Upload Cloud app versions | UI_VERSION:UPDATE | Permission that grants the user the rights to update the Management System. |
Workload management
| Permission | Name | Description |
|---|---|---|
| Create new workload | UI_WORKLOAD:CREATE | Permission that grants the user the rights to create new workloads. |
| Delete workload | UI_WORKLOAD:DELETE | Permission that grants the user the rights to delete workloads. |
| Disable workload | UI_WORKLOAD:DISABLE | Permission that grants the user the rights to disable workloads. |
| Edit workload | UI_WORKLOAD:EDIT | Permission that grants the user the rights to edit workload details (name and description). |
| Preview workload | UI_WORKLOAD:VIEW | Permission that grants the user the rights to view the details of a workload. |
| Create workload version | UI_WORKLOAD:VERSION_CREATE | Permission that grants the user the rights to create new workload versions. |
| Delete workload version | UI_WORKLOAD:VERSION_DELETE | Permission that grants the user the rights to delete workload versions. |
| Edit workload version | UI_WORKLOAD:VERSION_EDIT | Permission that grants the user the rights to edit workload versions. |
| Preview workload version | UI_WORKLOAD:VERSION_VIEW | Permission that grants the user the rights to view workload versions. |
| Apply workload configuration | UI_WORKLOAD_CONFIGURATION:APPLY | Permission that grants the user the rights to apply configuration files to a deployed workload. |
| Update workload resources | UI_WORKLOAD_CONFIGURATION:UPDATE_RESOURCES | Permission that grants the user the rights to change the allocated resources of a deployed workload. |
| Control deployed workload | UI_WORKLOAD_CONTROL:CONTROL | Permission that grants the user full control over status and life cycle of workloads deployed to nodes. |
| List deployed workloads | UI_WORKLOAD_CONTROL:LIST | Permission that grants the user the rights to list workloads that are deployed to a node. |
| Preview deployed workloads | UI_WORKLOAD_CONTROL:VIEW | Permission that grants the user the rights to view the details of a workload deployed to a node. |
API permissions
API permissions reflect the permissions of the server backend. They are primarily relevant for automating the Management System through API calls. When creating a role in the Management System for a program, they can be selected without selecting UI permissions beforehand. When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. Note that API permissions should only be handled by persons with expert knowledge.
Adding a new role
When adding a new role, it depends whether the role is going to be created for regular users or programs. When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. When creating a role for a program, API permissions can be selected without selecting UI permissions beforehand. Note that API permissions should only be handled by persons with expert knowledge.
Selecting one permission might automatically select other permissions, which are needed to perform the task indicated by the selected permission. An example: if a user is permitted to deploy a workload, then the same user is also permitted to view the list of workloads. Associated API permissions will also be selected. Note that deselecting a permission might also deselect linked permissions.
- Select Roles in the navigation on the left.
-
Click the plus symbol (Add new role) in the upper-right corner.
-
Enter a Name and a Description at the top.
- Select the UI PERMISSIONS tab.
-
Tick the checkboxes next to the desired permissions.
-
Select the API PERMISSIONS tab.
-
Tick or untick the permissions that need to be changed.
Note
Make sure to review the selected permissions for completeness before saving the role. The system automatically selects and deselects permissions that are linked and might have added or removed desired permissions when permissions where selected or deselected.
-
Click Save.
Editing a role
Note that editing the permissions of a role changes the permissions for users who are already assigned this role. Also, note that editing of roles coming from LDAP synchronization is limited. The name and description of a role cannot be edited. Permissions, however, can be edited.
- Select Roles in the navigation on the left.
-
Select a role from the list.
-
Edit Name and Description at the top.
- Select the UI PERMISSIONS tab.
-
Tick or untick the permissions that need to be changed.
-
Select the API PERMISSIONS tab.
-
Tick or untick the permissions that need to be changed.
Note
Make sure to review the selected permissions for completeness before saving the role. The system automatically selects and deselects permissions that are linked and might have added or removed desired permissions when permissions where selected or deselected.
-
Click Save.
Deleting a role
Note that a role cannot be deleted if it is assigned to a user. Also, note that roles coming from LDAP synchronization cannot be deleted.
- Select Roles in the navigation on the left.
- Choose a role from the list.
- Click the ellipsis menu next to the role.
-
Select DELETE in the overlay that appeared.
-
Select OK to delete the role.
Assigning a role to a user
Assigning a role is done in the users menu. Users can be assigned multiple roles. A user that is assigned multiple roles is granted the combined permissions of each role.
- Select Users in the navigation on the left.
-
Select a user from the list.
-
Click the field under Role to open a drop-down menu.
-
Tick one or more roles that will be assigned to this user. Note that at least one role must be selected.
-
Select Update in the lower-right.