Roles and permissions
Note
This page describes the standard roles and permission management in the Nerve Management System. When LDAP authentication is active, roles and permissions are applied according to the LDAP synchronization settings. Refer to LDAP for more information on LDAP synchronization.
Usage of the Management System is restricted by role-based access control (RBAC), meaning that users in the Management System are assigned roles. Each role carries a set of UI permissions and API permissions. Two user roles, Admin and User, are available by default. Multiple roles can be assigned to one user. A user that is assigned multiple roles is granted the combined permissions of each role. Select Roles in the navigation on the left to reach a list of all available roles:
Item | Description |
---|---|
Search bar (1) | Use the search bar to filter roles by name. |
Type filter (2) | Filter the list of roles by authentication method. The target of the filter is the Type column and the options are Local, LDAP and All. |
Add new role (3) | Click here to add a new role. |
Name (4) | This is the name of the role that was defined when it was created. This name is also used when the role is assigned to users. |
Type (5) | This column shows the type of the role according to the authentication method used (Local or LDAP). |
Number of assigned users (6) | The number of users that this role has been assigned to is displayed here. |
Description (7) | This is a description that gives more information about each user role. |
Action (8) | This column contains icons representing different actions. Here, it contains a garbage can icon for deleting roles. |
Note
The Admin role has all UI permissions and a set of API permissions assigned. It cannot be edited or deleted.
The User role has limited permissions assigned per default. It can be further edited.
A user that has the User role assigned is not allowed to perform changes to the system such as adding or removing nodes, creating workloads or establishing remote connections among others. Users with the User role can work with the node tree and deploy workloads to nodes.
UI permissions
UI permissions reflect the permissions of the frontend. They are relevant for user interaction with the Management System. Below is the list of available UI permissions with descriptions.
As some actions depend on other actions, the system automatically selects and deselects permissions, including API permissions that are required for these actions.
Note
When creating a new role for a regular user that will operate the Management System or have access to the node UI, it is advised to use the UI permissions as a starting point and grant API permissions as necessary. However, changes to API permissions should only be done by users with expert knowledge.
The tables below are separated by the part of the Management System the permissions affect.
Workload deployment
Permission | Name | Description |
---|---|---|
Deploy workload | UI_DEPLOY:DEPLOY | Permission that grants the user the rights to deploy a workload to a node. |
Force stop campaign task | UI_DEPLOY:FORCE_CANCEL_ONE | Permission that grants the user access to see the force stop button for a deployment campaign. |
Delete workload deploy log | UI_DEPLOY:LOG_DELETE | Permission that grants the user the rights to delete a log entry in the workload deployment log. |
Reset deployment task | UI_DEPLOY:LOG_RESET | Permission that grants the user the rights to reset a task in the workload deployment log. |
Reset all deployment tasks | UI_DEPLOY:LOG_RESET_ALL | Permission that grants the user the rights to reset all tasks in the workload deployment log. |
Workload deploy log | UI_DEPLOY:LOG_VIEW | Permission that grants the user the rights to view a log entry in the workload deployment log. |
Access "Deploy" -> "Dry run" | UI_SUBNAV_DEPLOY_DRY_RUN:VIEW | Permission that grants the user the rights to see the dry run entry in the navigation menu and the rights to perform the dry run action with workloads to nodes. |
Access "Deploy" -> "Log" | UI_SUBNAV_DEPLOY_LOG:VIEW | Permission that grants the user the rights to see the deployment log entry in the navigation menu and the rights to view the workload deployment log. |
Labels
Permission | Name | Description |
---|---|---|
Create new label | UI_LABEL:CREATE | Permission that grants the user the rights to create new labels. |
Delete label | UI_LABEL:DELETE | Permission that grants the user the rights to delete labels. |
Edit existing label | UI_LABEL:EDIT | Permission that grants the user the rights to edit labels. |
Group labels by key | UI_LABEL:GROUP | Permission that grants the user the rights to group labels by key. |
Merge labels to one | UI_LABEL:MERGE | Permission that grants the user the rights to merge multiple labels. |
List of labels | UI_LABEL:VIEW | Permission that grants the user the rights to view the details of a label. |
LDAP
Permission | Name | Description |
---|---|---|
Show edit button | UI_LDAP:MANAGE_LDAP | Permission that grants the user the rights to edit the LDAP configuration. |
Navigation menu
Permission | Name | Description |
---|---|---|
"Deploy" section | UI_NAV_DEPLOY:VIEW | Permission that grants the user the rights to view the deployment menu. |
"Labels" section | UI_NAV_LABELS:VIEW | Permission that grants the user the rights to see the labels entry in the navigation menu and the rights to list labels. |
Show ldap configuration | UI_NAV_LDAP:VIEW | Permission that grants the user the rights to see the LDAP entry in the navigation menu. |
"Nodes" section | UI_NAV_NODES:VIEW | Permission that grants the user the rights to see the nodes entry in the navigation menu and the rights to list nodes. |
Navigation notification view | UI_NAV_NOTIFICATION:VIEW | Permission that grants the user the rights to see the notifications entry in the navigation menu. |
"Remotes" section | UI_NAV_REMOTE_CONNECTIONS:VIEW | Permission that grants the user the rights to view active remote connections. |
"Roles" section | UI_NAV_ROLES:VIEW | Permission that grants the user the rights to see the roles entry in the navigation menu and the rights to list roles. |
Access "Server Log" | UI_NAV_SERVER_LOGS:VIEW | Permission that grants the user the rights to list internal server logs. |
"Users" section | UI_NAV_USERS:VIEW | Permission that grants the user the rights to see the users entry in the navigation menu and the rights to list users. |
"Workloads" section | UI_NAV_WORKLOADS:VIEW | Permission that grants the user the rights to see the workloads entry in the navigation menu and the rights to list workloads. |
Nodes
Permission | Name | Description |
---|---|---|
Create new node | UI_NODE:CREATE | Permission that grants the user the rights to create new nodes. |
Delete node | UI_NODE:DELETE | Permission that grants the user the rights to delete nodes. |
Edit existing node | UI_NODE:EDIT | Permission that grants the user the rights to edit nodes. |
Node logging and monitoring settings | UI_NODE:LOGGING_AND_MONITORING_SETTINGS | Permission that grants the user the rights to access the logging and monitoring settings of a node. |
Node reboot | UI_NODE:REBOOT | Permission that grants the user the rights to reboot a node. |
Show logs of node | UI_NODE:SHOW_LOGS | Permission that grants the user the rights to view internal node logs. |
Preview node | UI_NODE:VIEW | Permission that grants the user the rights to view details of a node. |
Change a Node logging level configuration | UI_NODE_LOG_LEVEL:MANAGE_LOG_LEVELS | Permission that grants the user the rights to change the logging level settings of a node. |
Delete node update log | UI_NODE_UPDATE:LOG_DELETE | Permission that grants the user the rights to delete a log entry in the node update log. |
Show node update log | UI_NODE_UPDATE:LOG_VIEW | Permission that grants the user the rights to view the details of a node update log entry. |
Update node | UI_NODE_UPDATE:UPDATE | Permission that grants the user the rights to update a node. |
Access "Nodes" -> "Updates" | UI_SUBNAV_NODE_UPDATE:VIEW | Permission that grants the user the rights to see the updates sub-entry in the navigation menu. |
Access "Nodes" -> "Log" | UI_SUBNAV_NODE_UPDATE_LOG:VIEW | Permission that grants the user the rights to see the log sub-entry in the navigation menu. |
Node tree
Permission | Name | Description |
---|---|---|
Add new tree item | UI_NODE_TREE:ADD | Permission that grants the user the rights to add new elements in the node tree. |
Delete tree item | UI_NODE_TREE:DELETE | Permission that grants the user the rights to delete an element of the node tree. |
Edit tree item | UI_NODE_TREE:EDIT | Permission that grants the user the rights to edit an element of the node tree. |
Node tree manipulation | UI_NODE_TREE:MANIPULATE | Permission that grants the user the rights to manipulate the elements of the node tree structure, i.e. perform changes to position and order. |
Preview node details in Node tree | UI_NODE_TREE:NODE_DETAILS | Permission that grants the user the rights to view the node details of a node in the node tree. |
System notifications
Permission | Name | Description |
---|---|---|
Create notification | UI_NOTIFICATION:CREATE | Permission that grants the user the rights to create a system notification. |
Delete notification | UI_NOTIFICATION:DELETE | Permission that grants the user the rights to delete a system notification. |
Edit notification | UI_NOTIFICATION:EDIT | Permission that grants the user the rights to edit an existing system notification. |
View notification | UI_NOTIFICATION:VIEW | Permission that grants the user the rights to view system notifications. |
Remote connections
Permission | Name | Description |
---|---|---|
Connect over remote connection | UI_REMOTE_CONN:CONNECT | Permission that grants the user the rights to connect to a host through a remote connection. |
Create remote connection | UI_REMOTE_CONN:CREATE | Permission that grants the user the rights to establish a new remote connection. |
Delete remote connection | UI_REMOTE_CONN:DELETE | Permission that grants the user the rights to delete remote connections. |
Edit remote connection | UI_REMOTE_CONN:EDIT | Permission that grants the user the rights to edit existing remote connections. |
List all remote connections | UI_REMOTE_CONN:LIST | Permission that grants the user the rights to list all remote connections in the node and workload details. |
Preview remote connection | UI_REMOTE_CONN:VIEW | Permission that grants the user the rights to view the details of a remote connection. |
Terminate remote connection | UI_REMOTE_CONNECTIONS:TERMINATE | Permission that grants the user the rights to terminate active remote connections. |
Roles
Permission | Name | Description |
---|---|---|
Create new role | UI_ROLE:CREATE | Permission that grants the user the rights to create new roles. |
Delete role | UI_ROLE:DELETE | Permission that grants the user the rights to delete roles. |
Edit role | UI_ROLE:EDIT | Permission that grants the user the rights to edit roles. |
Preview role | UI_ROLE:VIEW | Permission that grants the user the rights to view the details of a role. |
Server log
Permission | Name | Description |
---|---|---|
Preview server logs | UI_SERVER_LOGS:VIEW | Permission that grants the user the rights to list internal server logs. |
Usage reports
Permission | Name | Description |
---|---|---|
Access Usage Report Feature Preview | UI_USAGE_REPORT:VIEW | Permission that grants the user the rights to access the usage report page. |
User menu
Permission | Name | Description |
---|---|---|
Create new user profile | UI_USER:CREATE | Permission that grants the user the rights to create new users. |
Delete user profile | UI_USER:DELETE | Permission that grants the user the rights to delete users. |
Edit user profile | UI_USER:EDIT | Permission that grants the user the rights to edit the profiles of other users. |
MFA control for user | UI_USER:MFA | Permission that grants the user the rights to enable/disable MFA. |
Preview user profile | UI_USER:VIEW | Permission that grants the user the rights to view the details of a user. |
Edit user settings | UI_USER_SETTINGS:UPDATE | Permission that grants the user the rights to update their user settings. |
Preview user settings | UI_USER_SETTINGS:VIEW | Permission that grants the user the rights to view their user settings. |
Management System update
Permission | Name | Description |
---|---|---|
List available Cloud app versions | UI_VERSION:LIST | Permission that grants the user the rights to list all available versions of the Management System. |
Upload Cloud app versions | UI_VERSION:UPDATE | Permission that grants the user the rights to update the Management System. |
Workload management
Permission | Name | Description |
---|---|---|
Create new workload | UI_WORKLOAD:CREATE | Permission that grants the user the rights to create new workloads. |
Delete workload | UI_WORKLOAD:DELETE | Permission that grants the user the rights to delete workloads. |
Disable workload | UI_WORKLOAD:DISABLE | Permission that grants the user the rights to disable workloads. |
Edit workload | UI_WORKLOAD:EDIT | Permission that grants the user the rights to edit workload details (name and description). |
Preview workload | UI_WORKLOAD:VIEW | Permission that grants the user the rights to view the details of a workload. |
Create workload version | UI_WORKLOAD:VERSION_CREATE | Permission that grants the user the rights to create new workload versions. |
Delete workload version | UI_WORKLOAD:VERSION_DELETE | Permission that grants the user the rights to delete workload versions. |
Edit workload version | UI_WORKLOAD:VERSION_EDIT | Permission that grants the user the rights to edit workload versions. |
Preview workload version | UI_WORKLOAD:VERSION_VIEW | Permission that grants the user the rights to view workload versions. |
Apply workload configuration | UI_WORKLOAD_CONFIGURATION:APPLY | Permission that grants the user the rights to apply configuration files to a deployed workload. |
Update workload resources | UI_WORKLOAD_CONFIGURATION:UPDATE_RESOURCES | Permission that grants the user the rights to change the allocated resources of a deployed workload. |
Control deployed workload | UI_WORKLOAD_CONTROL:CONTROL | Permission that grants the user full control over status and life cycle of workloads deployed to nodes. |
List deployed workloads | UI_WORKLOAD_CONTROL:LIST | Permission that grants the user the rights to list workloads that are deployed to a node. |
Preview deployed workloads | UI_WORKLOAD_CONTROL:VIEW | Permission that grants the user the rights to view the details of a workload deployed to a node. |
API permissions
API permissions reflect the permissions of the server backend and of the onboarded nodes. Primarily relevant for automating the Management System through API calls, API permissions can also be granted to regular users.
When creating a role in the Management System for a program, API permissions can be selected without selecting UI permissions beforehand.
When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change the Backend API permissions only where required. Note that API permissions should only be handled by persons with expert knowledge.
Server Backend API permissions
Backend API permissions are primarily relevant for automating the Management System through API calls.
Nodes access API permissions
These API permissions reflect the access privileges to the Local UI of all Nerve nodes onboarded to the Management System. Nerve Nodes API permissions directly correspond to the Role-Based Access Control (RBAC) permissions defined in Node Permissions and Users.
Permission | Name | Description |
---|---|---|
Node Administrator | NODE:ADMIN_ACCOUNT | Permission that grants the user full administrator rights on the Local UI of a node. |
Remote Connections Controller | NODE:RC_CONTROLLER_ACCOUNT | Permission that allows a user to view and use Remote Connection on the Local UI of a node. |
Node Viewer | NODE:VIEWER_ACCOUNT | This permission allows users to see the Local UI dashboards but prevents them from making any changes. |
Additionally, these API permissions are available to handle the node local user database:
Permission | Name | Description |
---|---|---|
Delete cached user | NODE_USER_MANAGEMENT:DELETE | Permission that grants the possibility to delete any cached user from the node local user database. |
List cached user | NODE_USER_MANAGEMENT:LIST | Permission to query a list of the local user database content of a node. |
Adding a new role
When adding a new role, the procedure depends on whether the role is going to be created for regular users or for programs. When creating a new role for a regular user that will operate the Management System, use the UI permissions as a starting point and change API permissions only if necessary. When creating a role for a program, API permissions can be selected without selecting UI permissions beforehand. Note that API permissions should only be handled by persons with expert knowledge.
Selecting one permission might automatically select other permissions, which are needed to perform the task indicated by the selected permission. An example: if a user is permitted to deploy a workload, then the same user is also permitted to view the list of workloads. Associated API permissions will also be selected. Note that deselecting a permission might also deselect linked permissions.
- Select Roles in the navigation on the left.
- Click the plus symbol (Add new role) in the upper-right corner.
- Enter a Name and a Description at the top.
- Select the UI PERMISSIONS tab.
- Tick the checkboxes next to the desired permissions.
- Select the API PERMISSIONS tab.
- Tick or untick the permissions that need to be changed.
  Note
  Make sure to review the selected permissions for completeness before saving the role. The system automatically selects and deselects permissions that are linked and might have added or removed desired permissions when permissions were selected or deselected.
- Select Save.
Editing a role
Note that editing the permissions of a role changes the permissions for users who are already assigned this role. Also, note that editing of roles coming from LDAP synchronization is limited. The name and description of a role cannot be edited. Permissions, however, can be edited.
- Select Roles in the navigation on the left.
- Select a role from the list.
- Edit Name and Description at the top.
- Select the UI PERMISSIONS tab.
- Tick or untick the permissions that need to be changed.
- Select the API PERMISSIONS tab.
- Tick or untick the permissions that need to be changed.
  Note
  Make sure to review the selected permissions for completeness before saving the role. The system automatically selects and deselects permissions that are linked and might have added or removed desired permissions when permissions were selected or deselected.
- Select Save.
Deleting a role
Note that a role cannot be deleted if it is assigned to a user. Also, note that roles coming from LDAP synchronization cannot be deleted.
- Select Roles in the navigation on the left.
- Choose a role from the list.
- Select the Delete icon in the Action column.
- Select Yes to delete the role.
Assigning a role to a user
Assigning a role is done in the users menu. Users can be assigned multiple roles. A user that is assigned multiple roles is granted the combined permissions of each role.
- Select Users in the navigation on the left.
- Select a user from the list.
- Select the field under Role to open a drop-down menu.
- Tick one or more roles that will be assigned to this user. Note that at least one role must be selected.
- Select Update in the lower-right.
Note
For the changes to take effect, sign out of the Management System and sign back in again.
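The following is an added illustration, not code from the Nerve Management System, of two behaviours described above: linked permissions that are selected and deselected together (Adding a new role) and the combined permissions of a user with several roles (Assigning a role to a user). The permission names are taken from the tables on this page, but the dependency map and the role definitions are constructed for the example; the page itself only states that deploying a workload implies viewing the workload list.

```python
# Added example (not Nerve Management System code). Models how ticking a
# permission pulls in the permissions it needs, how unticking one drops the
# permissions that depend on it, and how a multi-role user's effective
# permission set is the union of the assigned roles.
from typing import Dict, List, Set

# CONSTRUCTED dependency map: permission -> permissions it requires.
# The first entry follows the page's own example; the others are assumptions.
REQUIRES: Dict[str, Set[str]] = {
    "UI_DEPLOY:DEPLOY": {"UI_NAV_WORKLOADS:VIEW", "UI_NAV_NODES:VIEW"},
    "UI_NAV_WORKLOADS:VIEW": {"UI_WORKLOAD:VIEW"},
    "UI_WORKLOAD:EDIT": {"UI_WORKLOAD:VIEW"},
    "UI_REMOTE_CONN:CONNECT": {"UI_REMOTE_CONN:VIEW"},
}

# CONSTRUCTED review list: permissions from this page whose grant a reviewer
# would want to see explicitly (user/role edits, MFA control, system update,
# full node administration).
HIGH_IMPACT: Set[str] = {
    "UI_USER:EDIT", "UI_USER:MFA", "UI_ROLE:EDIT",
    "UI_VERSION:UPDATE", "NODE:ADMIN_ACCOUNT",
}


def select(selected: Set[str], perm: str) -> Set[str]:
    """Tick perm and, transitively, everything it requires."""
    result, stack = set(selected), [perm]
    while stack:
        p = stack.pop()
        if p in result:
            continue
        result.add(p)
        stack.extend(REQUIRES.get(p, ()))
    return result


def deselect(selected: Set[str], perm: str) -> Set[str]:
    """Untick perm and, transitively, every permission that requires it."""
    result, stack = set(selected), [perm]
    while stack:
        p = stack.pop()
        if p not in result:
            continue
        result.discard(p)
        stack.extend(q for q, reqs in REQUIRES.items() if p in reqs)
    return result


def effective_permissions(roles: Dict[str, Set[str]], assigned: List[str]) -> Set[str]:
    """A user with several roles holds the union of each role's permissions."""
    return set().union(*(roles[name] for name in assigned))


def review_high_impact(perms: Set[str]) -> List[str]:
    """Sorted list of high-impact permissions present, for a least-privilege check."""
    return sorted(perms & HIGH_IMPACT)
```

Running `review_high_impact(effective_permissions(roles, user_roles))` over every user is a quick way to spot accounts that gained a sensitive permission only through the combination of otherwise modest roles.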