Introduction
Role-based permissions for users
- SysAdmin - Members of the SysAdmin role can perform CRUD operations on every object, except that they cannot create or remove enterprises. Of the roles visible to general users, only this one can create, operate, or remove other users. The scope of these permissions is all projects in the enterprise.
- SysManager - Members of the SysManager role can perform CRUD operations, but only on edge node and edge app objects within a specific project. A user with the SysManager role can only monitor (read) user objects and their permissions.
- SysMonitor - Members of the system monitor role can only monitor the projects in scope across the edge node, edge app, and users objects.
- SysOperator - System operator members can monitor and operate the projects in scope across the edge node and edge app objects. This role user can monitor user objects.
- CSadmin - Members of the CSadmin role can perform CRUD activities for all objects (including enterprises and users) across all projects. However, members of this role cannot create or delete edge nodes. This role is exclusively for CS personnel and is hidden from general users.
- SysRoot - Members of the SysRoot role have unrestricted access and can perform all CRUD activities on all objects within the system, across all enterprises and projects. This includes the ability to create, operate, and remove users, manage enterprises, and control all aspects of edge nodes and edge apps. This role has the highest level of administrative privileges and is hidden from general users.
Project scope
User permissions and roles that define access levels are tied to individual projects rather than applying across an entire organization, and the roles can be customized per project. For example, the system admin can grant a user access to one particular project only; that user then cannot access any other project under the enterprise.
The following diagram shows project-based access with three separate projects (Project A, Project B, and Project N). Each project has its own set of roles, customized from the system default roles and bound to that project: for example, SysAdmin A, SysAdmin B, and SysAdmin N.
List View
- Log into ZEDEDA GUI.
- From the left panel, go to Administration > Roles.
- Observe the roles in the table:
- Name - this column displays the name of the default roles. For example, SysAdmin, SysManager, SysMonitor, and any custom roles you have created.
- Projects - this column displays the scope of the role in terms of projects: either All Projects or a specific set of projects.
- Permission Type - this column describes the nature of the permissions associated with the role. This can be one of the default values or a custom (user-created) value.
- Tags - this column displays any configured tags for the roles. These are commonly used to assist in the categorization of roles.
Detail View
- Click on any of the roles in the list view.
- The detailed view of this role appears.
- You can click the edit icon at upper right. See update (edit) below for more.
Operations Using the ZEDEDA GUI
Create (Add)
- Log into ZEDEDA GUI.
- From the left panel, go to Administration > Roles.
- Click the Add icon at the top right of the page.
- Enter the Name and Title of your choice.
- Enter a Project Tags key-value pair (optional). A tag is a label or category assigned to projects; a tag on the role restricts what a user with this role can manage.
- In the Permissions section, select the Project to which this role will have access.
By default, all projects are selected, but you can select a specific project from the drop-down menu to add permissions in a more granular way.
- If using the granular approach, select the desired Project from the drop-down and then select the ‘CRUD’ permissions you want for your customized role. For example, for Enterprise objects you could click Add and Monitor to allow this role to add and monitor enterprises, while leaving Remove unselected so that users with this role cannot delete an enterprise.
- Select the ‘CRUD’ permissions for each of the objects, such as Enterprise, Users, Edge Nodes, Edge Apps, Edge App Instances, and 3rd-Party Integrations.
- You can repeat this process of assigning ‘CRUD’ permissions for a different project by clicking the plus icon.
- Click Add.
Read (Monitor)
- Log into ZEDEDA GUI.
- From the left panel, go to Administration > Roles.
- Click on the desired role in the list view to display the detailed view of the role.
- The read view displays a 'Basic Info' section.
Update (Edit)
- Click the Edit icon.
- Update the editable fields, such as title, tags or permissions.
- Click Save.
- The custom role is updated successfully.
Delete (Remove)
- Go to the list view of custom roles.
- Check the boxes of the roles you want to delete.
- Click on More actions at upper right.
- From the dropdown, select Delete.
- Click Delete from the modal dialog to confirm.
- A toast message confirms the role has been deleted.
Operations Using ZEDEDA CLI
Create
zcli> zcli role create <name> --access-right=<object-access>... [--title=<title>] [--description=<description>]
Example:
The following example uses the --access-right=<object-access> parameter to create a role called MY_ROLE with read access to users, full access to edge nodes, edge apps and enterprise integration items (third-party integrations), scope limited to its own enterprise, and access to MY_PROJECT only.
zcli role create MY_ROLE --access-right="user:r,edge-node:crud,edge-app:crud,enterprise-integration-items:crud,enterprise-scope:local,project-scope:MY_PROJECT"
Excerpt from the ZCLI man page:
--access-right=<object-access>
Scope and Right to access objects. Define access permissions using
object:action format.
Object types:
- user: User management
- edge-node: Edge node/device management
- edge-app: Edge application management
- app-instance: Application instance management
- enterprise: Enterprise management
- enterprise-integration-items: Enterprise integration items
management
Action types (combine letters for multiple permissions):
- c: Create permission
- r: Read permission
- u: Update permission
- d: Delete permission
- crud: Full permissions (Create, Read, Update, Delete)
Scope filters:
- enterprise-scope: Define enterprise access scope
* local: Access to own enterprise only
* global: Access to all enterprises
- project-scope: Define project access scope (space-separated
project names)
* Use project names to limit access to specific projects
* If not specified, defaults to all projects (srAll)
Example: '--access-right="user:r,edge-node:crud,edge-
app:crud,enterprise-integration-items:crud,enterprise-
scope:local,project-scope:project-a project-b"'
Multiple scopes can be specified by repeating this option
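Before running `zcli role create`, it is worth validating the --access-right string against the grammar in the man page excerpt above and checking it for unnecessary breadth, since a typo such as an unknown object name or a missing project-scope silently widens what the role grants. The following is an added example, not ZEDEDA's code: it parses a spec into rights and scopes, rebuilds it, and flags settings wider than the MY_ROLE pattern used on this page. The default enterprise scope and the warning rules are this example's own assumptions, not documented zcli behaviour.

```python
"""Parse, validate and build zcli --access-right specifications.

Added example, not ZEDEDA's code. The grammar (object:action items plus
enterprise-scope and project-scope filters) follows the man page excerpt;
the default scope and the least-privilege checks are assumptions made here.
"""

OBJECT_TYPES = {
    "user", "edge-node", "edge-app", "app-instance",
    "enterprise", "enterprise-integration-items",
}
ACTION_LETTERS = set("crud")
ENTERPRISE_SCOPES = {"local", "global"}


def parse_access_right(spec: str) -> dict:
    """Split a comma-separated spec into rights and scopes, rejecting anything the
    man page does not allow (unknown object, bad action letter, bad scope value)."""
    rights: dict[str, set[str]] = {}
    enterprise_scope = "local"      # assumed default when the filter is omitted
    project_scope: list[str] = []   # empty means all projects ("srAll" in the man page)
    for item in spec.split(","):
        key, sep, value = item.strip().partition(":")
        if not sep or not value:
            raise ValueError(f"expected object:action or scope:value, got {item!r}")
        if key == "enterprise-scope":
            if value not in ENTERPRISE_SCOPES:
                raise ValueError(f"enterprise-scope must be local or global, got {value!r}")
            enterprise_scope = value
        elif key == "project-scope":
            project_scope = value.split()   # space-separated project names
        elif key in OBJECT_TYPES:
            actions = set(value)
            if not actions <= ACTION_LETTERS:
                raise ValueError(f"actions for {key} must be letters of 'crud', got {value!r}")
            if key in rights:
                raise ValueError(f"object {key} listed twice")
            rights[key] = actions
        else:
            raise ValueError(f"unknown object type {key!r}")
    return {"rights": rights, "enterprise_scope": enterprise_scope,
            "project_scope": project_scope}


def build_access_right(rights: dict, enterprise_scope: str = "local", projects=()) -> str:
    """Inverse of parse_access_right: emit a spec string for `zcli role create`."""
    parts = [f"{obj}:{''.join(a for a in 'crud' if a in acts)}" for obj, acts in rights.items()]
    parts.append(f"enterprise-scope:{enterprise_scope}")
    if projects:
        parts.append("project-scope:" + " ".join(projects))
    return ",".join(parts)


def overprivilege_warnings(parsed: dict) -> list[str]:
    """Settings that widen a role beyond the project-scoped, read-only-on-users
    pattern of the MY_ROLE example (rules are this example's assumptions)."""
    warnings = []
    r = parsed["rights"]
    if parsed["enterprise_scope"] == "global":
        warnings.append("enterprise-scope:global reaches every enterprise")
    if not parsed["project_scope"]:
        warnings.append("no project-scope: role applies to all projects")
    if r.get("user", set()) & {"c", "u", "d"}:
        warnings.append("user:c/u/d lets holders create or modify other users (escalation path)")
    if "d" in r.get("enterprise", set()):
        warnings.append("enterprise:d allows deleting the enterprise")
    return warnings


if __name__ == "__main__":
    spec = ("user:r,edge-node:crud,edge-app:crud,enterprise-integration-items:crud,"
            "enterprise-scope:local,project-scope:MY_PROJECT")
    parsed = parse_access_right(spec)
    print(parsed, overprivilege_warnings(parsed))
    print(build_access_right(parsed["rights"], parsed["enterprise_scope"], parsed["project_scope"]))
```

Run the check on a spec before passing it to zcli; an empty warning list for the page's MY_ROLE spec and a non-empty one for anything carrying user:crud or enterprise-scope:global is the behaviour to expect.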
Read (Show)
zcli> zcli role show [[[<name> |--self | --uuid=<uuid>] [--detail]] | [[--project=<project>] [--name-pattern=<name-pattern>]]]
zcli> zcli role show
Role         E-Scope  P-Scope  EdgeNodeAccess Apps Access  User Access  EntrpriseAccess
------------ -------- -------- -------------- ------------ ------------ ----------
SysMonitor   local    All      R              R            R
SysOperator  local    All      RU             RU           R
SysAdmin     local    All      CRUD           CRUD         CRUD         RU
SysManager   local    All      CRUD           CRUD         R
Total 4
zcli>
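Auditing which roles can manage users or enterprises means reading the table above programmatically, and a naive whitespace split gets it wrong: the "Apps Access" and "User Access" headers contain spaces, and SysMonitor's empty enterprise column would shift the row. The following added example (not ZEDEDA's code) parses the table by the dash runs in the ruler line instead. The sample text is constructed from the table on this page, keeping its column names as printed; treating the ruler as the column definition is an assumption about zcli's output format.

```python
"""Parse the fixed-width table printed by `zcli role show` and query it.

Added example, not ZEDEDA's code. SAMPLE_ROLE_SHOW is constructed from the
table on this page (same columns and rows, including the "EntrpriseAccess"
header spelling); using the ruler line's dash runs as column spans is an
assumption about zcli's formatting.
"""
import re

SAMPLE_ROLE_SHOW = """\
zcli> zcli role show
Role         E-Scope  P-Scope  EdgeNodeAccess Apps Access  User Access  EntrpriseAccess
------------ -------- -------- -------------- ------------ ------------ ----------
SysMonitor   local    All      R              R            R
SysOperator  local    All      RU             RU           R
SysAdmin     local    All      CRUD           CRUD         CRUD         RU
SysManager   local    All      CRUD           CRUD         R
Total 4
"""


def parse_role_table(text: str) -> dict[str, dict[str, str]]:
    """Return {role_name: {column_name: cell}}.

    Column boundaries come from the ruler line, so a blank trailing cell
    (SysMonitor's enterprise access) stays empty instead of shifting the row.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ruler_idx = next(i for i, ln in enumerate(lines) if set(ln) <= {"-", " "})
    header, ruler = lines[ruler_idx - 1], lines[ruler_idx]
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    spans = list(zip(starts, starts[1:] + [None]))   # last column runs to end of line
    columns = [header[a:b].strip() for a, b in spans]
    roles: dict[str, dict[str, str]] = {}
    for row in lines[ruler_idx + 1:]:
        if row.startswith("Total"):   # footer line, not a role
            break
        cells = [row[a:b].strip() for a, b in spans]
        roles[cells[0]] = dict(zip(columns[1:], cells[1:]))
    return roles


def roles_with_right(roles: dict, column: str, letter: str) -> list[str]:
    """Names of roles whose cell in `column` contains the CRUD letter `letter`."""
    return sorted(name for name, r in roles.items() if letter in r.get(column, ""))


if __name__ == "__main__":
    roles = parse_role_table(SAMPLE_ROLE_SHOW)
    print("can create users:", roles_with_right(roles, "User Access", "C"))
    print("can delete edge nodes:", roles_with_right(roles, "EdgeNodeAccess", "D"))
```

Pipe the real `zcli role show` output into parse_role_table to list, for instance, every role that can create users; on the page's default roles that is SysAdmin alone, matching the role descriptions in the introduction.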
Update (Edit)
zcli> zcli role update <name> [--access-right=<object-access>...] [--title=<title>] [--description=<description>]
Example:
zcli role update MY_ROLE --access-right="user:r,edge-node:r,edge-app:r,enterprise-integration-items:r,enterprise-scope:local,project-scope:MY_PROJECT"
Delete
zcli> zcli role delete <name> [-f]