Introduction
A Role is an access privilege that can be assigned to Users. In ZEDEDA Cloud, a role can be defined across activities such as Create, Monitor, Operate, and Remove (CRUD activities). The permissions are then applied to various objects such as Edge Node, Edge Applications, Users, and Enterprises.
The following illustration shows how a particular user may be linked with the objects and permissions.
Role-based permissions for users
In ZEDEDA, each user role has access to the projects in scope and the level of CRUD permissions across objects. The permissions are applied for each of the objects such as Edge Node, Edge Application, Users, and Enterprise. However, the creation and removal permissions for the Enterprise objects rest only with the ZEDEDA admin.
ZEDEDA Cloud operates with predefined roles and their capabilities as follows:
- SysAdmin - Members of the system admin role can perform CRUD activities for each of the objects (except create and remove enterprises). Only users with this role can create, operate, or remove other users. The scope is across all projects in the enterprises.
- SysManager - Members of the system manager can perform CRUD activities only for Edge Node and Edge Application objects for the projects in scope as permitted. A system manager can only monitor User permissions.
- SysMonitor - Members of the system monitor can only monitor the projects in scope across the Edge Node, Edge Application, and Users objects.
- SysOperator - System operator members can monitor and operate the projects in scope across the Edge Node and Edge Application objects. This role user can monitor the User object.
When the system admin creates new users, one of the predefined role templates has to be selected.
Note: You cannot create a custom permission set. You can only choose the project(s) and permissions template to create a custom role.
Project scope
All roles are project-based, and a role can be defined per project. For example, the system admin can give a particular user access to only a particular project. In that case, the user cannot access other projects under the Enterprise.
The following diagram shows the details of Project-based access (one or more than one).
List View
After you log in to the ZEDEDA GUI:
- Click on the Administration icon.
- Click on 'Roles'.
Detail View
- Click on any of the Roles in the list view to show the detailed view of the same.
- A temporary tab is created, navigating you to the detailed view of the selected Role.
Operations using the ZEDEDA GUI
The following are the Role operations:
Create
The create operation can be performed in the Roles list view only. After you log in to the ZEDEDA GUI, create a custom role using the following steps:
- Click on the Add icon.
- Populate the input field values such as 'Name', 'Title', and 'Description'.
- Select the 'Projects' to which this particular role has to be given access, along with the 'Permissions Template.'
- Click on the 'Add' button.
- When you click on the 'Add' button, the new Role, named 'test', is added to the Roles list.
Read
The read operation can be performed in the Roles detail view only. After you log in to the ZEDEDA GUI, click on the Administration icon and select 'Roles' to go to the already available roles list. Click on any of the Roles in the list view to show the detailed view of the same.
The read view shows only the 'Basic Info' section.
Basic Info
Shows the details when the Role is created.
Note: The default Roles which are present cannot be Edited or Updated.
Update (Edit)
The update operation can be performed in the Roles detail view only. After you log in to the ZEDEDA GUI, click on the Administration icon and select 'Roles' to go to the already available roles list. Click on any of the Roles in the list view to show the detailed view of the same.
Basic Info
Update/edit a custom role using the following steps:
- Click on the Edit icon.
- Update the editable fields.
- Click on the 'Submit' button.
- When you click on the 'Submit' button, the custom Role is updated successfully!
Delete
The delete operation can be performed in the Roles list and detail view. After you log in to the ZEDEDA GUI, if you no longer require the custom role, you could delete it using the following steps:
Note: You can perform the delete operation on either the List View or Detail View screen. For simplicity, we will follow the workflow for deleting multiple custom roles, which you can carry out from the list view.
- Click on the custom role list.
- Select the check boxes of the roles on which the operation needs to be performed.
- Click on the More icon in the top right corner.
- From the dropdown, select 'Delete'.
- Click the 'Confirm' button on the modal dialogue.
- When you click on the 'Confirm' button, a toast message announcing the successful submission of the deleted Role appears.
Note: There is no way to reclaim the data after the delete operation is performed.
The selected custom Role is deleted successfully!
Operations Using zCLI
Create
You can create a Role using the following command:
zcli> zcli role create <name> --access-right=<object-access>... [--title=<title>] [--description=<description>]
Read (Show)
You can use the following command to see the created Role details:
zcli> zcli role show [[[<name> |--self | --uuid=<uuid>] [--detail]] | [[--project=<project>] [--name-pattern=<name-pattern>]]]
For example, the show command for Role displays the following output:
zcli> zcli role show
Role         E-Scope  P-Scope  EdgeNodeAccess Apps Access  User Access  EntrpriseAccess
------------ -------- -------- -------------- ------------ ------------ ----------------
SysMonitor   local    All      R              R            R
SysOperator  local    All      RU             RU           R
SysAdmin     local    All      CRUD           CRUD         CRUD         RU
SysManager   local    All      CRUD           CRUD         R
Total 4
zcli>
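The role table above has empty cells and headers that contain spaces, so splitting rows on whitespace assigns values to the wrong column. The following added example (not part of the ZEDEDA documentation or zCLI) parses the table by the dash ruler and lists roles that can create or remove users; the sample text is constructed from the output shown, and reading C and D as create and remove is an assumption.

```python
import re

# Constructed sample: the `zcli role show` table from this page, aligned to its dash ruler.
SAMPLE = """\
Role         E-Scope  P-Scope  EdgeNodeAccess Apps Access  User Access  EntrpriseAccess
------------ -------- -------- -------------- ------------ ------------ ----------------
SysMonitor   local    All      R              R            R
SysOperator  local    All      RU             RU           R
SysAdmin     local    All      CRUD           CRUD         CRUD         RU
SysManager   local    All      CRUD           CRUD         R
Total 4
"""

def parse_role_table(text):
    """Return one dict per role, keyed by header name; empty cells become ''."""
    lines = text.splitlines()
    # The dash ruler is the only reliable source of column boundaries:
    # headers contain spaces ("Apps Access") and trailing cells may be blank.
    ruler_idx = next(i for i, l in enumerate(lines)
                     if re.fullmatch(r"-+( -+)+", l.strip()))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))

    def cut(line):
        return [line[a:b].strip() for a, b in bounds]

    header = cut(lines[ruler_idx - 1])
    rows = []
    for line in lines[ruler_idx + 1:]:
        if not line.strip() or line.startswith("Total"):
            continue  # skip blanks and the "Total N" footer
        rows.append(dict(zip(header, cut(line))))
    return rows

def roles_granting(rows, column, rights):
    """Names of roles whose cell in `column` contains any letter in `rights`."""
    return [r["Role"] for r in rows if set(r[column]) & set(rights)]

def unexpected_user_admins(rows, allowed=("SysAdmin",)):
    """Roles able to create or remove users that are not on the allow-list."""
    # Assumption: C = create and D = remove in the access columns.
    return [n for n in roles_granting(rows, "User Access", "CD") if n not in allowed]

if __name__ == "__main__":
    rows = parse_role_table(SAMPLE)
    print("Can create/remove users:", roles_granting(rows, "User Access", "CD"))
    print("Outside allow-list:", unexpected_user_admins(rows))
```

Run against saved `zcli role show` output after custom roles are added to confirm that only the expected roles hold user-management rights.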
Update (Edit)
You can update a Role using the following command:
zcli> zcli role update <name> [--access-right=<object-access>...] [--title=<title>] [--description=<description>]
Delete
You can delete a Role using the following command:
zcli> zcli role delete <name> [-f]
Note: -f forces the delete request to ZEDEDA Cloud without prompting the user.
Role operations are successfully executed!