Authorization overview

SInce 7.0

MetalSoft implements both Role-based Access Control and Attribute-Based Access control.

Concepts and relationships

These are the elements that control access to resources:

  • An User can be assigned a single Role at a time. The default role for Users is the built-in “User” role.

  • A Role has one or more Permissions. Roles are shared across multiple users.

  • A Permission is described by:

    • a Subject (a VM, A Server etc.)

    • an Actions (Create, List, Read etc.)

    • a list of Fields (such as “label”. These are the fields on the Subject’s object that can be manipulated)

    • A list of Conditions such as { status: { $in: ['deployed', 'active'] } }

Roles and Permissions

MetalSoft provides a series of built-in Roles and Permissions and allows the creation of custom ones.

Authentication methods

Separately, MetalSoft uses multiple forms of authentication:

  1. Built-in

  2. LDAP-based

  3. SAML-based

More than one form of authentication can be active at any given time. Use Global Configurations > Authentication to manage them.

Consult Authentication Overview for more details.

Resource ownership

Many resources have an owner associated with them. In that case some resources (such as OS templates and Workflows) will not be visible to the other admins until they are published. This is controlled by a property called visibility. Set the visibility to ‘public’ to share the resource with other users.

The “Billable” account

Only infrastructures that are owned by a Billable account can be deployed. Normally in an organization only one account will have Billing activated such as by adding a credit card. This flag can also be used by an external Billing system to determine who needs to be invoiced.

User limits

Users also have various Limits associated with them such as the maximum number of servers an account can provision. These are added to prevent abuse or Denial-of-Service type attacks. Use the Users & Permissions//Limits section to change these limits.

Accounts

An account typically maps to a company that has multiple Users and includes billing information. Default Limits can be set on the Account and all Users will inherit those custom limits.

Delegation

To simplify permission management users can share access to specific Infrastructures to other users via the Infrastructure > Infrastructure Settings > Sharing as well as share their entire account.