Built-in roles and permissions

MetalSoft provides several built-in roles that cannot be edited:

• Root - Highest level.

• Full Admin - Similar to Root but cannot put the system into maintenance

• Basic Admin - Primarily read only across all admin resources

• User - Access only to infrastructures and the user interface

Custom roles can also be created. In general, the permissions follow the Admin UI providing with read and write to the respective resources. For example the workflow_read will allow a read-only view of the Workflows section. Having workflow_write will allow you to edit the workflows.

Built-in permissions

The following are built-in permissions. Custom ones can also be created and assigned to roles.

Users related permissions

• users_read - Allows the read details about a user such as name

• users_write - Allows the change details about a user such as name

• users_and_permissions_read - Allows the read of user’s role, limits and credentials access

• users_and_permissions_write - Allows the change of a user’s role, limits and credentials access

• users_2fa_disable - Allows the disabling of a user’s 2FA setting

• skip_user_limits - Permission to be set on role when user utilization limits should not be checked by the system.

• skip_authenticator - Permission to be set on role if 2FA authentication is optional.

• metalcloud_access - Default permission for user role

Network profiles

• network_profiles_read - Allows a read operation on public network profile objects.

• network_profiles_write - Allows a write operation on public network profile objects.

• network_profiles_allowed_for_user_read - Allows a write operation on specific user’s network profile objects.

• network_profiles_allowed_for_user_write - Allows a write operation on specific user’s network profile objects.

• network_profiles_allow_specific_vlan_ids - Allow a specific VLAN rather than automatically allocated ones. This has security implications as it allows the use of VLANs that might be in use by other users.

Network Fabrics

Network Fabrics

• network_fabrics_read - Allows reading details of network fabric objects.

• network_fabrics_write - Allows creation, editing, and deletion of network fabric objects.

Licenses related permissions

• Licenses read - Allows the read of licensing details

• Licenses write - Allows the change of licensing details such as adding a new license key.

Firmware related permissions

• firmware_upgrade_read - Allows the user to read firmware-related objects such as baselines.

• firmware_upgrade_read - Allows the user to create and edit firmware-related objects such as baselines.

• firmware_baselines_read - (not used)

• firmware_baselines_write - (not used)

Site related permissions

• site_read - Site Read

• site_write - Site Write

Servers

• servers_read - Allows read of server object details.

• servers_write - Allows change and edit of server object details such as tags.

• server_types_read - Allows read of server type object details such as tags.

• server_type_utilization_report_read - Allows read of server type utilization report.

Switches

• switches_read - Allows read of switch object.

• switches_write - Allows creation, edit and delete of switch object.

Storage

• storage_read - Allows read of storage objects.

• storage_write - Allows creation,edit and delete of storage objects.

IPAM Subnets

• subnets_read - Allows read of subnet objects.

• subnets_write - Allows creation, edit and delete of subnet objects.

Infrastructures

• infrastructures_read - Allows the read of infrastructures details of other users

• infrastructures_write - Allows the user to delete or change other user’s infrastructures.

OS Templates

• templates_read - Allows the creation of templates

• templates_write - Allows the user to create, edit and delete templates

Events & jobs

• events_read - Allows the listing of events

• events_write - (Not used)

• job_queue_read - Allows the listing of jobs

• job_queue_write - Allows operations on jobs such as resume.

Variables

• variables_and_secrets_read - Allows listing of variables and secrets and view of only the variables object but not that of secrets.

• variables_and_secrets_write - Allows the creation, edit and delete of variables.

Subscriptions

• subscriptions_read - Allows listing of reservations of all users.

• subscriptions_write - Allows creation, edit and delete of reservations for other users.

Reports

• utilization_reports_read - Allows read of other user’s utilization reports

Utility

• admin_access - Allows access to the admin interface

• suspend_reasons_read - Allows user to see suspend reasons

• suspend_reasons_write - Allows user to suspend other users and add reasons

• global_configurations_write - Global Configurations Write

• global_configurations_read - Global Configurations Read

• maintenance_read - Allows the user to view the user interface maintenance flag (deprecated)

• maintenance_write - Allows the user to change the user interface maintenance flag (deprecated)

• admin_maintenance_read - Allows the user to view the admin interface maintenance flag (deprecated)

• admin_maintenance_write - Allows the user to view the admin interface maintenance flag (deprecated)

Virtual Machines (VMs)

• vm_pools_read - Allows reading details of VM pools.

• vm_pools_write - Allows creation, editing, and deletion of VM pools.

• vm_types_read - Allows reading details of VM types.

• vm_types_write - Allows creation, editing, and deletion of VM types.

• vm_profiles_read - Allows reading details of VM profiles.

• vm_profiles_write - Allows creation, editing, and deletion of VM profiles.

• vms_read - Allows reading details of virtual machines.

• vms_write - Allows creation, editing, and deletion of virtual machines.

S3 buckets (object storage)

• buckets_read - Allows reading details of bucket objects

Extensions

• extensions_read - Allows reading details of extension objects.

• extensions_write - Allows creation, editing, and deletion of extension objects.