Managing users and permissions#
Security and access control is a very important aspect of any infrastructure. MetalSoft uses two concepts for permission management:
RBAC for admin operations
Delegation for user operations
Separately, MetalSoft uses multiple forms of authentication:
More than one form can be active at any given time. Use Global
Authentication to manage them.
Consult Authentication Overview for more details.
Users that interact with the MetalCloud must have an “account” identified by email and password, API key and - if enabled - protected by 2FA. Accounts can also be created in an external ID provider such as Active Directory, Okta, Auth0. MetalSoft supports LDAP, SAML and Oauth2.
Role based access control (RBAC)#
MetalSoft accounts all have a Role associated with them. Roles are then associated with permissions that enable or disable certain features of MetalSoft. The list is constantly changing, checkout the
MetalSoft provides several built-in roles that cannot be edited:
Root - highest level.
Full Admin - Similar to Root but cannot put the system into maintenance and cannot edit prices
Basic Admin - Primarily read only across all admin resources
User - Access only to infrastructures and the user interface
Custom roles can also be created. In general, the permissions follow the Admin UI providing with
write to the respective resources. For example the
workflow_read will allow a read-only view of the Workflows section. Having
workflow_write will allow you to edit the workflows.
The following is the current list of permissions:
servers_read - Allows read of server object details.
servers_write - Allows change and edit of server object details such as tags.
server_types_read - Allows read of server type object details such as tags.
server_type_utilization_report_read - Allows read of server type utilization report.
switches_read - Allows read of switch object.
switches_write - Allows creation, edit and delete of switch object.
storage_read - Allows read of storage objects.
storage_write - Allows creation,edit and delete of storage objects.
subnets_read - Allows read of subnet objects.
subnets_write - Allows creation, edit and delete of subnet objects.
infrastructures_read - Allows the read of infrastructures details of other users
infrastructures_write - Allows the user to delete or change other user’s infrastructures.
templates_read - Allows the creation of templates
templates_write - Allows the user to create, edit and delete templates
Events & jobs#
events_read - Allows the listing of events
events_write - (Not used)
job_queue_read - Allows the listing of jobs
job_queue_write - Allows operations on jobs such as resume.
workflows_read - Allows listing and details view of workflow objects.
workflows_write - Allows creation, change and delete of workflow objects.
variables_and_secrets_read - Allows listing of variables and secrets and view of only the variables object but not that of secrets.
variables_and_secrets_write - Allows the creation, edit and delete of variables.
Prices & Subscriptions#
prices_read - Allows user to read prices objects for resources (deprecated)
prices_write - Allows user to set prices for resources (deprecated)
subscriptions_read - Allows listing of reservations of all users.
subscriptions_write - Allows creation, edit and delete of reservations for other users.
utilization_reports_read - Allows read of other user’s utilization reports
admin_access - Allows access to the admin interface
suspend_reasons_read - Allows user to see suspend reasons
suspend_reasons_write - Allows user to suspend other users and add reasons
global_configurations_write - Global Configurations Write
global_configurations_read - Global Configurations Read
maintenance_read - Allows the user to view the user interface maintenance flag (deprecated)
maintenance_write - Allows the user to change the user interface maintenance flag (deprecated)
admin_maintenance_read - Allows the user to view the admin interface maintenance flag (deprecated)
admin_maintenance_write - Allows the user to view the admin interface maintenance flag (deprecated)
Deprecated permissions, do not use#
cluster_read - (deprecated)
cluster_write - (deprecated)
container_platform_read - (deprecated)
container_platform_write - (deprecated)
datalake_read - (deprecated)
datalake_write - (deprecated)
dataset_read - (deprecated)
dataset_write - (deprecated)
cloudinit_read - (deprecated)
cloudinit_write - (deprecated)
datastore_read - (deprecated)
datastore_write - (deprecated)
franchises_write - (deprecated)
threshold_write - (deprecated)
threshold_read - (deprecated)
monitoring_agent_write - (deprecated)
emails_write - (deprecated)
resources_write - (deprecated)
Many resources have an owner associated with them. In that case some resources (such as OS templates and Workflows) will not be visible to the other admins until they are published. This is controlled by a property called visibility. Set the visibility to ‘public’ to share the resource with other users.
The “Billable” account#
Only infrastructures that are owned by a
Billable account can be deployed. Normally in an organization only one account will have Billing activated such as by adding a credit card. This flag can also be used by an external Billing system to determine who needs to be invoiced.
Credentials access - DEPRECATED#
All credentials in MetalSoft are encrypted. A special set of permissions are needed to allow an account access to the various credentials for equipment or client instances. Use the Users & Permissions/
Note that in future versions of our software this feature will be combined with the RBAC feature and normal permissions will be created.
Accounts also have various limits associated with them such as the maximum number of servers an account can provision. These are added to prevent abuse or Denial-of-Service type attacks. Use the Users & Permissions/
Account delegate of another user
To help understand delegation consider consider the following scenario:
A billing account (firstname.lastname@example.org) is created using an email that will reach the department in charge with paying the invoices. The department will not actually manage infrastructures but will receive invoices.
An OPS account (email@example.com) is added by the finance department as an account delegate of the finance account.
The ops account is now able to create infrastructures: A Web Infrastructure for the marketing department, a Hadoop infrastructure for the BI department and an ERP infrastructure for the Logistics department
The Ops user then invites user firstname.lastname@example.org form the marketing department to the Web infrastructure using infrastructure delegation.
The Ops user also invites user email@example.com form the logistics department to the ERP infrastructure using infrastructure delegation.
Lastly, the Ops user invites user firstname.lastname@example.org form the BI department to the Hadoop and the ERP infrastructures using infrastructure delegation.
The result of this setup is that:
OPS has the ability to oversee and manage all infrastructures
Marketing and logistics departments each manage their own infrastructures only
BI team has access to it’s infrastructure (the hadoop infrastructure) but also to the ERP infrastructure
The Finance team then receives invoices for all infrastructures.
The detailed infrastructure utilization report will provide a breakdown of consumption for each individual department which enables charge-back to the respective departments.
Managing account delegation#
Many organizations opt to have a finance/procurement department user as the billable user and have a second user as the technical user that actually performs operations “on-behalf-of” the organization. This relationship is called “account delegation”.
If enabled this second user will have all rights that the owner of the infrastructures has.
Any number of users can be account delegates.
To add an account delegate access Account Settings (Infrastructure Editor > Account Settings)
Click on Account sharing (Infrastructure Editor > Account Settings > Account Sharing)
Add the email address of the delegated user that the user uses to login to manage the Metalcloud.
As a delegated account, from this page you can also Impersonate a user in order to perform payments or change credit card information on his/hers behalf.
This mechanism can be used if the primary account is a technical one somebody else needs to perform manual payment, download invoices etc.
Managing infrastructure delegation#
A user can be “invited” by an owner or account delegate of an infrastructure to have access only to that respective infrastructure. This is used in situations where internal users or clients of a company reselling MetalCloud services need to have access to a specific infrastructure.
Users will have full access to manage that infrastructure but the billable account that is the owner of the infrastructure will receive the invoices.
To add a delegate on an infrastructure access the Infrastructure properties dialog by clicking the the cogwheel:
Click on the Sharing tab and enter the login email of the user that is to be granted permissions. The user will receive an invite email on that address.
If the user doesn’t have a MetalCloud account he will be invited to create one but no CC information will be required.
Where to go from here: