
Commit 0ac0618

Document IaaS roles (#240)
Signed-off-by: Markus Hentsch <[email protected]>
1 parent 961de1b commit 0ac0618

File tree

1 file changed

+47
-0
lines changed


docs/05-iam/iaas-roles.md

+47
@@ -0,0 +1,47 @@
1+
# IaaS Roles
2+
3+
An SCS-compliant cloud offers the following roles on the Infrastructure as a Service (IaaS) layer:
4+
5+
| Role | Scope | Description |
6+
|---|---|---|
7+
| reader | All OpenStack APIs | Role with read-only access within authentication scope. |
8+
| member | All OpenStack APIs | Role with read-write access within authentication scope. |
9+
| manager | Identity API | Role with self-service capabilites for the Identity API in domain scope. |
10+
| admin | All OpenStack APIs | Most privileged role, reserved for CSP personnel, to administer the OpenStack cloud |
11+
12+
:::info Role Inheritance
13+
14+
The OpenStack Identity API implements automatic role inheritance between admin, manager, member and reader roles where a role with higher privileges inherits all lesser roles automatically.
15+
16+
This means:
17+
18+
- `admin` inherits `manager`, `member` and `reader`
19+
- `manager` inherits `member` and `reader`
20+
- `member` inherits `reader`
21+
22+
:::
23+
24+
## Role Assignment
25+
26+
### Scopes & Targets
27+
28+
Roles can be assigned in different scopes and either to users or groups.
29+
This leads to the following role assignment matrix:
30+
31+
| | User | Group |
32+
|---|---|---|
33+
| Project | single user, permissions in project | all users of group, permissions in project |
34+
| Domain | single user, permissions in domain | all users of group, permissions in domain |
35+
| System | single user, permissions in whole cloud | all users of group, permissions in whole cloud |
36+
37+
(rows are the scopes and columns are the role assignment target entities)
38+
39+
### Assignment Procedure
40+
41+
Roles are assigned to users or groups by administrative personnel.
42+
In most cases, this is either:
43+
44+
- a cloud operator with the admin role, belonging to the provider
45+
- a domain manager with the manager role in domain scope, belonging to the provider or a tenant
46+
47+
A domain manager can only assign and revoke roles within their own domain and is restricted to a specific subset of available roles to prevent privilege escalation.
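Review bot: The last paragraph states that a domain manager "is restricted to a specific subset of available roles to prevent privilege escalation" but never says which subset, so a reader of this page cannot tell whether a domain manager may, for example, grant `manager` to other users in their domain or is limited to `member` and `reader`; please name the assignable roles explicitly here (or link the standard that defines them), since that list is the actual privilege-escalation boundary this section is documenting. Two smaller items in the first table: "capabilites" in the `manager` row should be "capabilities", and the `admin` row is the only description without a terminating period.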
