Understanding Role
Role structure
A Role consists of a Role Type, which specifies the scope of access to resources (see below), and the organization (project or project group) to which that authority is applied. Users are granted access rights within each SpaceONE domain through a RoleBinding.
Role Example
Example: Alert Operator Role

```yaml
---
results:
  - created_at: '2021-11-15T05:12:31.060Z'
    domain_id: domain-xxx
    name: Alert Manager Operator
    policies:
      - policy_id: policy-managed-alert-manager-operator
        policy_type: MANAGED
    role_id: role-f18c7d2a9398
    role_type: PROJECT
    tags: {}
```
Example: Domain Viewer Role

```yaml
---
results:
  - created_at: '2021-11-15T05:12:28.865Z'
    domain_id: domain-xxx
    name: Domain Viewer
    policies:
      - policy_id: policy-managed-domain-viewer
        policy_type: MANAGED
    role_id: role-242f9851eee7
    role_type: DOMAIN
    tags: {}
```
Role Type
The Role Type specifies the range of resources that can be accessed within the domain.
- DOMAIN: access to all resources in the domain.
- PROJECT: access to all resources in the projects to which the user has been added as a member.
For how to add a user as a member of a project, refer to Add as Project Member.
Add Member
All resources in SpaceONE are managed hierarchically, as shown below. The domain administrator controls which resources users can access within a project by adding members to each project. A user who needs access to several projects can be added as a member of the parent project group instead; the user then has access to all projects in the hierarchy below that group. For how to add a member to a project group, refer to Add as a Member of Project Group.
Role Hierarchy
When a user has multiple RoleBindings within the hierarchical project structure, the roles are applied according to the following rules.
For example, as shown in the figure below, the user stark@example.com is bound to the parent project group with the Project Admin role and to the lower-level project APAC with the Project Viewer role. The role for each project is then determined as follows.
- A sub-project or sub-project group that has no RoleBinding of its own inherits the role of the parent project group.
- A sub-project that has an explicit RoleBinding uses that role, overriding the role inherited from the higher level.
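As an added illustration (not SpaceONE's own code), the following Python resolves the role a user effectively holds on each project by applying those two rules: walk from the project up through its parent project groups and take the nearest explicit RoleBinding. The project and project-group ids, the sibling projects and the nested group are constructed for the example; only PROJECT-type bindings are modelled, not DOMAIN-type ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example: effective-role resolution over a project hierarchy.

@dataclass(frozen=True)
class Node:
    node_id: str
    kind: str               # "PROJECT_GROUP" or "PROJECT"
    parent: Optional[str]   # enclosing project group, None at the top level

@dataclass(frozen=True)
class RoleBinding:
    user: str
    role: str               # role name, e.g. "Project Admin"
    resource: str           # project or project group the binding is attached to

def effective_role(user: str, target: str, nodes: Dict[str, Node],
                   bindings: List[RoleBinding]) -> Optional[str]:
    """Nearest explicit RoleBinding on the path from `target` up to the root wins."""
    explicit = {(b.user, b.resource): b.role for b in bindings}
    cur: Optional[str] = target
    while cur is not None:
        role = explicit.get((user, cur))
        if role is not None:      # explicit binding here overrides anything above it
            return role
        cur = nodes[cur].parent   # otherwise inherit from the parent project group
    return None                   # no binding anywhere on the path: no project access

def project_roles(user: str, nodes: Dict[str, Node],
                  bindings: List[RoleBinding]) -> Dict[str, Optional[str]]:
    """Map every project in the hierarchy to the role `user` effectively holds on it."""
    return {n.node_id: effective_role(user, n.node_id, nodes, bindings)
            for n in nodes.values() if n.kind == "PROJECT"}

# Hierarchy from the page's example plus constructed siblings and a nested group.
NODES = {n.node_id: n for n in [
    Node("pg-root", "PROJECT_GROUP", None),
    Node("project-apac", "PROJECT", "pg-root"),
    Node("project-emea", "PROJECT", "pg-root"),
    Node("pg-us", "PROJECT_GROUP", "pg-root"),
    Node("project-us-west", "PROJECT", "pg-us"),
    Node("pg-other", "PROJECT_GROUP", None),
    Node("project-other", "PROJECT", "pg-other"),
]}
BINDINGS = [
    RoleBinding("stark@example.com", "Project Admin", "pg-root"),
    RoleBinding("stark@example.com", "Project Viewer", "project-apac"),
]

if __name__ == "__main__":
    for project, role in project_roles("stark@example.com", NODES, BINDINGS).items():
        print(f"{project}: {role}")
```

APAC resolves to Project Viewer (explicit binding), EMEA and the nested us-west project to Project Admin (inherited through the group chain), and a project outside the bound group to no role at all.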
Default Roles
Every SpaceONE domain automatically includes the following Default Roles when it is created.

| Name | Role Type | Description |
|---|---|---|
| Domain Admin | DOMAIN | Can search, change and delete all domain resources |
| Domain Viewer | DOMAIN | Can search all domain resources |
| Project Admin | PROJECT | Can view, change and delete all resources of the projects the user is a member of |
| Project Viewer | PROJECT | Can search all resources of the projects the user is a member of |
| Alert Manager Operator | PROJECT | Can search all resources of the projects the user is a member of, and has alert-handling authority in Alert Manager |
Managing Roles
Roles are managed per domain through spacectl. Refer to the Managing Roles document for details.