Understanding Role

This page takes a detailed look at Roles.

Role structure

Role is a Role Type that specifies the scope of access to resources as shown below and the organization (project or project group) to which the authority is applied. is composed. Users can define access rights within each SpaceONE through RoleBinding.

Role Example

Example: Alert Operator Role

---
results:
  - created_at: '2021-11-15T05:12:31.060Z'
    domain_id: domain-xxx
    name: Alert Manager Operator
    policies:
      - policy_id: policy-managed-alert-manager-operator
        policy_type: MANAGED
    role_id: role-f18c7d2a9398
    role_type: PROJECT
    tags: {}

Example : Domain Viewer Role

---
results:
- created_at: '2021-11-15T05:12:28.865Z'
  domain_id: domain-xxx
  name: Domain Viewer
  policies:
  - policy_id: policy-managed-domain-viewer
    policy_type: MANAGED
  role_id: role-242f9851eee7
  role_type: DOMAIN
  tags: {}

Role Type

Role Type specifies the range of accessible resources within the domain.

  • DOMAIN: Access is possible to all resources in the domain.
  • PROJECT: Access is possible to all resources in the project added as a member.

Please refer to Add as Project Member for how to add a member as a member in the project.

Add Member

All resources in SpaceONE are hierarchically managed as follows. The administrator of the domain can manage so that users can access resources within the project by adding members to each project. Users who need access to multiple projects can access all projects belonging to the lower hierarchy by adding them to the parent project group as a member. For how to add as a member of the Project Group, refer to Add as a Member of Project Group.

Role Hierarchy

If a user have complex Rolebinding within the hierarchical project structure. Role is applied according to the following rules.

For example, as shown in the figure below, the user stark@example.com is bound to the parent Project Group as Project Admin Role, and the lower level project is **APAC. When it is bound to Project Viewer Role in ** Roles for each project are applied in the following way.

  • The role of the parent project is applied to the sub-project/project group that is not directly bound by RoleBinding.
  • The role is applied to the subproject that has been explicitly RoleBinding (overwriting the higher-level role)

Default Roles

All SpaceOne domains automatically include Default Role when created. Below is the list.

NameRole TypeDescription
Domain AdminDOMAINYou can search/change/delete all domain resources
Domain ViewerDOMAINYou can search all domain resources
Project AdminPROJECTYou can view/change/delete the entire project resource added as a member
Project ViewerPROJECTYou can search the entire project resource added as a member
Alert Manager OperatorPROJECTYou can inquire the entire project resource added as a member, and have the alert handling authority of Alert Manager

Managing Roles

Roles can be managed by the domain itself through spacectl. Please refer to the Managing Roles document.