Role-based access control#
RBAC roles are customer-managed roles with specific permissions that determine the services a user can access and the types of operations they can complete. For example, an account user with the lbaas:admin role has create, read, update, and delete permissions for the Cloud Load Balancer service.
All RBAC roles are subordinate to the identity:user-admin or the identity:user-manage roles that the Identity service assigns to Rackspace Cloud accounts held by the account owner or by an account designated to manage user accounts. Only Identity administrators and managers can create account users (identity:default) and assign RBAC roles. Account owners cannot hold any additional roles because they already have full access to all services and capabilities. Account managers can have both the identity:user-manage and the identity:default.
Role assignments can be global or custom. Global roles manage access and permissions across multiple API services. Custom roles manage access and permissions on a per-product basis. For both global and custom roles, the user has access only to designated products. The following table describes the RBAC roles available.
Table: Rackspace Cloud RBAC Roles and Capabilities
|Role||Type||Role Description||Example Role|
|admin (full access)||Global||The admin role provides Create, read, update, and delete permissions in all Cloud products, where access is granted. Full access is given to current and future products as they become RBAC-enabled. Each account can have only one admin user.||Admin|
|observer (read-only access)||Global||The observer role provides read permission in all products where access is granted. Read-only access is given to current and future products as they become RBAC-enabled.||observer|
|product:admin||Custom||The product:admin role provides create, read, update, and delete permissions for a specified product, where access is granted.||nova: admin|
|product:creator||Custom||The product:creator role provides create, read, and update permissions for a specified product, where access is granted. The user cannot delete resources.||cloudFiles: creator|
|product:observer||Custom||This product:observer role provides Read permission for a specified product, where access is granted.||cdb: observer|
The account owner,
identity:user-admin can create account users,
identity:default on the account and then assign roles to those
users. The roles grant the account users specific permissions for
accessing the Cloud services and capabilities. Each account has only one
account owner, and that role is assigned by default to any Rackspace
Cloud account when the account is created. Account owners cannot hold
any additional roles because they already have full access to all
services and capabilities.
You can assign roles programmatically through the API or by using the Cloud Control panel interface.
Use the following API operations to add account users and manage role assignments:
For information about implementing RBAC by using the Cloud Control Panel and other RBAC-related topics, see the following Rackspace Knowledge Center articles:
The account owner can assign both multiproduct (global) roles and custom (product-specific). In some cases, the scope of these roles can overlap and cause conflict. When conflicts occur, the role that provides the more extensive permissions takes precedence. Therefore, admin roles take precedence over observer roles, because admin roles provide more permissions.
The following table shows two examples of how potential conflicts between user role assignments are resolved:
|Permission configuration||View of permission in control panel||Can the user perform product Admin functions in the control panel?|
|User is assigned the following roles: multiproduct observer and product admin||Appears that the user has only the multiproduct observer role||Yes, for specified product product only. The user has the observer role for the rest of the products.|
|User is assigned the following roles: multiproduct admin and product observer||Appears that the user has only the multiproduct admin role.||Yes, for all of the products. The specified product observer role is ignored.|
For information about using RBAC with specific products, see the API Developer Guide for each product.