System administrators are presented with several options to control user permissions through the UKCloud Portal. The information below is intended as a brief guide to which permissions are applied using each setting.
Some user permissions are controlled on other pages. See the following articles:
Portal administrator permissions
Select the User is admin? check box to grant the user full administrative privileges across the entire account. This includes all of the permissions listed below.
Permissions for Settings
Update: A user can update all of the account settings. This includes changing the security methods applied to the account, such as updating security restrictions to require password timeout and 2FA. These users can also change the details of the account's primary and secondary contacts.
All: Presently this offers the same capability as the Update permission.
Leave these boxes unchecked to deny a user these capabilities.
Permissions for Contacts
Contact and user permissions dictate whether the user is able to make changes to who has access to the account, and their role inside of it.
A contact is just a set of contact details; a contact does not necessarily have an actual user account. To enable a contact to have user access, they must be marked as "active".
| Contact | Can create a new contact for that account. | Can view existing contacts in that account. | Can edit existing contacts but cannot create new ones. | Can delete existing contacts. | All of the above. |
| User | Can create a user associated to a contact for that account and assign permissions. | Can view existing users for contacts. | Can edit existing users and their permissions. | Can delete existing users from contacts. | All of the above. |
Permissions for UKCloud for VMware
UKCloud for VMware service permissions are based on the VMware Cloud Director RBAC (role-based access control) permissions. These roles are applied on a service-by-service basis; for example, someone might be a Catalogue Author of one service and a Console Only user in a second service.
The roles exposed are:
You can find further details of these roles in the VMware Cloud Director Service Provider Admin Portal Guide.
API Only role
In addition to the VMware Cloud Director permissions, UKCloud has created an API Only role that restricts users with VMware Cloud Director permissions to accessing VMware Cloud Director solely via the API, with no GUI access.
The API Only role must be selected in addition to one of the VMware Cloud Director permissions (Admin, Catalogue Author, vApp Author, vApp User or Console Only); you should not select the API Only role on its own.
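The following added example (not UKCloud code) shows one way to review these settings for least privilege: it flags full administrators, users who can change account security settings or other users' permissions, and any service where API Only is selected on its own. The export layout, key names and sample records are assumptions constructed for illustration; only the role names come from this article.

```python
# Added example. The export layout and key names below are assumptions made for
# illustration; they are not a UKCloud Portal format.
VCD_ROLES = {"Admin", "Catalogue Author", "vApp Author", "vApp User", "Console Only"}
API_ONLY = "API Only"


def audit_user(user):
    """Return review findings for one user record."""
    if user.get("is_admin"):
        # "User is admin?" includes every other permission, so report it alone.
        return ["full-admin: holds every permission on the account"]
    findings = []
    if {"Update", "All"} & set(user.get("settings", [])):
        findings.append("settings: can change account security settings (e.g. 2FA)")
    # Assumed labels for the User row: create / view / edit / delete / all.
    if {"create", "edit", "all"} & set(user.get("user_perms", [])):
        findings.append("users: can assign or change other users' permissions")
    for service, roles in sorted(user.get("vmware", {}).items()):
        roles = set(roles)
        unknown = roles - VCD_ROLES - {API_ONLY}
        if unknown:
            findings.append(f"{service}: unrecognised role(s) {sorted(unknown)}")
        if API_ONLY in roles and not roles & VCD_ROLES:
            findings.append(f"{service}: API Only selected without a Cloud Director role")
    return findings


def audit(users):
    """Map user name -> findings, omitting users with nothing to review."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["name"]] = findings
    return report


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"name": "alice", "is_admin": True},
    {"name": "bob", "settings": ["Update"], "user_perms": ["view"],
     "vmware": {"service-a": ["Catalogue Author"], "service-b": ["API Only"]}},
    {"name": "carol", "user_perms": ["edit"],
     "vmware": {"service-a": ["vApp User", "API Only"]}},
    {"name": "dave", "vmware": {"service-a": ["Console Only"]}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```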
Permissions for Cloud Storage
Users need to be granted access to the relevant namespace. Once access is granted, the user will be able to see the namespace, list the buckets in the namespace and reset the secret key. The user will also be able to see consumption data for namespaces and buckets.
Permissions for Billing
Users with API permissions can retrieve billing information using the Portal API. For more information, see the GET /api/billing/billing-csv section of the UKCloud Portal API Reference Guide.