Standards/scs-03XX-v1-standard-roles.md
Lines changed: 15 additions & 15 deletions
@@ -46,6 +46,21 @@ Meanwhile the standardized roles and permission sets should cover all scenarios
46
46
Due to the high level of modularity and the large amount of available services for OpenStack clouds, this standard cannot address all possible manifestations of OpenStack clouds.
47
47
This standard will therefore only cover IaaS APIs and services that are classified as either mandatory or supported by the SCS project.
48
48
49
+
### Core Roles
50
+
51
+
The following overview will list the roles which are considered core roles by this standard and explain their purposes as well as target scopes.
52
+
Roles marked as "internal" are roles only meant to be assigned to technical user accounts intended for internal use by OpenStack services.
53
+
54
+
Core Roles:
55
+
56
+
| Role | Primary Target(s) | Purpose |
57
+
|---|---|---|
58
+
| reader | customer | read-only access to resources in the scope of authentication (e.g. project) |
59
+
| member | customer | read and write access to resources in the scope of authentication (e.g. project) |
60
+
| manager | customer | identity self-service capability within a domain, to assign/revoke roles between users, groups and projects |
61
+
| admin | CSP | cloud-level global administrative access to all resources (cross-domain, cross-project) |
62
+
| service | internal | internal technical user role for service communication |
63
+
49
64
### Scope Enforcement Compatibility
50
65
51
66
The API policy library used by OpenStack (oslo.policy) introduced two new [configuration options](https://docs.openstack.org/oslo.policy/latest/configuration/#oslo-policy) during the ongoing RBAC rework of OpenStack[^2]:
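Review bot: the new `manager` row says the role carries "identity self-service capability within a domain, to assign/revoke roles between users, groups and projects" but does not say which roles a manager may grant; since this is the one customer-facing role that hands out permissions, state the bound here (whether `admin` and `service` are excluded from what a manager can assign) or point to the section of the standard that defines it, otherwise the table reads as if a domain manager could escalate to cloud-level admin. Two smaller points in the same hunk: the label line `Core Roles:` added just above the table repeats the `### Core Roles` heading a few lines earlier, so drop the label or rename the heading; and `CSP` in the `Primary Target(s)` column is not expanded anywhere in this hunk while `customer` and `internal` are self-explanatory, so spell out Cloud Service Provider on first use or define the three target values in the sentence that precedes the table. The intro sentence also reads better in the present tense (`The following overview lists the roles ...`).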
@@ -141,21 +156,6 @@ The roles mentioned below MUST be present in the Identity API at all times.
141
156
- admin
142
157
- service
143
158
144
-
#### Role Definitions
145
-
146
-
The following overview will explain the roles' purposes and target scopes.
147
-
Roles marked as "internal" are roles only meant to be assigned to technical user accounts intended for internal use by OpenStack services.
148
-
149
-
Core Roles:
150
-
151
-
| Role | Primary Target(s) | Purpose |
152
-
|---|---|---|
153
-
| reader | customer | read-only access to resources in the scope of authentication (e.g. project) |
154
-
| member | customer | read and write access to resources in the scope of authentication (e.g. project) |
155
-
| manager | customer | identity self-service capability within a domain, to assign/revoke roles between users, groups and projects |
156
-
| admin | CSP | cloud-level global administrative access to all resources (cross-domain, cross-project) |
157
-
| service | internal | internal technical user role for service communication |
158
-
159
159
### API configuration
160
160
161
161
All API services MUST be configured to use the Secure RBAC role model by enabling `enforce_new_defaults` and `enforce_scope` of the oslo.policy library.
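Review bot: removing `#### Role Definitions` here leaves the normative list introduced by `The roles mentioned below MUST be present in the Identity API at all times.` (ending in `- admin`, `- service`) with no nearby explanation of what those roles are for. The removed lines reappear verbatim in the new `### Core Roles` section, so this hunk is a pure move and loses no content, but add a one-line pointer after the list (for example `Their purposes and target scopes are described in the Core Roles section above.`) so the normative part stays readable on its own and a reader checking the MUST requirement does not have to search for the definitions.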