Users, Groups and ACLs¶
vOneCloud offers a powerful mechanism for managing, grouping and assigning roles to users. Permissions and Access Control List mechanisms ensures the ability to allow or forbid access to any resource controlled by vOneCloud, being physical or virtual.
User & Roles¶
vOneCloud can manage different types of users, attending to the permissions they have over infrastructure and logical resources.
|Cloud Administrators||enough privileges to perform any operation on any object||vcenter|
|Group Administrators||manage a limited set and users within VDCs||groupadmin|
|End Users||access a simplified view with limited actions to create new VMs||cloud|
VDC is the acronym for Virtual Datacenter
Learn more about user management here.
Group & VDC Management¶
A group of users makes it possible to isolate users and resources. A user can see and use the shared resources from other users. The group is an authorization boundary for the users, but you can also partition your cloud infrastructure and define what resources are available to each group using Virtual Data Centers (VDC).
A VDC defines an assignment of one or several groups to a pool of physical resources. This pool of physical resources consists of resources from one or several clusters, which are logical groups of hosts and virtual networks. VDCs are a great way to partition your cloud into smaller clouds, and asign them to groups with their administrators and users, completely isolated from other groups.
Access Control Lists¶
vOneCloud implements a very useful ACL mechanism that enables fine-tuning of allowed operations for any user, or group of users. Each operation generates an authorization request that is checked against the registered set of ACL rules. There are predefined ACLs that implements default behaviors (like VDC isolation), but they can be altered by the cloud administrator.
Writing (or even reading) ACL rules is not trivial, more information about ACLs here.