Customizing user roles

Symphony offers administrators the ability to choose from a set of predefined permissions and apply them to new or existing user roles.

Scope


Applicability

Details

Operating system

  • Windows

  • Linux

  • Solaris

Exclusions

Does not apply to Symphony DE since the DE version does not require permissions.


About user roles

Symphony, out-of-the-box, allows a system user with an authenticated EGO user account to be assigned any of the following roles: cluster administrator, consumer administrator, or consumer user. Each of these roles is associated with a fixed set of permissions that either grant or deny access to specific system controls and operations. For example, consumer users only have access and control over their own workload units and cannot access workload units of other consumers.

At some sites, cluster administrators/users and their functions may not map exactly to Symphony’s preconfigured security model for user roles. It may be desirable to have flexibility in the assignment of privileges. This chapter discusses the permissions available for monitoring and controlling Symphony operations and how to assign them to user roles that you can create.

Permission set

A predefined set of permissions is available for customizing user roles. You can assign any of the following permissions to a role.


Permission

Description

standard reports control

Users with this permission are able to view standard reports via the PMC and produce/export standard reports with access to all cluster data.

custom reports control

Users with this permission are able to view custom reports via the PMC and produce/export custom reports with access to all cluster data.

Symphony debug control

Users with this permission are able to run egosh debug and soamlog commands to change SOAM daemon debug levels across the cluster.

retrieve system log

Users with this permission are able to view the System Logs page via the PMC, and retrieve event and audit log files with access to all cluster data. Users can also run rfa commands.

resource plan control

Users with this permission are able to configure the resource plan. The extent of permission depends on the level of consumer tree specified with the role; if it is "/", the user can configure all resource plans, otherwise the user can only configure a plan for the specified consumer(s) and cannot insert or remove a time interval for time-based resource planning.

deploy package control

Users with this permission are able to deploy service packages. The extent of permission depends on the level of consumer tree specified with the role; if it is "/", the user can deploy packages for all applications, otherwise the user can only deploy packages for the specified consumer(s).

Note:

As a best practice, a role with the deploy package control permission should be combined with a consumer user role to allow the user to log on to the PMC and deploy a service package.


Working with user roles

Roles can be assigned to any user and any user can have more than one role. If a user is assigned one of Symphony’s preconfigured roles and a newly-created role, the effect is that the permissions of both roles are merged.

User role properties are configured through the Platform Management Console. You must be a cluster administrator to perform actions on user roles.

Perform the following steps when you want to implement a new user role:

  1. Identify the role

  2. Associate users with the role

  3. Assign permissions to the role

The following example shows the concept of configuring one role for two users.

The following properties of a user role can be modified using the PMC:

  • description of the role

  • users assigned to the role

  • permissions

User roles can also be removed. Before removing a role, it is important to check that it is not assigned to any users, as this would cause them to lose all privileges associated with the role.
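The merge and removal rules above can be checked offline with a small model before changing roles in the PMC. This is an added example, not Symphony code or an EGO API: the role, user and consumer names are constructed, the cluster-wide/consumer-scoped split is inferred from the permission descriptions on this page, and a consumer grant is assumed to cover only "/" or the exact consumer named.

```python
from dataclasses import dataclass, field

# Split inferred from the permission descriptions on this page (assumption).
CLUSTER_WIDE = {"standard reports control", "custom reports control",
                "Symphony debug control", "retrieve system log"}
CONSUMER_SCOPED = {"resource plan control", "deploy package control"}

@dataclass
class Role:
    name: str
    users: set
    cluster: set = field(default_factory=set)     # cluster-wide permissions
    consumer: dict = field(default_factory=dict)  # consumer path -> permissions

def effective(user, roles):
    """Merge every role the user holds into a set of (permission, scope) grants."""
    grants = set()
    for r in [r for r in roles if user in r.users]:
        grants |= {(p, "*") for p in r.cluster & CLUSTER_WIDE}
        for path, perms in r.consumer.items():
            grants |= {(p, path) for p in perms & CONSUMER_SCOPED}
    return grants

def allowed(user, roles, perm, consumer=None):
    """Cluster-wide grants apply everywhere; a consumer grant applies to "/"
    (all consumers) or to the exact consumer named (assumption: no inheritance)."""
    g = effective(user, roles)
    if perm in CLUSTER_WIDE:
        return (perm, "*") in g
    return (perm, "/") in g or (perm, consumer) in g

def removal_impact(role_name, roles):
    """For each user in the role, the grants no other role would still supply."""
    target = next(r for r in roles if r.name == role_name)
    rest = [r for r in roles if r.name != role_name]
    impact = {}
    for u in target.users:
        after = effective(u, rest)
        lost = {(p, s) for p, s in effective(u, roles) - after if (p, "/") not in after}
        if lost:
            impact[u] = lost
    return impact

# Constructed sample: one role for two users, plus a second role for one of them.
ROLES = [
    Role("report-viewer", {"alice", "bob"}, cluster={"standard reports control"}),
    Role("risk-deployer", {"bob"}, cluster={"standard reports control"},
         consumer={"/Risk": {"deploy package control"}}),
]
```

An empty result from `removal_impact` means every user in the role keeps the same effective permissions through other roles; any user it lists should be reassigned before the role is deleted.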

Create a user role

  1. In the Platform Management Console, click Cluster > Configure User Roles.

    The User Role List page displays.

  2. In the Global Actions dropdown list, select Create New Role.

    The Create New Role page displays.

  3. In the User Role textbox, enter the name of the role.
  4. In the Description textbox, enter a description of the role.
  5. Select users from the Available User Accounts list to assign users to the role. Click Add.
  6. Check the permission checkboxes to grant permissions to the role.
    1. If you want to grant all the available cluster-wide permissions, check the Cluster Permissions checkbox; otherwise, check the individual permission checkboxes. Note that these permissions grant access to data and debug level controls for the whole cluster.
    2. If you want to grant consumer tree permissions, under Consumer Tree Permissions, click Add. In the tree list, select the consumer that you want to grant permissions to. Click Add.
    3. If you want to grant all the available consumer permissions, check the Consumer Permissions checkbox; otherwise, check the individual permission checkbox.
    4. If you want to grant permissions to other consumers: 1) click Add; 2) select the consumer from the consumer tree list; 3) choose the permission(s).
  7. Click Create to save your changes.

Modify a user role

  1. In the Platform Management Console, click Cluster > Configure User Roles.

    The User Role List page displays.

  2. From the list of user roles, locate the role you want to modify and click it.

    The Role properties page displays.

  3. Modify the user role property.
  4. Click Apply to save your changes.

Remove a user role

  1. In the Platform Management Console, click Cluster > Configure User Roles.

    The User Role List page displays.

  2. From the list of user roles, locate the role you want to remove and select Actions > Delete role.

    Note that multiple roles cannot be removed at the same time.

  3. Click OK.

Assign a role to a user

  1. Follow the steps for modifying a user role.
  2. In the Role properties page, under Specify users in this role, select the user from the list.
  3. Click Add.

    The role is assigned to the user.

  4. Click Apply.