Out of the box, Symphony allows a system user with an authenticated EGO user account to be assigned any of the following roles: cluster administrator, consumer administrator, or consumer user. Each of these roles is associated with a fixed set of permissions that either grant or deny access to specific system controls and operations. For example, consumer users only have access to and control over their own workload units and cannot access the workload units of other consumers.
At some sites, cluster administrators/users and their functions may not map exactly to Symphony’s preconfigured security model for user roles. It may be desirable to have flexibility in the assignment of privileges. This chapter discusses the permissions available for monitoring and controlling Symphony operations and how to assign them to user roles that you can create.
A predefined set of permissions is available for customizing user roles. You can assign any of the following permissions to a role.
Roles can be assigned to any user, and any user can have more than one role. If a user is assigned one of Symphony’s preconfigured roles and a newly created role, the effect is that the permissions of both roles are merged.
User role properties are configured through the Platform Management Console. You must be a cluster administrator to perform actions on user roles.
Perform the following steps when you want to implement a new user role:
The following example shows the concept of configuring one role for two users.
The following properties of a user role can be modified using the PMC:
User roles can also be removed. Before removing a role, it is important to check that it is not assigned to any users, as this would cause them to lose all privileges associated with the role.
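The pre-removal check and the role-merging behavior described above can be modeled as follows. This is an added example, not Symphony code or the PMC's own logic: it assumes merging is a plain set union, and the `workload_monitor` role, the user names and all permission names are constructed samples rather than Symphony identifiers.

```python
# Added illustration: a generic model, not Symphony's API or data format.
# Role, user and permission names below are constructed samples.

ROLE_PERMISSIONS = {
    "consumer_user": {"view_own_workload", "control_own_workload"},
    "workload_monitor": {"view_own_workload", "view_all_workload"},  # hypothetical custom role
}

# One custom role configured for two users (alice and bob).
USER_ROLES = {
    "alice": {"consumer_user", "workload_monitor"},
    "bob": {"workload_monitor"},
    "carol": {"consumer_user"},
}


def effective_permissions(user, user_roles=USER_ROLES,
                          role_perms=ROLE_PERMISSIONS, skip_role=None):
    """Merge (set union) the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        if role != skip_role:
            perms |= role_perms.get(role, set())
    return perms


def removal_impact(role, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Return {user: permissions lost} for each user still assigned `role`."""
    impact = {}
    for user, roles in sorted(user_roles.items()):
        if role not in roles:
            continue
        before = effective_permissions(user, user_roles, role_perms)
        after = effective_permissions(user, user_roles, role_perms, skip_role=role)
        impact[user] = before - after  # empty if another role still grants them
    return impact


def safe_to_remove(role, user_roles=USER_ROLES):
    """A role is safe to remove only when no user is assigned to it."""
    return not any(role in roles for roles in user_roles.values())


if __name__ == "__main__":
    for user, lost in removal_impact("workload_monitor").items():
        print(f"{user} would lose: {sorted(lost)}")
    print("safe to remove:", safe_to_remove("workload_monitor"))
```

Because permissions are merged, a user who holds a second role keeps any permission that role also grants; the report lists only the net loss per user.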