Pre-defined Roles and Associated Permissions
This page describes the roles supported by the HPE Ezmeral Data Fabric as-a-service platform.
Roles and Permissions When SSO Is Configured
| Role | Permissions | Corresponding ACL Permission Code¹ |
|---|---|---|
| Infrastructure Admin | Permission to log in and start or stop services | login, ss |
| Fabric Manager | Full control of the fabric, create volume permission, and login permission² | login, cv, cp, fc |
| Fabric User | Login permission² and create volume permission | login, cv, cp |

¹ Shows the equivalent access control list (ACL) permission code for the HPE Ezmeral Data Fabric – Customer Managed cluster. For more information, see Security Policy Permissions and Creating Cluster-Level ACLs.

² The login user can log in to the Data Fabric UI and issue commands. Includes read access for existing objects.
Resource Actions Supported for the Roles
| Role | Resource | Create | Delete | Modify |
|---|---|---|---|---|
| Fabric Manager | Fabric | Allow | Allow | Allow |
| Fabric Manager | Volumes | Allow | Allow | Allow |
| Fabric Manager | Buckets | Allow | Allow | Allow |
| Fabric Manager | Directories | Allow | Allow | Allow |
| Fabric Manager | User | Allow | Allow | Allow |
| Fabric Manager | Accounts | Allow | Allow | Allow |
| Fabric Manager | Groups | Allow | Allow | Allow |
| Fabric Manager | S3 Keys | Allow | Allow | Allow |
| Fabric Manager | Objects | Allow | Allow | Allow |
| Fabric Manager | Security Policies | Allow | Allow | Allow |
| Fabric Manager | Storage Policies | Allow | Allow | Allow |
| Fabric Manager | Storage Tiers / Remote Targets | Allow | Allow | Allow |
| Fabric Manager | SMTP Configuration | Allow | Allow | Allow |
| Fabric Manager | IAM Policies | Allow | Allow | Allow |
| Fabric Manager | User-defined role | Allow | Allow | Allow |
| Infrastructure Admin | Fabric | Deny | Deny | Allow |
| Infrastructure Admin | Volumes | Deny | Deny | Deny |
| Infrastructure Admin | Buckets | Deny | Deny | Deny |
| Infrastructure Admin | Directories | Deny | Deny | Deny |
| Infrastructure Admin | User | Deny | Deny | Deny |
| Infrastructure Admin | Accounts | Deny | Deny | Deny |
| Infrastructure Admin | Groups | Deny | Deny | Deny |
| Infrastructure Admin | S3 Keys | Allow | Allow | Allow |
| Infrastructure Admin | Objects | Deny | Deny | Deny |
| Infrastructure Admin | Security Policies | Deny | Deny | Deny |
| Infrastructure Admin | Storage Policies | Deny | Deny | Deny |
| Infrastructure Admin | Storage Tiers / Remote Targets | Deny | Deny | Deny |
| Infrastructure Admin | SMTP Configuration | Deny | Deny | Deny |
| Fabric User | Fabric | Deny | Deny | Deny |
| Fabric User | Volumes | Allow | Allow | Allow |
| Fabric User | Buckets | Allow | Allow | Allow |
| Fabric User | Directories | Allow | Allow | Allow |
| Fabric User | S3 Keys | Allow | Allow | Allow |
| Fabric User | Objects | Allow | Allow | Allow |
| Fabric User | Security Policies | Allow | Allow | Allow |
| Fabric User | Storage Policies | Allow | Allow | Allow |
| Fabric User | Storage Tiers / Remote Targets | Allow | Allow | Allow |
| Fabric User | SMTP Configuration | Deny | Deny | Deny |
Displaying Role Information
- Sign in to the Data Fabric UI.
- In the upper right corner of the home screen, click the down arrow next to the user name.

Limitation for Non-SSO Users
SSO users with sufficient credentials can view and manage resources on all fabrics. Non-SSO users can view and manage resources only on the fabric to which they are signed in. Non-SSO users cannot view or manage resources on other fabrics. The Data Fabric UI does not display these resources to non-SSO users because the UI cannot connect to other fabrics without the same login information.