Pre-defined Roles and Associated Permissions
This page describes the roles supported by the HPE Ezmeral Data Fabric as-a-service platform.
Roles and Permissions When SSO Is Configured
Role | Permissions | Corresponding ACL Permission Code¹ |
---|---|---|
Infrastructure Admin | Permission to log in and start or stop services | login, ss |
Fabric Manager | Full control of the fabric, create volume permission, and login permission² | login, cv, cp, fc |
Fabric User | Login permission² and create volume permission | login, cv, cp |

¹ Shows the equivalent access control list (ACL) permission code for the HPE Ezmeral Data Fabric – Customer Managed cluster. For more information, see Security Policy Permissions and Creating Cluster-Level ACLs.

² The login user can log in to the Data Fabric UI and issue commands. Includes read access for existing objects.
Resource Actions Supported for the Roles
Role | Resource | Create | Delete | Modify |
---|---|---|---|---|
Fabric Manager | Fabric | Allow | Allow | Allow |
Fabric Manager | Volumes | Allow | Allow | Allow |
Fabric Manager | Buckets | Allow | Allow | Allow |
Fabric Manager | Directories | Allow | Allow | Allow |
Fabric Manager | User | Allow | Allow | Allow |
Fabric Manager | Accounts | Allow | Allow | Allow |
Fabric Manager | Groups | Allow | Allow | Allow |
Fabric Manager | S3 Keys | Allow | Allow | Allow |
Fabric Manager | Objects | Allow | Allow | Allow |
Fabric Manager | Security Policies | Allow | Allow | Allow |
Fabric Manager | Storage Policies | Allow | Allow | Allow |
Fabric Manager | Storage Tiers / Remote Targets | Allow | Allow | Allow |
Fabric Manager | SMTP Configuration | Allow | Allow | Allow |
Fabric Manager | IAM Policies | Allow | Allow | Allow |
Fabric Manager | User-defined role | Allow | Allow | Allow |
Infrastructure Admin | Fabric | Deny | Deny | Allow |
Infrastructure Admin | Volumes | Deny | Deny | Deny |
Infrastructure Admin | Buckets | Deny | Deny | Deny |
Infrastructure Admin | Directories | Deny | Deny | Deny |
Infrastructure Admin | User | Deny | Deny | Deny |
Infrastructure Admin | Accounts | Deny | Deny | Deny |
Infrastructure Admin | Groups | Deny | Deny | Deny |
Infrastructure Admin | S3 Keys | Allow | Allow | Allow |
Infrastructure Admin | Objects | Deny | Deny | Deny |
Infrastructure Admin | Security Policies | Deny | Deny | Deny |
Infrastructure Admin | Storage Policies | Deny | Deny | Deny |
Infrastructure Admin | Storage Tiers / Remote Targets | Deny | Deny | Deny |
Infrastructure Admin | SMTP Configuration | Deny | Deny | Deny |
Fabric User | Fabric | Deny | Deny | Deny |
Fabric User | Volumes | Allow | Allow | Allow |
Fabric User | Buckets | Allow | Allow | Allow |
Fabric User | Directories | Allow | Allow | Allow |
Fabric User | S3 Keys | Allow | Allow | Allow |
Fabric User | Objects | Allow | Allow | Allow |
Fabric User | Security Policies | Allow | Allow | Allow |
Fabric User | Storage Policies | Allow | Allow | Allow |
Fabric User | Storage Tiers / Remote Targets | Allow | Allow | Allow |
Fabric User | SMTP Configuration | Deny | Deny | Deny |
Displaying Role Information
- Sign in to the Data Fabric UI.
- In the upper right corner of the home screen, click the down arrow next to the user name.
Limitation for Non-SSO Users
SSO users with sufficient credentials can view and manage resources on all fabrics. Non-SSO users can view and manage resources only on the fabric to which they are signed in. Non-SSO users cannot view or manage resources on other fabrics. The Data Fabric UI does not display these resources to non-SSO users because the UI cannot connect to other fabrics without the same login information.