Pre-defined Roles and Associated Permissions

This page describes the roles supported by the HPE Ezmeral Data Fabric as-a-service platform.

Roles and Permissions When SSO Is Configured

SSO-configured fabrics support the following pre-defined roles:
| Role | Permissions | Corresponding ACL Permission Code (1) |
|---|---|---|
| Infrastructure Admin | Permission to log in and start or stop services | login, ss |
| Fabric Manager | Full control of the fabric, create volume permission, and login permission (2) | login, cv, cp, fc |
| Fabric User | Login permission (2) and create volume permission | login, cv, cp |

(1) Shows the equivalent access control list (ACL) permission code for the HPE Ezmeral Data Fabric – Customer Managed cluster. For more information, see Security Policy Permissions and Creating Cluster-Level ACLs.

(2) The login user can log in to the Data Fabric UI and issue commands. Includes read access for existing objects.
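
The role-to-ACL-code mapping in the table above can be used to check grants on a customer-managed cluster for drift from the intended role. The following Python code is an added example, not HPE code: only the role names and permission codes come from the table, while the pipe-separated inventory format, the sample principals, and the function names are assumptions constructed for illustration.

```python
# Added example: compare granted ACL codes with the codes each role should have.
# Role -> equivalent ACL permission codes, copied from the table on this page.
ROLE_CODES = {
    "Infrastructure Admin": frozenset({"login", "ss"}),
    "Fabric Manager": frozenset({"login", "cv", "cp", "fc"}),
    "Fabric User": frozenset({"login", "cv", "cp"}),
}

# Constructed inventory (hypothetical format): principal | intended role | granted codes
SAMPLE = """\
# principal | intended role | granted codes
alice | Fabric Manager       | login, cv, cp, fc
bob   | Fabric User          | login, cv, cp, fc
carol | Infrastructure Admin | login
dave  | Fabric User          | login, cv, cp
erin  | Auditor              | login
"""

def parse_inventory(text):
    """Return a list of (principal, role, granted_codes) tuples."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 '|'-separated fields")
        principal, role, codes = parts
        granted = frozenset(c.strip() for c in codes.split(",") if c.strip())
        rows.append((principal, role, granted))
    return rows

def audit(text):
    """Map each drifting principal to its excess and missing permission codes."""
    findings = {}
    for principal, role, granted in parse_inventory(text):
        expected = ROLE_CODES.get(role)
        if expected is None:
            # Not one of the three pre-defined roles; cannot be checked here.
            findings[principal] = {"error": f"unknown role {role!r}"}
            continue
        excess, missing = granted - expected, expected - granted
        if excess or missing:
            findings[principal] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings

if __name__ == "__main__":
    for who, detail in audit(SAMPLE).items():
        print(who, detail)
```

In the constructed sample, a Fabric User holding `fc` is reported as excess privilege, and an Infrastructure Admin without `ss` is reported as under-provisioned.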

Resource Actions Supported for the Roles

The following table shows the create, delete, and modify actions that each role can perform on various resources:
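| Role | Resource | Create | Delete | Modify |
|---|---|---|---|---|
| Fabric Manager | Fabric | Allow | Allow | Allow |
| Fabric Manager | Volumes | Allow | Allow | Allow |
| Fabric Manager | Buckets | Allow | Allow | Allow |
| Fabric Manager | Directories | Allow | Allow | Allow |
| Fabric Manager | User | Allow | Allow | Allow |
| Fabric Manager | Accounts | Allow | Allow | Allow |
| Fabric Manager | Groups | Allow | Allow | Allow |
| Fabric Manager | S3 Keys | Allow | Allow | Allow |
| Fabric Manager | Objects | Allow | Allow | Allow |
| Fabric Manager | Security Policies | Allow | Allow | Allow |
| Fabric Manager | Storage Policies | Allow | Allow | Allow |
| Fabric Manager | Storage Tiers / Remote Targets | Allow | Allow | Allow |
| Fabric Manager | SMTP Configuration | Allow | Allow | Allow |
| Fabric Manager | IAM Policies | Allow | Allow | Allow |
| Fabric Manager | User-defined role | Allow | Allow | Allow |
| Infrastructure Admin | Fabric | Deny | Deny | Allow |
| Infrastructure Admin | Volumes | Deny | Deny | Deny |
| Infrastructure Admin | Buckets | Deny | Deny | Deny |
| Infrastructure Admin | Directories | Deny | Deny | Deny |
| Infrastructure Admin | User | Deny | Deny | Deny |
| Infrastructure Admin | Accounts | Deny | Deny | Deny |
| Infrastructure Admin | Groups | Deny | Deny | Deny |
| Infrastructure Admin | S3 Keys | Allow | Allow | Allow |
| Infrastructure Admin | Objects | Deny | Deny | Deny |
| Infrastructure Admin | Security Policies | Deny | Deny | Deny |
| Infrastructure Admin | Storage Policies | Deny | Deny | Deny |
| Infrastructure Admin | Storage Tiers / Remote Targets | Deny | Deny | Deny |
| Infrastructure Admin | SMTP Configuration | Deny | Deny | Deny |
| Fabric User | Fabric | Deny | Deny | Deny |
| Fabric User | Volumes | Allow | Allow | Allow |
| Fabric User | Buckets | Allow | Allow | Allow |
| Fabric User | Directories | Allow | Allow | Allow |
| Fabric User | S3 Keys | Allow | Allow | Allow |
| Fabric User | Objects | Allow | Allow | Allow |
| Fabric User | Security Policies | Allow | Allow | Allow |
| Fabric User | Storage Policies | Allow | Allow | Allow |
| Fabric User | Storage Tiers / Remote Targets | Allow | Allow | Allow |
| Fabric User | SMTP Configuration | Deny | Deny | Deny |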

Displaying Role Information

To display role information for the currently signed-in user:
  1. Sign in to the Data Fabric UI.
  2. In the upper right corner of the home screen, click the down arrow next to the user name.

Limitation for Non-SSO Users

SSO users with sufficient credentials can view and manage resources on all fabrics. Non-SSO users can view and manage resources only on the fabric to which they are signed in. Non-SSO users cannot view or manage resources on other fabrics. The Data Fabric UI does not display these resources to non-SSO users because the UI cannot connect to other fabrics without the same login information.