Users and Roles
Components of a User
A user consists of the following components:
- Login credentials (user name and password)
- One or more roles.
Number of Roles Per User
Users that are not Platform Administrators can have a maximum of one assigned role per tenant or HPE Ezmeral ML Ops project.
A user with more than one role may be a Member of some tenants and a Tenant Administrator of other tenants.
Platform Administrators can access all tenants and projects. While they are accessing a tenant or project, the Platform Administrator automatically assumes the role of Tenant Administrator or Project Administrator.
Planning Considerations
Some of the planning considerations related to users and tenants in a deployment of HPE Ezmeral Runtime Enterprise include the following:
- Tenants
-
The number of tenants and the functions each tenant performs determines how many users with the Tenant Administrator role are needed and, by extension, the number of users with the Tenant Member role that are needed for each tenant.
The reverse is also true, because the number and functions of users that need to run jobs can influence how you define tenants.
For example, different levels of confidentiality might mandate separate tenants.
See also Tenants and Projects.
- Job functions
-
The specific work performed by a given user will directly impact the role they are assigned.
For example, a small organization might designate a single user as the Tenant Administrator for multiple tenants, while a large organization might designate multiple Tenant Administrators per tenant.
- Security clearances
-
You might need to restrict access to information based on the security clearance of a user. The need for this kind of restriction can impact both the tenants a user has access to and the role configured for that user within a given tenant.
Role-Based Access Control in Kubernetes Tenants
For detailed information about role-based access control within Kubernetes tenants, see Kubernetes Tenant RBAC.
Roles and Privileges
The privilege to perform an action is associated with one or more predefined user roles. Roles differ in the scope of the platform or tenant resources that they can affect.
- Tenant Members and Project Members
-
Tenant Members are users that have been assigned the
Member
role for a specific tenant.In ML Ops contexts, tenants that are configured as HPE Ezmeral ML Ops projects are called projects, and users that are assigned the
Member
role are Project Members.Tenant Administrators and Project Members:
- Operate within the tenant-specific or project-specific UI.
- Can view metrics in the tenant or project context.
- Can view, create, and delete workloads within the tenant or project.
- Can view and use DataTaps and FS Mounts. However, Members cannot view the detailed information about the connected storage services, and cannot create, edit, or delete DataTaps or FS Mounts.
- Have access to a kubectl configuration associated with tenant or project member privileges in the tenant or project namespace.
- Tenant Administrators and Project Administrators
-
Tenant Administrators are users that have been assigned the
Admin
role for a specific tenant.In ML Ops contexts, tenants that are configured as HPE Ezmeral ML Ops projects are called projects, and users that are assigned the
Admin
role are Project Administrators.Tenant Administrators and Project Administrators:
- Operate within the tenant-specific UI.
- Have all the capabilities of Tenant Members or Project Members.
- For DataTaps and FS Mounts, can also view the connected storage service details, and can create, edit, and delete DataTaps and FS Mounts.
- Can assign and revoke tenant or project users.
- Have access to a kubectl configuration associated with tenant administrator privileges in the tenant or project namespace.
- Kubernetes Cluster Administrator
-
Kubernetes Cluster Administrators are users that have been assigned the
K8S Admin
role for a specific cluster.Kubernetes Cluster Administrators:
- Can view services status, usage totals, alerts, and metrics in the context of the Kubernetes cluster.
- Have access to the Kubernetes dashboard of the cluster.
- Can view detailed information about the hosts that are acting as Kubernetes cluster nodes.
- Can view detailed information about the Kubernetes tenants or projects associated with the cluster.
- Can assign and revoke users for those associated tenants or projects.
- Have access to the administrative kubectl configuration for the cluster.
- Platform Administrator
-
A user that has been assigned the
Site Admin
role is known as a Platform Administrator. This role is also called the Kubernetes Administrator in the context of managing Kubernetes hosts, clusters, tenants, and users.Platform Administrators:
- Can operate as tenant or project administrator without needing an explicit role assignment.
- Have all the capabilities of Kubernetes Cluster Administrators for each Kubernetes cluster.
- Can view services status, usage totals, alerts, and metrics in a sitewide context.
- Can create, edit, and delete tenants or projects.
- Can add hosts to and remove hosts from the deployment.
- Can create, edit, resize, delete, and upgrade Kubernetes clusters.
- Can modify sitewide user authentication settings (for AD/LDAP group-based users) and manage local user accounts.
- Can assign and revoke all user roles.
- Can control other sitewide configuration, such as security policies, High Availability, gateways, licensing, air gap, and platform upgrades.