ViPR 2.2 - Assign ViPR Roles

Introduction

There are two levels of roles in ViPR: VDC roles and tenant roles. VDC roles are used to set up the ViPR environment which is shared by all tenants. Tenant roles are used to administrate the tenant-specific settings, such as the service catalog and projects, and to assign additional users to tenant roles. This article describes how to assign users or groups to roles.

You should ensure you are familiar with the main concepts behind roles, described in: Understanding Users, Roles, and ACLs.

ViPR has a local "root" user who has all the roles required to set up the VDC and the root tenant. The root user can be used to bootstrap the system by assigning the required administrator roles. In general, role administration proceeds as follows:
  • Root user assigns a user to the Security Administrator role.
  • Security Administrator:
    • Creates a System Administrator to set up the VDC.
    • Creates a Tenant Administrator for the provider tenant to administrate tenant-level resources.
  • Tenant Administrator creates tenant roles for their own tenant or for sub-tenants.

Assign a user or group to a VDC role

The ViPR Security Administrator can assign both VDC roles and tenant roles.

Before you begin

Procedure

  1. Select Security > VDC Role Assignments.
  2. Select Add.
  3. At the Create VDC Role Assignment page, select Group or User.
  4. Enter the name of the user or of the group to which you want to assign a role.
    User names and group names are in the form: user@mydomain.com and group@mydomain.com.
    Any group from an authentication provider can be assigned to a role. However, the group can comprise users who are mapped into different tenants and, as only members of the provider tenant can be assigned to a VDC role, only members of this group who are also part of the provider tenant will be able to access the role when they log in.
    If an alternate UPN suffix is configured in Active Directory and the authentication provider for the user's domain (for example, mydo for mydomain.com), enter the user name as user@mydo.
  5. Select the VDC role(s) that you want to assign.
  6. Select Save.

Assign a user or group to a tenant role

A user with the Security Administrator role, or Tenant Administrator role for a tenant, can assign roles to users or groups who belong to the tenant.

Before you begin

Procedure

  1. Select Tenant Settings > Tenants.
  2. For the tenant for which you want to perform the assignment, select the Role Assignments button, located in the Edit column of the Tenants table.
  3. At the Tenant drop-down, select the tenant for which you want to assign the tenant role.
  4. Select Add.
  5. Select whether the role is being assigned to a User or Group.
  6. Enter the name of the user or group.
    User names and group names are in the form: user@mydomain.com and group@mydomain.com.
    Any group from an authentication provider can be assigned to a role. However, the members of the group can be mapped into different ViPR tenants and only members of the tenant in which the role assignment has been made (and the provider tenant, in the case of the Tenant Administrator role) will be granted the role when the user logs in.
    If an alternate UPN suffix is configured in Active Directory and the authentication provider for the user's domain (for example, mydo for mydomain.com), enter the user name as user@mydo.
  7. Select the tenant roles that you want to assign.
  8. Select Save.
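
The tenant-membership rule stated in step 4 of the VDC procedure and step 6 of the tenant procedure can be modelled for an access review. The following is an added example, not ViPR code or its API: it computes which members of an assigned group are actually granted a role and which are not. The tenant labels, users, group name and the "example-tenant-role" label are constructed, and treating a user who is mapped to no tenant as receiving no role is an assumption.

```python
# Added illustration, not ViPR code. Tenant labels, users, the group and
# "example-tenant-role" are constructed for this sketch.
from dataclasses import dataclass

PROVIDER_TENANT = "provider"            # assumed label for the provider tenant
TENANT_ADMIN = "Tenant Administrator"

@dataclass(frozen=True)
class Assignment:
    scope: str                          # "vdc" or "tenant"
    role: str
    subject: str                        # user@mydomain.com or group@mydomain.com
    is_group: bool
    tenant: str = PROVIDER_TENANT       # tenant in which a tenant role was assigned

def effective_members(a, user_tenant, group_members):
    """Users who are actually granted the role when they log in."""
    candidates = group_members.get(a.subject, set()) if a.is_group else {a.subject}
    granted = set()
    for user in candidates:
        tenant = user_tenant.get(user)  # assumption: unmapped (None) gets no role
        if a.scope == "vdc":
            # VDC roles: only members of the provider tenant can hold them.
            ok = tenant == PROVIDER_TENANT
        else:
            # Tenant roles: members of the assignment's tenant, plus the
            # provider tenant in the case of the Tenant Administrator role.
            ok = tenant == a.tenant or (
                a.role == TENANT_ADMIN and tenant == PROVIDER_TENANT)
        if ok:
            granted.add(user)
    return granted

def excluded_members(a, user_tenant, group_members):
    """Members named by the assignment who will not receive the role."""
    named = group_members.get(a.subject, set()) if a.is_group else {a.subject}
    return named - effective_members(a, user_tenant, group_members)

# Constructed sample data: one group whose members map into three tenants.
GROUP = "storage-admins@mydomain.com"
USER_TENANT = {"alice@mydomain.com": PROVIDER_TENANT,
               "bob@mydomain.com": "tenant-a",
               "carol@mydomain.com": "tenant-b"}
GROUP_MEMBERS = {GROUP: set(USER_TENANT)}

if __name__ == "__main__":
    for a in (Assignment("vdc", "System Administrator", GROUP, True),
              Assignment("tenant", TENANT_ADMIN, GROUP, True, "tenant-a"),
              Assignment("tenant", "example-tenant-role", GROUP, True, "tenant-a")):
        print(a.role, sorted(effective_members(a, USER_TENANT, GROUP_MEMBERS)))
```

Comparing `excluded_members` against the intended audience of a group assignment shows where a group is broader than the set of users who can exercise the role.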