Cloud user groups

The three types of personas in the Cloud Management application are cloud administrator, cloud operator, and cloud user. Cloud administrators configure and set up the system. Cloud operators perform the day-to-day activities including management and provisioning. Cloud users (typically in IT) request virtual resources.

The privilege to perform a particular task is granted by a user role. A user is assigned a role when an admin adds the user to a user group that includes the role.

To enable admins to manage security, the Cloud Management application adds a number of user groups to the system. Each user group is associated with a user role. When an admin adds a user to one of the groups, the user is granted the role that is assigned to the group. To manage Cloud Management security, an administrator adds a user to the appropriate group or removes a user from the group.

To implement security for a user who must play multiple roles, good practice is to add the user to multiple groups. If the predefined groups do not provide enough granularity, you can create a custom group or grant a particular role directly to an individual user.

User groups are described here in order of increasing privileges.

Cloud user group

Cloud users can request virtual resources from the service catalog and can perform the following actions only on VMs assigned to them.
  • Modify VM (Azure and VMware only)
  • Update Lease End
  • Pause VM
  • Stop VM
  • Start VM
  • Cancel
  • Terminate
  • Take Snapshot
  • Restore from Snapshot
  • Delete Snapshot

Table 1. Cloud User user group

User group: Virtual Provisioning Cloud Users
Contains the following user role: cloud_user
Privileges: Request virtual resources from the service catalog and use the My Virtual Assets portal to manage virtual resources that are assigned to them.

Cloud Approvers groups

Cloud Approvers can approve or reject requests for virtual resources. Approvers have no technical responsibilities.

Table 2. Cloud Approver user groups

User group: Azure Approvers
Contains the following user role: itil
Privileges: Approve or reject requests for Azure virtual resources. This includes requests for new virtual machines, state changes (start/stop) to existing virtual machines, and lease extensions.

User group: EC2 Approvers
Contains the following user role: itil
Privileges: Approve or reject requests for Amazon EC2 virtual resources. This includes requests for new virtual machines, state changes to existing virtual machines, and lease extensions.

User group: VMware Approvers
Contains the following user role: itil
Privileges: Approve or reject requests for VMware virtual resources. This includes requests for new virtual machines, modifications to existing virtual machines, and lease extensions.

Cloud Operator user groups

Cloud operators use the Cloud Operations portal to perform the day-to-day work of cloud provisioning and management. Cloud operators are typically assigned to particular virtualization providers and must be technically adept with the products they support. Users with the cloud_operator role can perform the following actions on any virtual machine:

  • Modify VM (Azure and VMware only)
  • Update Lease End
  • Pause VM
  • Stop VM
  • Start VM
  • Cancel
  • Terminate
  • Take Snapshot
  • Restore from Snapshot
  • Delete Snapshot

Table 3. Cloud Operator user groups

User group: Virtual Provisioning Cloud Operators
Contains the following user role: cloud_operator
Privileges: Fulfill provisioning requests from users by completing tasks that appear on the Cloud Operations Portal. This group also includes all members of the child groups that are noted in this table.

User group: EC2 Operators (child group of Virtual Provisioning Cloud Operators)
Contains the following user role: ec2_operator
Privileges: Fulfill Amazon EC2 provisioning requests from users by completing tasks that appear on the Cloud Operations Portal. Users in the group are members of the Virtual Provisioning Cloud Operators parent group.

User group: Azure Operators (child group of Virtual Provisioning Cloud Operators)
Contains the following user role: azure_operator
Privileges: Fulfill Azure provisioning requests from users by completing tasks that appear on the Cloud Operations Portal. Users in the group are members of the Virtual Provisioning Cloud Operators parent group.

User group: VMware Operators (child group of Virtual Provisioning Cloud Operators)
Contains the following user role: vmware_operator
Privileges: Fulfill VMware provisioning requests from users by completing tasks that appear on the Cloud Operations Portal. Users in the group are members of the Virtual Provisioning Cloud Operators parent group.

Cloud Administrator user group

Cloud Administrators own the Cloud Management environment and are responsible for configuring the virtualization products that are supported by the Cloud Management application on your instance. Admins receive both the cloud_admin and the cloud_user roles. Admins can perform the following actions only on VMs assigned to them:

  • Modify VM (Azure and VMware only)
  • Update Lease End
  • Pause VM
  • Stop VM
  • Start VM
  • Cancel
  • Terminate
  • Take Snapshot
  • Restore from Snapshot
  • Delete Snapshot
  • Define vCenters
  • Define catalog offerings
  • Set pricing for the offerings
  • Define provisioning rules
  • Define change control parameters for a virtual machine
  • Approve change requests associated with virtual machine modifications
  • Set properties applicable to cloud management
  • Set up networking information for VMware guest customization
  • Monitor requests and key metrics related to requests surrounding virtual machines

Table 4. Cloud Administrator user group

User group: Virtual Provisioning Cloud Administrators
Contains the following user roles: cloud_admin, cloud_user, itil
Privileges: Cloud administrators can monitor the Cloud Management environment using the Cloud Admin Portal.
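The group-to-role scheme above (a user gets a role by being placed in a group, child operator groups are members of their parent group, cloud_user and cloud_admin act only on VMs assigned to them while cloud_operator acts on any VM, and itil is what approves requests) can be checked with a small model. The following is an added example, not ServiceNow code: the group, role and action names are taken from the tables on this page, while the users, VM names and provider values are constructed for illustration.

```python
from dataclasses import dataclass

# Group -> (roles the group carries, parent group or None). Taken from
# Tables 1-4 above. A child group's members are also members of the parent,
# so membership in "EC2 Operators" also yields the cloud_operator role.
GROUPS = {
    "Virtual Provisioning Cloud Users": ({"cloud_user"}, None),
    "Azure Approvers": ({"itil"}, None),
    "EC2 Approvers": ({"itil"}, None),
    "VMware Approvers": ({"itil"}, None),
    "Virtual Provisioning Cloud Operators": ({"cloud_operator"}, None),
    "EC2 Operators": ({"ec2_operator"}, "Virtual Provisioning Cloud Operators"),
    "Azure Operators": ({"azure_operator"}, "Virtual Provisioning Cloud Operators"),
    "VMware Operators": ({"vmware_operator"}, "Virtual Provisioning Cloud Operators"),
    "Virtual Provisioning Cloud Administrators": ({"cloud_admin", "cloud_user", "itil"}, None),
}

# VM actions listed for cloud users (own VMs only) and cloud operators (any VM).
VM_ACTIONS = {
    "Modify VM", "Update Lease End", "Pause VM", "Stop VM", "Start VM",
    "Cancel", "Terminate", "Take Snapshot", "Restore from Snapshot", "Delete Snapshot",
}
MODIFY_PROVIDERS = {"Azure", "VMware"}  # "Modify VM (Azure and VMware only)"


@dataclass(frozen=True)
class VM:
    name: str
    provider: str      # constructed values: "Azure", "EC2" or "VMware"
    assigned_to: str   # user the VM is assigned to


def effective_groups(direct_groups):
    """Direct groups plus every ancestor group, following parent links."""
    seen = set()
    stack = list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        if group not in GROUPS:
            raise KeyError(f"unknown group: {group}")
        seen.add(group)
        parent = GROUPS[group][1]
        if parent is not None:
            stack.append(parent)
    return seen


def effective_roles(direct_groups):
    """Union of the roles carried by all effective groups."""
    roles = set()
    for group in effective_groups(direct_groups):
        roles |= GROUPS[group][0]
    return roles


def can_perform(user, direct_groups, action, vm):
    """Decide whether `user` may run a VM action on `vm`.

    cloud_operator may act on any VM; cloud_user (which admins also hold)
    only on VMs assigned to that user. Modify VM is limited to Azure/VMware.
    """
    if action not in VM_ACTIONS:
        return False
    if action == "Modify VM" and vm.provider not in MODIFY_PROVIDERS:
        return False
    roles = effective_roles(direct_groups)
    if "cloud_operator" in roles:
        return True
    return "cloud_user" in roles and vm.assigned_to == user


def can_approve(direct_groups):
    """Approval of requests is carried by the itil role (approvers, admins)."""
    return "itil" in effective_roles(direct_groups)


if __name__ == "__main__":
    # Constructed sample: an EC2 VM assigned to alice.
    web01 = VM("web01", "EC2", assigned_to="alice")
    print(sorted(effective_roles(["EC2 Operators"])))
    print(can_perform("alice", ["Virtual Provisioning Cloud Users"], "Stop VM", web01))
    print(can_perform("bob", ["Virtual Provisioning Cloud Users"], "Stop VM", web01))
    print(can_perform("carol", ["Virtual Provisioning Cloud Administrators"], "Stop VM", web01))
```

Two things the model makes visible that the tables alone do not: adding a user to a provider-specific operator group is a grant of cloud_operator over every VM, not just that provider's, because the child group is a member of the parent; and a cloud administrator, holding cloud_user rather than cloud_operator, cannot stop or terminate another user's VM despite owning the environment configuration. Both are worth checking when reviewing group membership for least privilege.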