Permissions management for Cloud Management roles

Permissions are user group-level access rights to various features in the Cloud Management application and to specific records in the instance, such as a blueprint or a cloud account.

You can refine the actions that are allowed or prohibited for users based on the user group they belong to. By default, each role comes with a set of access rights, but not all users with the same role can see or edit each other's records. For example, by default users with the cloud_designer role have full read and write access to their own blueprints, but they do not have read or write access to blueprints created by other cloud designers. If you want them to have access, you must put the users into a group that has the cloud_designer role, then give that group read and write access to the particular blueprints.

Permission types

Access [Read]
Users can see the record, but not edit or delete.
Manage [Create & Update]
Users can see the record and create and update new records in the same table, but cannot delete any records.
Users can delete specified records or all records in the table.
Users can execute an action on records in the table.
Users have permissions on all records in the table.

Permissions suggestions

Consider granting these permissions in your organization:
Suggested group: Catalog user group
  Role: Cloud user [sn_cmp.cloud_service_user]
  Type of users in the group: Users who order similar items from the catalog in the Cloud User portal.
  Suggested permissions: Access [read] or Execute
  Description: Catalog items, even after they are published, cannot be seen by users in the Cloud User Portal until you grant a user group to which that user belongs read access to the items. Grant Access and Execute permissions to cloud users on the Blueprint Catalog Item table and the Cloud Account table.

Suggested group: Blueprint designers
  Role: Service Designer [sn_cmp.cloud_service_designer]
  Type of users in the group: Users who design blueprints.
  Suggested permissions: Manage [Create and update]
  Description: Blueprint designers cannot see or edit other blueprints or catalog items by default. To collaborate or reuse existing blueprints and catalog items, blueprint designers need access to each other's blueprints through the Manage permission.

Suggested group: Cloud admins
  Role: Cloud administrator [sn_cmp.cloud_admin]
  Type of users in the group: Users who create and manage cloud accounts.
  Suggested permissions: Manage [Create and update]
  Description: Cloud admins must map templates to appropriate resource profiles. To collaborate or reuse existing resource profiles and templates.

Assign a cloud permission

Assign a permission to refine the actions that are allowed or prohibited for users based on the user group they belong to.

Before you begin

  • Role required: sn_cmp.cloud_governor
  • The user group to which you want the permission applied.


  1. Navigate to Cloud Management > Governance > Permission.
  2. Fill out the form fields (see table).
    Figure 1. Read permissions on cloud accounts
    Field: Description
    Target type: Select the cloud table to which the target record belongs.
    All Entities: Select this option to apply the permission to all records in the table.
    Permission: Select the permission type.
    Target Entity: Select the record that the permission is based upon.
    Group: Select the user group.
  3. Click Submit.
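
The following is an added example, not ServiceNow code: a small model of how the form fields above combine with the default described earlier (users have full access to their own records; anyone else needs a group grant). It assumes the owner default applies to every record. The class names, function names, the "read"/"write" action names and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model, not ServiceNow code. Field names mirror the form above.
@dataclass(frozen=True)
class Permission:
    target_type: str                      # "Target type": the cloud table
    permission: str                       # "Permission": "Access" or "Manage"
    group: str                            # "Group": the user group
    all_entities: bool = False            # "All Entities": every record in the table
    target_entity: Optional[str] = None   # "Target Entity": one specific record

@dataclass(frozen=True)
class Record:
    table: str
    name: str
    owner: str

# Access lets users see a record; Manage also lets them create and update.
ALLOWS = {"Access": {"read"}, "Manage": {"read", "write"}}

def allowed(user, groups, record, action, permissions):
    """Return True if `user` may perform `action` ("read" or "write") on `record`."""
    if record.owner == user:              # assumed default: full access to own records
        return True
    for p in permissions:
        if p.group not in groups or p.target_type != record.table:
            continue                      # grant is for another group or table
        if not (p.all_entities or p.target_entity == record.name):
            continue                      # grant is scoped to a different record
        if action in ALLOWS.get(p.permission, set()):
            return True
    return False                          # no matching grant: deny

def broad_grants(permissions):
    """Grants to review first: they cover every record in a table."""
    return [p for p in permissions if p.all_entities]

# Constructed sample data.
BP = Record("Blueprint", "web-tier", owner="alice")
GRANTS = [
    Permission("Blueprint", "Manage", "designers-team-a", target_entity="web-tier"),
    Permission("Cloud Account", "Access", "catalog-users", all_entities=True),
]
```

Scoping a grant with Target Entity keeps other records in the same table closed to the group, while an All Entities grant opens the whole table, so those are the entries to check when reviewing permissions.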