Action Orchestrator Roles
Overview
In Action Orchestrator, authorization is performed using a Role-Based Access Control (RBAC) system. A role is a collection of permissions; each permission pairs a set of operations with a set of Action Orchestrator objects such as workflows, targets, account keys, variables, and so forth. Assigning a role to a user gives that user the ability to perform those operations. Access rights include Create, View, Update, Delete, Run, and so forth.
A role is assigned to user groups in Action Orchestrator. When Action Orchestrator becomes a part of CloudCenter Suite or another Cisco product, the common RBAC component shall provide APIs to map roles in the host applications to the Action Orchestrator roles.
Typically, roles are defined according to a standardized job function within IT. Examples might include “Level 1 Helpdesk,” “Level 2 Helpdesk,” “Human Resources,” “Network Configuration,” “SAP Basis Expert,” and so on. Security groups already in the directory for the users in these job functions are then typically assigned to the roles.
For more information on roles, see Understand Roles.
Predefined Security Roles
Action Orchestrator provides predefined security roles that ship with the product and cannot be modified. Custom user roles (see Adding Custom Roles) can be created using the Administration view, but the following roles are defined by default:
Role | Description |
---|---|
Tenant Admin | These users have access to almost all functionality in the product. They can view, modify, or change the owner of any workflow or setting, such as automation packs, calendars, categories, global variables, queue resources, and so forth. |
Content Author | This is a user who can define workflows. The user cannot update administration settings. |
Operator | This is the classic role for a Level 1 Service Desk employee who executes workflows. |
System Admin | Only a small number of users are assigned this role. These users have permissions to modify adapter settings. |
Adapter Author | These users have access to enable or disable atomic workflows in the product. |
For more information, see Roles and Permissions.
Adding Custom Roles
To add a new role, choose Admin > Roles > New Role.
In the New Role panel, perform the following procedure to add a new role.
Under General, specify the appropriate information:
Display Name: Enter the unique name to be displayed on the Roles page.
Name: Enter the unique name for the role.
Description: Enter a brief description of the role.
Role Type: By default, the role type is Custom.
Under Permissions, specify the appropriate action:
Use the toggle buttons to activate or deactivate the permissions to be included in, or made available for inclusion in, the security role.
Click the play icon on the appropriate object type and choose the appropriate permissions for the security role from the drop-down list. For more information, see Roles and Permissions.
Click Submit to add and save the role.
Roles and Permissions
Object Level Permissions
Object-level permissions define what operations can be performed on workflows and other objects. This is similar to file permissions (such as read or update): permissions are granted per user, and an object can be shared with multiple users. When you are logged into Action Orchestrator, you can access only the objects for which you have permissions.
Whenever an object is shared with users and groups, Action Orchestrator creates a link document in the users collection that records those users and groups together with their permission types for that object.
Permission Type | Actions supported |
---|---|
View | Read |
Modify | View, Update |
Manage | View, Update, Delete, Share |
Run | View, Execute, Stop |
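The following Python example, added here and not part of Action Orchestrator or this page, shows how the object-level model described above can be evaluated: a constructed link document records which users and groups hold which permission type on an object, each permission type expands to the actions listed in the table (View is the read action that Modify, Manage and Run all include), and anything not explicitly granted is denied. Sharing is itself modelled as the "share" action, which only Manage grants. The object ids, user and group names, and the `LinkDocument`, `Principal` and `ObjectAcl` types are all assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Permission type -> concrete actions it grants, following the
# "Permission Type / Actions supported" table on this page.
PERMISSION_ACTIONS: dict[str, frozenset[str]] = {
    "View": frozenset({"view"}),
    "Modify": frozenset({"view", "update"}),
    "Manage": frozenset({"view", "update", "delete", "share"}),
    "Run": frozenset({"view", "execute", "stop"}),
}


@dataclass
class LinkDocument:
    """Constructed stand-in for the link document written when an object is
    shared: which users and groups hold which permission type on it."""
    object_id: str
    object_type: str
    users: dict[str, str] = field(default_factory=dict)   # user -> permission type
    groups: dict[str, str] = field(default_factory=dict)  # group -> permission type


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset[str] = frozenset()


class ObjectAcl:
    """Evaluates object-level access from link documents. Unknown objects,
    unknown principals and unknown permission types all resolve to deny."""

    def __init__(self, links: list[LinkDocument]):
        self._links = {link.object_id: link for link in links}

    def effective_actions(self, who: Principal, object_id: str) -> frozenset[str]:
        link = self._links.get(object_id)
        if link is None:
            return frozenset()  # object was never shared: nothing is granted
        # Direct user grant and every matching group grant are unioned, so a
        # principal in two groups gets the actions of both permission types.
        perm_types = [link.users.get(who.name)]
        perm_types += [link.groups.get(group) for group in who.groups]
        granted: set[str] = set()
        for ptype in perm_types:
            granted |= PERMISSION_ACTIONS.get(ptype, frozenset())
        return frozenset(granted)

    def is_allowed(self, who: Principal, object_id: str, action: str) -> bool:
        return action in self.effective_actions(who, object_id)

    def share(self, actor: Principal, object_id: str, principal: str,
              perm_type: str, *, is_group: bool = False) -> None:
        """Add a grant to the link document; only a holder of Manage may share."""
        if perm_type not in PERMISSION_ACTIONS:
            raise ValueError(f"unknown permission type {perm_type!r}")
        if not self.is_allowed(actor, object_id, "share"):
            raise PermissionError(f"{actor.name} may not share {object_id}")
        link = self._links[object_id]
        (link.groups if is_group else link.users)[principal] = perm_type


# Constructed sample data (hypothetical names): one workflow shared to its
# author with Manage and to the level-1 helpdesk group with Run.
def build_sample_acl() -> ObjectAcl:
    return ObjectAcl([
        LinkDocument("wf-reset-password", "workflow",
                     users={"alice": "Manage"}, groups={"helpdesk-l1": "Run"}),
    ])


ALICE = Principal("alice", frozenset({"content-authors"}))
BOB = Principal("bob", frozenset({"helpdesk-l1"}))
CAROL = Principal("carol")

if __name__ == "__main__":
    acl = build_sample_acl()
    checks = [(ALICE, "delete"), (BOB, "execute"), (BOB, "update"), (CAROL, "view")]
    for who, action in checks:
        print(f"{who.name:6} {action:8} -> {acl.is_allowed(who, 'wf-reset-password', action)}")
```

The deny-by-default branches are the part worth copying: an object with no link document, a principal with no matching entry, or a permission type outside the four defined ones all yield an empty action set rather than an error that a caller might mistake for "allowed".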
The following table lists the predefined permissions granted to each security role.
An "x" denotes that the permission is available to that role.
Object Type | Object Permissions | Tenant Admin Role | Content Author Role | Operator Role | System Admin Role | Adapter Author |
---|---|---|---|---|---|---|
Adapter | View | x | x | x | ||
Modify | ||||||
Manage | x | x | ||||
Change Owner | x | |||||
Calendar | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Category | View | x | x | x | ||
Modify | ||||||
Manage | x | |||||
Change Owner | x | |||||
Global Variable | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Role (Tenant specific) | View | x | x | x | ||
Modify | ||||||
Manage | x | x | ||||
Change Owner | x | x | ||||
Account Key | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Schedule | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Event | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Target | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Target Group | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
Workflow definition Trigger, Actions, Import/Export, and Workflow Variable | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Run | x | x | x | x | ||
Change Owner | x | |||||
Workflow instance | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Cancel | x | x | x | x | ||
Change Owner | x | |||||
User/role Assignment | View | |||||
Modify | ||||||
Manage | x | |||||
Change Owner | x | |||||
Variable Type | View | x | ||||
Modify | ||||||
Manage | x | x | x | |||
Change Owner | x | |||||
System Environment Variables and Adapter Onboarding | View | x | x | x | ||
Modify | x | |||||
Manage | x | |||||
Change Owner | x | |||||
Atomic Workflow | View | x | x | x | ||
Modify | ||||||
Manage | x | x | ||||
Change Owner | ||||||
Repository (Git Repo) | View | x | x | x | x | |
Modify | ||||||
Manage | x | |||||
Change Owner | x |