Access Control Lists
Access Control Lists (ACLs) allow you to modify/view permissions for an API resource. Resources are identified using a unique ID and corresponding. Not all resources are supported by the ACL function. See the ACL-Managed Resources section below for the list of supported resources.
Any user with administration permissions (perms) on a resource can view/modify the ACL for that resource using the ACL Management APIs APIs:
- View ACL Resource Details
- Update ACL Resource Details
The following table identifies the resources that are supported by the ACL function along with the corresponding pages that provide additional information for the resource. This information is identical to the resourceName attribute used by the Workload Manager APIs.
See> Scaling Policies
See >Action Policies
|DEPLOYMENT_ENVIRONMENT||See Deployment Environment|
|REPOSITORY||See Share Artifact Repositories|
|SYSTEM_TAG||See System Tags|
|SECURITY_PROFILE||See Security and Firewall Rules|
|SERVICE||See Manage Services|
|CUSTOM_ACTION||See > |
|IMAGE||See Manage Images|
|See> Sharing Deployments|
|ACI_EXTENSION||See ACI Extensions|
|SERVICE_NOW_EXTENSION||See ServiceNow Extensions (Effective CloudCenter Legacy 4.8.2)|
|ACTION||See Actions Library (Effective CloudCenter Legacy 4.8)|
|VIRTUAL_MACHINE||See VM Management (Effective CloudCenter Legacy 4.8)|
|AGING_POLICY||See Policies (Effective CloudCenter Legacy 4.8.2)|
Default Permissions for ACL Resources
Permissions are tightly controlled by Workload Manager and not all permissions are applicable to all resources. You will receive validation errors in the following cases:
When you apply a permission that is not applicable to a particular resource.
For example, move_in and move_out are only applicable to deployment environments. If you apply either of these two strings to any other resource, you will receive a validation error.
When you apply a random string that is not listed in the perms array. For example, if you assign your own permission value like readwrite, you will receive a validation error.
Imported VMs do not have any default permissions.
ACL Manage Permissions
As this information is identical to the perms attribute used by the Workload Manager APIs, the same information is included here.
resourceName Permissions →
Permissions are divided into the categories that the following table describes:
|Permission Category |
(id and perms)
Tenant & Sub-Tenants
Default ACL Resource Permissions
The following default permissions are automatically granted to ACL resources after each resource is created.
User permissions are granted to the user who created the resource.
Tenant permissions are granted to:
All users of the tenant to which the logged-in user belongs.
All users in sub-tenant hierarchy starting at tenant of the user who created the resource.
If not specified for Vendor and Tenant then default permissions are not available at that level.
The following table describes ACL resource permissions.
UI and API Differences
ACL Configuration differences between the UI and API:
UI – If you have a complicated hierarchy with multiple permission combinations in a tenant hierarchy, then the UI only displays permission for the current level. Permissions for parent and child tenants will not be visible to the logged in user.
API – API users can view or modify permissions for all levels, regardless of this user's level in the tenant hierarchy. Only prerequisite is that the logged in user has administration perms on this resource.
If you are the tenant owner, you can provide any permission to the sub-tenant organization and all its users at the same time.
When providing access to Tenant and Sub-Tenant users, access the Share popup for the required service (Workload Manager UI > Admin > Services > MyService > Share dropdown), click the Tenants tab in the popup, and check the My Tenants & Sub-Tenants check box to provide access to the entire hierarchy.
You also have the option to select just one tenant (if you want to give just one tenant, but not their sub-tenants, and provide access to just that tenant.
- No labels