Role-based access control (RBAC)#

Role-based access control (RBAC) restricts access to the capabilities of Rackspace Cloud services, including the Cloud Servers API, to authorized users only. RBAC enables Rackspace Cloud customers to specify users have access to which Cloud Servers API service capabilities, based on roles defined by Rackspace. The permissions to perform certain operations in Cloud Servers API (create, read, update, delete) are assigned to specific roles. The account owner user assigns these roles, either global (multiproduct) or product-specific (for example, Cloud Servers), to account users.

Assigning roles to account users#

The account owner (identity:user-admin) can create account users on the account and then assign roles to those users. The roles grant the account users specific permissions for accessing the capabilities of the Cloud Servers service. Each account has only one account owner, and that role is assigned by default to any Rackspace Cloud account when the account is created.

See the Identity API guide for information about how to perform the following tasks:

Note

The account owner (identity:user-admin) role cannot hold any additional roles because it already has full access to all capabilities.

Roles available for Cloud Servers#

The following table describes the roles that can be used to access the Cloud Servers API.

Product roles and capabilities#

Role name

Role permissions

nova:admin

This role provides Create, Read, Update, and Delete permissions in Cloud Servers, where access is granted.

lbaas:creator

This role provides Create, Read and Update permissions in Cloud Servers, where access is granted.

lbaas:observer

This role provides Read permission in Cloud Servers, where access is granted.

Multiproduct global roles and permissions#

Additionally, two multiproduct roles apply to all products. Users with multiproduct roles inherit access to future products when those products become RBAC-enabled. The following list describes these roles and their permissions.

Multiproduct (Global) Roles and Permissions

Multiproduct roles and permissions#

Role name

Role permissions

admin

This role provides create, read, update, and delete permissions in all products, where access is granted.

observer

This role provides read permission in all products, where access is granted.

Resolving conflicts between RBAC multiproduct and product-specific roles#

The account owner can set roles for both multiproduct and Cloud Servers scope, and it is important to understand how any potential conflicts between these roles are resolved. When two roles appear to conflict, the role that provides the more extensive permissions takes precedence. Therefore, admin roles take precedence over observer and creator roles, because admin roles provide more permissions.

The following table shows two examples of how potential conflicts between user roles in the Control Panel are resolved.

Example of resolving permissions#

Permission configuration

Control Panel permission view

Control Panel admin capabilities

User is assigned the following roles: multiproduct observer and Cloud Servers admin

Appears that the user has only the multiproduct observer role

User can perform admin functions for Cloud Servers only. The user has the observer role for the rest of the products.

User is assigned to the following roles: multiproduct admin and Cloud Servers observer

Appears that the user has only the multiprodcut admin role

User can perform admin functions for all of the products. The Cloud Servers observer role is ignored.

RBAC permissions cross-reference to Cloud Servers API operations#

API operations for Cloud Servers may or may not be available to all roles. To see which operations are permitted to invoke which calls, please review the Permissions Matrix for Role-Based Access Control (RBAC).