Version: 24.10.01

Role-based Access Control in PDS

The PDS platform implements a hierarchical role-based access control (RBAC) system:

  • Account Admin: Has full account-level access and management capabilities across all infrastructure components and applications. This role is responsible for creating projects with the necessary infrastructure resources (Clusters, Templates, Backup locations, and so on), enabling the deployment of data services.
  • Project Admin:
    • Has access and management capabilities within specific projects. They can manage application resources (data service, backup, and so on) and applications within their assigned projects but do not have global access.
    • Can invite new users to a project and assign them roles, granting access as either Project Admins or Project Users.
  • Project User: Has access to and can manage data services and backups within their assigned projects. They have the least permissions, focusing on operational tasks within specific projects.

This structure ensures a balanced distribution of responsibilities, allowing for centralized control by Account Admins while delegating specific project management tasks to Project Admins and operational tasks to Project Users.

The following sections explain the roles and responsibilities within the PDS platform in more detail, outlining the specific permissions and capabilities of each role:

Account Admin

The Account Admin is a top-level role with extensive permissions and responsibilities within the PDS platform. This role is typically assigned to an employee who oversees the overall management and configuration of the platform. Here are the key aspects of the Account Admin role:

Access and management capabilities

  • Accounts: Manage user accounts within the platform, including creating new accounts and managing existing ones.
  • Projects: Create, access, and manage projects, which are logical groupings for resources and applications.
  • Clusters: Manage clusters, which are groups of connected servers that provide storage and compute resources.
  • Namespaces: Manage namespaces within clusters, which provide a mechanism for isolating and organizing resources.
  • Cloud Credentials: Manage credentials for accessing cloud services, ensuring secure connections and integrations.
  • Backup Locations: Define and manage locations where backups are stored, ensuring data protection and recovery.
  • Schedule Policies: Create and manage policies for scheduling tasks such as backups and maintenance operations.
  • Templates: Configure and manage templates for data service configurations, resource settings, and storage options, streamlining the deployment of standardized services.

Application management

  • Data services: Deploy, configure, and manage various data services within the platform.
  • Backups: Manage backup operations, ensuring data is regularly backed up and can be restored as needed.

Role management

The Account Admin can assign the Project Admin and Project User roles and change them later. A Project Admin can also invite new users to their own project and assign either of those roles, but only within that project. Role assignment therefore remains centrally controlled, with delegated assignment limited to the project scope.

Configure OIDC provider

To configure the OIDC provider for your organization, you must contact Portworx support. The Portworx support team creates your organization within Portworx Central and adds users under it. A Portworx Central ADMIN is also assigned to your organization; this ADMIN is responsible for configuring the OIDC provider. Once the provider is configured with the necessary OIDC credentials, users can sign in to PDS and access its services.

To configure the OIDC provider as the organization ADMIN:

  1. Log in to Portworx Central, select the Profile icon and then choose Setup OIDC.

  2. On the Setup OIDC page, enter the appropriate values for the Endpoint, Client ID, and Client Secret boxes.

    note

    Portworx Central displays its own Redirect URI. For PDS, the redirect URI is https://cloud.portworx.io/landing/sm-landing?domain={YOUR_ORGANIZATION_DOMAIN}, where {YOUR_ORGANIZATION_DOMAIN} is the domain entered by the organization ADMIN during the OIDC configuration process. Register this exact value with your OIDC provider; a provider that only has the Portworx Central redirect URI registered will reject PDS sign-ins.

  3. Select Save to apply the settings.

  4. Share the domain name with users who want to sign in to the PDS platform.

    For example, if the domain name is example.com, then users whose email addresses are in the example.com domain can sign up to access the PDS platform.

    note

    If you are an existing PDS customer and wish to switch the authentication method for current users to an OIDC provider, you should complete the OIDC configuration steps outlined above and then contact Portworx support to update the authentication method in Portworx Central. Note that the authentication method can only be changed for non-admin Portworx Central users.
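The two values an organization ADMIN has to get exactly right in the procedure above are the redirect URI registered with the OIDC provider and the organization domain that gates sign-up. The following is an added example (not Portworx code) that checks both before you hand the domain to users. It assumes the redirect URI shape quoted on this page, treats redirect URIs as exact strings (the comparison the OAuth 2.0 security guidance recommends, so that a prefix-matching or wildcard entry cannot be abused to redirect authorization codes elsewhere), and assumes the organization domain must match the user's email domain exactly, with subdomains rejected; the page does not say whether PDS accepts subdomains, so that last point is an assumption. The provider registration is a constructed sample.

```python
"""Pre-flight checks for the PDS Setup OIDC step (added example, not Portworx code)."""
import re
from urllib.parse import urlsplit

# Redirect URI base quoted on this page; the organization domain is appended as a query parameter.
PDS_REDIRECT_BASE = "https://cloud.portworx.io/landing/sm-landing"

# Bare hostname: letters, digits and hyphens in each label, at least one dot, TLD of letters only.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domain(domain: str) -> str:
    """Lower-case, trim, drop a trailing dot, and reject anything that is not a plain hostname."""
    d = domain.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid organization domain: {domain!r}")
    return d


def pds_redirect_uri(org_domain: str) -> str:
    """Exact redirect URI the OIDC provider must have on its allow-list for this organization."""
    return f"{PDS_REDIRECT_BASE}?domain={normalize_domain(org_domain)}"


def email_in_org_domain(email: str, org_domain: str) -> bool:
    """Exact, case-insensitive match on the domain part of the address only.

    'alice@example.com.evil.net' and 'alice@sub.example.com' must both fail for
    org_domain 'example.com'; a substring test would accept the first one.
    (Assumption: PDS compares the full domain, not a suffix.)
    """
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    if not local:
        return False
    try:
        return normalize_domain(domain) == normalize_domain(org_domain)
    except ValueError:
        return False


def audit_registration(registration: dict, org_domain: str) -> list:
    """Return a list of problems with a provider-side client registration, empty if it is clean."""
    findings = []
    want = pds_redirect_uri(org_domain)
    uris = registration.get("redirect_uris", [])
    if want not in uris:  # exact string membership, deliberately no case folding or prefix match
        findings.append(f"missing exact redirect URI {want}")
    for uri in uris:
        if "*" in uri:
            findings.append(f"wildcard redirect URI {uri}")
        if urlsplit(uri).scheme != "https":
            findings.append(f"non-https redirect URI {uri}")
    return findings


# Constructed sample of a client registration exported from an OIDC provider; every entry is wrong.
SAMPLE_REGISTRATION = {
    "client_id": "pds-example-client",  # hypothetical identifier
    "redirect_uris": [
        "https://cloud.portworx.io/landing/sm-landing?domain=Example.com",  # wrong case
        "https://cloud.portworx.io/landing/*",                              # wildcard
        "http://cloud.portworx.io/landing/sm-landing?domain=example.com",   # plaintext scheme
    ],
}

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_REGISTRATION, "example.com"):
        print("FAIL:", finding)
    for addr in ("ALICE@Example.COM", "alice@example.com.evil.net", "alice@sub.example.com"):
        print(addr, "->", email_in_org_domain(addr, "example.com"))
```

Run `audit_registration` against the registration your provider actually exports before step 4; if it returns anything, fix the provider side first, because users who sign up against a mis-registered client will get a redirect error rather than a PDS session.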

Project Admin

The Project Admin role has significant management capabilities but is scoped to specific projects. A Project Admin is responsible for managing resources and applications within the projects they create or are assigned to.

Access and management capabilities

  • Can access (view or utilize) all infrastructure components within the projects they create and manage, enabling the deployment of data services and execution of backups.
  • The scope of their management is limited to the projects they have created or have been granted access to, ensuring they do not interfere with other projects or global settings.
  • Can invite new users to a project and assign them roles, granting access as either Project Admins or Project Users.

Project User

The Project User role is designed for users who need access to and management capabilities within specific projects, but with more limited permissions compared to Project Admins. Key aspects include:

Access capabilities

Can access all infrastructure components and PDS applications within the projects they are part of. This includes viewing projects, clusters, namespaces, cloud credentials, backup locations, schedule policies, and templates.

Management capabilities

  • Can create and manage data services and backups within their assigned projects. This allows them to deploy and configure services, as well as ensure data protection through backups.
  • Their permissions are restricted to the projects they are assigned to, preventing them from making changes to other projects or global settings.

The following tables list the permissions for each role. Y = allowed, N = not allowed, NA = not applicable. "Project only" means only within projects the user belongs to; "API only" means the operation is available only through the API, not the UI.

Account Admin

Resource                | Create     | Get/List   | Update     | Delete
Account                 | N          | Y          | Y          | Y
Access Management       | Y          | Y          | Y          | Y
User Invitation         | Y          | Y          | Y          | Y
Project                 | Y          | Y          | Y          | Y
Cluster                 | Y          | Y          | NA         | Y
Namespace               | NA         | Y          | NA         | Y
Templates               | Y          | Y          | Y          | Y
Credential              | Y          | Y          | N          | Y
Backup Location         | Y          | Y          | N          | Y
Backup Policy           | Y          | Y          | N          | Y
Service Account         | Y (API only) | Y (API only) | Y (API only) | Y (API only)
Data Service Deployment | Y          | Y          | Y          | Y
Backup                  | Y          | Y          | NA         | Y
Restore                 | Y          | Y          | NA         | Y

Project Admin

Resource                | Create                      | Get/List                    | Update                      | Delete
Account                 | N                           | Y                           | N                           | N
Access Management       | Y (project only)            | Y (project only)            | Y (project only)            | Y (project only)
User Invitation         | Y (project only, API only)  | Y (project only, API only)  | Y (project only, API only)  | Y (project only, API only)
Project                 | N                           | Y (project only)            | Y                           | Y
Cluster                 | N                           | Y (project only)            | NA                          | N
Namespace               | NA                          | Y (project only)            | NA                          | N
Templates               | N                           | Y (project only)            | N                           | N
Credential              | N                           | N                           | N                           | N
Backup Location         | N                           | Y (project only)            | N                           | N
Backup Policy           | N                           | Y (project only)            | N                           | N
Service Account         | N                           | N                           | N                           | N
Data Service Deployment | Y (project only)            | Y (project only)            | Y (project only)            | Y (project only)
Backup                  | Y (project only)            | Y (project only)            | NA                          | Y (project only)
Restore                 | Y (project only)            | Y (project only)            | NA                          | Y (project only)

Project User

Resource                | Create            | Get/List          | Update            | Delete
Account                 | N                 | Y                 | N                 | N
Access Management       | N                 | N                 | N                 | N
User Invitation         | N                 | N                 | N                 | N
Project                 | N                 | Y (project only)  | N                 | N
Cluster                 | N                 | Y (project only)  | NA                | N
Namespace               | NA                | Y (project only)  | NA                | N
Templates               | N                 | Y (project only)  | N                 | N
Credential              | N                 | N                 | N                 | N
Backup Location         | N                 | Y (project only)  | N                 | N
Backup Policy           | N                 | Y (project only)  | N                 | N
Service Account         | N                 | N                 | N                 | N
Data Service Deployment | Y (project only)  | Y (project only)  | Y (project only)  | Y (project only)
Backup                  | Y (project only)  | Y (project only)  | NA                | Y (project only)
Restore                 | Y (project only)  | Y (project only)  | NA                | Y (project only)
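The matrix above only tells you what each cell means once the scope qualifiers are applied: a "project only" Y is a denial for any project the caller is not a member of, an "API only" Y is a denial from the UI, and NA behaves like N. The following is an added example (not PDS code) of a deny-by-default evaluator that applies those qualifiers, transcribing a subset of the matrix; it goes a step beyond the page by adding a helper that picks the least-privileged role able to perform a given set of operations, which is how you would decide what to grant a new user. Resource labels and the project names in the usage section are local conventions for the example. One interpretation is flagged in the code: the Project Admin's plain Y for updating and deleting a Project is read as project-scoped, because the prose in the Project Admin section limits that role to the projects it owns or has been granted.

```python
"""Deny-by-default evaluator for the PDS permission matrix (added example, not PDS code).

Each cell is one letter in the order Create, Get/List, Update, Delete:
  Y = allowed account-wide           P = allowed only in the caller's own projects
  A = allowed only through the API   Q = API only and project-scoped
  N = denied (the page's N and NA both map to N)
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

ACTIONS = ("create", "list", "update", "delete")

# Subset of the matrix on this page. Resource keys are local labels for the example.
MATRIX = {
    "Account Admin": {
        "account": "NYYY", "user_invitation": "YYYY", "project": "YYYY",
        "cluster": "YYNY", "credential": "YYNY", "service_account": "AAAA",
        "data_service": "YYYY", "backup": "YYNY", "restore": "YYNY",
    },
    "Project Admin": {
        "account": "NYNN", "user_invitation": "QQQQ",
        # Interpretation: the table's plain Y for Update/Delete on Project is read as
        # project-scoped, matching the prose that limits Project Admins to their own projects.
        "project": "NPPP",
        "cluster": "NPNN", "credential": "NNNN", "service_account": "NNNN",
        "data_service": "PPPP", "backup": "PPNP", "restore": "PPNP",
    },
    "Project User": {
        "account": "NYNN", "user_invitation": "NNNN", "project": "NPNN",
        "cluster": "NPNN", "credential": "NNNN", "service_account": "NNNN",
        "data_service": "PPPP", "backup": "PPNP", "restore": "PPNP",
    },
}

# Least to most privileged, used when choosing what to grant.
ROLE_ORDER = ("Project User", "Project Admin", "Account Admin")


@dataclass(frozen=True)
class Principal:
    role: str
    projects: frozenset = field(default_factory=frozenset)  # projects the user is a member of


def is_allowed(p: Principal, action: str, resource: str,
               project: Optional[str] = None, via_api: bool = False) -> bool:
    """Deny by default: an unknown role, resource or action, or a missing project scope, is a denial."""
    try:
        cell = MATRIX[p.role][resource][ACTIONS.index(action)]
    except (KeyError, ValueError):
        return False
    if cell == "Y":
        return True
    if cell == "A":
        return via_api
    if cell in ("P", "Q"):
        if cell == "Q" and not via_api:
            return False
        # Project scope: the request must name a project and the caller must belong to it.
        return project is not None and project in p.projects
    return False  # "N" and anything unexpected


def least_privileged_role(needs: Iterable[Tuple[str, str]],
                          project: str = "p", via_api: bool = True) -> Optional[str]:
    """Lowest role in ROLE_ORDER that satisfies every (action, resource) need, or None if none does."""
    needs = list(needs)
    for role in ROLE_ORDER:
        candidate = Principal(role, frozenset({project}))
        if all(is_allowed(candidate, a, r, project, via_api) for a, r in needs):
            return role
    return None


if __name__ == "__main__":
    # "payments" and "billing" are constructed project names for the walkthrough.
    padm = Principal("Project Admin", frozenset({"payments"}))
    print(is_allowed(padm, "delete", "backup", "payments"))         # own project: allowed
    print(is_allowed(padm, "delete", "backup", "billing"))          # other project: denied
    print(is_allowed(padm, "create", "user_invitation", "payments"))  # UI: denied (API only)
    print(least_privileged_role([("create", "backup"), ("delete", "restore")]))
```

When the request does not carry a project (for example, a list call across the account), every project-scoped cell evaluates to a denial, which is the behaviour you want from an authorization layer: scope is something the caller must prove, not something the check assumes.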