Role-based Access Control in PDS
The PDS platform implements a hierarchical role-based access control (RBAC) system:
- Account Admin: Has full account-level access and management capabilities across all infrastructure components and applications. This role is responsible for creating projects with the necessary infrastructure resources (Clusters, Templates, Backup locations, and so on), enabling the deployment of data services.
- Project Admin:
- Has access and management capabilities within specific projects. They can manage application resources (data service, backup, and so on) and applications within their assigned projects but do not have global access.
- Can invite new users to a project and assign them roles, granting access as either Project Admins or Project Users.
- Project User: Has access to and can manage data services and backups within their assigned projects. They have the least permissions, focusing on operational tasks within specific projects.
This structure ensures a balanced distribution of responsibilities, allowing for centralized control by Account Admins while delegating specific project management tasks to Project Admins and operational tasks to Project Users.
This following sections provides a detailed explanation of the roles and responsibilities within the PDS platform, outlining the specific permissions and capabilities of each role:
Account Admin
The Account Admin is a top-level role with extensive permissions and responsibilities within the PDS platform. This role is typically assigned to an employee who oversees the overall management and configuration of the platform. Here are the key aspects of the Account Admin role:
Access and management capabilities
- Accounts: Manage user accounts within the platform, including creating new accounts and managing existing ones.
- Projects: Create, access, and manage projects, which are logical groupings for resources and applications.
- Clusters: Manage clusters, which are groups of connected servers that provide storage and compute resources.
- Namespaces: Manage namespaces within clusters, which provide a mechanism for isolating and organizing resources.
- Cloud Credentials: Manage credentials for accessing cloud services, ensuring secure connections and integrations.
- Backup Locations: Define and manage locations where backups are stored, ensuring data protection and recovery.
- Schedule Policies: Create and manage policies for scheduling tasks such as backups and maintenance operations.
- Templates: Configure and manage templates for data service configurations, resource settings, and storage options, streamlining the deployment of standardized services.
Application management
- Data services: Deploy, configure, and manage various data services within the platform.
- Backups: Manage backup operations, ensuring data is regularly backed up and can be restored as needed.
Role management
The Account Admin has the ability to create and modify the roles of Project Admin and Project User. Project Admin can invite new users to a project and assign them roles. This ensures centralized control over role assignments and permissions.
Project Admin
The Project Admin role has significant management capabilities but is scoped to specific projects. A Project Admin is responsible for managing resources and applications within the projects they create or are assigned to.
Access and management capabilities
- Can access (view or utilize) all infrastructure components within the projects they create and manage, enabling the deployment of data services and execution of backups.
- The scope of their management is limited to the projects they have created or have been granted access to, ensuring they do not interfere with other projects or global settings.
- Can invite new users to a project and assign them roles, granting access as either Project Admins or Project Users.
Project User
The Project User role is designed for users who need access to and management capabilities within specific projects, but with more limited permissions compared to Project Admins. Key aspects include:
Access capabilities
Can access all infrastructure components and PDS applications within the projects they are part of. This includes viewing projects, clusters, namespaces, cloud credentials, backup locations, schedule policies, and templates.
Management capabilities
- Can create and manage data services and backups within their assigned projects. This allows them to deploy and configure services, as well as ensure data protection through backups.
- Their permissions are restricted to the projects they are assigned to, preventing them from making changes to other projects or global settings.
Here is the table representing the permissions for each role:
| Role | Permission | Account | Access Management | User Invitation | Project | Cluster | Namespace | Templates | Credential | Backup Location | Backup Policy | Service Account | Data Service Deployment | Backup | Restore |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Account Admin | Create | N | Y | Y | Y | Y | NA | Y | Y | Y | Y | Y (Only using API) | Y | Y | Y |
| Get/List | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y (Only using API) | Y | Y | Y | |
| Update | Y | Y | Y | Y | NA | NA | Y | N | N | N | Y (Only using API) | Y | NA | NA | |
| Delete | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y (Only using API) | Y | Y | Y | |
| Project Admin | Create | N | Y (for Project only) | Y (for Project only using API) | N | N | NA | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| Get/List | Y | Y (for Project only) | Y (for Project only using API) | Y (for Project only) | Y (for Project only) | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | Y (for Project only) | |
| Update | N | Y (for Project only) | Y (for Project only using API) | Y | NA | NA | N | N | N | N | N | Y (for Project only) | NA | NA | |
| Delete | N | Y (for Project only) | Y (for Project only using API) | Y | N | N | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) | |
| Project User | Create | N | N | N | N | N | NA | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| Get/List | Y | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | Y (for Project only) | |
| Update | N | N | N | N | NA | NA | N | N | N | N | N | Y (for Project only) | NA | NA | |
| Delete | N | N | N | N | N | N | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |