Role-based Access Control in PDS
The PDS platform implements a hierarchical role-based access control (RBAC) system:
- Account Admin: The Account Admin oversees account-level administration and acts as the central authority for governance across all organizations within an account. This role is responsible for:
  - Creating and managing organizations.
  - Assigning Organization Admins to individual organizations.
  - Setting up global configurations, such as authentication methods, billing preferences, and account-wide policies.
  - Monitoring usage and activity across all organizations under the account.
- Organization Admin: The Organization Admin manages organization-level resources and configurations. This role is responsible for:
  - Creating and managing projects within their assigned organization.
  - Configuring infrastructure resources, such as clusters, templates, and backup locations, to enable the deployment of data services.
  - Onboarding and configuring clusters into Portworx to ensure seamless integration and operation.
  - Managing user roles and permissions specific to their organization.
  - Ensuring compliance with organization-specific requirements and policies.
- Project Admin: The Project Admin manages resources and operations within specific projects. This role includes the following responsibilities:
  - Managing application resources such as data services, backups, and related components within their assigned projects.
  - Inviting new users to the project and assigning roles as either Project Admins or Project Users.
  - Ensuring project-level configurations and permissions align with organizational requirements.
  - Limited to project-level access; no permissions for global or organization administration.
- Project User: The Project User focuses on operational tasks within specific projects. This role includes the following responsibilities:
  - Managing data services, backups, and application-related operations within their assigned projects.
  - Restricted to the least permissions, allowing access only to specific tasks and resources within the project.
  - No access to project-level or global administration capabilities.
This structure ensures a balanced distribution of responsibilities, allowing for centralized control by Account Admins while delegating specific project administration tasks to Project Admins and operational tasks to Project Users.
The following sections provide a detailed explanation of the roles and responsibilities within the PDS platform, outlining the specific permissions and capabilities of each role:
Account Admin
The Account Admin is a top-level role with extensive permissions and responsibilities within the PDS platform. This role is typically assigned to an employee who oversees the overall administration and configuration of the platform. Here are the key aspects of the Account Admin role:
Access and administration capabilities
- Accounts: Manage user accounts within the platform, including creating new accounts and managing existing ones.
- Projects: Create, access, and manage projects, which are logical groupings for resources and applications.
- Clusters: Manage clusters, which are groups of connected servers that provide storage and compute resources.
- Namespaces: Manage namespaces within clusters, which provide a mechanism for isolating and organizing resources.
- Cloud Credentials: Manage credentials for accessing cloud services, ensuring secure connections and integrations.
- Backup Locations: Define and manage locations where backups are stored, ensuring data protection and recovery.
- Schedule Policies: Create and manage policies for scheduling tasks such as backups and maintenance operations.
- Templates: Configure and manage templates for data service configurations, resource settings, and storage options, streamlining the deployment of standardized services.
Application administration
- Data services: Deploy, configure, and manage various data services within the platform.
- Backups: Manage backup operations, ensuring data is regularly backed up and can be restored as needed.
Role administration
The Account Admin has the ability to create and modify the roles of Project Admin and Project User. Project Admins can invite new users to a project and assign them roles. This ensures centralized control over role assignments and permissions.
Configure OIDC provider
To configure the OIDC provider for your organization, you must contact Portworx support. The Portworx support team will create your organization within Portworx Central and add users under it. Additionally, a Portworx Central ADMIN will be assigned to your organization. This ADMIN will be responsible for configuring the OIDC provider for your organization. Once configured with the necessary OIDC credentials, users can sign in to PDS and access its services.
To configure the OIDC provider as the organization ADMIN:
- Log in to Portworx Central, select the Profile icon and then choose Setup OIDC.
- On the Setup OIDC page, enter the appropriate values for the Endpoint, Client ID, and Client Secret boxes.
  Note: Portworx Central displays its own Redirect URI. For PDS, the redirect URL is https://cloud.portworx.io/landing/sm-landing?domain={YOUR_ORGANIZATION_DOMAIN}. Here, {YOUR_ORGANIZATION_DOMAIN} represents the domain entered by the organization ADMIN during the OIDC configuration process.
- Select Save to apply the settings.
- Share the domain name with users who want to sign in to the PDS platform.
  For example, if the domain name is example.com, then users with the example.com domain in their email addresses can sign up to access the PDS platform.
Note: If you are an existing PDS customer and wish to switch the authentication method for current users to an OIDC provider, you should complete the OIDC configuration steps outlined above and then contact Portworx support to update the authentication method in Portworx Central. Note that the authentication method can only be changed for non-admin Portworx Central users.
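The domain step above (the fixed redirect URL format and the rule that only email addresses under the configured domain may sign up) can be checked programmatically. The following Python is an added example, not Portworx code: the URL format comes from the page, while the helper names, the bare-hostname validation rule and the exact-match policy for email domains are assumptions of this example.

```python
"""Helpers for the OIDC organization-domain step.

Added example, not Portworx code. Only the redirect URL format is taken from
the documentation; the function names and validation rules are assumptions.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

REDIRECT_BASE = "https://cloud.portworx.io/landing/sm-landing"  # from the page
REDIRECT_ORIGIN = "cloud.portworx.io"
REDIRECT_PATH = "/landing/sm-landing"

# Plain hostname: dot-separated labels of letters, digits and hyphens, at least
# one dot, no label starting or ending with a hyphen, at most 253 chars.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize_domain(domain: str) -> str:
    """Lower-case and validate a bare organization domain.

    Anything that is not a plain hostname (scheme, path, query characters,
    whitespace) is rejected, so the value can only ever occupy the `domain`
    query parameter and cannot alter the rest of the redirect URL.
    """
    d = domain.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid bare domain: {domain!r}")
    return d


def redirect_uri_for(domain: str) -> str:
    """Build the PDS redirect URL for an organization domain (assumed helper)."""
    return f"{REDIRECT_BASE}?domain={quote(normalize_domain(domain), safe='')}"


def domain_from_redirect_uri(uri: str) -> str:
    """Recover the organization domain from a redirect URL, for review or logging.

    Rejects URLs that are not the expected https origin and path, or that carry
    zero or several `domain` parameters.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.netloc != REDIRECT_ORIGIN or parts.path != REDIRECT_PATH:
        raise ValueError("unexpected redirect origin or path")
    values = parse_qs(parts.query).get("domain", [])
    if len(values) != 1:
        raise ValueError("redirect URL must carry exactly one domain parameter")
    return normalize_domain(values[0])


def email_matches_domain(email: str, domain: str) -> bool:
    """True only when the email's domain is exactly the configured organization domain.

    Exact, case-insensitive comparison: neither 'user@example.com.other.net'
    nor 'user@notexample.com' nor 'user@sub.example.com' matches 'example.com'.
    """
    local, sep, email_domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local:
        return False
    try:
        return normalize_domain(email_domain) == normalize_domain(domain)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values for a local run.
    uri = redirect_uri_for("Example.com")
    print(uri)
    print(domain_from_redirect_uri(uri))
    for addr in ("alice@example.com", "bob@example.com.other.net", "carol@sub.example.com"):
        print(addr, email_matches_domain(addr, "example.com"))
```

The point of the exact-match comparison is that a substring or suffix test would let an address under an unrelated domain pass the sign-up rule; a reviewer checking an OIDC rollout wants the stricter form.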
Organization Admin
The Organization Admin role in the PDS platform provides extensive organization-level administration capabilities, enabling efficient oversight and configuration of resources within a specific organization. This role is typically assigned to an employee who manages infrastructure and project configurations within their designated organization.
Here are the key aspects of the Organization Admin role:
Access and administration capabilities
- Projects: Create, access, and manage projects within the organization, establishing logical groupings for resources and applications.
- Clusters: Manage clusters assigned to the organization, ensuring resources are available and properly configured for various projects.
- Namespaces: Oversee namespaces within clusters, providing resource isolation and organization for different teams and applications.
- Cloud credentials: Manage cloud credentials for secure access to external cloud services, facilitating integrations for data services and backup operations.
- Backup locations: Define and manage locations for storing backups within the organization, ensuring robust data protection and recovery options.
- Schedule policies: Create and manage scheduling policies for automated tasks like backups and maintenance, helping maintain resource integrity and availability.
- Templates: Configure and manage templates for standardizing data service configurations, resource allocations, and storage options across projects within the organization.
Application administration
- Data services: Deploy, configure, and manage data services within the organization, enabling seamless access to critical applications.
- Backups: Oversee backup processes to ensure regular data protection, allowing for reliable data recovery when needed.
Role administration
The Organization Admin has the ability to create and manage roles at the project level, including assigning Project Admin and Project User roles within their organization. Project Admins can invite users to specific projects and assign roles, maintaining centralized control over permissions and access within the organization.
Project Admin
The Project Admin role has significant administration capabilities but is scoped to specific projects. A Project Admin is responsible for managing resources and applications within the projects they create or are assigned to.
Access and administration capabilities
- Can access (view or utilize) all infrastructure components within the projects they create and manage, enabling the deployment of data services and execution of backups.
- The scope of their administration is limited to the projects they have created or have been granted access to, ensuring they do not interfere with other projects or global settings.
- Can invite new users to a project and assign them roles, granting access as either Project Admins or Project Users.
Project User
The Project User role is designed for users who need access to and administration capabilities within specific projects, but with more limited permissions compared to Project Admins. Key aspects include:
Access capabilities
- Can access all infrastructure components and PDS applications within the projects they are part of. This includes viewing projects, clusters, namespaces, cloud credentials, backup locations, schedule policies, and templates.
Administration capabilities
- Can create and manage data services and backups within their assigned projects. This allows them to deploy and configure services, as well as ensure data protection through backups.
- Their permissions are restricted to the projects they are assigned to, preventing them from making changes to other projects or global settings.
The following table lists the permissions of each role (Y = permitted, N = not permitted, NA = not applicable):
| Role | Permission | Account | Access administration | User Invitation | Project | Cluster | Namespace | Templates | Credential | Backup Location | Backup Policy | Service Account | Data Service Deployment | Backup | Restore |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Account Admin | Create | N | Y | Y | Y | Y | NA | Y | Y | Y | Y | Y (Only using API) | Y | Y | Y |
| | Get/List | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y (Only using API) | Y | Y | Y |
| | Update | Y | Y | Y | Y | NA | NA | Y | N | N | N | Y (Only using API) | Y | NA | NA |
| | Delete | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y (Only using API) | Y | Y | Y |
| Organization Admin | Create | N | N | Y (Within the organization) | Y | Y | Y | Y | Y | Y | Y | NA | Y | Y | Y |
| | Get/List | N | N | Y (Within the organization) | Y | Y | Y | Y | Y | Y | Y | NA | Y | Y | Y |
| | Update | N | N | Y (Within the organization) | Y | NA | NA | Y | N | N | N | NA | Y | NA | NA |
| | Delete | N | N | Y (Within the organization) | Y | Y | Y | Y | Y | Y | Y | NA | Y | Y | Y |
| Project Admin | Create | N | Y (for Project only) | Y (for Project only using API) | N | N | NA | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| | Get/List | Y | Y (for Project only) | Y (for Project only using API) | Y (for Project only) | Y (for Project only) | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| | Update | N | Y (for Project only) | Y (for Project only using API) | Y | NA | NA | N | N | N | N | N | Y (for Project only) | NA | NA |
| | Delete | N | Y (for Project only) | Y (for Project only using API) | Y | N | N | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| Project User | Create | N | N | N | N | N | NA | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| | Get/List | Y | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
| | Update | N | N | N | N | NA | NA | N | N | N | N | N | Y (for Project only) | NA | NA |
| | Delete | N | N | N | N | N | N | N | N | N | N | N | Y (for Project only) | Y (for Project only) | Y (for Project only) |
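To make the scoping rules concrete, the following Python is an added model that combines the role descriptions above with a subset of this table. It is not PDS code; PDS's own authorization engine and API are not shown. It binds each role at its scope level (account, organization or project), encodes six of the table's resource columns (Project, User Invitation, Backup Location, Data Service Deployment, Backup, Restore) as CRUD letters, and denies by default unless some binding both grants the action and covers the target in the hierarchy. Role names, the hierarchy and the permission entries come from the page; the data structures, function names and sample identifiers are constructed for the example.

```python
"""Scoped, hierarchical RBAC model for the roles described on this page.

Added example, not PDS code. Role names, scope hierarchy
(account > organization > project) and the permission letters below follow
the documentation table; everything else (types, function names, sample ids)
is an assumption constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ACTIONS = {"C": "create", "R": "get", "U": "update", "D": "delete"}

# Subset of the permission table as CRUD letters per resource. Table entries
# marked "(Only using API)" / "(for Project only using API)" count as allowed;
# "N" and "NA" entries are simply absent.
ROLE_PERMS = {
    "account_admin": {"project": "CRUD", "user_invitation": "CRUD", "backup_location": "CRD",
                      "data_service_deployment": "CRUD", "backup": "CRD", "restore": "CRD"},
    "org_admin":     {"project": "CRUD", "user_invitation": "CRUD", "backup_location": "CRD",
                      "data_service_deployment": "CRUD", "backup": "CRD", "restore": "CRD"},
    "project_admin": {"project": "RUD", "user_invitation": "CRUD", "backup_location": "R",
                      "data_service_deployment": "CRUD", "backup": "CRD", "restore": "CRD"},
    "project_user":  {"project": "R", "backup_location": "R",
                      "data_service_deployment": "CRUD", "backup": "CRD", "restore": "CRD"},
}

# The single scope level at which each role can be bound.
ROLE_SCOPE = {"account_admin": "account", "org_admin": "org",
              "project_admin": "project", "project_user": "project"}


@dataclass(frozen=True)
class Target:
    """Where in the hierarchy an action takes place."""
    account: str
    org: str
    project: Optional[str] = None  # None for organization-level operations such as creating a project


@dataclass(frozen=True)
class Binding:
    """A role granted to a principal at exactly one scope (assumed structure)."""
    role: str
    scope_id: str

    def __post_init__(self) -> None:
        if self.role not in ROLE_SCOPE:
            raise ValueError(f"unknown role {self.role!r}")

    @property
    def scope_type(self) -> str:
        return ROLE_SCOPE[self.role]

    def covers(self, target: Target) -> bool:
        """Scope containment: an account binding covers the whole account, an org
        binding only that organization, a project binding only that project."""
        if self.scope_type == "account":
            return self.scope_id == target.account
        if self.scope_type == "org":
            return self.scope_id == target.org
        return target.project is not None and self.scope_id == target.project


def role_allows(role: str, action: str, resource: str) -> bool:
    """Does the role's row in the table permit this action on this resource?"""
    letters = ROLE_PERMS[role].get(resource, "")
    return any(ACTIONS[letter] == action for letter in letters)


def is_allowed(bindings: Iterable[Binding], action: str, resource: str, target: Target) -> bool:
    """Deny by default: allow only if some binding grants the action AND covers the target."""
    return any(role_allows(b.role, action, resource) and b.covers(target) for b in bindings)


def explain(bindings: Iterable[Binding], action: str, resource: str, target: Target) -> str:
    """Decision string suitable for an audit log line."""
    for b in bindings:
        if role_allows(b.role, action, resource) and b.covers(target):
            return f"ALLOW {action} {resource} via {b.role}@{b.scope_id}"
    return f"DENY {action} {resource} on {target}"


if __name__ == "__main__":
    # Constructed sample hierarchy: account acct-1 with organizations org-a and org-b.
    org_b = Target(account="acct-1", org="org-b")
    proj_a1 = Target(account="acct-1", org="org-a", project="proj-a1")
    alice = [Binding("org_admin", "org-a")]
    carol = [Binding("project_user", "proj-a1")]
    print(explain(alice, "create", "project", org_b))        # DENY: wrong organization
    print(explain(carol, "create", "backup", proj_a1))       # ALLOW within own project
    print(explain(carol, "create", "user_invitation", proj_a1))  # DENY: Project User cannot invite
```

The two checks are deliberately separate: `role_allows` answers "may this role ever do this?" from the table, and `Binding.covers` answers "does this grant reach the object being touched?". Keeping them apart is what prevents an Organization Admin of one organization, or a Project Admin of one project, from acting outside their own scope even though the role itself carries the permission.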