CloudShare supports role-based access control (RBAC) to control which users can perform specific operations and activities.
A user is assigned a role whenever they are invited to a project. The permissions that are enabled for each role can be changed according to the needs of that project.
CloudShare provides the following distinct user roles:
- Account Manager. This is the highest available user role. An Account Manager controls and manages all aspects of a specific CloudShare account, can view reports on the entire account, and also controls the appearance of the platform, including Viewer branding.
- Project Manager. A Project Manager controls and administers one or more projects in a CloudShare account. This role can add new users to a project, create teams and assign Team Managers, and monitor all project activity. A Project Manager can also create and manage environments, manage policies, and publish blueprints and snapshots, unless prohibited from doing so.
- Team Manager. A Team Manager controls an existing team and can add, manage, and view the activities of all its Team Members. This role cannot have privileges that are higher than those of the Project Manager.
- Team Member. A Team Member is a user who is part of a specific team. This role cannot have privileges that are higher than those of the Team Manager.
Roles are hierarchical, with each role able to access and manage its primary CloudShare elements as well as the elements below it:
- Project Manager
- Team Manager
- Team Member
Managing Permissions
An Account Manager or Project Manager can easily implement RBAC by viewing and changing the permissions that are assigned to different user roles for performing specific actions.
CloudShare permissions are flexible and are managed by project. You can change permissions for actions in the following areas:
- Environments
- Snapshots
- Training
- POCs
- External Resources
- End User Activities
Whenever you create a new project, CloudShare starts it with a default set of user permissions.
A Project Manager is able to change any permissions that have been set by another Project Manager for a shared project.
Viewing Permissions for a Project
- From the Management menu of the CloudShare dashboard, select Projects.
- Click the name of the project for which you want to view permissions. The Project Details page is displayed.
- From the Actions list, click Manage Permissions. The Permissions Management page for the project is displayed.
Each area lists the available actions and indicates which specific roles are permitted to perform them. A checkmark next to an action indicates that permission is granted for the listed role, while an 'X' indicates that permission is denied. The End User area lists the actions available for all end users of the selected project.
Changing Permissions for a Project
- From the Permissions Management page, click the edit icon in the upper right corner of the area for which you want to change permissions. An editing dialog is displayed for that area.
- For each action, select the lowest-level user role that will be able to perform the associated action from the drop-down list. Note that any roles higher than the selected level will also be able to perform the action. If it appears, you can select the Disabled for All list option to prevent all roles from performing the action.
- When you finish assigning permissions for the selected area, click Submit. The changes will be saved and the editing dialog will be closed.
Using Granular Permissions for Training
For Training permissions, CloudShare provides detailed granular options to enable additional control when a user needs to edit a class.
By default, granular permissions use the same permissions that were set for an associated class. When you change a granular permission, it will override the permission that was set for editing the class. A granular permission always takes precedence over its higher, class-level permission.
Changing some granular settings will display a warning that you will be unable to roll back the permission change later, since it is asymmetrical with another permission. For example, since enabling Decrease Maximum Students can cause a conflict with Increase Maximum Students, you will not be able to reverse the change.
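The lowest-role threshold from Changing Permissions for a Project and the granular override rule from this section, modeled together as an added example (not CloudShare code and not its API). The action names and settings are constructed samples, and `DISABLED`, `INHERIT` and the function names are hypothetical; `review` goes one step further and lists sensitive actions that roles below a chosen level can perform.

```python
from enum import IntEnum

class Role(IntEnum):
    """Roles from this page, ordered lowest to highest."""
    TEAM_MEMBER = 1
    TEAM_MANAGER = 2
    PROJECT_MANAGER = 3
    ACCOUNT_MANAGER = 4

DISABLED = "disabled-for-all"   # models the "Disabled for All" list option
INHERIT = "inherit"             # granular permission left at its default

# Constructed sample settings (not exported from CloudShare):
# each action maps to the lowest role allowed to perform it.
AREA_SETTINGS = {
    "Edit Class": Role.PROJECT_MANAGER,
    "Create POC": Role.TEAM_MANAGER,
    "Cancel POC": Role.TEAM_MEMBER,
    "Delete Terraform Script": DISABLED,
}
# Granular Training permissions: action -> (class-level parent, setting).
GRANULAR = {
    "Increase Maximum Students": ("Edit Class", INHERIT),
    "Decrease Maximum Students": ("Edit Class", Role.TEAM_MANAGER),
}

def threshold(action):
    """Return the lowest role allowed for an action, or DISABLED."""
    if action in GRANULAR:
        parent, setting = GRANULAR[action]
        # A changed granular permission overrides the class-level one;
        # an unchanged one uses the class-level setting.
        return AREA_SETTINGS[parent] if setting == INHERIT else setting
    return AREA_SETTINGS[action]

def is_allowed(role, action):
    """The selected role and every role above it may perform the action."""
    limit = threshold(action)
    return limit != DISABLED and role >= limit

def allowed_roles(action):
    """Names of all roles that can perform the action, lowest first."""
    return [r.name for r in Role if is_allowed(r, action)]

def review(sensitive, floor):
    """List sensitive actions open to any role below the reviewer's floor."""
    return sorted(a for a in sensitive
                  if any(is_allowed(r, a) for r in Role if r < floor))
```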
Changing POC Permissions
Permissions for POCs enable a user with the selected role to:
- Create a new POC
- Extend an existing POC
- Cancel an existing POC
Changing External Resources Permissions
Permissions for External Resources enable a user with the selected role to:
- Add a Terraform script
- Edit a Terraform script
- Delete a Terraform script
Changing End User Permissions
Permissions for End Users enable a user with the selected role to:
- Delete an environment
- Extend an environment
- Revert an environment (including any external cloud resources that were created with it)
- Revert or reset a specific CloudShare VM in an environment
These permissions relate only to actions of each end user on their own components. For example, if you enable the Delete Environment action, an end user will only be able to delete an environment that was created for them in the current project.
When changing end user permissions, only a Yes or No option is available for each action.
- From the Permissions Management page, click the edit icon in the upper right corner of the End Users area. An editing dialog is displayed.
- For each action, select Yes if you want to enable all end users to perform the action when working in the selected project.
- When you finish assigning permissions for the End User area, click Submit. The changes will be saved and the editing dialog will be closed.