Background
Currently, CloudStack provides very limited IAM services, and those services have several drawbacks:
- It offers only a few roles out of the box (user and admin), with prebaked access control for these roles. There is no way to create additional roles with customized permissions.
- Some resources have access control baked into them, e.g., shared networks, projects, etc.
The goal of this feature is to address these limitations and offer true IAM services in a phased manner.
Architecture and Design description
IAM Taxonomy
Group
A group contains a number of CloudStack accounts. Customers should be able to create, edit, list and delete groups. Editing includes adding accounts to or removing accounts from a group. For backwards compatibility, CloudStack will provide 3 default groups out of the box:
- Root Admin Group
- Domain Admin Group
- End User Group
Account