Currently CloudStack provides very limited IAM services and there are several drawbacks within those services:
The goal of this feature is to address these limitations and offer true IAM services in a phased manner.
A Group contains a number of CloudStack Accounts. Customers should be able to Create, Edit, List and Delete Groups; editing includes adding accounts to, or removing them from, a Group. For backwards compatibility, CloudStack will provide 3 default Groups out of the box:
An Account is the existing CloudStack Account; all permission control is done at the Account level. An Account can be assigned to more than one Group.
A CloudStack User holds only login credentials; permission control is not performed at the User level.
A Policy is a set of Permissions. Customers should be able to attach several Policies to a Group to define the permissions of that Group. By default, the following 3 types of policy template are provided:
In addition, customers should be able to define custom Policies that grant or deny Permissions in order to tailor the permissions of a Group. For cross-account permission grants, the following 3 types of granting/denying are currently supported:
A Policy consists of a set of Permissions. A Permission is the unit in which access control is defined.
With a Permission, a customer defines which actions are allowed or denied, on which resources, and under which Account or Domain.
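To make the Group / Account / Policy / Permission relationships above concrete, here is an added in-memory model of them with an authorization check. This is example code written for this page, not CloudStack's implementation. The field names (`effect`, `action`, `resource_kind`, `scope`, `owner`), the `*` wildcard, and the evaluation rule (an explicit deny anywhere wins, otherwise at least one matching allow is required, otherwise denied) are assumptions made for illustration; the scenario data is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Resource:
    kind: str      # resource type, e.g. "VirtualMachine"
    account: str   # owning Account
    domain: str    # owning Domain


@dataclass(frozen=True)
class Permission:
    # Assumed field layout; the page does not fix the exact shape of a Permission.
    effect: str         # "allow" or "deny"
    action: str         # API action name, or "*" for any action (assumed wildcard)
    resource_kind: str  # resource type, or "*" for any type (assumed wildcard)
    scope: str          # "account" or "domain"
    owner: str          # the Account or Domain (per scope) the permission covers

    def matches(self, action: str, resource: Resource) -> bool:
        if self.action not in ("*", action):
            return False
        if self.resource_kind not in ("*", resource.kind):
            return False
        if self.scope == "account":
            return self.owner == resource.account
        if self.scope == "domain":
            return self.owner == resource.domain
        return False


@dataclass
class Policy:
    name: str
    permissions: List[Permission] = field(default_factory=list)


@dataclass
class Group:
    name: str
    accounts: Set[str] = field(default_factory=set)
    policies: List[Policy] = field(default_factory=list)


class Iam:
    """Groups hold Accounts, Policies attach to Groups, an Account may be in many Groups."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}

    def create_group(self, name: str) -> Group:
        self.groups[name] = Group(name)
        return self.groups[name]

    def add_account(self, group: str, account: str) -> None:
        self.groups[group].accounts.add(account)

    def attach_policy(self, group: str, policy: Policy) -> None:
        self.groups[group].policies.append(policy)

    def effective_permissions(self, account: str) -> List[Permission]:
        # Every Policy attached to every Group the Account belongs to applies.
        perms: List[Permission] = []
        for g in self.groups.values():
            if account in g.accounts:
                for p in g.policies:
                    perms.extend(p.permissions)
        return perms

    def is_allowed(self, account: str, action: str, resource: Resource) -> bool:
        # Assumed evaluation order: an explicit deny wins; otherwise at least
        # one matching allow is required; no matching permission means denied.
        matching = [p for p in self.effective_permissions(account)
                    if p.matches(action, resource)]
        if any(p.effect == "deny" for p in matching):
            return False
        return any(p.effect == "allow" for p in matching)


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice sits in two Groups with different Policies."""
    iam = Iam()
    iam.create_group("domain-readers")
    iam.add_account("domain-readers", "alice")
    iam.attach_policy("domain-readers", Policy("read-vms-in-ROOT", [
        Permission("allow", "listVirtualMachines", "VirtualMachine", "domain", "ROOT"),
    ]))
    iam.create_group("bob-blocked")
    iam.add_account("bob-blocked", "alice")
    iam.attach_policy("bob-blocked", Policy("no-access-to-bob", [
        Permission("deny", "*", "*", "account", "bob"),
    ]))

    carol_vm = Resource("VirtualMachine", "carol", "ROOT")
    bob_vm = Resource("VirtualMachine", "bob", "ROOT")
    other_vm = Resource("VirtualMachine", "dave", "Finance")
    return {
        "list carol vm (domain allow)": iam.is_allowed("alice", "listVirtualMachines", carol_vm),
        "destroy carol vm (no allow)": iam.is_allowed("alice", "destroyVirtualMachine", carol_vm),
        "list bob vm (deny wins)": iam.is_allowed("alice", "listVirtualMachines", bob_vm),
        "list vm in other domain": iam.is_allowed("alice", "listVirtualMachines", other_vm),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

The scenario exercises the points the text makes: the same Account (`alice`) is in two Groups, permissions from both Groups' Policies are combined, a domain-scoped allow covers resources of other Accounts in that Domain, and an account-scoped deny from a second Group removes access to one Account's resources even though the first Group would allow it.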
A single permission definition consists of: