The restrictions set is a customizable group of limitations. Configure restrictions sets to create a sub-admin role, with control over a limited amount of cloud resources. This tool gives cloud administrators more flexibility in limiting resources and operations available to sub-admin role(s). Creating a new restrictions set associates a role or number of roles with certain resources' limitations. The sub-admins can only view and control the part of cloud assigned to them by the cloud administrator. Within that part they have admin permissions. However, they cannot view or use the resources of the whole cloud.
Previously, the exact list of resources and actions that the users were able to handle in their cloud was defined by the following parameters:
- bucket - configures which resources are available to users (e.g. data store zones, recipes, network zones, and so on). If none are added, the user will have unlimited resources.
- roles/permissions - specifies which actions the user can perform with those resources configured by the bucket (e.g. See all data store zones in the cloud, edit own recipes only, etc.).
The restrictions sets add the possibility to tie the user limitations with the user groups. With this new option, you can choose if the particular resources are restricted by the following:
- buckets - if restricted by buckets, the sub-admins will be able to manage only those resources which are added to a bucket. If nothing is added, no resources will be available.
- user groups - if the resource is restricted by user group, the sub-admin will be able to handle only the resources owned by the users of their group.
- Sub-admins cannot create any new zones or resources.
- Sub-admin cannot create roles, therefore, the roles that sub-admin requires have to be created by the cloud administrator. Further corrections to user roles can only be performed by the cloud administrator.
Sub-admin’s users have the same permissions as regular OnApp users.
- We recommend that the cloud administrator grants the sub-admin full access to all resources excluding the following permissions:
- Restrictions Resources group
- Restrictions Sets group
- Create/update/destroy role
- Create new zones or resources