The restrictions set is a customizable group of limitations. Configure restrictions sets to create a sub-admin role, i.e. a reseller role, with control over a limited amount of cloud resources. This tool gives cloud administrators more flexibility in limiting the resources and operations available to reseller roles. Creating a new restrictions set associates one or more roles with limitations on certain resources. Resellers can only view and control the part of the cloud assigned to them by the cloud administrator. Within that part they have admin permissions. However, they cannot view or use the resources of the whole cloud.
Previously, the exact list of resources and actions that the users were able to handle in their cloud was defined by the following parameters:
- bucket - configures which resources are available to users (e.g. data store zones, recipes, network zones, and so on). If none are added, the user will have unlimited resources.
- roles/permissions - specifies which actions the user can perform with those resources configured by the bucket (e.g. See all data store zones in the cloud, edit own recipes only, etc.).
Restrictions sets add the ability to tie user limitations to user groups. With this new option, you can choose whether particular resources are restricted by the following:
- buckets - if restricted by buckets, the resellers will be able to manage only those resources which are added to a bucket. If nothing is added, no resources will be available.
- user groups - if the resource is restricted by user group, the reseller will be able to handle only the resources owned by the users of their group.
- Resellers cannot create any new zones or resources.
- A reseller cannot create roles; therefore, the roles that a reseller requires have to be created by the cloud administrator. Further corrections to user roles can only be performed by the cloud administrator.
Reseller’s users have the same permissions as regular OnApp users.
- We recommend that the cloud administrator grants the reseller full access to all resources excluding the following permissions:
  - Restrictions Resources group
  - Restrictions Sets group
  - Create/update/destroy role
  - Create new zones or resources
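The two bucket behaviours and the user-group restriction described above, as an added Python sketch (a simplified model written for this page, not OnApp code). The `Resource` class, the function names, the mode strings and the sample data are assumptions made for illustration, as is denying resource kinds that have no configured mode.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    id: int
    kind: str   # e.g. "data_store_zone", "recipe"
    owner: str  # user who owns the resource


def legacy_visible(resources, bucket_ids):
    """Earlier bucket behaviour: an empty bucket means unlimited resources."""
    if not bucket_ids:
        return list(resources)
    return [r for r in resources if r.id in bucket_ids]


def restricted_visible(resources, mode_by_kind, bucket_ids, group_members):
    """Restrictions-set behaviour, decided per resource kind."""
    visible = []
    for r in resources:
        mode = mode_by_kind.get(r.kind)
        if mode == "bucket":
            # Only what was added to the bucket; an empty bucket yields nothing.
            allowed = r.id in bucket_ids
        elif mode == "user_group":
            # Only resources owned by users of the reseller's group.
            allowed = r.owner in group_members
        else:
            # Assumption of this model: kinds with no configured mode are denied.
            allowed = False
        if allowed:
            visible.append(r)
    return visible


# Constructed sample data.
RESOURCES = [
    Resource(1, "data_store_zone", "admin"),
    Resource(2, "data_store_zone", "admin"),
    Resource(3, "recipe", "alice"),
    Resource(4, "recipe", "bob"),
]
MODES = {"data_store_zone": "bucket", "recipe": "user_group"}

if __name__ == "__main__":
    print("legacy, empty bucket:", [r.id for r in legacy_visible(RESOURCES, set())])
    print("restrictions set, empty bucket:",
          [r.id for r in restricted_visible(RESOURCES, MODES, set(), {"alice"})])
```

When reviewing a reseller role, the empty-bucket case is the one to check: the same empty bucket that exposed everything under the earlier model exposes nothing under a bucket restriction.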