VMmanager: Administrator guide

Managing user roles

The platform role model controls user access to features.

By default, preconfigured roles are available in the platform: administrator, advanced user, and user. You cannot change the settings of these roles. For more information about the capabilities of each role, see the User permissions article.

You can create your own (user) role with flexible access to the platform features. This article describes the platform role model and explains how to manage roles.

Function limitations

In the current implementation:

  • custom roles are recommended for getting acquainted with their capabilities and for testing role-based access to the platform;
  • assigning custom roles to users from LDAP is not supported.

The role model requires at least one user with a preconfigured administrator role. This will allow you to restore access to the platform in case of insufficient permissions for the user role. If access to the administrator account is lost, contact technical support.

Role model terminology

User — any subject (including administrator) working with the system.

Administrator — a privileged user who has rights to configure roles.

Role — a set of objects and rights.

Rights (privileges) — permissions to perform certain actions with objects.

Object — a managed entity to which rights apply. In VMmanager, objects include virtual machines (VMs), clusters, and systems.

System — a part of the platform for which rights cannot be defined per individual object. In most cases, systems in VMmanager are sections of the platform. For example, in the role settings you can completely deny access to the Scripts section, but you cannot deny access to individual scripts only.

Preconfigured roles — unchangeable roles that exist in the platform by default - administrator, advanced user, user.

User role — a role created by the administrator.

Work logic

The administrator can create, modify, and delete only user roles. Modifying preconfigured roles is not supported.

Roles can be assigned to specific users or groups. A user can be assigned either one of the preconfigured roles or one or more custom roles. If multiple user roles are assigned to a user, their rights are combined.

The following rights can be set for each object:

  • allowed — the action with the object is allowed for members of this role;
  • not allowed — the default state. The action with the object is not allowed by this role, but can be granted by another role. For example, if one user role allows VM creation and another does not, the user will be able to create VMs;
  • forbidden — the action with the object is strictly forbidden. Forbidden has the highest priority when the rights of several roles are combined. For example, if one user role allows VM creation and another forbids it, the user will not be able to create VMs.

Objects and rights for which a role is configured:

Object: Clusters

Rights:
  • create;
  • view and change settings;
  • delete;
  • add nodes;
  • view and change node settings;
  • run scripts on a node;
  • node maintenance mode;
  • delete nodes.

Comments: permissions can be granted for all clusters or for specific clusters.

Cluster access does not imply automatic access to VMs in these clusters. It allows you to:

  • view and modify cluster settings;
  • select a cluster when creating VMs.

Object: VMs

Rights:
  • basic operations:
    • renaming;
    • changing password;
    • starting and stopping;
    • reinstalling OS;
    • recovery mode;
    • connecting an ISO image;
    • running a script;
    • creating a snapshot;
    • creating an image;
    • connecting via VNC;
    • connecting via SPICE;
  • advanced operations:
    • cloning;
    • disk creation;
    • disk editing;
    • disk disconnection;
    • network management;
    • snapshot management;
    • image management;
    • IP address management;
    • fine-tuning;
    • note management;
  • administrative operations:
    • create;
    • delete;
    • migrate;
    • protection settings;
    • balancer;
    • VNC and SPICE connection configuration.

Comments: permissions can be granted for all VMs or for VMs selected by specific attributes:

  • VMs of a role member;
  • VMs from specific clusters;
  • specific VMs.

Object: Systems

Rights:
  • dashboard;
  • Scripts section;
  • Templates section;
  • IP address management;
  • Virtual networks section;
  • Users section;
  • role management;
  • DNSBL management;
  • Grafana;
  • Swagger;
  • notifications;
  • task list;
  • platform settings (menu);
  • Backups section.

Comments: if access to a section is not allowed or forbidden, an error is displayed when navigating to that section.
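The combination rules from the Work logic section (allowed, not allowed, forbidden across several roles) together with the object scopes in the table above, as an added worked example. This is illustration code written for this article, not VMmanager code: every class and function name is an assumption made for the example, the clusters, VMs and roles are constructed inline, and it assumes one reading of the table, namely that a role contributes a state for an object only when that object lies inside the cluster or VM scope selected for the role.

```python
"""Toy model of the rights-combination rules described in this article.

Added illustration, not VMmanager code: all names here are assumptions made
for the example, and the clusters, VMs and roles are constructed inline.
Assumed reading: a role contributes a state for an object only when that
object lies inside the scope (clusters / VMs) selected for the role.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Right(Enum):
    ALLOWED = "allowed"
    NOT_ALLOWED = "not allowed"  # default; another role may still grant the action
    FORBIDDEN = "forbidden"      # highest priority when roles are combined


@dataclass(frozen=True)
class VM:
    vm_id: int
    cluster_id: int
    owner: str


@dataclass
class VmScope:
    """The 'Select VMs' choices: all VMs, own VMs, VMs of clusters, specific VMs."""
    all_vms: bool = False
    own: bool = False
    clusters: set[int] = field(default_factory=set)
    vms: set[int] = field(default_factory=set)

    def contains(self, vm: VM, user: str) -> bool:
        return (self.all_vms or (self.own and vm.owner == user)
                or vm.cluster_id in self.clusters or vm.vm_id in self.vms)


@dataclass
class Role:
    name: str
    preconfigured: bool = False
    all_clusters: bool = False
    clusters: set[int] = field(default_factory=set)
    vm_scope: VmScope = field(default_factory=VmScope)
    cluster_rights: dict[str, Right] = field(default_factory=dict)
    vm_rights: dict[str, Right] = field(default_factory=dict)
    sections: dict[str, Right] = field(default_factory=dict)


def combine(states) -> bool:
    """forbidden beats allowed, allowed beats not allowed, nothing set means denied."""
    states = list(states)
    return Right.FORBIDDEN not in states and Right.ALLOWED in states


def vm_allowed(roles: list[Role], user: str, vm: VM, action: str) -> bool:
    # Only roles whose VM scope covers this VM have a say; cluster access alone
    # never grants rights on the VMs inside that cluster.
    return combine(r.vm_rights.get(action, Right.NOT_ALLOWED)
                   for r in roles if r.vm_scope.contains(vm, user))


def cluster_allowed(roles: list[Role], cluster_id: int, action: str) -> bool:
    return combine(r.cluster_rights.get(action, Right.NOT_ALLOWED)
                   for r in roles if r.all_clusters or cluster_id in r.clusters)


def section_allowed(roles: list[Role], section: str) -> bool:
    return combine(r.sections.get(section, Right.NOT_ALLOWED) for r in roles)


def validate_assignment(roles: list[Role]) -> list[Role]:
    """A user holds either one preconfigured role or one or more custom roles."""
    if any(r.preconfigured for r in roles) and len(roles) > 1:
        raise ValueError("a preconfigured role cannot be combined with other roles")
    return roles


# Constructed sample data: two clusters, four VMs, two custom roles for "alice".
CLUSTER_A, CLUSTER_B = 1, 2
VMS = {101: VM(101, CLUSTER_A, "alice"), 102: VM(102, CLUSTER_A, "bob"),
       201: VM(201, CLUSTER_B, "alice"), 202: VM(202, CLUSTER_B, "bob")}
# Operator of cluster A: sees the cluster, may start/stop and VNC into its VMs.
OPERATOR_A = Role("operator-A", clusters={CLUSTER_A},
                  cluster_rights={"view": Right.ALLOWED},
                  vm_scope=VmScope(clusters={CLUSTER_A}),
                  vm_rights={"start_stop": Right.ALLOWED, "vnc": Right.ALLOWED},
                  sections={"scripts": Right.ALLOWED})
# Owner of own VMs: sees every cluster, may delete own VMs, VNC to them is forbidden.
OWNER = Role("own-vms", all_clusters=True,
             cluster_rights={"view": Right.ALLOWED},
             vm_scope=VmScope(own=True),
             vm_rights={"delete": Right.ALLOWED, "vnc": Right.FORBIDDEN})
ALICE_ROLES = validate_assignment([OPERATOR_A, OWNER])
```

With these two roles, alice may start and stop VM 101 (the operator role allows it, the owner role leaves it not allowed), may delete it (the owner role allows it), but cannot open VNC to it: the owner role forbids VNC on her own VMs, and forbidden wins over the operator role's allow. On bob's VM 102 only the operator role applies, so VNC works there. Viewing cluster B is allowed, yet bob's VM 202 in that cluster stays out of reach, which is the "cluster access does not imply access to VMs" point from the table.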

Role management

To manage roles, go to the Users section → Roles tab.

Tab interface

Role creation

To create a role:

  1. Click Create a role button.
  2. Enter the Name of the role.
  3. Enter the arbitrary role Description.
  4. Select the objects and rights that will be available to participants in this role:
    1. In the Clusters section:
      1. Click Select clusters button.
      2. Select the clusters that should be available in the role:
        • All platform clusters;
        • Selected clusters → check the required clusters in the list.
      3. Click Apply (Select) button.
    2. In the Virtual machines section:
      1. Click Select VMs button.
      2. Select the VMs that should be available in the role:
        • All platform VMs;
        • Selected VMs:
          • Own VMs of the role member;
          • All VMs from the cluster → select clusters;
          • Select VM manually → check the required VMs in the list.
      3. Click Select button.
    3. Configure permissions for each object:
      • by default, all permissions are set to "not allowed";
      • to set the value to "allowed", click the "allowed" icon next to the permission;
      • to set the value to "forbidden", click the "forbidden" icon next to the permission;
      • to set all permissions to "allowed", click the Allow all button.

  5. Click Create a role button.

Role change

To change the role settings:

  1. Select a role on the left side of the window.
  2. Open the Settings tab.
  3. Make the necessary changes.
  4. Click Save button.

Managing role participants

To manage role participants, select the role on the left side of the window and go to the Role participants tab.

To assign a role to users:

  1. Open the Users tab.
  2. Click Add user button.
  3. Select users from the list.
  4. Click Add button. 
    You cannot assign a role to an account through which you logged in to the platform.

To remove a user from the role, in the row with the user, click the menu icon → Remove from role.

To assign a role to groups of users:

  1. Open the User groups tab.
  2. Click Add group button.
  3. Select groups from the list.
  4. Click Add button.

To remove a group from the role, in the row with the group, click the menu icon → Remove from role.

Role deletion

Users whose only role is the deleted one will not be able to log in to the platform after the deletion.

To delete a role:

  1. Select a role on the left side of the window.
  2. Open the Settings tab.
  3. Click Delete button.

Log files

Service logs can be useful for identifying problems with the role model. Both services write to the standard output of their containers:

  • auth — the authorization service — logs to stdout of the auth container;
  • vmr — the role management service — logs to stdout of the vmr container.


The article was last updated on 08.05.2025. The article was prepared by technical writers of ISPsystem