This guide is designed to get administrators started with Role-Based Access Control (RBAC) and to answer questions about the service.
What is RBAC?
RBAC is a method of restricting account access to authorized users. The account owner adds users to the account and assigns each user one or more roles. Each role carries a fixed set of permissions defined by Rackspace, so a user can perform only the actions that fall within the scope of the assigned role.
Why implement RBAC?
RBAC gives customers finer control over who can use which cloud resources, and it adds a layer of security by limiting each user to the actions that user actually needs.
What are roles?
A role describes the level of access a user has to the account. By assigning roles, administrators can let multiple users complete tasks safely, because RBAC ensures that no user has access beyond their training or responsibilities.
Roles are scoped to products: a role grants access to all resources of a single product, or to multiple products. RBAC does not restrict access to individual files, directories, or servers within a product, so a user who holds a role on a product can act on every resource that product contains.
What roles are available through RBAC?
RBAC provides the following roles.
- Full Access - The full access role has permission to create, read, update, and delete resources in every RBAC enabled product. The role covers all products that are RBAC enabled today and every product that becomes RBAC enabled in the future.
Note: Because the full access role automatically extends to new products, a user with this role gains access to account administration tasks such as billing as soon as those tasks become RBAC enabled, with no further role change by the account owner.
- Read-only Access - The read-only access role has permission to view resources in every RBAC enabled product. Like full access, it covers all current RBAC enabled products and every product that becomes RBAC enabled in the future.
- Custom - The Custom role assigns access per product, using a mix of the Product:admin, Product:creator, and Product:observer roles described below. Once a user is assigned the Custom role, that user's access can only be changed product by product; a newly RBAC enabled product is not covered until a product role is explicitly assigned for it.
- Product:admin - The admin role has permission to create, read, update, and delete resources within the designated product.
- Product:creator - The creator role has permission to create, read, and update resources within the designated product. The creator role cannot delete a resource. (Any destructive action is prohibited.)
- Product:observer - The observer role has permission to read resources within the designated product. This role is read-only.
What types of users does RBAC have?
RBAC has two types of users.
- Account owner - The account owner is the primary contact for the account and has full permissions to execute all capabilities for every product available. Each account is allowed only one account owner.
- Account user - The account user is a user that has been added by the account owner and has been assigned to specific roles.
What actions are restricted to the account owner role?
Only the account owner can perform the following actions. No account user can perform them, regardless of role, and this includes users with the full access role:
- Create, read, update, and delete users
- Edit credit card or billing address information
- View billing and payments
- View invoices or billing history
- View usage or usage details
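The role descriptions and the account-owner restrictions above define an authorization policy that is easy to get wrong when reasoning about it by hand (for example, which users automatically cover a newly onboarded product, or whether a creator can delete). The following Python model encodes those rules as stated in this guide so they can be tested. It is an added example, not Rackspace's implementation or API: the product names, user names, and the set of RBAC enabled products are constructed for the example, and the verb mapping for each role is transcribed from the role descriptions above.

```python
"""Reference model of the RBAC rules described in this guide.

Added example, not Rackspace code. Product and user names are constructed;
the role-to-verb mapping follows the Full Access, Read-only, Custom and
Product:* role descriptions, and OWNER_ONLY_ACTIONS follows the list of
actions reserved for the account owner.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Verbs each per-product role may perform, from the Product:* descriptions.
PRODUCT_ROLE_VERBS = {
    "admin": {"create", "read", "update", "delete"},
    "creator": {"create", "read", "update"},  # no delete: destructive actions prohibited
    "observer": {"read"},
}

# Actions the guide reserves for the account owner (no account user may do these).
OWNER_ONLY_ACTIONS = {
    "manage_users", "edit_billing_info", "view_billing", "view_invoices", "view_usage",
}


@dataclass
class User:
    name: str
    is_owner: bool = False
    # For account users: "full_access", "read_only" or "custom". None for the owner.
    account_role: Optional[str] = None
    # Consulted only for "custom": product -> "admin" | "creator" | "observer".
    product_roles: dict = field(default_factory=dict)


@dataclass
class Account:
    owner: User
    rbac_enabled_products: set
    users: dict = field(default_factory=dict)

    def add_user(self, actor: User, user: User) -> None:
        """Only the account owner can create users, and there is exactly one owner."""
        if not actor.is_owner:
            raise PermissionError(f"{actor.name} is not the account owner")
        if user.is_owner:
            raise ValueError("an account has exactly one account owner")
        self.users[user.name] = user

    def onboard_product(self, product: str) -> None:
        """Make a product RBAC enabled. Full access and read-only users cover it
        automatically; custom users need a product role assigned explicitly."""
        self.rbac_enabled_products.add(product)

    def is_allowed(self, user: User, product: str, verb: str) -> bool:
        """Decide whether `user` may perform `verb` on resources of `product`."""
        if user.is_owner:
            return True  # the owner has full permissions on every product
        if product not in self.rbac_enabled_products:
            # The guide defines roles only for RBAC enabled products.
            raise ValueError(f"{product} is not RBAC enabled in this model")
        if user.account_role == "full_access":
            return True
        if user.account_role == "read_only":
            return verb == "read"
        if user.account_role == "custom":
            role = user.product_roles.get(product)
            return role is not None and verb in PRODUCT_ROLE_VERBS[role]
        return False  # no role assigned: no access

    def can_do_owner_action(self, user: User, action: str) -> bool:
        if action not in OWNER_ONLY_ACTIONS:
            raise ValueError(f"{action} is not an owner-only action in this model")
        return user.is_owner


def build_sample_account() -> Account:
    """Constructed sample: three RBAC enabled products and three account users."""
    owner = User("owner", is_owner=True)
    acct = Account(owner, {"cloud_servers", "cloud_files", "cloud_load_balancers"})
    acct.add_user(owner, User("alice", account_role="full_access"))
    acct.add_user(owner, User("bob", account_role="read_only"))
    acct.add_user(owner, User("carol", account_role="custom",
                              product_roles={"cloud_servers": "creator",
                                             "cloud_files": "observer"}))
    return acct


if __name__ == "__main__":
    acct = build_sample_account()
    carol = acct.users["carol"]
    for verb in ("create", "update", "delete"):
        print("carol", verb, "cloud_servers:", acct.is_allowed(carol, "cloud_servers", verb))
```

Running the block shows that the creator role on cloud_servers allows create and update but not delete. The model also makes the onboarding difference visible: after `onboard_product("cloud_dns")`, the full access and read-only users are allowed on the new product immediately, while the custom user is not until a product role is added for cloud_dns.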
When is it beneficial to implement RBAC?
RBAC should be implemented in the following situations:
- To minimize downtime and accidental changes to cloud resources, the account owner wants to restrict access to the account to only a few people.
- To align cloud product access with each employee's job function, the account owner wants to grant access based on the nature of each position.
- To help prevent unauthorized access to cloud products through the sharing of admin credentials, the account owner wants each user of the cloud account to have their own credentials.
When is it not necessary to implement RBAC?
RBAC does not need to be implemented in the following situations:
- Only one person needs access to the account, so a single credential set is sufficient.
- The account user needs to access only products that currently do not include RBAC, such as Billing, Cloud Block Storage, Cloud Monitoring, and Cloud DNS. (These products will include RBAC in the future.)
Who can use RBAC?
RBAC is available to all Rackspace customers.
How can I get RBAC?
Adding users to the account activates RBAC. Account owners can add users through the New Cloud Control Panel or through the API.
For more information about specific RBAC-related APIs, see the Rackspace API documentation at http://docs.rackspace.com.
Which products are currently RBAC enabled?
Which products will be RBAC enabled in the future?
- Cloud DNS
- Cloud Backup
- Rackspace Deployments Service
- Account Administration Tasks
- New products as they are launched
Which products will not have RBAC?
- Cloud Sites