Role-based access control

RBAC roles are customer-managed roles with specific permissions that determine the services a user can access and the types of operations they can complete. For example, an account user with the lbaas:admin role has create, read, update, and delete permissions for the Cloud Load Balancer service.

All RBAC roles are subordinate to the identity:user-admin or identity:user-manage roles, which the Identity service assigns to Rackspace Cloud accounts held by the account owner or by an account designated to manage user accounts. Only Identity administrators and managers can create account users (identity:default) and assign RBAC roles. Account owners cannot hold any additional roles because they already have full access to all services and capabilities. Account managers can hold both the identity:user-manage and the identity:default roles.

Role assignments can be global or custom. Global roles manage access and permissions across multiple API services. Custom roles manage access and permissions on a per-product basis. For both global and custom roles, the user has access only to designated products. The following table describes the RBAC roles available.

Table: Rackspace Cloud RBAC Roles and Capabilities

| Role | Type | Role Description | Example Role |
|------|------|------------------|--------------|
| admin (full access) | Global | The admin role provides create, read, update, and delete permissions in all Cloud products, where access is granted. Full access is given to current and future products as they become RBAC-enabled. Each account can have only one admin user. | admin |
| observer (read-only access) | Global | The observer role provides read permission in all products where access is granted. Read-only access is given to current and future products as they become RBAC-enabled. | observer |
| product:admin | Custom | The product:admin role provides create, read, update, and delete permissions for a specified product, where access is granted. | nova:admin |
| product:creator | Custom | The product:creator role provides create, read, and update permissions for a specified product, where access is granted. The user cannot delete resources. | cloudFiles:creator |
| product:observer | Custom | The product:observer role provides read permission for a specified product, where access is granted. | cdb:observer |

Assigning roles

The account owner (identity:user-admin) can create account users (identity:default) on the account and then assign roles to those users. The roles grant the account users specific permissions for accessing the Cloud services and capabilities. Each account has only one account owner, and that role is assigned by default to any Rackspace Cloud account when the account is created. Account owners cannot hold any additional roles because they already have full access to all services and capabilities.

You can assign roles programmatically through the API or by using the Cloud Control Panel interface.

Use the following API operations to add account users and manage role assignments:

For information about implementing RBAC by using the Cloud Control Panel and other RBAC-related topics, see the following Rackspace Knowledge Center articles:

Resolving conflicts between roles

The account owner can assign both multiproduct (global) roles and custom (product-specific) roles. In some cases, the scope of these roles can overlap and cause a conflict. When conflicts occur, the role that provides the more extensive permissions takes precedence. Therefore, admin roles take precedence over observer roles, because admin roles provide more permissions.

The following table shows two examples of how potential conflicts between user role assignments are resolved:

| Permission configuration | View of permission in control panel | Can the user perform product admin functions in the control panel? |
|--------------------------|--------------------------------------|--------------------------------------------------------------------|
| User is assigned the following roles: multiproduct observer and product admin | Appears that the user has only the multiproduct observer role. | Yes, for the specified product only. The user has the observer role for the rest of the products. |
| User is assigned the following roles: multiproduct admin and product observer | Appears that the user has only the multiproduct admin role. | Yes, for all of the products. The specified product observer role is ignored. |
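The precedence rule above is easy to get wrong when reviewing an account by hand, especially when the control panel shows only the global role. The following is an added example, not Rackspace code and not part of the original page: it models the role levels from the roles table (admin, creator, observer), resolves global and product-specific assignments into the effective permission set per product, and flags custom roles that are fully shadowed by a global role, which is the least-privilege clean-up a reviewer would want. The product list and the `cloudFiles`/`nova`/`cdb`/`lbaas` prefixes are taken from the page's examples; the function names and the "shadowed role" check are assumptions of this example.

```python
"""Resolve overlapping RBAC role assignments into effective permissions.

Added example (not Rackspace's implementation). Permission sets nest
(observer < creator < admin), so "the more extensive role wins" is the
same as taking the union of everything each applicable role grants.
"""

# Permission sets per role level, as described in the RBAC roles table.
ROLE_PERMISSIONS = {
    "admin": frozenset({"create", "read", "update", "delete"}),
    "creator": frozenset({"create", "read", "update"}),
    "observer": frozenset({"read"}),
}

# Product prefixes used in this example; taken from the page's examples
# (nova:admin, cloudFiles:creator, cdb:observer, lbaas:admin).
PRODUCTS = ("nova", "cloudFiles", "cdb", "lbaas")


def parse_role(role, products=PRODUCTS):
    """Split 'nova:admin' into ('nova', 'admin').

    A bare level such as 'admin' is a global role and returns (None, 'admin').
    Unknown levels or products are rejected rather than silently ignored.
    """
    if ":" in role:
        product, level = role.split(":", 1)
    else:
        product, level = None, role
    if level not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role level: {level!r}")
    if product is not None and product not in products:
        raise ValueError(f"unknown product: {product!r}")
    return product, level


def effective_permissions(roles, products=PRODUCTS):
    """Return {product: frozenset(permissions)} after resolving overlaps.

    A global role applies to every product; a custom role applies to one.
    Because the permission sets nest, the union implements the rule that
    the role with the more extensive permissions takes precedence.
    """
    effective = {p: frozenset() for p in products}
    for role in roles:
        product, level = parse_role(role, products)
        granted = ROLE_PERMISSIONS[level]
        targets = products if product is None else (product,)
        for p in targets:
            effective[p] = effective[p] | granted
    return effective


def shadowed_roles(roles, products=PRODUCTS):
    """Custom roles that add nothing because a global role already grants
    at least as much (e.g. nova:observer next to global admin).

    Such assignments are candidates for removal during an access review:
    they clutter the account without changing what the user can do.
    """
    global_perms = frozenset()
    for role in roles:
        product, level = parse_role(role, products)
        if product is None:
            global_perms = global_perms | ROLE_PERMISSIONS[level]
    shadowed = []
    for role in roles:
        product, level = parse_role(role, products)
        if product is not None and ROLE_PERMISSIONS[level] <= global_perms:
            shadowed.append(role)
    return shadowed


def can_admin(roles, product, products=PRODUCTS):
    """True when the user ends up with full CRUD on the given product."""
    return effective_permissions(roles, products)[product] == ROLE_PERMISSIONS["admin"]


if __name__ == "__main__":
    # The two rows of the conflict-resolution table, as constructed input.
    for assignment in (["observer", "nova:admin"], ["admin", "nova:observer"]):
        perms = effective_permissions(assignment)
        print(assignment)
        for product, granted in perms.items():
            print(f"  {product:<11} {sorted(granted)}")
        print("  shadowed:", shadowed_roles(assignment))
```

Run against the first table row (global observer plus nova:admin), the user is admin on nova only and read-only elsewhere; against the second row (global admin plus nova:observer), the user is admin everywhere and `nova:observer` is reported as shadowed, matching the "ignored" outcome the table describes.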

For information about using RBAC with specific products, see the API Developer Guide for each product.