Permissions matrix for Cloud Orchestration

The Cloud Orchestration permissions matrix displays specific permissions for the following role-based access control (RBAC) roles:

  • Admin provides full access to create, read, update, and delete.
  • Creator provides limited access to create, read, and update.
  • Observer provides read-only access.

The matrix displays the Cloud Orchestration methods grouped by category, their corresponding RESTful API commands, and the RBAC roles that are supported.

Stack operations

Note: Orchestration users need access to any products used in their templates.

MethodAPI actionRoleDescription
Create stackPOST /v1/{tenant_id}/stacksCreator, AdminCreates a stack.
Adopt stackPOST /v1/{tenant_id}/stacksCreator, AdminCreates a stack from existing resources.
List stack dataGET /v1/{tenant_id}/stacksObserver, Creator, AdminLists active stacks.
Find stackGET /v1/{tenant_id}/stacks/{stack_name}Observer, Creator, AdminFinds the canonical URL for a specified stack. This URL works with operations other than GET, so you can perform PUT and DELETE operations on a stack.
Show stack detailsGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}Observer, Creator, AdminShows details for a specified stack.
Update stackPUT /v1/{tenant_id}/stacks/{stack_name}/{stack_id}Creator, AdminUpdates a specified stack.
Delete stackDELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}AdminDeletes a specified stack and any snapshots of that stack.
Preview stackPOST /v1/{tenant_id}/stacks/previewCreator, AdminPreviews a stack.
Abandon stackDELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandonAdminDeletes a specified stack but leaves its resources intact, and returns data describing the stack and its resources.

Stack resources

MethodAPI actionRoleDescription
Find stack resourcesGET /v1/{tenant_id}/stacks/{stack_name}/resourcesObserver, Creator, AdminFinds the canonical URL for the resource list of a specified stack.
List resourcesGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resourcesObserver, Creator, AdminLists the resources in a stack.
Show resource dataGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}Observer, Creator, AdminShows the data for a specified resource.
List resource typesGET /v1/{tenant_id}/resource_typesObserver, Creator, AdminLists the supported template resource types.
Show resource schemaGET /v1/{tenant_id}/resource_types/{type_name}Observer, Creator, AdminShows the interface schema for a specified resource type.
Show resource templateGET /v1/{tenant_id}/resource_types/{type_name}/templateObserver, Creator, AdminShows the template representation for a specified resource type.

Stack events

MethodAPI actionRoleDescription
Find stack eventsGET /v1/{tenant_id}/stacks/{stack_name}/eventsObserver, Creator, AdminFinds the canonical URL for the event list of a specified stack.
List stack eventsGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/eventsObserver, Creator, AdminLists events for a specified stack.
List resource eventsGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/eventsObserver, Creator, AdminLists events for a specified stack resource.
Show event detailsGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}Observer, Creator, AdminShows data about a specified event.


MethodAPI actionRoleDescription
Get stack templateGET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/templateObserver, Creator, AdminGets a template for a specified stack.
Validate templatePOST /v1/{tenant_id}/validateCreator, AdminValidates a specified template.

Build information

MethodAPI actionRoleDescription
Show build informationGET /v1/{tenant_id}/build_infoObserver, Creator, AdminShows build information for an Orchestration deployment.

Related article

Role-based Access Control (RBAC) permissions matrix for Cloud Hosting