Role-based access control (RBAC)

Role-based access control (RBAC) restricts access to the capabilities of Rackspace Cloud services, including the Rackspace Monitoring API, to authorized users only. RBAC enables Rackspace Cloud customers to specify which users on their Cloud account have access to which Rackspace Monitoring API service capabilities, based on roles defined by Rackspace. The permissions to perform certain operations in the Rackspace Monitoring API (create, read, update, delete) are assigned to specific roles. The account owner assigns these roles, either multiproduct (global) or product-specific (for example, Rackspace Monitoring only), to account users.

Assigning roles to account users

The account owner (identity:user-admin) can create account users on the account and then assign roles to those users. The roles grant the account users specific permissions for accessing the capabilities of the next gen Cloud Servers service. Each account has only one account owner, and that role is assigned by default to any Rackspace Cloud account when the account is created.

See the Identity API guide for information about how to perform the following tasks:

For information about implementing RBAC by using the Cloud Control Panel and other RBAC-related topics, see the following articles in the Rackspace Support how-to collection:

Roles available for Rackspace Monitoring

The following table describes the roles that can be used to access the Rackspace Monitoring API.

| Role name | Role permissions |
|---|---|
| monitoring:admin | This role provides Create, Read, Update, and Delete permissions in Rackspace Monitoring, where access is granted. |
| monitoring:creator | This role provides Create, Read, and Update permissions in Rackspace Monitoring, where access is granted. |
| monitoring:observer | This role provides Read permission in Rackspace Monitoring, where access is granted. |

Multiproduct global roles and permissions

Additionally, two multiproduct roles apply to all products. Users with multiproduct roles inherit access to products when those products become RBAC-enabled. The following table describes these roles and their permissions.

| Role name | Role permissions |
|---|---|
| admin | This role provides Create, Read, Update, and Delete permissions in all products, where access is granted. |
| observer | This role provides Read permission in all products, where access is granted. |

Resolving conflicts between RBAC multiproduct and custom (product-specific) roles

The account owner can set roles for both multiproduct and Rackspace Monitoring scope, and it is important to understand how any potential conflicts between these roles are resolved. When two roles appear to conflict, the role that provides the more extensive permissions takes precedence. Therefore, admin roles take precedence over observer and creator roles, because admin roles provide more permissions.

The following table shows two examples of how potential conflicts between user roles in the Control Panel are resolved.

| Permission configuration | Control Panel permission view | Control Panel admin capabilities |
|---|---|---|
| User is assigned the following roles: multiproduct observer and Rackspace Monitoring admin | Appears that the user has only the multiproduct observer role | User can perform admin functions for Rackspace Monitoring only. The user has the observer role for the rest of the products. |
| User is assigned the following roles: multiproduct admin and Rackspace Monitoring observer | Appears that the user has only the multiproduct admin role | User can perform admin functions for all of the products. The Rackspace Monitoring observer role is ignored. |
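
The precedence rule above can be turned into an access-review check. The following Python sketch is an added example, not Rackspace code: it resolves the winning role for Rackspace Monitoring and flags users whose Monitoring permissions exceed what their multiproduct role suggests, which is the first row of the table. The function names and the sample users are hypothetical.

```python
# Permission sets per role, copied from the two role tables on this page.
CRUD = frozenset({"create", "read", "update", "delete"})
GLOBAL_ROLES = {"admin": CRUD, "observer": frozenset({"read"})}
MONITORING_ROLES = {
    "monitoring:admin": CRUD,
    "monitoring:creator": frozenset({"create", "read", "update"}),
    "monitoring:observer": frozenset({"read"}),
}
ALL_ROLES = {**GLOBAL_ROLES, **MONITORING_ROLES}


def winning_role(roles):
    """Return the assigned role with the most extensive Monitoring permissions.

    Roles not listed on this page are ignored; returns None if none apply.
    """
    known = [r for r in roles if r in ALL_ROLES]
    # The permission sets are nested, so "most extensive" means the largest set.
    # On a tie, the multiproduct role wins (assumption; the page is silent).
    key = lambda r: (len(ALL_ROLES[r]), r in GLOBAL_ROLES)
    return max(known, key=key, default=None)


def effective_permissions(roles):
    role = winning_role(roles)
    return ALL_ROLES[role] if role else frozenset()


def hidden_elevation(roles):
    """Monitoring permissions held beyond those of the multiproduct role."""
    global_perms = frozenset().union(
        *(GLOBAL_ROLES[r] for r in roles if r in GLOBAL_ROLES))
    if not global_perms:
        return frozenset()  # no multiproduct role, so no conflict to resolve
    return effective_permissions(roles) - global_perms


def audit(users):
    """Map each user with hidden elevation to the extra permissions."""
    findings = {}
    for name, roles in users.items():
        extra = hidden_elevation(roles)
        if extra:
            findings[name] = sorted(extra)
    return findings


# Constructed sample users; alice and bob mirror the two table rows.
USERS = {
    "alice": ["observer", "monitoring:admin"],
    "bob": ["admin", "monitoring:observer"],
    "carol": ["monitoring:creator"],
}
```

Running `audit(USERS)` reports only alice, whose Control Panel view appears to show the observer role while she holds create, update, and delete in Rackspace Monitoring.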

RBAC permissions cross-reference to Rackspace Monitoring operations

Not every API operation for Rackspace Monitoring is available to every role. To see which roles are permitted to invoke which calls, review the Detailed permissions matrix for Rackspace Monitoring article.