Access Control
When creating a tenant you may have noticed mention of an 'owner group' with a UUID returned. This is the default group attached to the tenant where members all have 'owner' permission (described below) to that created tenant and all child sub-tenants. Initially only you will be a member of the group.
If you have at least 'viewer' access to an entity (tenant or environment) and try to do something that requires a higher privilege you will receive a 'HTTP 403 Forbidden' response. If you do not even have 'viewer' access to the entity (or it does not exist) you will receive a 'HTTP 404 Not Found'.
Groups are tied to a single tenant though they affect sub-tenants. You may create more groups by using:
klic group create TENANT-UUID NAME
You may add members with the following (use username-less realms only, such as example.com, which captures all users with an email address in that realm):
klic group useradd GROUP-UUID example.com sam@megacorp.com jill@bigbank.com
Tip
Recall that a group is tied to a tenant, so there is no need to pass the TENANT-UUID here; it is already explicit from the group.
Members are similarly removed using klic group userdel ...
Once you have created a group and managed its members, you can change the permissions of the group to describe what its members are allowed to do:
klic permission update GROUP-UUID add ROLE SCOPE
You may also pin a permission to an explicit environment with:
klic permission update --environment ENVIRONMENT-UUID GROUP-UUID add ROLE SCOPE
Warning
Scope is ignored for environment pinning and is always set to base.
Role and Scope
There are three roles:
viewer: only allowed to read all settings and submit usage data
editor: allowed to enrol environments as well as create and renew licenses (in addition to viewer permissions)
owner: allowed to create sub-tenants, groups and assign roles and permissions (in addition to editor permissions)
There are four scopes:
base: only the listed tenant (no sub-tenant access)
sub: listed tenant and all sub-tenants
one: only sub-tenants of listed tenant but not sub-sub-tenants or deeper
subordinates: only sub-tenants of listed tenant but inclusive of all sub-sub-tenants or deeper