
Role Management

The ZCP console provides the ability to manage roles that apply across the Modernization Platform. There are two types of roles: system roles and project roles. System roles apply to system menus, entire clusters, and entire projects. Project roles apply only to menus, clusters, and tools in that project.

Role lookup

You can view the roles of system users and search for roles by name and type using the Filter feature at the top of the screen.

List Roles screen

  • Role Name: The role name is displayed.
  • Type: The role type is displayed. Built-in roles are provided by default when you install the platform. Custom roles are roles that you create yourself.
  • Description: Displays a brief description of the role.
  • Actions: Displays buttons to perform edit actions on the role.

Create a New Role

System Administrators can create custom roles directly through the Role Management feature. On the List Roles screen, click the New Role button.

On the Create New Role screen, enter information about the new role, and click the Create button in the lower right corner to create the role:

  • Name: Type a name for the role. Role names can contain only letters, numbers, and "-".
  • Description: Allows you to enter a description of the role.
  • Creator: Automatically assigned to the currently logged-in user.
note

A newly created role has no permissions.

Manage Role Information

The Manage Role Information screen allows you to grant permissions to roles. It is divided into Overview, Tools Permissions, Kubernetes Permissions, and Menus Permissions.

Click the role name or the pencil-shaped button to the right to navigate to the Edit role information screen.

Managing Role Information

Overview

You can view information about the role, and the Description item is editable.

Roles Overview

Manage Tool Permissions

This is the screen where you can set permissions for the tools used by the Modernization Platform. We currently support permission management for four tools. System roles can grant system administrator privileges for each tool.

Tools Permissions

Managing Kubernetes Cluster Permissions

This screen allows you to set permissions for Kubernetes API calls. You can set detailed permissions, such as create, get, and delete, for Kubernetes resources. Kubernetes Cluster permissions granted to a system role are propagated to all Data Plane clusters.

note

The settings on this screen are the permissions that apply when using the kubectl CLI through the Kubernetes config provided by the CLI Command. Access to the Workloads, Networking, and Storages screens is managed separately in Menus Permissions.

Kubernetes Permissions

The meaning of each verb is described below:

  • Create: Allows you to create a new resource.
  • Get: Allows you to look up individual resources.
  • List: Allows you to look up multiple resources.
  • Watch: Allows you to watch an individual resource or a collection of resources.
  • Update: Allows you to change the entire contents of an existing resource.
  • Patch: Allows you to change part of an existing resource.
  • Delete: Allows you to delete individual resources.
  • DeleteCollection: Allows you to delete multiple resources.
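
A review pass over a role's Kubernetes verb grants before they are saved, as an added example that is not part of the ZCP product or its documentation. The role dictionary layout, the workload resource list, and the finding codes are assumptions made for illustration; the checks rely on standard Kubernetes behavior and on the propagation rule for system roles stated above.

```python
import re

# Verb groups, using the eight verbs the Kubernetes Permissions screen lists.
READ = {"get", "list", "watch"}
WRITE = {"create", "update", "patch"}
DESTROY = {"delete", "deletecollection"}
WORKLOADS = {"pods", "deployments", "statefulsets", "daemonsets", "jobs", "cronjobs"}
NAME_RE = re.compile(r"[A-Za-z0-9-]+")  # letters, numbers and "-" only


def review_role(role):
    """Return sorted (subject, code) findings for grants that deserve a second look."""
    findings = []
    if not NAME_RE.fullmatch(role["name"]):
        findings.append((role["name"], "BAD_NAME"))
    for resource, granted in role["kubernetes"].items():
        verbs = {v.lower() for v in granted}
        if resource == "secrets" and verbs & READ:
            # list and watch return whole objects, so they expose secret data like get
            findings.append((resource, "SECRET_READ"))
        if resource in WORKLOADS and verbs & WRITE:
            # whoever can write a workload spec can mount the namespace's secrets
            findings.append((resource, "WORKLOAD_WRITE"))
        if "deletecollection" in verbs:
            findings.append((resource, "BULK_DELETE"))
        if role["type"] == "system" and verbs & (WRITE | DESTROY):
            # system-role grants propagate to every Data Plane cluster
            findings.append((resource, "ALL_CLUSTERS"))
    return sorted(findings)


# Constructed sample role; this layout is hypothetical, not a ZCP export format.
SAMPLE_ROLE = {
    "name": "ci-deployer",
    "type": "system",
    "kubernetes": {
        "deployments": ["Get", "List", "Watch", "Create", "Patch"],
        "secrets": ["List"],
        "configmaps": ["Get", "List"],
        "pods": ["Get", "List", "DeleteCollection"],
    },
}

if __name__ == "__main__":
    for subject, code in review_role(SAMPLE_ROLE):
        print(f"{subject}: {code}")
```
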

Managing Console menu permissions

This page allows you to set permissions for ZCP console menus. Menus with no permissions are not visible in the left menu list; they require View or higher permissions to be visible. Permissions are granted separately for Realm (System) and Project.

Menus Permissions

Here's what each permission means:

  • View: You can view the contents by entering the corresponding menu.
  • Edit: You can create or modify resources within this menu.
  • Delete: You can create, modify, and delete resources within this menu.
  • Admin: You can perform all actions within this menu.

Delete a Role

info

You can delete custom roles that were created by users. However, you can't delete built-in roles.

Deleting a role removes the role from the users and groups that had it, and any permissions granted by the role disappear.

To delete a role, go to the List Roles page. In the Actions column on the right, click the Delete button:

Role Deletion screen

The Confirm role deletion pop-up window is displayed. Check the name of the role you want to delete and click the OK button to delete the role.