Role-Based Access Control Overview
Contrail Service Orchestration supports the authentication and authorization of users. Both OpCo and tenant users access the pages within the unified Administration Portal and Customer Portal based on their role and access permissions.
In addition to predefined roles, CSO enables you to add object-based custom roles. You can create custom roles and assign access privileges (read, create, update, delete, and other actions) to each role.
Table 1 shows predefined OpCo and tenant roles and their access privileges.
Table 1: Roles and Access Privileges
Users with the Tenant Admin role have full access to the Customer Portal UI and APIs. They can add one or more users with the Tenant Administrator or Tenant Operator roles.
Users with the Tenant Operator role have read-only access to the Customer Portal UI and APIs.
Users with the OpCo Admin role have full access to the OpCo’s Administration Portal UI and API capabilities. They can use the UI or APIs to add one or more users with OpCo Admin, OpCo Operator, and custom roles. They can onboard tenants and add the first tenant user during the OpCo’s tenant onboarding process. They can also add tenant administrators or operators by switching the scope to a specific tenant.
Users with the OpCo Operator role have read-only access to the OpCo’s Customer Portal UI and APIs.
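The role matrix above can be written down as a deny-by-default policy and used to review user-creation records against it. The following is an added example, not CSO code or a CSO API: the function names, the "Site Auditor" custom role, its object names, the event fields, and the rules that custom roles assign nothing and that tenant onboarding is out of scope are all assumptions made for illustration.

```python
FULL = frozenset({"read", "create", "update", "delete"})  # the four named privileges
READ_ONLY = frozenset({"read"})

# Predefined roles from Table 1: role -> (scope level, privileges, roles it may assign).
PREDEFINED = {
    "OpCo Admin": ("opco", FULL, {"OpCo Admin", "OpCo Operator"}),
    "OpCo Operator": ("opco", READ_ONLY, set()),
    "Tenant Admin": ("tenant", FULL, {"Tenant Admin", "Tenant Operator"}),
    "Tenant Operator": ("tenant", READ_ONLY, set()),
}
TENANT_ROLES = {"Tenant Admin", "Tenant Operator"}

# Constructed custom role: object type -> privileges (role and object names are hypothetical).
CUSTOM = {"Site Auditor": {"site": {"read"}, "report": {"read", "create"}}}

def can_access(role, obj, action):
    """Deny by default: an unknown role, object or action means no access."""
    if role in PREDEFINED:
        return action in PREDEFINED[role][1]
    return action in CUSTOM.get(role, {}).get(obj, ())

def can_assign(creator_role, new_role, scope):
    """scope is 'opco', or 'tenant' for a tenant user or an OpCo Admin switched into a tenant."""
    if creator_role not in PREDEFINED:
        return False  # assumption: custom roles never assign roles
    level, privileges, assignable = PREDEFINED[creator_role]
    if "create" not in privileges:
        return False  # operator roles are read-only
    if creator_role == "OpCo Admin":
        if scope == "tenant":
            return new_role in TENANT_ROLES
        return new_role in assignable or new_role in CUSTOM
    return scope == level and new_role in assignable

def audit(events):
    """Return the user-creation events that the role matrix does not permit."""
    return [e for e in events if not can_assign(e["by_role"], e["new_role"], e["scope"])]

# Constructed sample events, not real CSO log output.
EVENTS = [
    {"by_role": "OpCo Admin", "new_role": "Tenant Operator", "scope": "tenant"},
    {"by_role": "Tenant Admin", "new_role": "OpCo Operator", "scope": "tenant"},
    {"by_role": "OpCo Operator", "new_role": "OpCo Operator", "scope": "opco"},
    {"by_role": "OpCo Admin", "new_role": "Site Auditor", "scope": "opco"},
]
```

Calling audit(EVENTS) returns the second and third events: a Tenant Admin creating an OpCo-level user, and a read-only operator creating any user.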