Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Role-Based Access Control Overview

Contrail Service Orchestration supports the authentication and authorization of users. Service Provider, OpCo, and tenant users access the pages within the unified Administration Portal and Customer Portal based on their role and access permissions.

In addition to predefined roles, CSO enables you to add object-based custom roles. You can create custom roles and assign access privileges (read, create, update, delete, and other actions) to each role.

Table 1 shows predefined Service Provider, OpCo, and tenant roles and their access privileges.

Table 1: Roles and Access Privileges

Role

Role Scope

Access Privileges

SP Admin

Service Provider

Users with the SP Admin role have full access to the Administration Portal UI or API capabilities.

They can use the UI or APIs to add one or more users with SP Admin, SP Operator, and custom roles. They can onboard tenants, and add the first tenant user during the tenant onboarding process. They can also add tenant administrators or operators by switching the scope to a specific tenant.

Note:

When the SP administrator creates one or more operating companies under the service provider, the service provider is called a global service provider and the SP administrator is called the global SP administrator.

SP Operator

Service Provider

Users with the SP Operator role have read-only access to the Administration Portal UI and APIs.
Note:

Roles in the service provider scope are not applicable when you use CSO as SaaS

Tenant Admin

Tenant

Users with the Tenant Admin role have full access to the Customer Portal UI and APIs. They can add one or more users with the Tenant Administrator or Tenant Operator roles.

Tenant Operator

Tenant

Users with the Tenant Operator role have read-only access to the Customer Portal UI and APIs.

OpCo Admin

Operating Company

Users with the OpCo Admin role have full access to the OpCo’s Administration Portal UI and API capabilities. They can use the UI or APIs to add one or more users with OpCo Admin, OpCo Operator, and custom roles. They can onboard tenants, and add the first tenant user during the OpCo’s tenant onboarding process. They can also add tenant administrators or operators by switching the scope to a specific tenant.

OpCo Operator

Operating Company

Users with the OpCo Operator role have read-only access to the OpCo’s Customer Portal UI and APIs.

Related Documentation