Roles

Overview

Morpheus includes a wide array of role-based access control capabilities. Roles can be managed in the Admin -> Roles section of the Morpheus UI as well as through the API or CLI. They are designed to be robust enough to fit a wide array of enterprise and managed service provider scenarios, so they can be a bit hard to grasp at first, but should make sense once a few simple concepts are explained. There are two types of roles within Morpheus: Tenant roles and User roles. Both allow restrictions to be imposed on a user at the feature access level, and entire sections of the appliance UI can be hidden based on the access level specified for a feature. Each feature has its own set of selectable access scopes; the most common set is None, Read, and Full. Instance Type access is also common to both role types and lets the administrator restrict which service catalog items a user is allowed to provision within Morpheus.

There are several handy tricks for creating new roles within Morpheus, and a user can be assigned more than one role. When a user has more than one role, each permission is granted at the highest scope found across those roles. This allows roles to be built from small subsets of features and combined to grant different individuals the relevant permissions.

Note

Feature access control applies not only to the Morpheus UI but also to the public developer API. It is sometimes necessary to log out and back in for changes to a user's feature access level to take effect.

Role Types

Tenant Roles

A Tenant based role (formerly called an Account based role) is used to enforce access control across an entire tenant with many sub-users. This allows the subtenant to manage its own set of internal user based roles without requiring master tenant involvement in setting them up. The master tenant is the only tenant able to create and manage these types of roles. When editing a Tenant, a single tenant role can be assigned to the account. Users within the tenant can be assigned roles, but those user based roles will never be able to supersede the level of access granted by the tenant role. This lets a super administrator restrict access at the department or organization level without having to worry about per-user access control within that tenant.

Tenant roles also have an additional section, not present in User based roles, related to Cloud Access. Cloud Access lets the master tenant assign cloud integration resources to specific subtenants or groups of subtenants. An example would be granting access to a specific VMware cluster only to a subset of tenants using the tenant based role control.

User Roles

User roles can be created by any tenant that has been given permission at the tenant role level. These allow tenants to manage their own sets of users and their levels of access. They also allow tenants to control which users have access to specific "Groups" to provision into within Morpheus. Groups are not cross-tenant and therefore need to be controlled within the individual tenant in Morpheus.

Master tenants are able to create a special type of user role called a multi-tenant user role. A multi-tenant user role is copied down to all subtenants within Morpheus. These can be viewed as pre-canned role templates available to new tenants when their account is first created. Any changes made to the main role are propagated down to the subtenant's version of the shared role so long as the subtenant has not previously adjusted that role. The moment a subtenant makes adjustments to the shared role within its account, it is unlinked from the parent role and treated entirely independently.

Another note about user roles: when a user role is copied down to a subtenant, its permission scopes cannot supersede the tenant's assigned tenant role. If they do, they are automatically downgraded when propagated to that tenant. Any changes made to the tenant role will automatically ensure that roles within the tenant are downgraded appropriately.

Roles and Identity Sources

It is very common for large enterprises to have an existing identity source that they would like to plug in to Morpheus for authentication. This includes services like LDAP, Active Directory, OKTA, Jump Cloud, One Login, and SAML. When using these services it becomes important to configure a role mapping between the Morpheus role assignments and the equivalent identity source groups/roles the user belongs to. This is configurable within the identity source management UI. Sections are provided allowing things like LDAP groups to be directly mapped to specific roles within Morpheus. If a user matches more than one LDAP group/role mapping, then both sets of roles are applied to the user automatically. Configuring Identity Sources is done in Tenant management, found in Admin -> Tenants, and has to be configured on a per-tenant basis.
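The three resolution rules above (highest scope wins across a user's roles, user roles are capped by the tenant role, and a user in several mapped identity-source groups receives every mapped role) are modelled here as an added example; it is not Morpheus code. The scope ordering follows the order this page lists the options in, and the tenant role, user roles, and LDAP group names are constructed sample data.

```python
# Added example (not Morpheus code): a model of the access-resolution rules this
# page describes. Feature names are the page's; the scope ordering and the
# sample roles/groups are constructed assumptions.
from typing import Dict, Iterable, List

# Least to most permissive, in the order the page lists the options (assumption).
SCOPE_RANK = {"none": 0, "read": 1, "user": 2, "full": 3}

RoleDef = Dict[str, str]  # feature -> scope; a missing feature means "none"

def highest(scopes: Iterable[str]) -> str:
    """Multiple roles: the role with the highest scope wins for each feature."""
    return max(scopes, key=lambda s: SCOPE_RANK[s], default="none")

def capped(scope: str, tenant_scope: str) -> str:
    """A user role can never exceed the tenant role; downgrade when it does."""
    return scope if SCOPE_RANK[scope] <= SCOPE_RANK[tenant_scope] else tenant_scope

def roles_from_groups(group_map: Dict[str, List[str]], groups: Iterable[str]) -> List[str]:
    """Identity-source mapping: a user in several mapped groups gets all their roles."""
    roles: List[str] = []
    for g in groups:
        for r in group_map.get(g, []):
            if r not in roles:
                roles.append(r)
    return roles

def effective_access(user_roles: List[RoleDef], tenant_role: RoleDef) -> Dict[str, str]:
    """Per feature: best scope across the user's roles, capped by the tenant role."""
    features = set(tenant_role)
    for r in user_roles:
        features |= set(r)
    result: Dict[str, str] = {}
    for f in sorted(features):
        granted = highest(r.get(f, "none") for r in user_roles)
        result[f] = capped(granted, tenant_role.get(f, "none"))
    return result

# Constructed sample data, not taken from any real deployment.
TENANT_ROLE: RoleDef = {"Provisioning": "user", "Logs": "read", "Admin: Users": "none"}
USER_ROLES: Dict[str, RoleDef] = {
    "Operator": {"Provisioning": "read", "Logs": "full"},
    "Developer": {"Provisioning": "full", "Admin: Users": "full"},
}
LDAP_GROUP_MAP = {"cn=ops,ou=groups": ["Operator"], "cn=dev,ou=groups": ["Developer"]}

def resolve(groups: Iterable[str]) -> Dict[str, str]:
    """Groups the user belongs to -> effective per-feature scope in this tenant."""
    names = roles_from_groups(LDAP_GROUP_MAP, groups)
    return effective_access([USER_ROLES[n] for n in names], TENANT_ROLE)

if __name__ == "__main__":
    print(resolve(["cn=ops,ou=groups", "cn=dev,ou=groups"]))
```

Note that the Developer role's Full on Admin: Users is silently downgraded to None because the tenant role grants nothing there, which is the behaviour to expect when auditing a sub-tenant user's real access.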

Resource Limits

While it is possible to restrict usage through the roles assigned to a tenant or user, using maximum memory and maximum storage limits, it is now preferred to control this at the Policy level within a group or cloud. Morpheus provides a large swath of policy types that can be assigned globally or to specific tenants, both globally and per cloud/group entity.

Role Permissions

Note

Permission options for sub-tenant user roles will only list options permitted by the Tenant role applied to the sub-tenant. Sub-Tenant user roles permissions cannot exceed permissions set by the overriding Tenant Role.

FEATURE ACCESS
Controls Tenant and User access level for sections and features in Morpheus.
GROUP ACCESS
Controls User access level for Groups. (Groups are not Multi-Tenant.)
CLOUD ACCESS
Controls Sub-Tenant access level for Master Tenant publicly visible Clouds.
INSTANCE TYPE ACCESS
Controls Tenant and User access level for Instance Types.

Feature Access Permissions

Feature Access settings control permissions for sections and features in Morpheus. Permission options include:

None
Hidden or inaccessible for user
Read
User can access the section, but cannot edit or create
Full
User has full access
User
User only has access to data from the Instances they have created/own.
Remote Console: Provisioned
Remote Console tab will only appear after instance is successfully provisioned.
Remote Console: Auto Login
RDP and SSH only; controls whether the user is automatically logged in to the Remote Console or presented with a login prompt.
  • Admin: Appliance Settings (None, Full)
  • Admin: Backup Settings (None, Full)
  • Admin: Environment Settings (None, Full)
  • Admin: Identity Source (None, Full)
  • Admin: Integrations (None, Read, Full)
  • Admin: License Settings (None, Full)
  • Admin: Log Settings (None, Full)
  • Admin: Monitoring Settings (None, Full)
  • Admin: Provisioning Settings (None, Full)
  • Admin: Roles (None, Read, Full)
  • Admin: Service Plans (None, Read, Full)
  • Admin: Tenant (None, Full)
  • Admin: Tenant - Impersonate Users (None, Full)
  • Admin: Users (None, Read, Full)
  • Admin: Whitelabel Settings (None, Full)
  • Administration: Manage Policies (None, Read, Full)
  • Backups (None, View, Read, User, Full)
  • Billing (None, Read, Full)
  • Infrastructure: Boot (None, Read, Full)
  • Infrastructure: Certificates (None, Read, Full)
  • Infrastructure: Clouds (None, Read, Full)
  • Infrastructure: Groups (None, Read, Full)
  • Infrastructure: Hosts (None, Read, Full)
  • Infrastructure: KeyPairs (None, Read, Full)
  • Infrastructure: Load Balancers (None, Read, Full)
  • Infrastructure: Networks (None, Read, Full)
  • Infrastructure: Security Groups (None, Read, Full)
  • Infrastructure: Storage (None, Read, Full)
  • Logs (None, Read, User, Full)
  • Monitoring (None, Read, User, Full)
  • Operations: Analytics (None, Read, Full)
  • Operations: Approvals (None, Read, Full)
  • Operations: Dashboard (None, Read)
  • Operations: Guidance (None, Read, Full)
  • Operations: Reports (None, Read, Full)
  • Operations: Scheduling - Power (None, Read, Full)
  • Operations: Usage (None, Read, Full)
  • Provisioning (None, Read, User, Full)
  • Provisioning: Allow Force Delete (None, Full)
  • Provisioning: Apps (None, Read, User, Full)
  • Provisioning: Automation Services (None, Read, Full)
  • Provisioning: Deployment Services (None, Read, Full)
  • Provisioning: Deployments (None, Read, Full)
  • Provisioning: Library (None, Read, Full)
  • Provisioning: Migrations (None, Read, Full)
  • Provisioning: Tasks (None, Read, Full)
  • Provisioning: Tasks - Script Engines (None, Full)
  • Provisioning: Blueprints (None, Read, Full)
  • Provisioning: Blueprints - ARM (None, Provision, Full)
  • Provisioning: Blueprints - Terraform (None, Provision, Full)
  • Provisioning: Thresholds (None, Read, Full)
  • Provisioning: Virtual Images (None, Read, Full)
  • Remote Console (None, Provisioned, Full)
  • Remote Console: Auto Login (No, Yes)
  • Services: Archives (None, Read, Full)
  • Services: Cypher (None, Read, Full, Full Decrypted)
  • Services: Image Builder (None, Read, Full)

Adding Roles

Tenant Roles

A Tenant Role sets the highest possible permissions for a Tenant. User Roles within that Tenant cannot exceed those of the Tenant's assigned Tenant Role. Tenant Roles can be assigned to single or multiple Tenants, and do not apply to the Master Account.

To create a Tenant Role:

  1. In the Master Account, navigate to Administration -> Roles
  2. Select the + CREATE ROLE button
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “Tenant Role”
  5. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. This configures the new Role with the same configuration as the selected Role. A new Role that is not copied from another Role is generated with all permissions set to NONE.
  6. Optionally set Limits for Storage, Memory or CPU Count. These limits will apply for any Tenant the Role is assigned to. 0.0 is default and is equal to no limit.

After saving, the Role is created and you are redirected to that Role's Permissions settings.

User Roles

User Roles can be single or multi-tenant. Multi-tenant User Roles will automatically be copied to all current and future Tenants.

Important

Multi-tenant User Roles are copied to Tenants, but each copied Role becomes its own unique role per Tenant and needs to be edited in that Tenant. Changes to a Multi-Tenant User Role at the Master Tenant level will not change existing user roles in Tenants created from the Multi-Tenant Role, due to the unique Role permissions in each Tenant, such as changes from the overriding Tenant Role and unique Group and Instance Type permissions.

Create a Single Tenant User Role

  1. In the Master Account, navigate to Administration -> Roles
  2. Select the + CREATE ROLE button
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “User Role”
  5. Leave the “Multi-tenant Role” checkbox blank.
  6. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. This configures the new Role with the same configuration as the selected Role. A new Role that is not copied from another Role is generated with all permissions set to NONE.
  7. Optionally set Limits for Storage, Memory or CPU Count. These limits will apply for any User the Role is assigned to. 0.0 is default and is equal to no limit.

After saving, the Role is created and you are redirected to that Role's Permissions settings.

Create a Multi Tenant Role

  1. In the Master Account, navigate to Administration -> Roles
  2. Select the + CREATE ROLE button
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “User Role”
  5. Select the “Multi-tenant Role” checkbox.
  6. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. This configures the new Role with the same configuration as the selected Role. A new Role that is not copied from another Role is generated with all permissions set to NONE.
  7. Optionally set Limits for Storage, Memory or CPU Count. These limits will apply for any User the Role is assigned to. 0.0 is default and is equal to no limit.

After saving, the Role is created and you are redirected to that Role's Permissions settings.

Important

While a Multi-tenant role is automatically copied into all existing subtenants as well as placed into any new Tenants, the generated roles inside each Tenant should be treated and managed as their own roles. The Group Access configuration of a multi-tenant role only applies to the Tenant the role is being edited in, as Groups are unique to each Tenant and not shared across Tenants. The purpose of a multi-tenant role is to provide an easy method of generating multiple pre-defined user roles for Tenants, NOT to manage Tenant User Roles from the master tenant. When editing the permissions for a sub-tenant user, be sure to edit their user role(s) from inside the sub-tenant, not from the Master account, by impersonating a sub-tenant admin with full Role permissions.