Roles

Overview

Morpheus provides a wide array of role-based access control capabilities. Roles can be managed in the Admin -> Roles section of the Morpheus UI as well as through the API or CLI. They are designed to be robust enough to fit a wide range of enterprise and managed service provider scenarios, so they can be a bit hard to grasp at first, but should make sense once a few simple concepts are explained. There are two types of roles within Morpheus: Tenant roles and User roles. Both allow restrictions to be imposed on a user at the feature access level, and entire sections of the appliance UI can be hidden based on the access level granted for a feature. Each feature offers a set of access scopes that varies by feature; the most common set is None, Read, and Full. Instance Type access is also common to both role types and allows the administrator to restrict which service catalog items a user is allowed to provision within Morpheus.

There are several handy tricks for creating new roles within Morpheus, and users can be assigned more than one role. When a user is assigned more than one role, each permission is granted at the highest scope level found across those roles. This allows roles to be built from small subsets of features and combined to grant different individuals the relevant permissions.

Note

Feature access control applies not only to the Morpheus UI but also to the public developer API. It is sometimes necessary to log out and back in for changes to a user's feature access level to take effect.

Role Types

Tenant Roles

A Tenant role (formerly called an Account role) enforces access control across an entire tenant with many sub-users. This allows a subtenant to manage its own set of internal User roles without requiring master tenant involvement in setting them up. The master tenant is the only tenant able to create and manage these types of roles. When editing a Tenant, a single Tenant role can be assigned to the account. Users within the tenant can be assigned User roles, but those roles can never supersede the level of access granted by the Tenant role. This gives a super administrator the ability to restrict access at the department or organization level without having to manage per-user access control within that tenant.

Tenant roles also have an additional section not found in User roles: Cloud Access. Cloud Access allows the master tenant to assign cloud integration resources to specific subtenants or groups of subtenants. An example would be granting access to a specific VMware cluster only to a subset of tenants by means of the Tenant role.

User Roles

User roles can be created by any tenant given permission to do so at the Tenant role level. They allow tenants to manage their own sets of users and their levels of access, and to control which users have access to specific Groups to provision into within Morpheus. Groups are not cross-tenant and therefore need to be controlled within the individual tenant.

Master tenants are able to create a special type of User role called a multi-tenant User role. A multi-tenant User role is copied down to all subtenants within Morpheus. These can be viewed as pre-canned role templates available to new tenants when their account is first created. Any changes made to the main role are propagated down to the subtenant's version of the shared role so long as the subtenant has not previously adjusted that role. The moment a subtenant makes adjustments to the shared role within its account, it is unlinked from the parent role and treated entirely independently.

Another note about User roles is that when a User role is copied down to a subtenant, its permission scopes cannot supersede the tenant's assigned Tenant role. If they do, they are automatically downgraded when propagated to that tenant. Likewise, any change made to the Tenant role automatically downgrades User roles within the tenant as needed.

Multi-Tenant User Role Lock

As discussed above, multi-tenant User roles are made available within all subtenants as 'canned' role sets. Master tenant administrators can prevent changes to these roles by checking the box labeled MULTITENANT LOCKED when creating or editing the role. In addition to preventing subtenant administrators from modifying the permissions of these roles within their subtenancy, this option ensures that master tenant administrators can continue to propagate new changes to the role. Modification of the role by the subtenant (if allowed) breaks the link back to the master tenant, and the copy of the role within the subtenant becomes its own unlinked role.

Note

Multi-tenant role lock applies only to permission sets on the ‘FEATURE ACCESS’ tab. Permissions in the ‘GROUP ACCESS’, ‘INSTANCE TYPE ACCESS’, and ‘BLUEPRINT ACCESS’ tabs are not locked. Similarly, changes made to the role on these tabs in the master tenant are not synced down.

Roles and Identity Sources

It is very common for large enterprises to have an existing identity source that they would like to plug into Morpheus for authentication, including LDAP, Active Directory, Okta, JumpCloud, OneLogin, and SAML. When using these services it becomes important to configure a mapping between Morpheus roles and the equivalent identity source groups/roles a user belongs to. This is configured within the identity source management UI, where sections allow things like LDAP groups to be mapped directly to specific roles within Morpheus. If a user matches more than one mapped group, the roles for all matched groups are applied to the user automatically; because permissions from multiple roles combine at the highest scope, such a user receives the union of those roles' access. Identity Sources are configured in Tenant management under Admin -> Tenants, and must be configured on a per-tenant basis.
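The three rules described so far (a user holding several roles gets the highest scope per feature, every matched identity-source group adds a role, and nothing in a subtenant can exceed the Tenant role, with automatic downgrade when the Tenant role is tightened) can be modelled directly. The following Python is an added illustration written for this page, not Morpheus code. It assumes that "highest level" means the right-most option in a feature's option list as shown in the Feature Access table further down, and all role, Tenant role and LDAP group data in it is constructed for the example.

```python
"""Effective-permission model for Morpheus roles.

Added illustration, not Morpheus code. Assumption: the options for each
feature rank left to right as listed in the Feature Access table on this
page, so "Full" outranks "User" outranks "Read" outranks "None".
"""
from typing import Dict, Iterable, List, Mapping

# A subset of the Feature Access table, lowest to highest access.
SCOPES: Dict[str, List[str]] = {
    "Admin: Roles": ["None", "Read", "Full"],
    "Admin: Tenant - Impersonate Users": ["None", "Full"],
    "Infrastructure: Networks": ["None", "Read", "Group", "Full"],
    "Provisioning: Instances": ["None", "Read", "User", "Full"],
    "Tools: Cypher": ["None", "Read", "User", "Full", "Full Decrypted"],
}

Role = Mapping[str, str]  # feature name -> option granted by the role


def rank(feature: str, option: str) -> int:
    """Position of an option in its feature's list (ValueError if unknown)."""
    return SCOPES[feature].index(option)


def merge_user_roles(roles: Iterable[Role]) -> Dict[str, str]:
    """Combine several User roles: per feature, the highest-ranked option wins.

    Features that no role mentions fall back to the lowest option ("None").
    """
    effective = {feature: options[0] for feature, options in SCOPES.items()}
    for role in roles:
        for feature, option in role.items():
            if rank(feature, option) > rank(feature, effective[feature]):
                effective[feature] = option
    return effective


def clamp_to_tenant(user_perms: Role, tenant_role: Role) -> Dict[str, str]:
    """Apply the Tenant role ceiling: any option above the Tenant role's option
    for that feature is downgraded to the ceiling. A feature the Tenant role
    does not grant at all is treated as "None" (safe default)."""
    clamped: Dict[str, str] = {}
    for feature, option in user_perms.items():
        ceiling = tenant_role.get(feature, SCOPES[feature][0])
        clamped[feature] = ceiling if rank(feature, option) > rank(feature, ceiling) else option
    return clamped


def roles_from_identity_groups(mappings: Mapping[str, str],
                               user_groups: Iterable[str]) -> List[str]:
    """Identity-source mapping: every matched group contributes its role;
    groups with no mapping contribute nothing."""
    return sorted({mappings[g] for g in user_groups if g in mappings})


# --- Constructed sample data (not from a real appliance) -------------------
ROLES: Dict[str, Role] = {
    "ops-viewer": {"Provisioning: Instances": "Read", "Admin: Roles": "Read"},
    "dev-deploy": {"Provisioning: Instances": "Full", "Tools: Cypher": "Full Decrypted"},
    "helpdesk": {"Admin: Tenant - Impersonate Users": "Full"},
}
# LDAP group DN -> Morpheus role, as it would be configured on the identity source
GROUP_MAPPINGS = {
    "cn=ops,ou=groups,dc=example,dc=com": "ops-viewer",
    "cn=dev,ou=groups,dc=example,dc=com": "dev-deploy",
    "cn=support,ou=groups,dc=example,dc=com": "helpdesk",
}
# Tenant role assigned to the subtenant the user logs in to
TENANT_ROLE: Role = {
    "Admin: Roles": "Full",
    "Admin: Tenant - Impersonate Users": "None",
    "Infrastructure: Networks": "Full",
    "Provisioning: Instances": "User",
    "Tools: Cypher": "Full",
}


def effective_permissions(user_groups: Iterable[str],
                          tenant_role: Role = TENANT_ROLE) -> Dict[str, str]:
    """What a user in the given identity groups can actually do in the subtenant."""
    role_names = roles_from_identity_groups(GROUP_MAPPINGS, user_groups)
    merged = merge_user_roles(ROLES[name] for name in role_names)
    return clamp_to_tenant(merged, tenant_role)


if __name__ == "__main__":
    groups = ["cn=ops,ou=groups,dc=example,dc=com", "cn=dev,ou=groups,dc=example,dc=com"]
    for feature, option in effective_permissions(groups).items():
        print(f"{feature:35} {option}")
```

Run it and the user in both the ops and dev groups ends up with Instances at User (dev-deploy's Full is clamped by the Tenant role) and Cypher at Full rather than Full Decrypted, while Impersonate Users stays None regardless of any User role because the Tenant role never grants it.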

Role Permissions

Note

Permission options for sub-tenant User Roles will only list options permitted by the Tenant Role applied to the sub-tenant; sub-tenant User Role permissions cannot exceed those set by the overriding Tenant Role.

User Role Permission Sections

FEATURE ACCESS
Controls Tenant and User access level for sections and features in Morpheus.
GROUP ACCESS
Controls User access level for Groups. (Groups are not Multi-Tenant.)
CLOUD ACCESS
Controls Sub-Tenant access level for Master Tenant publicly visible Clouds. (Tenant Roles only.)
INSTANCE TYPE ACCESS
Controls Tenant and User access level for Instance Types.
BLUEPRINT ACCESS
Controls Tenant and User access level for Blueprints.

Feature Access Permissions

Feature Access settings control permissions for sections and objects in Morpheus. Permission options include:

None
Hidden or inaccessible for user
Read
User can view but cannot edit or create
Full
User has full access
User
User can access Objects they have created or own.
Group
User can access Objects assigned to or shared with Groups the User has access to.
Remote Console: Provisioned
Remote Console tab will only appear after instance is successfully provisioned.
Remote Console: Auto Login
RDP and SSH only, controls if user is auto-logged in to Remote Console or presented with login prompt.
Role Mappings
Gives User Access to Role Mappings config in /admin/roles for configuring Identity Source Role Mappings without providing Access to other Identity Source configuration settings.
Permission                                 Access Settings
Admin: Appliance Settings                  None / Full
Admin: Backup Settings                     None / Read / Full
Admin: Environment Settings                None / Full
Admin: Identity Source                     None / Role Mappings / Full
Admin: Integrations                        None / Read / Full
Admin: License Settings                    None / Full
Admin: Log Settings                        None / Full
Admin: Message of the day                  None / Full
Admin: Monitoring Settings                 None / Full
Admin: Policies                            None / Read / Full
Admin: Provisioning Settings               None / Full
Admin: Roles                               None / Read / Full
Admin: Service Plans                       None / Read / Full
Admin: Tenant                              None / Read / Full
Admin: Tenant - Impersonate Users          None / Full
Admin: Users                               None / Read / Full
Admin: Whitelabel Settings                 None / Full
API: Execution Request                     None / Full
Backups                                    None / View / Read / User / Full
Backups: Integrations                      None / Read / Full
Backups: Services                          None / Read / Full
Billing                                    None / Read / Full
Infrastructure: Boot                       None / Read / Full
Infrastructure: Certificates               None / Read / Full
Infrastructure: Clouds                     None / Read / Full
Infrastructure: Clusters                   None / Read / Full
Infrastructure: Groups                     None / Read / Full
Infrastructure: Hosts                      None / Read / Full
Infrastructure: KeyPairs                   None / Read / Full
Infrastructure: Load Balancers             None / Read / Full
Infrastructure: Network Domains            None / Read / Full
Infrastructure: Network IP Pools           None / Read / Full
Infrastructure: Network Proxies            None / Read / Full
Infrastructure: Network Routers            None / Read / Group / Full
Infrastructure: Networks                   None / Read / Group / Full
Infrastructure: Policies                   None / Read / Full
Infrastructure: Security Groups            None / Read / Full
Infrastructure: State                      None / Read / Full
Infrastructure: Storage                    None / Read / Full
Infrastructure: Storage Browser            None / Read / Full
Infrastructure: Trust Integrations         None / Read / Full
Integrations: Ansible                      None / Full
Logs                                       None / Read / User / Full
Monitoring                                 None / Read / User / Full
Operations: Activity                       None / Read
Operations: Analytics                      None / Read / Full
Operations: Approvals                      None / Read / Full
Operations: Budgets                        None / Read / Full
Operations: Dashboard                      None / Read
Operations: Guidance                       None / Read / Full
Operations: Health                         None / Read
Operations: Reports                        None / Read / Full
Operations: Usage                          None / Read / Full
Operations: Wiki                           None / Read / Full
Provisioning Administrator                 None / Full
Provisioning: Advanced Node Type Options   None / Full
Provisioning: Allow Force Delete           None / Full
Provisioning: Apps                         None / Read / User / Full
Provisioning: Automation Integrations      None / Read / Full
Provisioning: Automation Services          None / Read / Full
Provisioning: Blueprints                   None / Read / Full
Provisioning: Blueprints - ARM             None / Provision / Full
Provisioning: Blueprints - CloudFormation  None / Provision / Full
Provisioning: Blueprints - Helm            None / Provision / Full
Provisioning: Blueprints - Kubernetes      None / Provision / Full
Provisioning: Blueprints - Terraform       None / Provision / Full
Provisioning: Deployment Integrations      None / Read / Full
Provisioning: Deployments                  None / Read / Full
Provisioning: Instances                    None / Read / User / Full
Provisioning: Job Executions               None / Read
Provisioning: Jobs                         None / Read / Full
Provisioning: Library                      None / Read / Full
Provisioning: Scheduling - Execute         None / Read / Full
Provisioning: Scheduling - Power           None / Read / Full
Provisioning: Service Mesh                 None / Read / User / Full
Provisioning: Tasks                        None / Read / Full
Provisioning: Tasks - Script Engines       None / Full
Provisioning: Thresholds                   None / Read / Full
Provisioning: Virtual Images               None / Read / Full
Remote Console                             None / Provisioned / Full
Remote Console - Auto Login                No / Yes
Snapshots                                  None / Read / Full
Tools: Archives                            None / Read / Full
Tools: Cypher                              None / Read / User / Full / Full Decrypted
Tools: Image Builder                       None / Read / Full
Tools: Kubernetes (Deprecated)             None / Read / User / Full
Tools: Migrations                          None / Read / Full
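Several rows in the table above are high-impact grants (Impersonate Users, Cypher Full Decrypted, Allow Force Delete, Tasks - Script Engines, Provisioning Administrator, and Full on Roles, Users and Identity Source), so a periodic review of every role's Feature Access is worth automating. The following Python script is an added example written for this page, not Morpheus code. audit_role() flags the grants a reviewer would normally question and also flags multi-tenant roles that are not MULTITENANT LOCKED, since any subtenant may then edit their Feature Access. The HTTP functions use GET /api/roles and GET /api/roles/{id} with a bearer token as given in the Morpheus API reference; the response layout assumed here (featurePermissions entries carrying name and access, and multitenant/multitenantLocked flags on the role) is the author's reading of that reference and should be checked against your appliance version. The sample response at the bottom is constructed for the example.

```python
"""Least-privilege audit of Morpheus role definitions.

Added example, not Morpheus code. Assumes a role detail response of the form
{"role": {...}, "featurePermissions": [{"name": ..., "access": ...}, ...]};
verify the field names against your appliance's API reference.
"""
import json
import urllib.request
from typing import Dict, List, Set

# Grants worth a second look, keyed by feature name as listed in the table above.
# Access values are compared case-insensitively after _norm().
SENSITIVE_GRANTS: Dict[str, Set[str]] = {
    "Admin: Tenant - Impersonate Users": {"full"},
    "Admin: Roles": {"full"},
    "Admin: Users": {"full"},
    "Admin: Identity Source": {"full"},
    "Provisioning Administrator": {"full"},
    "Provisioning: Allow Force Delete": {"full"},
    "Provisioning: Tasks - Script Engines": {"full"},
    "Tools: Cypher": {"full decrypted"},
    "Remote Console - Auto Login": {"yes"},
}


def _norm(value: str) -> str:
    """Normalise an access value so 'Full_Decrypted' and 'full decrypted' match."""
    return value.strip().lower().replace("_", " ")


def audit_role(detail: dict) -> List[str]:
    """Return human-readable findings for one role detail document."""
    role = detail["role"]
    name = role.get("authority", "?")
    findings: List[str] = []
    for perm in detail.get("featurePermissions", []):
        feature = perm.get("name", "")
        access = _norm(str(perm.get("access", "none")))
        if access in SENSITIVE_GRANTS.get(feature, set()):
            findings.append(f"{name}: '{feature}' granted '{perm.get('access')}'")
    # A multi-tenant User role that is not locked can have its FEATURE ACCESS
    # edited by every subtenant, which also unlinks it from the master copy.
    if role.get("multitenant") and not role.get("multitenantLocked"):
        findings.append(f"{name}: multitenant role is not MULTITENANT LOCKED")
    return findings


def _get(base_url: str, token: str, path: str) -> dict:
    """GET a JSON document from the appliance API (bearer token auth)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_appliance(base_url: str, token: str) -> List[str]:
    """Audit every role the token can read. Needs network access; not run offline."""
    findings: List[str] = []
    for summary in _get(base_url, token, "/api/roles").get("roles", []):
        findings += audit_role(_get(base_url, token, f"/api/roles/{summary['id']}"))
    return findings


# Constructed sample of a role detail response, used for an offline dry run.
SAMPLE_ROLE_DETAIL = json.loads("""
{
  "role": {"id": 7, "authority": "Customer Helpdesk", "roleType": "user",
           "multitenant": true, "multitenantLocked": false},
  "featurePermissions": [
    {"name": "Admin: Users", "access": "read"},
    {"name": "Admin: Tenant - Impersonate Users", "access": "full"},
    {"name": "Tools: Cypher", "access": "full_decrypted"},
    {"name": "Provisioning: Instances", "access": "user"},
    {"name": "Remote Console - Auto Login", "access": "no"}
  ]
}
""")


if __name__ == "__main__":
    for line in audit_role(SAMPLE_ROLE_DETAIL):
        print(line)
```

Against the sample the script reports three findings: the impersonation grant, the decrypted Cypher access, and the unlocked multi-tenant role. Read access on Admin: Users and User-scoped Instances pass without comment.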

Creating Roles

User Roles

User Roles can be single-tenant or multitenant. A Multitenant User Role is automatically copied into all existing subtenants and into each new subtenant when it is created, which is useful for providing a set of predefined roles a customer can use. The Multitenant Locked option prevents subtenants from modifying the FEATURE ACCESS settings of the Role. Group, Instance Type and Blueprint Access settings remain editable, as Groups are unique per Tenant, and Instance Types and Blueprints can be a mix of unique and shared items.

Important

Multitenant Roles still need to be configured/managed by each subtenant, as Groups are unique per Tenant, and Instance Types and Blueprints can be a mix of unique and shared items.

Note

User Roles cannot exceed Tenant Role permissions. If a Multitenant User Role has higher permissions than the Tenant Role assigned to a subtenant, the Multitenant User Role permissions in that Tenant will automatically be reduced to match the Tenant Role permissions.

Create a Single Tenant User Role

  1. In the Master Account, navigate to Administration -> Roles
  2. Select + CREATE ROLE
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “User Role”
  5. Leave the “Multi-tenant Role” checkbox blank.
  6. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. This configures the new Role with the same settings as the selected Role; a new Role that is not copied from another Role is generated with all permissions set to NONE.
  7. Select SAVE CHANGES

After saving, the Role will be created and you will be redirected to the Role's Permissions settings.

Create a MultiTenant User Role

  1. In the Master Account, navigate to Administration -> Roles
  2. Select + CREATE ROLE
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “User Role”
  5. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. This configures the new Role with the same settings as the selected Role; a new Role that is not copied from another Role is generated with all permissions set to NONE.
  6. Select the MULTITENANT ROLE checkbox
  7. Optionally select the MULTITENANT LOCKED checkbox. When enabled, the FEATURE ACCESS settings in the Role will not be editable by subtenants. Group, Instance Type and Blueprint Access settings will still be editable, as Groups are unique per Tenant, and Instance Types and Blueprints can be a mix of unique and shared items.
  8. Select SAVE CHANGES

After saving, the Role will be created and you will be redirected to the Role's Permissions settings.

Tenant Roles

A Tenant Role sets the highest possible permissions for a Tenant. User Roles within that Tenant cannot exceed those of the Tenant's assigned Tenant Role. Tenant Roles can be assigned to one or more Tenants, and do not apply to the Master Account.

To create a Tenant Role:

  1. In the Master Account, navigate to Administration -> Roles
  2. Select + CREATE ROLE
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “Tenant Role”
  5. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. This configures the new Role with the same settings as the selected Role; a new Role that is not copied from another Role is generated with all permissions set to NONE.
  6. Select SAVE CHANGES

After saving, the Role will be created and you will be redirected to the Role's Permissions settings.
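The three UI procedures above (single-tenant User Role, multitenant User Role, Tenant Role) have a REST equivalent, and the page notes at the start that roles can be managed through the API. The following Python is an added example written for this page, not Morpheus code. It uses POST /api/roles and PUT /api/roles/{id}/update-permission as given in the Morpheus API reference; the field names (authority, description, roleType with user for a User Role and account for a Tenant Role, multitenant, multitenantLocked, baseRoleId for COPY FROM ROLE, and permissionCode/access for a permission update) are the author's reading of that reference and should be confirmed against your appliance version. build_role_payload() encodes the rules stated on this page: a new Role starts with every permission at NONE unless copied from another Role, the multitenant options exist only for User Roles, and MULTITENANT LOCKED only applies to a multitenant Role.

```python
"""Create Morpheus roles over the REST API.

Added example, not Morpheus code. API field names follow the Morpheus API
reference as the author reads it (assumption; confirm for your version).
"""
import json
import urllib.request
from typing import Optional

# UI "TYPE" selection -> API roleType value. Tenant Roles were formerly called
# Account Roles, which is the value the API uses for them (assumption).
ROLE_TYPE = {"user": "user", "tenant": "account"}


def build_role_payload(name: str, role_type: str, description: str = "",
                       copy_from_role_id: Optional[int] = None,
                       multitenant: bool = False,
                       multitenant_locked: bool = False) -> dict:
    """Body for POST /api/roles, mirroring the CREATE ROLE form on this page."""
    if role_type not in ROLE_TYPE:
        raise ValueError(f"role_type must be one of {sorted(ROLE_TYPE)}")
    if role_type == "tenant" and (multitenant or multitenant_locked):
        raise ValueError("MULTITENANT options exist only for User Roles")
    if multitenant_locked and not multitenant:
        raise ValueError("MULTITENANT LOCKED requires MULTITENANT ROLE")
    role = {"authority": name, "description": description,
            "roleType": ROLE_TYPE[role_type]}
    if copy_from_role_id is not None:   # COPY FROM ROLE; otherwise all NONE
        role["baseRoleId"] = copy_from_role_id
    if role_type == "user":
        role["multitenant"] = multitenant
        role["multitenantLocked"] = multitenant_locked
    return {"role": role}


def _call(base_url: str, token: str, method: str, path: str, body: dict) -> dict:
    """Send one JSON request with bearer-token auth and return the parsed reply."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{path}", method=method,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_role(base_url: str, token: str, payload: dict) -> int:
    """POST the payload and return the new role id (needs network; not run offline)."""
    return _call(base_url, token, "POST", "/api/roles", payload)["role"]["id"]


def set_feature_permission(base_url: str, token: str, role_id: int,
                           permission_code: str, access: str) -> dict:
    """Equivalent of editing one row on the FEATURE ACCESS tab after creation,
    which is where the UI redirects you once the Role is saved."""
    return _call(base_url, token, "PUT", f"/api/roles/{role_id}/update-permission",
                 {"permissionCode": permission_code, "access": access})


if __name__ == "__main__":
    # Payloads for the three procedures on this page (printed, not sent).
    print(json.dumps(build_role_payload("Single Tenant Ops", "user"), indent=2))
    print(json.dumps(build_role_payload("Shared Helpdesk", "user", multitenant=True,
                                        multitenant_locked=True, copy_from_role_id=3), indent=2))
    print(json.dumps(build_role_payload("Customer Ceiling", "tenant"), indent=2))
```

Create the Tenant Role first and assign it to the subtenant, then create the User Roles; anything you set on a User Role above the Tenant Role's ceiling is downgraded automatically, so the API will not report it as an error.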