Roles

Overview

Within Morpheus is a wide array of role based access control capabilities. These roles can be managed within the Admin -> Roles section of the Morpheus UI as well as through the API or CLI. They are designed to be robust enough to fit within a wide array of enterprise and managed service provider scenarios so they can be a bit hard to grasp at first, but should make sense once a few simple concepts are explained. There are two types of roles within Morpheus called Tenant and User based roles. Both sets of roles allow restrictions to be imposed on a user at the feature access level. Entire sections within the appliance UI can be hidden based on the specified access levels for features within Morpheus. Features have different access scopes that can be selected from and can range depending on the specific feature. The most common scope set involves none, read, and full. Instance Type access is also common among both role types which allow the administrator to restrict which service catalog items they are allowed to provision within Morpheus .

There are several handy tricks for creating new roles within Morpheus and users can be assigned more than one role. When a user is assigned more than one role, permissions are granted by the role with the highest level of scope access. This allows roles to be built with small subsets of features and combined to grant different individuals relevant permission control.

Note

Feature access control not only applies to the Morpheus UI but also applies to the public developer API. It is sometimes necessary to logout and back in for changes to a users feature access level to be respected.

Role Types

Tenant Roles

A Tenant based role (formerly called an Account based role) is used to ensure access control enforcement across an entire tenant with many sub-users. This allows the subtenant to manage their own set of internal user based roles without worrying master tenant involvement in setting them up. The master tenant is the only tenant able to create and manage these types of roles. When editing a Tenant, a singular tenant role can be assigned to the account. Users within the tenant can be assigned roles but those user based roles will never be able to supersede the level of access granted by the tenant role. This allows a super administrator the ability to restrict access at the department or organization level without having to worry about per user access control within said tenant.

Tenant roles also have an additional section not in User based roles related to Cloud Access. Cloud Access allows the master tenant the ability to assign cloud integration resources to specific subtenants or groups of subtenants. An example would be granting access to a specific VMware cluster only to a subset of tenants using the tenant based role control.

User Roles

User roles can be created by any tenant given permission at the tenant role level. These allow tenants to manage their own sets of users and their levels of access. They also allow tenants to control which users have access to specific “Groups” for provisioning into within Morpheus. Groups are not cross tenant and therefore need to be controlled within the individual tenant in Morpheus.

Master tenants are able to create a special type of user role called a multi-tenant user role. A multi-tenant user role is copied / duplicated down to all subtenants within Morpheus. These can be viewed as pre-canned role templates available to new tenants when their account is first created. Any changes made to the main role are propagated down to the subtenants version of the shared role so long as the subtenant has not previously adjusted/changed that role. The moment a subtenant makes adjustments to the shared role within their account, it is unlinked from the parent role and treated entirely independently.

Another note about user roles is that when a user role is copied down to a subtenant, the permission scopes cannot supersede the tenants assigned tenant role. If they do they are automatically downgraded when propagated to the specific tenant. Any changes made to the tenant role will automatically ensure roles within the tenant are downgraded appropriately.

Multi-Tenant User Role Lock

As discussed above, multi-tenanted user roles are made available within all subtenants as ‘canned’ user role sets. Master tenant administrators can prevent changes to these ‘canned’ user roles by marking the box labeled ‘MULTITENANT LOCKED’ when creating or editing the role. In addition to preventing subtenant administrators from modifying permissions of these roles within their subtenancy, this option also ensures master tenant administrators can propagate new changes to that role. Modification of the role by the subtenant (if allowed) breaks the link back to the master tenant and the copy of the role within the subtenant will become its own unlinked role.

Note

Multi-tenant role lock applies only to permission sets on the ‘FEATURE ACCESS’ tab. Permissions in the ‘GROUP ACCESS’, ‘INSTANCE TYPE ACCESS’, and ‘BLUEPRINT ACCESS’ tabs are not locked. Similarly, changes made to the role on these tabs in the master tenant are not synced down.

Roles and Identity Sources

It is very common for large Enterprises to have an existing identity source that they would like to plugin to Morpheus for authentication. This includes services like LDAP, Active Directory, OKTA, Jump Cloud, One Login, and SAML. When using these services it becomes important to configure a role mapping between the Morpheus role assignments to the equivalent identity source groups/roles the user belongs to. This is configurable within the identity source management UI. Sections are provided allowing things like LDAP groups to be directly mapped to specific roles within Morpheus. If a user matches more than one LDAP/role group then both sets of roles are applied to the user automatically. Configuring Identity Sources is done in Tenant management found in Admin -> Tenants, and has to be configured on a per tenant basis.

Role Permissions

Note

Permission options for sub-tenant user roles will only list options permitted by the Tenant role applied to the sub-tenant. Sub-Tenant user roles permissions cannot exceed permissions set by the overriding Tenant Role.

User Role Permission Sections

FEATURE ACCESS
Controls Tenant and User access level for sections and features in morpheus.
GROUP ACCESS
Controls User access level for Groups. (Groups are not Multi-Tenant.)
CLOUD ACCESS
Controls Sub-Tenant access level for Master Tenant publicly visible Clouds.
INSTANCE TYPE User only has access to Objects they have created/own.
Controls Tenant and User access level for Instance Types.

BLUEPRINT ACCESS

Feature Access Permissions

Feature Access settings control permissions for sections and objects in morpheus. Permission options include:

None
Hidden or inaccessible for user
Read
User can view but cannot edit or create
Full
User has full access
User
User can access Objects they have created or own.
Group
User can access Objects assigned to or shared with Groups the User has access to.
Remote Console: Provisioned
Remote Console tab will only appear after instance is successfully provisioned.
Remote Console: Auto Login
RDP and SSH only, controls if user is auto-logged in to Remote Console or presented with login prompt.
Role Mappings
Gives User Access to Role Mappings config in /admin/roles for configuring Identity Source Role Mappings without providing Access to other Identity Source configuration settings.
Feature Access Role Permission Options
Permission None Read Full User Other
Admin: Appliance Settings      
Admin: Backup Settings    
Admin: Environment Settings      
Admin: Identity Source     Role Mappings
Admin: Integrations    
Admin: License Settings      
Admin: Log Settings      
Admin: Message of the day      
Admin: Monitoring Settings      
Admin: Policies    
Admin: Provisioning Settings      
Admin: Roles    
Admin: Service Plans    
Admin: Tenant    
Admin: Tenant - Impersonate Users      
Admin: Users    
Admin: Whitelabel Settings      
API: Execution Request      
Backups View
Backups: Integrations    
Backups: Services    
Billing:    
Infrastructure: Boot    
Infrastructure: Certificates    
Infrastructure: Clouds    
Infrastructure: Clusters    
Infrastructure: Groups    
Infrastructure: Hosts    
Infrastructure: KeyPairs    
Infrastructure: Load Balancers    
Infrastructure: Network Domains    
Infrastructure: Network IP Pools    
Infrastructure: Network Proxies    
Infrastructure: Network Routers   Group
Infrastructure: Networks   Group
Infrastructure: Policies    
Infrastructure: Security Groups      
Infrastructure: State    
Infrastructure: Storage    
Infrastructure: Storage Browser    
Infrastructure: Trust Integrations    
Integrations: Ansible      
Logs:  
Monitoring:  
Operations: Activity      
Operations: Analytics    
Operations: Approvals    
Operations: Budgets    
Operations: Dashboard      
Operations: Guidance    
Operations: Health      
Operations: Reports    
Operations: Usage    
Operations: Wiki    
Provisioning Administrator      
Provisioning: Advanced Node Type Option      
Provisioning: Allow Force Delete:      
Provisioning: Apps:  
Provisioning: Automation Integrations    
Provisioning: Automation Services    
Provisioning: Blueprints    
Provisioning: Blueprints - ARM     Provision
Provisioning: Blueprints - CloudFormation     Provision
Provisioning: Blueprints - Helm     Provision
Provisioning: Blueprints - Kubernetes     Provision
Provisioning: Blueprints - Terraform     Provision
Provisioning: Deployment Integrations    
Provisioning: Deployments    
Provisioning: Instances  
Provisioning: Job Executions      
Provisioning: Jobs    
Provisioning: Library    
Provisioning: Scheduling - Execute    
Provisioning: Scheduling - Power    
Provisioning: Service Mesh  
Provisioning: Tasks    
Provisioning: Tasks - Script Engines      
Provisioning: Thresholds    
Provisioning: Virtual Images    
Reconfigure Servers      
Remote Console:     Provisioned
Remote Console - Auto Login:         Yes/No
Snapshots:    
Tools: Archives    
Tools: Cypher Decrypted
Tools: Image Builder    
Tools: Kubernetes (Deprecated)  
Tools: Migrations    

Creating Roles

User Roles

User Roles can be single or multitenant. A Multitenant User Role is automatically copied into all existing subtenants as well as placed into a subtenant when created. Useful for providing a set of predefined roles a Customer can use. The Multitenant Locked option prevent subtenant from modifying FEATURE ACCESS settings in the Role. Note Group, Instance Type and Blueprint Access settings will still be editable as Groups are unique per Tenant, and Instance and Blueprints can be a mix of unique and shared items.

Important

Multitenant Roles still need to be configured/managed be each subtenant, as Groups are unique per Tenant, and Instance and Blueprints can be a mix of unique and shared items.

Note

User Roles cannot exceed Tenant Role permissions. If a Multitenant User Role has higher permissions than the Tenant Role assigned to a subtenant, the Multitenant User Role permissions in that Tenant will automatically be reduced to match the Tenant Role permissions.

Create a Single Tenant User Role

  1. In the Master Account, navigate to Administration -> Roles
  2. Select + CREATE ROLE
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “User Role”
  5. Leave the “Multi-tenant Role” checkbox blank.
  6. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. * This will configure the new Role with the same configuration as the selected role to copy. A new role that is not copied from another role will be generated with all permissions set to NONE.
  7. Select SAVE CHANGES

After saving the Role will be created, and you will be redirected to the Roles Permissions settings.

Create a MultiTenant User Role

A Multitenant User Role is automatically copied into all existing subtenants as well as placed into a subtenant when created. Useful for providing a set of predefined roles a Customer can use. The Multitenant Locked option prevent subtenant from modifying FEATURE ACCESS settings in the Role. Note Group, Instance Type and Blueprint Access settings will still be editable as Groups are unique per Tenant, and Instance and Blueprints can be a mix of unique and shared items.

  1. In the Master Account, navigate to Administration -> Roles
  2. Select + CREATE ROLE
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “User Role”
  5. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. * This will configure the new Role with the same configuration as the selected role to copy. A new role that is not copied from another role will be generated with all permissions set to NONE.
  6. Select the MULTITENANT ROLE checkbox
  7. Optionally select the MULTITENANT LOCKED checkbox * When enabled, the FEATURE ACCESS settings in the Role will not be editable by subtenants. Group, Instance Type and Blueprint Access settings will still be editable as Groups are unique per Tenant, and Instance and Blueprints can be a mix of unique and shared items.
  8. Select SAVE CHANGES

After saving the Role will be created, and you will be redirected to the Roles Permissions settings.

Important

Multitenant Roles still need to be configured/managed be each subtenant, as Groups are unique per Tenant, and Instance and Blueprints can be a mix of unique and shared items.

Note

User Roles cannot exceed Tenant Role permissions. If a Multitenant User Role has higher permissions than the Tenant Role assigned to a subtenant, the Multitenant User Role permissions in that Tenant will automatically be reduced to match the Tenant Role permissions.

Tenant Roles

A Tenant Role sets the highest possible permissions for a Tenant. User Roles within that Tenant cannot exceed those of the Tenants assigned Tenant Role. Tenant Roles can be assigned to single or multiple Tenants, and do not apply to the Mater Account.

To create a Tenant Role:

  1. In the Master Account, navigate to Administration -> Roles
  2. Select + CREATE ROLE
  3. Enter a name for the Role and optional Description
  4. For TYPE, select “Tenant Role”
  5. Optionally select an existing Role to copy in the COPY FROM ROLE dropdown. * This will configure the new Role with the same configuration as the selected role to copy. A new role that is not copied from another role will be generated with all permissions set to NONE.
  6. Select SAVE CHANGES

After saving, the Role will be created and you will be redirected to the Roles Permissions settings.