CloudShell User Permission Levels (RBAC)
This article lists the different actions each user type can perform in CloudShell. In the tables below, supported actions are indicated in green while unsupported actions are red.
For more information about group roles and access levels, see Managing CloudShell Groups.
In the tables below, "View Only access" indicates the permissible actions for users who are members of a group that is defined as View Only in the domain. For more information, see Associating groups with a domain.
Blueprints
The following table shows which actions are available for each CloudShell user type in a blueprint.
The permissible actions in a blueprint for users other than the blueprint owner are determined by a combination of the user type, group's role (regular, domain, external), and the group's access level (whether the group is defined as View Only in the current domain).
For brevity, the "Edit" action indicates the user type can create, edit and delete the element.
* indicates that the action is available to the blueprint owner
** indicates that the option can be hidden from non-admin users with the BlockPackageExportForNonAdmins key
*** If the <add key="OnlyAllowNewEnvironmentsFromTemplates" value="true"/> key is defined on the server , users can only create blueprints from a template but not from scratch (empty blueprints). However, if there are no templates assigned to the domain, users of that domain cannot create new blueprints. For details, see The + Create Blueprint Link is Missing From the Blueprint Catalog.
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External | Extended external |
|---|---|---|---|---|---|---|
| View the list of blueprints | v | v | v | v | v | v |
| View the blueprint diagram | v | v | v | v | v | v |
| Create blueprints | v *** | v *** | v *** | v *** | x | x |
| Edit blueprints | v | v | x * | x * | x | x |
| Reserve blueprints | v | v | v | x | x | v |
| Export blueprint packages | v | v | v ** | v ** | x | x |
Sandboxes
The permissible actions in a sandbox are determined by a combination of the user type, group's role (regular, domain, external), and the group's access level (whether the group is defined as View Only in the current domain), and the current sandbox status.
Permissible actions according to user type
The following table shows which actions are available for each CloudShell user type in a sandbox (applies to sandbox consumers that are neither Owner nor Permitted User in the sandbox). Note that sandboxes of other users in the domain can be hidden from regular users using the ShowOtherUserInDomainReservations key.
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External user |
|---|---|---|---|---|---|
| View the list of sandboxes | v | v | v | v | x |
| View the sandbox diagram | v | v | x | x | x |
| Edit the sandbox (form) | v | v | x | x | x |
| Extend the sandbox | v | v | x | x | x |
| End the sandbox | v | v | x | x | x |
| Delete the sandbox | v | v | x | x | x |
| Terminate the sandbox | v | v | x | x | x |
| Execute commands | v | v | x | x | x |
| Interact with the sandbox during setup | v | v | x | x | x |
| Launch applications | v | v | x | x | x |
| Save sandbox as blueprint | v | v | x | x | x |
| Save the sandbox | v | v | x | x | x |
Permissible actions for Owner/Permitted User
The following table shows which actions are available for the sandbox's owner or permitted users (users that were added by the sandbox owner to the sandbox as Permitted Users).
| Sandbox actions | Owner | Permitted - regular | Permitted - view only | Permitted - external | Permitted - extended external |
|---|---|---|---|---|---|
| View the list of sandboxes | v | v | v | v | v |
| View the sandbox diagram | v | v | v | v | v |
| Edit the sandbox (form) | v | v | x | x | v |
| Extend the sandbox | v | v | x | x | v |
| End the sandbox | v | v | x | x | v |
| Delete the sandbox | v | x | x | x | x |
| Terminate the sandbox | v | x | x | x | x |
| Execute commands | v | v | x | v | v |
| Interact with the sandbox during setup | v | v | x | x | v |
| Launch applications | v | v | x | v | v |
| Save sandbox as blueprint | v | v | x | x | x |
| Save the sandbox | v | v | x | x | v |
Permissible actions according to sandbox status
The following table shows the available actions in a sandbox for each sandbox status.
| Action | Pending | Setup | Active | Teardown | Completed | Overtime | Saving |
|---|---|---|---|---|---|---|---|
| View the list of sandboxes | v | v | v | v | v | v | v |
| View the sandbox diagram | v | v | v | v | v | v | v |
| Edit the sandbox (form) | v | v | v | x | x | v | v |
| Extend the sandbox | v | v | v | x | x | v | v |
| End the sandbox | x | v | v | x | x | v | v |
| Delete the sandbox | v | x | x | x | v | x | x |
| Terminate the sandbox | x | x | x | v | x | v | x |
| Execute commands | x | x | v | x | x | v | x |
| Interact with the sandbox during setup | x | v | v | x | x | x | x |
| Launch applications | x | x | v | v | x | v | x |
| Save the sandbox | x | x | v | x | x | x | x |
Saved Sandboxes
The following table shows which actions are available for each CloudShell user type in a saved sandbox.
| Action | System admin | Domain admin | Regular user | View-only access | External user | Extended external user |
|---|---|---|---|---|---|---|
| Restore a saved sandbox | v | v | v | x | x | v |
| Delete a saved sandbox | v | v | v | x | x | v |
| View my saved sandboxes | v | v | v | x | x | v |
| View list of all saved sandboxes | v | v | x | x | x | x |
Job Scheduling dashboard
The following table shows which actions are available for each CloudShell user type in the Job Scheduling dashboard. Note that admins can allow regular users to edit and create suite templates using the AllowRegularUsersToEditSnQ key.
For brevity, the "Edit" action indicates the user type can create, edit and delete the element.
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External/extended user |
|---|---|---|---|---|---|
| Edit suite template | v | v | x | x | x |
| Customize suite template | v | v | v | x | x |
| View execution reports | v | v | v | x | x |
| Run suite template execution | v | v | v | x | x |
| Extend suite template execution | v | v | v | x | x |
| Stop suite template execution | v | v | v | x | x |
| AdHoc suite | v | v | v | x | x |
Inventory dashboard
The following table shows which actions are available for each CloudShell user type in the Inventory dashboard.
For brevity, the "Edit" action indicates the user type can create, edit and delete the element.
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External/extended user |
|---|---|---|---|---|---|
| View resources | v | v | v | v | x |
| Edit resources | v | v | x | x | x |
| Reserve resources | v | v | v | x | x |
| Search within resources | v | v | v | v | x |
| View abstract resource templates | v | v | v | v | x |
| Edit abstract resource templates | v | v | x | x | x |
| View services | v | v | v | v | x |
Insight dashboard
If Sisense is configured to work with SSO from CloudShell, the first time a CloudShell user (any user role) logs in to Insight, a user is created in Sisense with Viewer permissions (CloudShell user must have an email). For designer or admin privileges, customize the user’s role in Sisense or contact Quali Support.
For information about Sisense user permissions, see Sisense Documentation.
Manage dashboard
The following table shows which actions are available for each CloudShell user type in the Manage dashboard. This only applies to system administrators and domain administrators as other user types cannot access this dashboard. Note that system admins can allow domain admins to manage drivers using the HideDriversTabInManage key.
For brevity, the "Edit" action indicates the user type can both view and edit the element.
** indicates that the user type can only access the element in their own domain.
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External/extended user |
|---|---|---|---|---|---|
| Edit Apps | v | v ** | x | x | x |
| Edit Categories | v | x | x | x | x |
| Edit Shells (See Shells below) | v | x | x | x | x |
| View Licensing | v | x | x | x | x |
| Edit Domains | v | v ** | x | x | x |
| Edit Execution Servers | v | x | x | x | x |
| Edit JavaScript Extension | v | x | x | x | x |
| Edit Blueprint Templates | v | v | x | x | x |
| Edit Scripts | v | v ** | x | x | x |
| Edit Drivers | v | v ** | x | x | x |
Shells
The following tables show which Shell management actions are available for each CloudShell user type.
1st Gen Shells
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External/extended user |
|---|---|---|---|---|---|
| Import | v | v | v | v | x |
| Modify (Resource Manager Client) | v | v | x | x | x |
2nd Gen Shells
| Action | System Administrator user | Domain administrator user | Regular user | View-only access | External/extended user |
|---|---|---|---|---|---|
| Import | v | x | x | x | x |
| Add custom attributes | v | x | x | x | x |
| Upgrade | v | x | x | x | x |
| Download from CloudShell | v | x | x | x | x |
| Delete | v | x | x | x | x |