
RightScale Account and User Role Management

 

The terms 'accounts', 'user', and 'roles' are used throughout the documentation and can cause some confusion. This page contains detailed descriptions of these terms and provides details about their appropriate usage/application.

Accounts

Each user will likely have two types of accounts.

  • RightScale Account - Create a RightScale Account to log in to the RightScale Dashboard.  Registration requires an email and password.   To view information about your RightScale Account in the Dashboard, go to Settings > Account.  Click the Plan tab to view information about the type of RightScale Plan that is associated with a RightScale Account (Standard, Enterprise, etc.) 
    Note: Unless otherwise specified, the word 'account' in the documentation refers to your RightScale Account.
  • Cloud Account - Before you can use the RightScale Dashboard to manage your server instances in the Cloud, you must first create an account with your cloud provider.  You need to enter valid cloud credentials into the Dashboard in order to launch and manage resources in your cloud through the RightScale Dashboard or API.   For example, in order to launch EC2 instances, you must have valid AWS Credentials.  Each RightScale account can only use a single set of cloud credentials per cloud infrastructure.   For example, if you're managing two sets of AWS credentials, you need to create two RightScale accounts to manage both cloud infrastructure accounts. 

 

In the following diagram, there are three separate users.  John set up the 'Site1.com' RightScale account and invited Ben (who has his own RightScale account) to be a user of the 'Site1.com' RightScale account.  Ben set up his own RightScale account, which he's enabled to manage resources across multiple cloud providers.  Greg is new to RightScale and has never set up his own RightScale account; however, Ben invited him to be a user of his 'Site2.com' RightScale account.

diag-AccountScenarios-v1.png

 

Keep in mind that a RightScale Account is separate from a Cloud Account.  You can register multiple cloud accounts with a single RightScale account.  However, you will be responsible for paying for all cloud and cloud-related usage costs.  If you are a paying customer of RightScale, your cloud usage costs are separate charges from your RightScale Edition subscription fee.

diag-BillingModel-v1.png

User

RightScale users are identified by their email address.  Each user can have access to multiple RightScale Accounts.  Create your own RightScale Account or accept invitations to be a user of other RightScale Accounts.  To view information about your User settings across all of the RightScale accounts to which you have access in the Dashboard, go to Settings > User.  For an exhaustive list of each role and its associated permissions, see User Role Privileges.

In the diagram below, John Doe is identified as 'john@mysite.com' in the RightScale platform.  He currently has access to three RightScale Accounts and has different user role privileges in each of those accounts.

diag-UserRoles-v2.png
 

Each user is identified and distinguished from other users by his/her email.  In the RightScale system, your email address is used as your username or unique identifier.  Email addresses are used in audit entries, changelogs, and histories to identify which user performed a particular action within a RightScale Account.  Therefore, it's important that login credentials (email/password) are never shared or used by multiple users; otherwise, it will be impossible to track user actions within the Dashboard and determine who is responsible for them.

Managing your RightScale Account

If you are an 'admin' user of a RightScale account, you can use the various user roles to control each invited user's level of access and functionality.  Only 'admin' users can send account invitations.  If you are an 'admin' user, you must specify a user's roles before sending an account invitation.  Later, you can change a user's roles under Settings > Account Settings > Users.

Note: Only an 'admin' user can revoke another user's 'admin' privileges.

It's important that you never share the email/password that you use to log into the RightScale Dashboard.  For example, if an account (e.g. 'Site1.com') has multiple users, each user should create their own RightScale account.   Later, the 'admin' user of the 'Site1.com' account can invite additional users to that account.  This is the only way that you can have user accountability within an account.   If you share the same email/password with multiple users, there is no way to determine who launched or terminated a server.  It's important that each action can be attributed to a single user.

 

diag-UserRoles2-v2.png

(User) Roles

To view your own user role privileges across all of your accounts, go to Settings > UserInfo.  Remember, user roles are account-specific.

For a complete matrix of what you can/cannot do inside the Dashboard based on your user role privileges, see User Role Privileges.

admin

Administrative control of the RightScale Account.  An account can have multiple users with 'admin' privileges.  Only 'admins' can send and receive account invitations.   Only an 'admin' can add/change public/private cloud infrastructures and credentials, modify user permissions, and accept account group invitations on behalf of a RightScale account.  The RightScale account owner (the person who created the account) cannot have admin privileges revoked by another 'admin' user; the account owner will always have 'admin' user role privileges in the account he/she created.  However, only an 'admin' user can revoke another user's 'admin' privileges.  Ability to view and generate Infrastructure Audit Reports.  View Customer Usage Reports (if the RightScale account is enabled for this feature). 

actor

Ability to manage all cloud related activity. You need 'actor' privileges in order to act on resources and services at the cloud infrastructure level such as launch/terminate servers, create volumes and snapshots, and run scripts on running servers. You will also need this permission to create and manage deployments and server arrays. Note: The ability to create security groups and related firewall rules requires the 'security_manager' user role.

observer

Ability to view the RightScale account. If users do not have at least 'observer' role privileges, they will not be able to log into the Dashboard and view the account.

designer

Ability to create RightScale-specific components such as ServerTemplates, RightScripts, MultiCloud Images, Repositories, Credentials, and Alert Escalations. You will need this permission to essentially perform actions underneath the Design menu of the Dashboard. With this permission you can also browse the MultiCloud Marketplace (MCM) (from within the RightScale Dashboard) for ServerTemplates and RightScripts, but you will need the 'library' user role in order to import an object from the MCM. Note: You can also view publicly-viewable assets in the MCM using http://www.rightscale.com/library.

library

Ability to import objects from the MultiCloud Marketplace into a RightScale account. The ability to view the MultiCloud Marketplace (while logged into the RightScale dashboard) requires the 'designer' role.

security_manager

Ability to manage network and firewall permissions that are used by instances in the cloud. You will need this permission in order to create security groups and define individual firewall rules within those security groups. You will also need this permission in order to create Virtual Private Clouds (VPCs) and subnets. Only trusted users should be granted this permission. You will also be able to view and generate Infrastructure Audit Reports.

server_login

Ability to log into running servers. For Linux servers you can SSH into the instance as yourself. (You are identified by the email address that you use to log into the RightScale Dashboard.) For Windows servers you can create a Remote Desktop Connection using RDP. Your managed SSH Key is used for authentication purposes. In order to establish a remote connection you must also make sure that the running instance has the appropriate firewall permissions to allow SSH (TCP port 22) and RDP (TCP port 3389) connections. See What is Server Login Control?

server_superuser

Ability to log into running servers as the 'root' user. (Applies to Linux-based (not Windows) servers only.) Similar to the 'security_manager' role, only trusted users should be granted this permission. Note: You will still need 'server_login' privileges in order to start an SSH/RDP session. See What is the difference between server_login and server_superuser permissions?

publisher

Ability to create sharing groups and share RightScale objects (ServerTemplates, RightScripts, and Macros) with other users.  If you have a RightScale partner account, you can publish RightScale objects so that they appear in the MultiCloud Marketplace.

enterprise_manager

(Enterprise only) Manages all accounts within the enterprise.  Send account invitations and grant user role privileges across all accounts in the enterprise.  The master enterprise account must have at least one 'enterprise_manager' user.  An 'enterprise_manager' can also grant the same privileges to another user.  'Enterprise_manager' gives the ability to define specific cost quotas for each child account within the Enterprise and receive email alert notifications when one of the child RightScale accounts approaches or exceeds the defined quota.  See Enterprise.
 

Note: To enable the 'enterprise_manager' role, someone who is already an 'enterprise_manager' needs to enable the role. This is done by going to Settings > Enterprise > User in the Enterprise master account.

billing

By default, each RightScale account is configured so that any user (with 'observer' user role privileges) can view billing-related information such as estimated cloud usage costs. For example, users will be able to see the cloud Usage Estimate Report (Reports > Usage Estimate), deployment budget estimates in the Deployment Budget Estimate widget, as well as more detailed billing information in the RightScale Cloud Analytics site. This type of information is especially useful for users who are actively launching and managing servers for a deployment, so they can keep track of their estimated infrastructure costs and stay within the allotted budget. However, if billing-related information should only be viewable by select users, such as Project Managers and not Software Engineers, enable the Admin-only Billing preference for the account, which will only allow users with 'admin' or 'billing' user role privileges to view billing-related information. Note: Only users with 'admin' user role privileges can change the billing setting for the account.
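
Added example (not part of the original RightScale documentation): a small access-review script that applies the role rules described above to a listing of per-account grants. The listing format, the sample users other than 'john@mysite.com', and the function names are constructed for illustration and are not a RightScale export or API.

```python
# Role rules below come from the role descriptions on this page.
# The page marks 'security_manager' and 'server_superuser' as trusted-only;
# adding 'admin' and 'enterprise_manager' to the review set is an assumption.
HIGH_PRIVILEGE = {"admin", "security_manager", "server_superuser", "enterprise_manager"}

# Constructed sample: (account, user email) -> roles granted in that account.
GRANTS = {
    ("Site1.com", "john@mysite.com"): {"admin", "observer", "actor"},
    ("Site1.com", "ben@example.com"): {"observer", "server_superuser"},
    ("Site2.com", "ben@example.com"): {"observer", "designer", "billing"},
    ("Site2.com", "greg@example.com"): {"actor", "library"},
}

def review_grants(grants):
    """Return sorted (account, user, finding) tuples for an access review."""
    findings = []
    for (account, user), roles in grants.items():
        if "observer" not in roles:
            findings.append((account, user,
                             "no 'observer': cannot log in and view the account"))
        if "server_superuser" in roles and "server_login" not in roles:
            findings.append((account, user,
                             "'server_superuser' without 'server_login': cannot start a session"))
        if "library" in roles and "designer" not in roles:
            findings.append((account, user,
                             "'library' without 'designer': cannot browse the MCM in the Dashboard"))
        for role in sorted(roles & HIGH_PRIVILEGE):
            findings.append((account, user,
                             f"high-privilege role '{role}': confirm it is still needed"))
    return sorted(findings)

def can_view_billing(roles, admin_only_billing=False):
    """Billing visibility as described in the 'billing' role section."""
    if admin_only_billing:
        # Admin-only Billing preference: only 'admin' or 'billing' may view.
        return bool(roles & {"admin", "billing"})
    # Default: any user with 'observer' can view billing information.
    return "observer" in roles

if __name__ == "__main__":
    for account, user, finding in review_grants(GRANTS):
        print(f"{account:10} {user:18} {finding}")
```

Roles are account-specific, so the same user (here the constructed 'ben@example.com') is reviewed separately in each account.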

(Server) Roles

Sometimes the word 'role' refers to a server's role or configuration.  For example, when you launch an instance on a cloud infrastructure like Amazon EC2 you are provisioning a "blank" piece of hardware that you can configure to fulfill a specific type of server role.  Additionally, you can use different  ServerTemplates to configure instances to fulfill certain roles such as dedicated load balancers, application servers, database servers, etc.    

diag-ServerRoles-v1.png

 

Last modified
11:46, 31 Oct 2014


© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.