diff --git a/umn/source/service_overview/permission.rst b/umn/source/service_overview/permission.rst index a5e5604..a6607ea 100644 --- a/umn/source/service_overview/permission.rst +++ b/umn/source/service_overview/permission.rst 
@@ -100,94 +100,117 @@ The following table lists fine-grained actions and dependencies for RFS. .. table:: **Table 3** RFS fine-grained actions - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | System-defined Permission | Description | Dependencies | Scenario | - +========================================+===================================================================================================================+=========================================================================================+=================================================================================================================+ - | rf:privateTemplate:create | Grant permissions to create a template | None | Create a template | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:createVersion | Grant permissions to create a template version | None | Create a template version | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:delete | Grant permissions to delete a template | None | Delete a template | 
- +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:deleteVersion | Grant permissions to delete a template version | None | Delete a template version | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:list | Grant permissions to list templates | None | List templates | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:listVersions | Grant permissions to list template versions | - rf:privateTemplate:list | List template versions | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:showMetadata | Grant permissions to show template metadata | - rf:privateTemplate:list | Show template properties such as template name, ID and description | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:showVersionContent | Grant permissions to show template version content | - rf:privateTemplate:list | Show template version content | - | | | - rf:privateTemplate:listVersions | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:showVersionMetadata | Grant permissions to show template version metadata | - rf:privateTemplate:list | Show template version properties such as template version ID and description | - | | | - rf:privateTemplate:listVersions | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:privateTemplate:updateMetadata | Grant permissions to update template metadata | None | Update template properties such as template description | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:template:parseTemplateVariables | Grant permissions to parse template variables | None | Parse and return all variable blocks in the template | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:applyExecutionPlan | Grant permissions to apply execution plan | None | Deploy a stack via applying an execution plan | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:createExecutionPlan | Grant permissions to create execution plan | None | Create an execution plan | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:deleteExecutionPlan | Grant permissions to delete execution plan | None | Delete an execution plan | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getExecutionPlan | Grant permissions to get execution plan | - rf:stack:listExecutionPlans | Get an execution plan which provides a preview of stack changes such as operations to be performed on resources | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getExecutionPlanMetadata | Grant permissions to get execution plan metadata | - rf:stack:listExecutionPlans | Get execution plan properties such as execution plan name, ID and description | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listExecutionPlans | Grant permissions to list execution plans | None | List execution plans | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | 
rf:stack:createStack | Grant permissions to create stack | Required for creating stack from a private template | Create a stack | - | | | | | - | | | - rf:privateTemplate:list | | - | | | - rf:privateTemplate:listVersions | | - | | | - rf:privateTemplate:showVersionContent | | - | | | | | - | | | Required for configuring template variables | | - | | | | | - | | | - rf:template:parseTemplateVariables | | - | | | | | - | | | Required for template resource encryption | | - | | | | | - | | | - kms:cmk:list | | - | | | - kms:dek:create | | - | | | | | - | | | Required for configuring agency | | - | | | | | - | | | - iam:agencies:listAgencies | | - | | | | | - | | | Required for deploying stack directly | | - | | | | | - | | | - rf:stack:deployStack | | - | | | | | - | | | Required for creating an execution plan for change preview before actual stack creation | | - | | | | | - | | | - rf:stack:createExecutionPlan | | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:deleteStack | Grant permissions to delete stack | None | Delete a stack | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:deployStack | Grant permissions to deploy stack | None | Deploy stack directly | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:continueDeployStack | Grant permissions to continue to deploy stack | - rf:stack:deployStack | Retry failed stack deployment | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:continueRollbackStack | Grant permissions to continue to rollback stack. Currently this functionality is only available at the API level. 
| - rf:stack:deployStack | Retry failed stack rollback | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getStackMetadata | Grant permissions to get stack metadata | - rf:stack:listStacks | Get stack properties such as stack ID, name and description | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:getStackTemplate | Grant permissions to get stack template | - rf:stack:listStacks | Get stack template | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStackEvents | Grant permissions to list stack events | None | List stack events | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStackOutputs | Grant permissions to list stack outputs | None | List stack outputs | - 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStackResources | Grant permissions to list stack resources | None | List stack resources | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:listStacks | Grant permissions to list stacks | None | List stacks | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ - | rf:stack:updateStack | Grant permissions to update stack | None | Update stack properties such as description, auto-rollback and deletion protection | - +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | System-defined Permission | Description | Dependencies | Scenario | + +========================================+===================================================================================================================+=====================================================+=================================================================================================================+ + | rf:privateTemplate:create | Grant permissions to create a template | None | Create a template | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:createVersion | Grant permissions to create a template version | - rf:privateTemplate:list | Create a template version | + | | | - rf:privateTemplate:listVersions | | + | | | - rf:privateTemplate:showVersionContent | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:delete | Grant permissions to delete a template | - rf:privateTemplate:list | Delete a template | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:deleteVersion | Grant permissions to delete a template version | - rf:privateTemplate:list | Delete a template version | + | | | - rf:privateTemplate:listVersions | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:list | Grant permissions to list templates | None | List templates | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:listVersions | Grant permissions to list template versions | - rf:privateTemplate:list | List template versions | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:showMetadata | Grant permissions to show template metadata | - rf:privateTemplate:list | Show template properties such as template name, ID and description | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:showVersionContent | Grant permissions to show template version content | - rf:privateTemplate:list | Show template version content | + | | | - rf:privateTemplate:listVersions | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:showVersionMetadata | Grant permissions to show template version metadata | - rf:privateTemplate:list | Show template version properties such as template version ID and description | + | | | - rf:privateTemplate:listVersions | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:privateTemplate:updateMetadata | Grant permissions to update template metadata | - rf:privateTemplate:list | Update template properties such as template description | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:template:parseTemplateVariables | Grant 
permissions to parse template variables | None | Parse and return all variable blocks in the template | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:applyExecutionPlan | Grant permissions to apply execution plan | - rf:stack:listStacks | Deploy a stack via applying an execution plan | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:createExecutionPlan | Grant permissions to create execution plan | None | Create an execution plan | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:deleteExecutionPlan | Grant permissions to delete execution plan | - rf:stack:listStacks | Delete an execution plan | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | 
rf:stack:getExecutionPlan | Grant permissions to get execution plan | - rf:stack:listStacks | Get an execution plan which provides a preview of stack changes such as operations to be performed on resources | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getExecutionPlanMetadata | Grant permissions to get execution plan metadata | - rf:stack:listStacks | Get execution plan properties such as execution plan name, ID and description | + | | | - rf:stack:getStackMetadata | | + | | | - rf:stack:listExecutionPlans | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listExecutionPlans | Grant permissions to list execution plans | - rf:stack:listStacks | List execution plans | + | | | - rf:stack:getStackMetadata | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:createStack | Grant permissions to create stack | Required for creating stack from a private template | Create a stack | + | | | | | + | | | - rf:privateTemplate:list | | + | | | - rf:privateTemplate:listVersions | | + | | | - rf:privateTemplate:showVersionContent | 
| + | | | | | + | | | Required for configuring template variables | | + | | | | | + | | | - rf:template:parseTemplateVariables | | + | | | | | + | | | Required for template resource encryption | | + | | | | | + | | | - kms:cmk:list | | + | | | - kms:dek:create | | + | | | | | + | | | Required for configuring agency | | + | | | | | + | | | - iam:agencies:listAgencies | | + | | | | | + | | | Required for stack creation using direct deployment | | + | | | | | + | | | - rf:stack:deployStack | | + | | | | | + | | | Required for stack creation using execution plan | | + | | | | | + | | | - rf:stack:createExecutionPlan | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:deleteStack | Grant permissions to delete stack | - rf:stack:listStacks | Delete a stack | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:deployStack | Grant permissions to deploy stack | None | Deploy stack directly | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:continueDeployStack | Grant permissions to continue to deploy stack | - rf:stack:listStacks | Retry failed stack deployment | + | | | - rf:stack:deployStack | | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:continueRollbackStack | Grant permissions to continue to rollback stack. Currently this functionality is only available at the API level. | - rf:stack:listStacks | Retry failed stack rollback | + | | | - rf:stack:deployStack | | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getStackMetadata | Grant permissions to get stack metadata | - rf:stack:listStacks | Get stack properties such as stack ID, name and description | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:getStackTemplate | Grant permissions to get stack template | - rf:stack:listStacks | Get stack template | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStackEvents | Grant permissions to list stack events | None | List stack events | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStackOutputs | Grant permissions to list stack outputs | None | List stack outputs | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStackResources | Grant permissions to list stack resources | None | List stack resources | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:listStacks | Grant permissions to list stacks | None | List stacks | + +----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + | rf:stack:updateStack | Grant permissions to update stack | - rf:stack:listStacks | Update stack properties such as description, auto-rollback and deletion protection | + 
+----------------------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+ + +.. note:: + + - If an agency is configured for the stack, make sure that all necessary permissions are configured for the agency, which are required for stack deployment. + - If there is no configured agency for the stack, make sure that all necessary permissions are assigned to the user, which are required for stack deployment. + - These permissions can be: + + - Different cloud service specific permissions depending on the resources and the operations described in the terraform template. + - If the resource encryption is enabled in the terraform template, the **kms:dek:crypto** permission must be assigned to the user. Related Documents -----------------
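Review bot: The new ``.. note::`` block contradicts its own first two bullets: they say the deployment permissions belong to the agency when one is configured and to the user otherwise, but the encryption sub-bullet says only that **kms:dek:crypto** "must be assigned to the user"; reword it to "must be granted to the user or to the agency, whichever performs the deployment". The same sub-bullet introduces **kms:dek:crypto** while the rf:stack:createStack row under "Required for template resource encryption" still lists only kms:cmk:list and kms:dek:create, so a reader cannot tell which KMS actions are checked against the caller and which against the deploying identity; either add kms:dek:crypto to that row or state in the note that the table lists caller-side actions and the note lists deployment-time ones. Also worth confirming the intent of the widened dependency sets: rf:stack:continueRollbackStack is described as available only at the API level yet now gains the rf:stack:listStacks dependency like the console-driven actions, so the column should say whether dependencies are console prerequisites or API-level authorization checks. Minor: capitalize "Terraform" in both sub-bullets, and the first two bullets read more cleanly as "make sure the agency has all permissions required for stack deployment" and "make sure the user has all permissions required for stack deployment".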