Permissions

Permissions can be assigned to groups individually. This applies both to general permissions for accessing your products and projects in the NWS Customer Interface and to product‑specific permissions, such as access to APIs, e.g. the OpenStack API.

General Permissions

The following permissions can be assigned to groups for accessing your projects in the NWS Customer Interface:

  • Access: Allows the product to be displayed in the NWS Customer Interface.
  • Manage: Allows changing product settings, resources, and other options. For example, an app can be restarted, a virtual machine can be created or deleted, and a Kubernetes cluster can be upgraded.
  • Destroy: Allows deleting the product and terminating the contract.
  • Billing: Allows viewing and downloading issued invoices.

OpenStack

Groups can be assigned the following OpenStack roles, which grant them use of the OpenStack APIs as well as the OpenStack web interface.

  • Member: Allows creating, modifying, and deleting resources.
  • Reader: Allows listing and viewing resources.

Info

The Reader role is not yet available!

If a group’s access to an OpenStack project is revoked, members of that group retain access for up to 8 hours within their active session.

Kubernetes

Groups can be assigned the following Kubernetes roles, which grant them use of the Kubernetes API. These rights apply to all clusters in the Kubernetes project.

  • Admin: Allows creating, modifying, and deleting resources.
  • Reader: Allows listing and viewing all resources.
  • Custom: The group is made available in the Kubernetes cluster and can be used for custom Role Bindings.

Viewing existing roles

With kubectl get clusterrole <name> -o yaml you can display details of existing cluster roles, e.g. cluster-admin or view.
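
A custom Role Binding for a group that was assigned the Custom role could look like the following. This is an added example, not taken from the NWS documentation: it grants read access plus deployment restarts in a single namespace instead of a cluster-wide role. The namespace, the role and binding names, and the group name are placeholders, and it is an assumption that the group name to use is the one listed by kubectl auth whoami.

```yaml
# Added example: namespaced least-privilege Role and RoleBinding for a group
# with the "Custom" role. All names are placeholders, not NWS values.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deploy-operator            # hypothetical role name
  namespace: team-a                # hypothetical namespace
rules:
  # Read-only access to common workload objects. Secrets are deliberately
  # not listed, so the group cannot read them.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  # "patch" on deployments is what "kubectl rollout restart" needs;
  # create and delete are not granted.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-operator-binding    # hypothetical binding name
  namespace: team-a
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "<group-name-as-shown-in-cluster>"   # placeholder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deploy-operator
# A RoleBinding only applies inside its own namespace. A ClusterRoleBinding
# to cluster-admin would instead grant every verb on every resource in the
# whole cluster.
# To check the result, a member of the group can run:
#   kubectl auth can-i --list --namespace team-a
```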

Viewing your own permissions

With kubectl auth can-i --list you can display the permissions in the active user context for a cluster.

Viewing user information

With kubectl auth whoami you can display information about the current user context for a cluster.