Identity Access Management (IAM) is the user management and permissions structure for the Console. IAM provides granular role-based access and flexibility in setting up access to your iland Secure Cloud environments, and it makes it easy to see and manage all Console users within your company. In your iland Secure Cloud environment, it is very important to keep in mind how you want to set up console access, not just from a security and compliance perspective, but also to control users' ability to make changes that could potentially cause problems across the entire environment. In older cloud environments, administrators were very limited by the lack of a granular permissions structure: it was essentially all or nothing, or a handful of pre-defined generic roles. With iland's Console Identity Access Management (IAM), you have permissions controls that are completely customizable, ensuring that your users are only able to interact with your environment in the way that you choose, down to a very granular level.
The iland Secure Cloud Console is the primary cloud management interface for your iland cloud services, including IaaS, DRaaS with Zerto, Cloud Backup, and Object Storage. As more products and services are added to your iland Console, access management is controlled from the highest level down. This company-centric view enables much more to be exposed via the Console as we build the platform going forward. Previously, user management was isolated within individual products in the Console. Now customers can see all of their company users in a single place, allowing for more global user and access management.
To access IAM User and Role Management you must have Company Admin rights, or similar access at the Company level via a custom role. From the top menu in the Console that shows your company name, open the drop-down menu and select "User Management." This will take you to the IAM screen.
This screen contains both the User Management and Role Management widgets.
User Management allows you to:
Role Management allows you to:
Entity: A generic term that is used to refer to any of the following conceptually distinguishable elements within a customer's environment: Company, Datacenter, Cloud Tenant, Org, vDC, vApp, VM, Internal Network, vApp Network, Edge Gateway, Catalog, Media, vApp Template, VPG.
The conceptual tiers of a customer’s iland Cloud environment, with levels and relationships depicted by the following diagram:
The most granular authorization directive. A permission is always tied to one specific type of entity and always dictates access to actions or properties of the entity exclusive of any other permissions.
A composable authorization directive that is associated with an entity and that consists of a set of entity permissions, either express or implied, depending on the Policy Type.
Four types of policies have been defined in order to permit maximum flexibility and ease of use.
A composable authorization directive that is associated with a company and that consists of a set of entity policies for all entities within the company’s entity hierarchy.
There are a few roles that have been preconfigured with policies to choose from and assign to console users. These roles cannot be modified. For custom role options see below.
| Role | Description |
| --- | --- |
| Company Administrator | A user with full access to all data and features available to your company within the iland Cloud environment. This role allows for full administration of everything from the company level down. You can perform any and all administrative functions, are able to view and change all company settings and user management, and can access all areas of the Console including all subscribed products. |
| Read-Only Company User | A user with full access to all data available to your company within the iland Cloud environment, but with no ability to make any modifications. |
| Secure Cloud Administrator* | A user with full access to all data and features within the iland Secure Cloud IaaS product. |
| Cloud Backup Administrator* | A user with full access to all data and features within the iland Cloud Backup product. |
| Object Storage Administrator* | A user with full access to all data and features within the iland Object Storage product. |
*Note: These roles are only available in IAM if you are currently subscribed to the corresponding products.
Extremely powerful and flexible custom roles can now be built using the new IAM role management feature. This allows any iland customer to get as granular as needed to match internal security policies and business workflows.
Creating a Role
1. Click the "Add new role" option in the role management action menu.
2. Provide a name and description for this new role.
3. From the entity view, review and decide which areas of your iland Cloud Console you will include as part of this role.
4. Click on the entity you want to use to construct a policy for your new role, and click "Create Policy".
5. Select Admin, Read only, or Custom.
6. In the case where a custom policy is used, select which permissions should be allowed by selecting the checkboxes.
7. Repeat steps 4 to 6 for all of the entities you need to construct policies for in this new role.
8. Once all of your policies have been added, click submit to save the new role.
9. Your role is now ready to assign to users.
10. Make sure to test your new custom role by using the "Test role" option in the role management widget.
For more information and details on each permission and any related implications see the article here: IAM Permissions Implications
Creating a User
From the user management action menu, select "Create User". A window will open asking for the first and last name of the user you wish to create, as well as an email address, a password, and a confirmation of that password. Please keep the following in mind when creating a user:
The minimum password length is 8 characters, and passwords must contain characters from 3 of the following 4 categories:
Assigning a Role
In IAM a user must have permissions assigned via a role before they can access any product or service area within the Console. Without an assigned role, users will only have limited access to their own user profile information within the Console when they log in.
Click the "Assign Role" option in the line-level menu for the user you would like to update.
Select which role the user should have. If no existing built-in or custom role is applicable for this user's access, create a new role first and then come back to assign it to this user.
Un-assigning a Role
This option simply unassigns the role from the user, and removes access to any company and product areas of the console for that user.
Deleting a User
This option removes the user from the system permanently. As mentioned above, in order to edit a user to change their name, username, or email, you will have to delete them and recreate their user with the correct information.
Here are a few things to keep in mind as you get familiar with IAM within the iland Console:
The iland Console is a custom management tool that allows for configuration of the underlying VMware vCloud Director (VCD) infrastructure that powers our environments. Since our custom Console allows for more control and more configuration, we are able to create several user roles that are not available in the VMware interface. If you create a user within the iland Console, that user will not immediately be granted access to the underlying VCD infrastructure. If, for some reason, you want a user to access the legacy VCD interface, a user with VCD Admin rights will need to add them manually from within VCD. You will need to assign them a role from within VCD, and you will not be able to give them the same named role permissions as in the iland Console, as there are only three levels of permissions in the legacy VCD interface. If you are using our custom roles, you may want to consider adding them as a local user, so as not to interfere with the permissions granted in the iland Console. In VCD you can import the user from LDAP so their login credentials remain the same between both interfaces. To read more about creating or importing users in VCD, please refer to the VMware Documentation Center.
Here are a few of the more common issues experienced when managing users in the iland Console.
If you are still having issues with User or Role Management through IAM, please contact our support team using chat in the Console, by opening a ticket from the support page in the Console, or at https://www.iland.com/support/