Roles and rights status
Role Name | Description of competencies | Rule | Who can set the role |
|---|---|---|---|
Common account | |||
VoAdmin The role can be assigned to a single user or a group of users. | It has full control over a virtual organization that is associated with the role.
VO administrators are able to set up roles associated with the Vo:
VO administrator is not allowed to
| Manually assigned to users for whom the PerunAdmin/VO admin wants to set rights to define rules for VO. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO |
VoObserver The role can be assigned to a single user or a group of users. | Can see everything that VO admin sees, but the observer is not able to perform any changes in the VO. | Manually assigned to users who are supposed to have read-only rights for VO. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO |
Sponsorship Automatic role | Role that is set for all members who are sponsored by the principal. | Automatically assigned to every sponsored member in any VO. | - |
Sponsor The role can be assigned to a single user or a group of users. | Users or groups of a VO can provide other users with VO membership even without them passing the VO registration. However, Sponsors are not allowed to delegate this role to other users or groups. | Manually assigned to users who are supposed to have right to sponsor members in his VO. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO |
FacilityAdmin The role can be assigned to a single user or a group of users. | Role has complete control over a facility that is associated with the role. For example, Facility administrators have a right
On the other hand, Facility administrators is not allowed to manage groups that are assigned to the resource (facility) and members of the group(s). | Manually assigned to users who are supposed to have right to full access to specific Facility. Automatically assigned to all members of group where this role has been set. This role is strictly connected to facilities created on the instance. Every new Facility has at least 1 admin and there should be the whole managed group of them. Each Facility has its own admins. | PerunAdmin FacilityAdmin (associated with the same facility) |
FacilityObserver The role can be assigned to a single user or a group of users. | The role has access to all information, to which has access Facility admin, but Facility observer is not able to perform any changes. | Manually assigned to users who are supposed to have read-only access to specific facilities. Automatically assigned to all members of group where this role has been set. Should be distributed by Facility Admins. Groups are greatly preferred.
| PerunAdmin FacilityAdmin (associated with the same facility) |
TrustedFacilityAdmin The role can be assigned to a single user or a group of users. | Only VO administrator is able to set this role, but only in his own VO. User with role Trusted facility admin has privileges to assign group(s) to resource(s) and remove group(s) from resource(s), but only if the user has the role Facility Admin for the specific facility at the same time. In this case Trusted facility admin also has rights to set roles Resource admin and Resource self service. The role can not operate with entities connected to users or members of the group(s). For example if any user want to add his groups to the service and Facility Admin has to do some preparations first (creating and setting a new Resource, etc.). Specific service account used for automatization. | Manually assigned to users who are supposed to have a trust in the combination of all their facilities and specific Vo. Automatically assigned to all members of group where this role has been set.
| PerunAdmin VoAdmin in the same VO |
ResourceAdmin The role can be assigned to a single user or a group of users. | The role can assign groups to and remove them from the resources with which this role is connected. The group and the resource have to be in the same VO in order to make an assignment or to remove it. The role is not allowed to assign resource to a service. Also it can not create new resource. | Manually assigned to users who are supposed to have full access to specific resource. Automaticaly assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin ResourceAdmin TrustedFacilityAdmin + FacilityAdmin (must have both roles at the same time and for specific facility and specific VO) |
ResourceObserver The role can be assigned to a single user or a group of users. | The role has access to all information, to which has access Resource admin, but Resource observer is not able to perform any changes. | Manually assigned to users who are supposed to have read-only access to specific resources. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO ResourceAdmin of the same Resource |
ResourceSelfservice The role can be assigned to a single user or a group of users. | The role has the same privileges as the Resource administrator role, but users with this role are able to manage group on resources only when they are Group administrators for that group. A user with Resource self-service role cannot delegate this role further. If the user/group should be able to assign and remove his/their own groups to the Resource, this role is useful. | Manually assigned to users who are supposed to have partial access to specific resources. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO ResourceAdmin of the same Resource |
GroupAdmin The role can be assigned to a single user or a group of users. | The role can create subgroups for the group which is associated with this role and add members to the group and its subgroups. Users with this role are also able to send group invitations to other VO members, and to create a registration sheet for group membership (Manager can copy Applications forms and Notifications only from groups where he/she is a manager.) The GroupAdmin can not set roles for members of the group or the whole group, but it can set other user as the group’s manager. The GroupAdmin can not operate with group’s resources. | Manually assigned to users who are supposed to have right to full access to specific Facility. Automatically assigned to all members of group where this role has been set. Each Group has its own admins. The role applies to all current and future sub-groups. | PerunAdmin VoAdmin in the same VO GroupAdmin of the same Group |
GroupObserver The role can be assigned to a single user or a group of users. | The role has access to all information, to which has access Group admin, but Group observer is not able to perform any changes. | Manually assigned to users who need read-only access to specific Groups. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO GroupAdmin of the same Group |
TopGroupCreator The role can be assigned to a single user or a group of users. | The role is able to create a new top-level group in a VO (a group which does not have a parent group). By creating a group, the user automatically becomes its manager. | Manually assigned to users who are supposed to have a right to create a new group in specific VO. Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO |
GroupMembershipManager The role can be assigned to a single user or a group of users. | The role manages activities related to members: it can approve or reject group applications, invite, add, extend or remove member from a group. The role can not manage items connected for example to resources, notifications, roles of the groups(s), or external resources. | Manually assigned to users who are supposed to have a more restrict role to operate only with memberships of specific Group (where GroupAdmin is just too strong role). Automatically assigned to all members of a group where this role has been set. | PerunAdmin VoAdmin in the same VO GroupAdmin of the same Group |
Membership Automatic role | The role represents principal's membership in a group, VO or association with facility. | Automatically assigned to every member of any Group. These rules are created dynamically and are not saved in the database. | - |
Self Automatic role | The role is a user’s primary role through which the user is able to read and to change only their personal information. It is assigned to all the authenticated users and cannot be removed. | Automatically assigned to every user in the Perun system. These rules are created dynamically and are not saved in the database. | - |
ServiceUser Automatic role | The role can be assigned to a certain process, service, or user. It is a sign of an account with a Self role being created by someone else. ServiceUser cannot access Perun GUI. | Automatically assigned to every service user in the Perun system. These rules are created dynamically and are not saved in the database. | PerunAdmin or VoAdmin can create a Service User. |
Super administrator account | |||
PerunAdmin | Performs all the actions possible in the Perun system | Manually assigned to specific list of users. | PerunAdmin |
PerunObserver | It has access to all the information, but it is not able to perform any changes. | Manually assigned to specific list of users. | PerunAdmin |
Support: perun@cesnet.cz