Authorization

Dune uses a role-based system to determine whether a user has sufficient rights to perform an action.

Figure: Dune Authorization Concept

Global Roles

A user can have one or more global roles. A global role gives certain rights across the whole tenant.

Currently there are two global roles:

TenantAdmin

TenantAdmin is the highest role available within a Tenant. It gives access to almost all functions. Only a few users should have this role.

TenantReader

TenantReader is the default role that a new user normally gets when first signing in to the tenant. The role gives read access to most parts of the Dune tenant.

Note

If a user is assigned a new global role while already having a Dune session open, the user needs to sign in again.

Roles and Privileges

There are also (local) roles which can be given on a certain element and are inherited through the structure (see Structure). For example: an Owner role for a certain collection can be given to a user. The user with this role is then also Owner on all Deployments and Resources which are within this collection.

A role is a bundle of privileges. There are predefined roles like Owner and Operator but the Role & Privilege system is flexible enough to allow new roles to be built when needed.

Predefined roles:

Operator

Privileges: ["Read","Operate"]

Configure on: Collection, Deployment, ResourceGroup or Resource level

Gives: read and operate access (e.g. Start/Stop, Enable/Disable Alerting)

Owner

Privileges: ["Read","Deploy","CreateChild","Edit","Operate","Delete","EditPermissions","EditTags"]

Configure on: Collection, Deployment, ResourceGroup or Resource level

Gives: read, operate, edit and create access (in addition to what the Operator can do, the Owner can edit, create and delete)
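
The inheritance rule described under Roles and Privileges can be modeled as follows. This is an added example, not Dune's own code: the role names and privilege lists are taken from this page, while the element names, users, parent map, function names and the rule that privileges from several assignments along the path are combined are assumptions made for illustration.

```python
# Added illustration, not Dune's implementation. Role names and privilege
# lists are copied from the page; everything else is a constructed assumption.
ROLES = {
    "Operator": {"Read", "Operate"},
    "Owner": {"Read", "Deploy", "CreateChild", "Edit", "Operate",
              "Delete", "EditPermissions", "EditTags"},
}

# Constructed sample structure: element -> parent (None marks the root).
PARENT = {
    "collection/shop": None,
    "deployment/shop-prod": "collection/shop",
    "resourcegroup/web": "deployment/shop-prod",
    "resource/web-vm-1": "resourcegroup/web",
    "deployment/shop-test": "collection/shop",
}

# Constructed sample assignments: (user, element, role).
ASSIGNMENTS = [
    ("alice", "collection/shop", "Owner"),
    ("bob", "deployment/shop-prod", "Operator"),
]


def ancestors_and_self(element):
    """Yield the element and every ancestor up to the root."""
    seen = set()
    while element is not None:
        if element in seen or element not in PARENT:
            raise ValueError(f"broken structure at {element!r}")
        seen.add(element)
        yield element
        element = PARENT[element]


def effective_privileges(user, element):
    """Union of privileges from roles assigned on the element or above it."""
    path = set(ancestors_and_self(element))
    privileges = set()
    for who, where, role in ASSIGNMENTS:
        if who == user and where in path:
            privileges |= ROLES[role]
    return privileges


def is_allowed(user, privilege, element):
    """Deny by default: allow only if an inherited role grants the privilege."""
    return privilege in effective_privileges(user, element)
```

In this model an assignment only flows downward: bob's Operator role on one deployment grants nothing on the parent collection or on a sibling deployment, which is the property to check when reviewing where an Owner role has been placed.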