Users and projects
General information
Navigate to IAM to create projects, register the users who will work in them, assign users roles in projects, and configure project grants and notifications.
User actions in the IAM section are logged by the Activity Log service.
Attention
For security reasons, we strongly recommend using the administrator account only for work in the IAM section. For working with other cloud services, we recommend using only additional accounts created without administrator grants.
Users
In the Users subsection, you can create new users and manage existing ones.
Note
A system user is created along with the account to perform service functions.
Create user
To give a user access to NGN Cloud resources, go to the main menu, select the Users subsection and click Create. In the dialog window, fill in all the fields.
ID. User ID has the following format: <username>@<customer>, where customer is the company name specified at registration in the cloud. User ID may only contain Roman letters, digits, and the characters ".", "_" and "-".
Name. Both Roman and Cyrillic letters, as well as various characters, may be used.
Email. It is strongly recommended to always specify the user's email, since notifications of updates, events, maintenance work, backup errors and other failures are sent to this address.
The Require two-factor authentication (2FA) checkbox. When creating a user, you can require them to use two-factor authentication. In this case, when the user logs in to the cloud for the first time, a requirement to enable 2FA and the relevant instructions are displayed.
Password. You can automatically generate a password or set your own. When setting a password, take the password strength requirements into account.
Change user profile
Go to the user page by clicking on the user ID in the user table. In the Information tab that opens, you can perform the following operations on the user:
Change personal data.
Disable or delete.
Change password.
Enable or disable the two-factor authentication enforcement.
Disable two-factor authentication if it was enabled by user.
Change the list of notifications to which the user is subscribed.
Configure user privileges
In the Admin grants tab, you can give the user administrative privileges to the Billing and Users services. To do this, click Add. To restrict the user's administrative privileges for a specific service, click Remove.
We recommend granting administrative privileges with care. Users with administrative privileges for the billing service can view tariff information, generate charge reports, and configure related notifications. Administrative privileges for the user service enable management of all company users and projects.
Add user to a project
On the Projects tab of the user page, you can add the user to a project and assign them roles. Click Add and select Project and Roles in project. Once a user is added to a project, they are granted a set of role-based privileges.
After assigning a project, you can specify the actions that will be available to the user in the project. To do this, select a project and click Set up.
On the user privilege configuration page, you can expand or restrict the user's access to services (infrastructure, monitoring, object storage, remote console (via web), Activity Log, Kubernetes clusters, PaaS or Auto Scaling). To do this, click Add and select Service and Action. To restrict the user's privileges, select the service(s) and click Remove.
Important
Activity Log grants allow users to control events in all projects of the company, regardless of the project for which the grants were given.
If you want to restrict the user’s access in all projects, you can just delete this user from NGN Cloud.
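The recommendations in this section (a dedicated administrator account, enforced 2FA, a notification email, and the company-wide reach of Activity Log grants) can be checked mechanically over a list of users. The following is an added example, not NGN Cloud code; the record layout and sample values are constructed and do not represent an NGN Cloud export format or API.

```python
# Added example: audit user records against this page's IAM recommendations.
# The record layout and all sample values are constructed for illustration.

ACTIVITY_LOG_ROLE = "CloudTrail administrator"  # role template named on this page


def audit_user(user):
    """Return a list of findings for one user record."""
    findings = []
    is_admin = bool(user["admin_grants"])  # e.g. ["Billing", "Users"]
    if is_admin and user["projects"]:
        # Page advice: use the administrator account for IAM work only.
        findings.append("administrator account also holds project roles")
    if not user["require_2fa"]:
        findings.append("administrator without enforced 2FA" if is_admin
                        else "2FA not enforced")
    if not user["email"]:
        findings.append("no email set for notifications")
    for project, roles in user["projects"].items():
        if ACTIVITY_LOG_ROLE in roles:
            # Activity Log grants apply to every project of the company.
            findings.append(f"Activity Log access via {project} is company-wide")
    return findings


def audit(users):
    """Map user ID -> findings, omitting users with nothing to report."""
    report = {u["id"]: audit_user(u) for u in users}
    return {uid: found for uid, found in report.items() if found}


# Constructed sample records (IDs follow the <username>@<customer> format).
SAMPLE_USERS = [
    {"id": "admin@example-co", "admin_grants": ["Billing", "Users"],
     "require_2fa": False, "email": "admin@example.com",
     "projects": {"prod": ["Cloud administrator"]}},
    {"id": "ops@example-co", "admin_grants": [], "require_2fa": True,
     "email": "", "projects": {"dev": ["CloudTrail administrator"]}},
    {"id": "dev@example-co", "admin_grants": [], "require_2fa": True,
     "email": "dev@example.com", "projects": {"dev": ["VM administrator"]}},
]

if __name__ == "__main__":
    for uid, found in audit(SAMPLE_USERS).items():
        print(uid, "->", "; ".join(found))
```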
Projects
You can create projects and manage users in this subsection.
To add a new project, navigate to the Projects subsection and click Create. Specify the project ID and name. The project ID is used when working with the NGN Cloud API. Project ID restrictions are the same as for User ID.
Note
When creating a project, the system user is granted necessary project privileges to perform service functions.
To give a new user access to the project, follow the project ID link and, in the Users tab, click Add. In the dialog window, select a user from the list and specify their role(s) in the project. To remove a user from the project, select the user in the table and click Remove.
Roles
A role is a set of privileges, that is, actions the user is permitted to perform on project resources. For example, the user may launch and stop instances but may not delete them.
You can change the set of privileges for a role template, but these changes will affect only new role assignments to users. The set of privileges for users who were previously assigned this role template will not change.
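Because privileges are fixed at assignment time, removing an action from a role template does not revoke it from users who already hold the role. The following added example (not NGN Cloud code) models that behaviour and reports assignments that have drifted from the current template; the class names, action names and user IDs are constructed for illustration.

```python
# Added example: model of role-template snapshot semantics and a drift check.
# Class names, action names and user IDs are constructed; this is not the
# NGN Cloud API.


class RoleTemplate:
    def __init__(self, name, actions):
        self.name = name
        self.actions = set(actions)


class Assignment:
    """A user's role in a project; privileges are copied at assignment time."""

    def __init__(self, user_id, project, template):
        self.user_id = user_id
        self.project = project
        self.template = template
        self.actions = frozenset(template.actions)  # snapshot, not a reference


def drift(assignments):
    """Return (user, project, stale, missing) for every assignment whose
    privileges differ from the current state of its template."""
    out = []
    for a in assignments:
        stale = a.actions - a.template.actions    # removed from template, still held
        missing = a.template.actions - a.actions  # added to template afterwards
        if stale or missing:
            out.append((a.user_id, a.project, sorted(stale), sorted(missing)))
    return out


def demo():
    operator = RoleTemplate(
        "instance-operator",
        ["RunInstances", "StopInstances", "TerminateInstances"])
    early = Assignment("alice@example-co", "prod", operator)
    # Tighten the template: operators may launch and stop but not delete.
    operator.actions.discard("TerminateInstances")
    late = Assignment("bob@example-co", "prod", operator)
    return drift([early, late])


if __name__ == "__main__":
    for row in demo():
        print(row)
```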
The following role templates are defined by default in NGN Cloud:
Role template | Description
---|---
Auto Scaling administrator | Full set of grants to work with group of instances and to manage scaling policies
Cloud administrator | The full set of privileges for all project resources, except for Activity log service
CloudTrail administrator (Activity log administrator) | Full set of grants to operate with Activity log service
DNSaaS administrator (administrator for the Route53 service) | Full set of privileges to work with DNS zones
ELB administrator (administrator for load balancers) | Full set of grants to operate with load balancers
Kubernetes EBS Provider User | The required set of privileges for the EBS provider user and for working with Kubernetes clusters
Kubernetes Administrator (admin for the Kubernetes cluster service) | Full set of grants to operate with Kubernetes clusters
PaaS administrator (admin for the PaaS service) | Full set of grants to work with database clusters
PaaS backup user (special user) | The required set of privileges for writing database backups to the object storage
Storage administrator | Full set of grants to operate with cloud object storage
VM administrator | Full set of grants to operate with instances
Important
CloudTrail administrator role allows users to control events in all projects of the company, regardless of which project they have been added to.
Important
Kubernetes Administrator has the full set of rights to work with the Kubernetes clusters service. However, it does not include many actions on other cloud resources, so other sections of the web interface may not be available.
You may also create your own roles and use them in day-to-day work. Open the Roles subsection and click Create. To create your own roles, you need to understand the NGN Cloud API.
To add privileges to the created role, click on its name in the role table and, on the page that opens, click Add. In the dialog window, select the service and allowed actions.
You can delete role templates that you have created (default role templates cannot be deleted). To do this, select the role(s) in the role table and click Delete.
Notifications
NGN Cloud sends users notifications about events, maintenance work, issues, etc. You can manage notification subscriptions in the Notifications subsection.
In this subsection, you can create, edit and delete contacts, that is, email addresses for Cloud notifications. Users who have the email field filled in are also displayed in this subsection. You can select event types for a given email address in the contact information editing form.
Quotas
Quotas are cloud service limits. This subsection shows service limits: number of users, projects, trails in Activity Log, or buckets in an object storage. To increase your quotas, please contact your manager or NGN Cloud Helpdesk.