Role Based Access Control
Role Based Access Control (RBAC) lets you provide limited access to your Joyent Cloud account and Manta storage to other members of your organization.
Role Based Access Control is made up of four elements:
We'll take them from the bottom up to see how they fit together.
Resources are the things you want to grant access to. In Manta resources are Manta objects. In Joyent Cloud, resources are CloudAPI endpoints.
Policies are lists of rules that describe access to resources. The rules are written in a human readable language that describes the action that is allowed and the context in which that rule is valid.
The default policy for all objects is to deny access always. Rules are written in terms of what is allowed. For example, the following rules say that getting a Manta object and listing a Manta directory is allowed:
CAN getobject CAN getdirectory
Users are login credentials that are associated with your Joyent Cloud account. We also use the term subuser to distinguish users subject to access control from the account owner. While each subuser name must be unique within an account, they do not need to be globally unique.
If there is a Joyent Cloud account named
and another one named
both can have a user named
Roles bring users, policies, and resources together. Roles are lists of users and lists of policies. To allow access to a resource, you associate, or tag, a resource with a role.
When a subuser wants to access a resource, the access system checks whether they belong to a role associated with the resource. If so, the access system checks the policies associated with the role to determine whether the user can access the resource.
The account owner always has complete access to every resource in the account.
To get a sense of how things work, continue with either