Bug 2053401

Summary: System Scope Secure Role Based Access Control
Product: Red Hat OpenStack
Reporter: Giulio Fidente <gfidente>
Component: openstack-swift
Assignee: Swift bugzilla team <swiftbugzilla>
Status: NEW
QA Contact:
Severity: medium
Docs Contact: Andy Stillman <astillma>
Priority: unspecified
Version: 18.0 (Zed)
CC: derekh, zaitcev
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Giulio Fidente 2022-02-11 08:34:15 UTC
Implement System Scope Secure Role Based Access Control as per https://issues.redhat.com/browse/OSP-9820

system-admin

This is someone who has full access to deployment-level APIs. Today, these users are typically represented as project administrators (anyone with the 'admin' role on a project within OpenStack).

system-member

This is someone who has some access to deployment-level APIs. The member role is meant to provide some ability for administrators to delegate some subset of functionality down to additional users. This depends on the security requirements of the deployment, but potentially makes things easier for operations by scaling responsibilities across users.

system-reader

This is someone who has read-only access to deployment-level APIs. This persona has the ability to view nearly all resources within the deployment, which can be powerful for performing audits without granting third-party auditors full administrative rights to the deployment.