Example: Define permission scopes

In the previous step, Corporate IT identified ten permissions. Six permissions are restricted by four distinct scopes. Corporate IT needs to create four scopes: VM Cloud, SRV Cloud, Human Resources and Finance.
Department      | Function                      | Permission Role              | Permission Scope
----------------|-------------------------------|------------------------------|-----------------
Corporate IT    | Senior technologists          | Infrastructure administrator | All resources
Corporate IT    | Server administrator          | Server administrator         | All resources
Corporate IT    | Network administrator         | Network administrator        | All resources
Corporate IT    | Storage administrator         | Storage administrator        | All resources
Finance         | OS/Application administrators | Server profile operator      | Finance
Human Resources | OS/Application administrators | Server profile operator      | Human Resources
SRV Cloud IT    | Server Cloud administrators   | Server profile architect     | SRV Cloud
SRV Cloud IT    | Server Cloud administrators   | Scope operator               | SRV Cloud
VM Cloud IT     | Server administrator          | Server administrator         | VM Cloud
VM Cloud IT     | Network administrator         | Network administrator        | VM Cloud

VM Cloud IT is responsible for managing its own enclosures. The following table summarizes the analysis Corporate IT performed to determine which resources must be assigned to the VM Cloud scope.

Operation: Create networks
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. SANs are treated as shared resources and are not restricted by scope; VM Cloud IT is allowed to assign SANs to Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE) networks.

Operation: Create network sets
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign networks created by VM Cloud IT to the VM Cloud network sets.

Operation: Create logical interconnect groups
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign networks created by VM Cloud IT to the uplink sets.

Operation: Create enclosure groups
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign logical interconnect groups created by VM Cloud IT to enclosure groups.

Operation: Create logical enclosures
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. The logical interconnects created during this operation are also automatically added to the VM Cloud scope. VM Cloud IT needs access to the enclosures assigned to the VM Cloud pilot, so Corporate IT must assign the three enclosures to the VM Cloud scope. Because firmware bundles are restricted by scope, VM Cloud IT also needs access to the approved firmware bundles, so Corporate IT must assign the authorized firmware bundles to the VM Cloud scope.

Operation: Power on/off/Refresh interconnects
Analysis: To allow VM Cloud IT to manage the VM Cloud interconnects, Corporate IT must assign the interconnects in the VM Cloud enclosures to the VM Cloud scope.

Operation: Power on/off/Refresh drive enclosures
Analysis: To allow VM Cloud IT to manage the drive enclosures in the VM Cloud enclosures, Corporate IT must assign those drive enclosures to the VM Cloud scope.

Operation: Launch console/Power on/off/Reset/Refresh server hardware
Analysis: Corporate IT must assign the blades in the VM Cloud enclosures to the VM Cloud scope.

Operation: Create server profile templates
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. To assign resources to server profile templates, VM Cloud IT needs access to firmware bundles, networks, network sets and volume templates. Corporate IT must assign the authorized volume templates to the VM Cloud scope. Image Streamer is not configured for this pilot, so access to OS deployment plans is not required.

Operation: Create server profiles
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. In addition to the rights granted above, VM Cloud IT needs access to the server hardware.

Corporate IT performed a similar analysis for the SRV Cloud scope. SRV Cloud IT users are only allowed to perform server-related operations. The following table summarizes the results:

Operation: Launch console/Power on/off/Reset/Refresh server hardware
Analysis: Corporate IT must assign the blades in the SRV Cloud enclosures to the SRV Cloud scope.

Operation: Create server profile templates
Analysis: Created by SRV Cloud IT and automatically added to the SRV Cloud scope. To assign resources to server profile templates, SRV Cloud IT needs access to firmware bundles, networks and network sets. Corporate IT must assign the approved firmware bundles, networks and network sets to the SRV Cloud scope.

Operation: Create server profiles
Analysis: Created by SRV Cloud IT and automatically added to the SRV Cloud scope. In addition to the rights granted above, SRV Cloud IT needs access to the server hardware.

Operation: Assign SRV Cloud resources to the Human Resources and Finance scopes
Analysis: Assigning a resource to a scope triggers two authorization checks: an Update check on the target scope and a Use check on the resource being assigned. For example, to assign a blade to the Human Resources scope, SRV Cloud IT needs Update rights on the Human Resources scope and Use rights on the blade. Because SRV Cloud IT's permissions are restricted to the SRV Cloud scope, both the Human Resources scope instance and the blade must themselves be assigned to the SRV Cloud scope. SRV Cloud IT is only allowed to update the Human Resources and Finance scopes.

Scopes are not hierarchical. Assigning a scope to another scope only governs who may perform operations on the scope instance itself (such as updating its membership); it does not grant access to, or change the access restrictions on, the resources assigned to either scope.

Corporate IT must therefore assign the Human Resources and Finance scope instances to the SRV Cloud scope.
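The two-check rule for scope assignment and the non-hierarchical behaviour of scope-to-scope assignment, as an added example that is not part of this page or of HPE OneView: a small in-memory model of principals, roles, scopes and resources in Python, replaying the pilot's assignments. The role-to-right mapping is an assumption simplified to what the pilot needs (not the product's real role definitions), the blade names and the "hr-legacy-1" blade are constructed for the example, and nothing here calls the OneView REST API.

```python
"""Toy model of scope-restricted authorization (added example; not OneView code).

Rules modelled from the page:
  * a permission is a (role, scope) pair; it applies to a resource only if the
    scope is "All resources" or the resource is assigned to that scope;
  * assigning a resource to a scope needs Update on the target scope and Use
    on the resource;
  * scopes are ordinary resources (category "scopes") and are not hierarchical.
"""
from dataclasses import dataclass, field

ALL = "All resources"

# Rights granted per role and resource category. ASSUMPTION for the example:
# simplified to what the pilot needs, not the product's real role definitions.
ROLE_RIGHTS = {
    "Infrastructure administrator": {"*": {"Create", "Update", "Use", "Delete"}},
    "Server profile architect": {"server-hardware": {"Use"},
                                 "server-profiles": {"Create", "Update", "Use"}},
    "Scope operator": {"scopes": {"Update"}},
    "Server profile operator": {"server-hardware": {"Use"},
                                "server-profiles": {"Update"}},
}


@dataclass
class Resource:
    name: str
    category: str
    scopes: set = field(default_factory=set)  # names of scopes it is assigned to


@dataclass
class Principal:
    name: str
    permissions: list  # (role, scope name) pairs; scope name may be ALL


def authorized(who, action, resource):
    """True if any permission of `who` grants `action` on `resource`."""
    for role, scope in who.permissions:
        rights = ROLE_RIGHTS.get(role, {})
        granted = rights.get(resource.category, set()) | rights.get("*", set())
        if action in granted and (scope == ALL or scope in resource.scopes):
            return True
    return False


def assign_to_scope(who, resource, target_scope):
    """Perform both checks the page describes before changing scope membership."""
    if not authorized(who, "Update", target_scope):
        raise PermissionError(f"{who.name}: no Update right on scope {target_scope.name}")
    if not authorized(who, "Use", resource):
        raise PermissionError(f"{who.name}: no Use right on {resource.name}")
    resource.scopes.add(target_scope.name)


def try_assign(who, resource, target_scope):
    """Return True if the assignment is authorized and applied, False otherwise."""
    try:
        assign_to_scope(who, resource, target_scope)
        return True
    except PermissionError:
        return False


def run_pilot_checks():
    """Replay the pilot's scope assignments; resource names are constructed."""
    hr = Resource("Human Resources", "scopes", {"SRV Cloud"})  # assigned by Corporate IT
    vm_cloud = Resource("VM Cloud", "scopes")
    srv_blade = Resource("/rest/server-hardware/srv-blade-1", "server-hardware", {"SRV Cloud"})
    vm_blade = Resource("/rest/server-hardware/vm-blade-1", "server-hardware", {"VM Cloud"})
    hr_legacy = Resource("/rest/server-hardware/hr-legacy-1", "server-hardware", {"Human Resources"})

    srv_it = Principal("SRVCloudIT-Admins", [("Server profile architect", "SRV Cloud"),
                                             ("Scope operator", "SRV Cloud")])
    hr_it = Principal("HR-Admins", [("Server profile operator", "Human Resources")])
    corp_it = Principal("CorpIT-FULL", [("Infrastructure administrator", ALL)])

    results = {"hr_uses_srv_blade_before": authorized(hr_it, "Use", srv_blade)}
    results["srv_it_assigns_srv_blade_to_hr"] = try_assign(srv_it, srv_blade, hr)
    results["hr_uses_srv_blade_after"] = authorized(hr_it, "Use", srv_blade)
    # Use check fails: the VM Cloud blade is not in SRV Cloud IT's scope.
    results["srv_it_assigns_vm_blade_to_hr"] = try_assign(srv_it, vm_blade, hr)
    # Update check fails: the VM Cloud scope instance is not assigned to SRV Cloud.
    results["srv_it_assigns_srv_blade_to_vm_cloud"] = try_assign(srv_it, srv_blade, vm_cloud)
    # No hierarchy: HR being assigned to SRV Cloud gives no access to HR-only resources.
    results["srv_it_uses_hr_only_blade"] = authorized(srv_it, "Use", hr_legacy)
    # "All resources" permissions are not restricted by scope at all.
    results["corp_it_assigns_vm_blade_to_hr"] = try_assign(corp_it, vm_blade, hr)
    return results


if __name__ == "__main__":
    for check, outcome in run_pilot_checks().items():
        print(f"{check}: {outcome}")
```

The model makes the page's point concrete: SRV Cloud IT can move an SRV Cloud blade into the Human Resources scope, which is what first lets HR-Admins use it, but it cannot touch a VM Cloud blade (Use check) or the VM Cloud scope (Update check), and the fact that the Human Resources scope is itself assigned to SRV Cloud gives SRV Cloud IT nothing on resources that are only in Human Resources.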

Finally, Corporate IT completes the analysis of the Human Resources and Finance scopes.

Operation: Launch console/Power on/off/Reset/Refresh server hardware
Analysis: SRV Cloud IT is responsible for assigning SRV Cloud server hardware to the Human Resources and Finance scopes.

Operation: Update server profiles
Analysis: SRV Cloud IT is responsible for assigning SRV Cloud server profiles to the Human Resources and Finance scopes. SRV Cloud IT is also allowed to assign SRV Cloud firmware bundles to the Human Resources and Finance scopes, but has not yet decided whether Human Resources and Finance users should be allowed to update server firmware.

To summarize, the authorization model for the pilot defines four permission scopes and nine directory groups with associated permissions.

Permission Scope | Resources explicitly assigned to the scope by Corporate IT
-----------------|------------------------------------------------------------
Finance          | None
Human Resources  | None
SRV Cloud        | The blades contained in the two enclosures dedicated to the SRV Cloud pilot; the firmware bundles, networks and network sets approved for use by SRV Cloud IT; the Finance and Human Resources scope instances (required so that SRV Cloud IT can assign SRV Cloud resources to the Finance and Human Resources scopes)
VM Cloud         | The three enclosures dedicated to the VM Cloud pilot; the blades, interconnects and drive enclosures contained in those three enclosures; the firmware bundles and volume templates approved for use by VM Cloud IT

Directory Group   | Permissions (Role, Scope)
------------------|------------------------------------------------------------
CorpIT-FULL       | Infrastructure administrator, All resources
CorpIT-NA         | Network administrator, All resources
CorpIT-SA         | Server administrator, All resources
CorpIT-StA        | Storage administrator, All resources
Finance-Admins    | Server profile operator, Finance
HR-Admins         | Server profile operator, Human Resources
SRVCloudIT-Admins | Server profile architect, SRV Cloud; Scope operator, SRV Cloud
VMCloudIT-SA      | Server administrator, VM Cloud
VMCloudIT-NA      | Network administrator, VM Cloud