Role management

Introduction

Hint

Roles are currently identical to groups in functionality. This tutorial is a summarised version of Group and access management.

JAAS provides role management capabilities that allow JAAS administrators to assign roles to users, granting them access to resources.

In this tutorial we will show you how to manage roles in JAAS.

Prerequisites

For this tutorial you will need the following:

Role management

For this part of the tutorial we will assume the following user exists in an organisation:

  • alice@canonical.com

Next, let us create a role. Run:

jimmctl auth role add model-admin

To assign this role to Alice run:

jimmctl auth relation add user-alice@canonical.com assignee role-model-admin

Now Alice is assigned the model-admin role. Note that the role has no permissions yet (see Granting access to roles).

To view all available roles run:

jimmctl auth role list

We will see the model-admin role.

Renaming a role does not affect role membership or any access rights a role might already have in JAAS.

To rename the role, run (the remainder of this doc will assume the name remains as model-admin):

jimmctl auth role rename model-admin model-writer

To remove role model-admin from JAAS, run:

jimmctl auth role remove model-admin

Granting access to roles

Now that we know how to manage roles and role membership, let’s take a look at how we can grant roles access to resources in JIMM.

This section assumes the model-admin role was created and alice@canonical.com was assigned the role.

Because roles are currently identical to groups, our model-admin role needs to be assigned access to individual resources.

Assuming a model bob@canonical.com/foo exists, run:

jimmctl auth relation add role-model-admin#assignee administrator model-bob@canonical.com/foo

Now let us check if alice@canonical.com has administrator access to the model by running:

jimmctl auth relation check user-alice@canonical.com administrator model-bob@canonical.com/foo

We should get a positive result since alice@canonical.com is a member of role model-admin.

To remove role model-admin’s access to the model we can run:

jimmctl auth relation remove role-model-admin#assignee administrator model-bob@canonical.com/foo

Finally, to list the users who have been assigned the model-admin role we can run:

jimmctl auth relation list --target role-model-admin
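The following is an added illustration, not JIMM's own code: a toy relation store that replays the steps above to show why the check succeeds only while both the user-to-role relation and the role#assignee-to-model relation exist. The class, function names and tag strings are assumptions made for the example.

```python
# Toy model of relation tuples (object, relation, target). Not JIMM code.
ALICE = "user-alice@canonical.com"      # sample tags, assumed format
ROLE = "role-model-admin"
MODEL = "model-bob@canonical.com/foo"

class RelationStore:
    def __init__(self):
        self.tuples = set()

    def add(self, obj, relation, target):
        self.tuples.add((obj, relation, target))

    def remove(self, obj, relation, target):
        self.tuples.discard((obj, relation, target))

    def check(self, obj, relation, target, _seen=None):
        """True if obj holds relation on target, directly or through a
        'role-x#assignee' style subject that obj belongs to."""
        seen = set() if _seen is None else _seen
        if (obj, relation, target) in self.tuples:
            return True
        for tup in self.tuples:
            subject, rel, tgt = tup
            if rel != relation or tgt != target or "#" not in subject:
                continue
            if tup in seen:          # guard against cyclic definitions
                continue
            seen.add(tup)
            set_obj, set_rel = subject.split("#", 1)
            if self.check(obj, set_rel, set_obj, seen):
                return True
        return False

def walkthrough():
    """Replays the tutorial's steps and records each check result."""
    store, out = RelationStore(), {}
    store.add(ALICE, "assignee", ROLE)
    out["role_without_grant"] = store.check(ALICE, "administrator", MODEL)
    store.add(f"{ROLE}#assignee", "administrator", MODEL)
    out["after_grant"] = store.check(ALICE, "administrator", MODEL)
    out["unassigned_user"] = store.check("user-eve@example.com", "administrator", MODEL)
    out["assignees"] = sorted(o for o, r, t in store.tuples if r == "assignee" and t == ROLE)
    store.remove(f"{ROLE}#assignee", "administrator", MODEL)
    out["after_revoke"] = store.check(ALICE, "administrator", MODEL)
    return out

if __name__ == "__main__":
    print(walkthrough())
```

Removing the single role-to-model relation revokes access for every assignee at once, which is why reviewing the relations that target a role matters before granting it anything.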

Conclusion

This tutorial taught you the basics of role management in JAAS.