Tenant management permissions
Before you create a tenant group, consider which permissions you want to assign to that group. Tenant management permissions determine which tasks users can perform using the Tenant Manager or the Tenant Management API. A user can belong to one or more groups. Permissions are cumulative if a user belongs to multiple groups.
To sign in to the Tenant Manager or to use the Tenant Management API, users must belong to a group that has at least one permission. All users who can sign in can perform the following tasks:
-
View the dashboard
-
Change their own password (for local users)
For all permissions, the group's Access mode setting determines whether users can change settings and perform operations or whether they can only view the related settings and features.
If a user belongs to multiple groups and any group is set to Read-only, the user will have read-only access to all selected settings and features. |
You can assign the following permissions to a group. Note that S3 tenants and Swift tenants have different group permissions.
Permission | Description |
---|---|
Root access |
Provides full access to the Tenant Manager and the Tenant Management API. Note: Swift users must have Root access permission to sign in to the tenant account. |
Administrator |
Swift tenants only. Provides full access to the Swift containers and objects for this tenant account Note: Swift users must have the Swift Administrator permission to perform any operations with the Swift REST API. |
Manage your own S3 credentials |
Allows users to create and remove their own S3 access keys. Users who don't have this permission don't see the STORAGE (S3) > My S3 access keys menu option. |
Manage all buckets |
Note: You can only assign the Manage all buckets permission to Swift groups from the Tenant Management API. You can't assign this permission to Swift groups using the Tenant Manager. |
Manage endpoints |
Allows users to use the Tenant Manager or the Tenant Management API to create or edit platform service endpoints, which are used as the destination for StorageGRID platform services. Users who don't have this permission don't see the Platform services endpoints menu option. |
Manage objects with S3 Console |
When combined with the Manage all buckets permission, allows users to access the Experimental S3 Console from the Buckets page. Users who have this permission but who don't have the Manage all buckets permission can still navigate directly to the Experimental S3 Console. |