1.1. Management Function

1.1.1. Overview

Enterprise Cloud 2.0 (called “ECL2.0” hereafter) provides various management functions for checking usage status and for using the service via the Customer Portal or API.
This document gives an overview of the ECL2.0 management functions and the prerequisite information Customers need to use ECL2.0.

1.1.2. Subscription Method

This section describes how Customers can subscribe to ECL2.0.

1.1.2.1. For Customers Who Have NTT Com Business Portal Subscription

First, Customers need to ask their Business Portal administrator to create a Business Portal account.
They can then subscribe to ECL2.0 by logging in to Business Portal with that account.
They can order multiple ECL2.0 subscriptions with one Business Portal.
Please contact the NTT Com sales team for further information.

1.1.2.2. For Customers Who Do Not Have NTT Com Business Portal Subscription

First, Customers need to sign up for Business Portal.
Please contact the NTT Com sales team for more details on the Business Portal subscription.
Once it is activated, they can subscribe to Enterprise Cloud 2.0 as described above.

1.1.2.3. Needed Information on Subscription

Customers need the following information (called “contract information” hereafter) to subscribe to ECL2.0. Customers can view this information via the Customer Portal after subscription.

| Category | Item |
|---|---|
| Contract Information | Postal Code |
| | Address |
| | Department |
| | PIC Name |
| | Phone Number |
| | Email Address |
| Billing Information | Postal Code |
| | Address |
| | Company Name |
| | Department |
| | PIC Name |
| | Phone Number |
| | Email Address |

1.1.3. GUI/API

Two types of interfaces are provided in ECL2.0: GUI and API.
GUI/API enables Customers to utilize various management functions, as well as resource management of each service menu of ECL2.0.

1.1.3.1. GUI

GUI Configuration

The following diagram shows the configuration of the GUI provided in Enterprise Cloud 2.0.
[Figure: GUI]
Single sign-on to the ECL2.0 Customer Portal is available by logging in to NTT Com Business Portal (called Business Portal hereafter).
ECL2.0 provides management functions mainly related to the overall contract.
Customers can use the resources of each menu, such as Baremetal Server, Virtual Server and Monitoring, by selecting the relevant control panel.
In addition, Business Portal has links to both the Cloud Management Portal and the Ticket System, and the ECL2.0 Customer Portal has a link to the Ticket System.
The functions available on each GUI screen are as follows.

| GUI | Function | Overview |
|---|---|---|
| ECL2.0 Customer Portal | Tenant Management | Customers can select the Tenant to operate. Admin User can add/delete the Tenant, and can specify the accessible users per Tenant. |
| | User Management | Customers can view the user information. (For Admin User only) |
| | Billing Management | Customers can view the details of the billing statement. (For Admin User only) |
| | Profile Management | Customers can view their profile information such as login ID. They can also check the API key information. |
| | Contract Management | Customers can view the contract information. (For Admin User only) |
| Cloud Management Platform | Unified Management of Multi-Cloud Services | Customers can perform unified management of various resources by grouping their systems configured across multiple cloud services, and consolidating them onto one dashboard. |
| Ticket System | Ticket System Inquiry Management | Customers can create inquiry tickets to contact the support center regarding failures and technical support. |
| Cloud Computing Control Panel | Operation of each menu, resource management | Customers can view the resource usage status of each service menu, as well as add/delete/update the resources. Here you can operate bare metal server, virtual server, image storage, storage, network, and SD-Exchange resources. |
| Monitoring Control Panel | Management of Monitoring menu | NTT Com provides functions to collect and report information on various resources, which allows Customers to evaluate the health/performance of each service. |
| Cloud Foundry Control panel | Management of Cloud Foundry menu | Customers can deploy applications, add/delete resources assigned to applications, and manage resource status. |
| DNS Control panel | Management of DNS menu | You can operate the DNS menu. |
| Security Control panel | Management of Security menu | You can operate the Security menu. |
| Backup Control panel | Management of Backup menu | You can operate the Backup menu. |
| HC with Microsoft Azure Control panel | Management of Hybrid Cloud with Microsoft Azure menu | You can operate the Hybrid Cloud with Microsoft Azure menu. |
| Middle ware Control panel | Management of Middle ware menu | You can request the middle ware menu and check the contract contents. |


Terms and Conditions of Use

| Item | Contents |
|---|---|
| Available Browsers | Mozilla Firefox (the latest version), Google Chrome (the latest version) |
| Available Languages | English, Japanese (Language is automatically selected depending on the browser settings.) |

1.1.3.2. API

ECL2.0 provides APIs to suit Customers’ purposes, and almost all functions can be controlled via API.
The API enables Customers to control resources and to use management functions such as checking billing status.
These kinds of operations can also be performed via the GUI control panels, but the API allows Customers to further automate their operations.
For detailed information about the API, please check the API Reference <https://ecl.ntt.com/documents/api-references/>

API Configuration

Both an “API key” and an “API secret key” are required to use the API. Both are assigned per user.
Additionally, Customers can send their API requests via the Internet by accessing the API endpoint.

| Item | Descriptions |
|---|---|
| API Key | This is the ID necessary for authentication to enable API access. Authentication by API key enables Customers to access each resource via the API endpoint and send API requests. A unique value is assigned per user, and Customers can regenerate it as needed. |
| API Secret Key | This is the secret key necessary for authentication to enable API access. The API secret key is needed in combination with the API key. A unique value is assigned per user, and Customers can regenerate it as needed. |
| API Endpoint | This is the defined URL for API access. You can control various resources by accessing this URL. The API endpoint depends on the region and service menu. |

[Figure: API]

Menus providing API

For the menus that provide an API, see the API Reference <https://ecl.ntt.com/documents/api-references/>

Terms and Conditions of Use

NTT Com limits the number of API requests to protect the health of our infrastructure and Customers’ environments.

  • “200 requests/second/source IP address” or “1,000 requests/minute/user”

Once the number of API requests from a Customer exceeds the limit, a safeguard is applied to their API requests and restricts them temporarily.

1.1.4. Contract Management

1.1.4.1. View Contract Details

Customers can confirm, via the Customer Portal, the contract details they filled out when subscribing to ECL2.0.

1.1.4.2. Terms and Conditions of Use

Only Admin User is allowed to use this function.

1.1.5. Tenant Management

1.1.5.1. Tenant

A Tenant is a logical management unit for managing the various resources of ECL2.0. Resources such as Baremetal Server, Virtual Server, and Logical Network are deployed within a Tenant.
A Tenant belongs to a Region, and Customers can create one or multiple Tenants under one ECL2.0 contract.
Customers generally need to create a Tenant first before they use any menu of ECL2.0.
They can set access permission to a Tenant per user.
[Figure: Tenant]

1.1.5.2. Tenant Management

Customers can create/delete Tenants and set access permissions with the Tenant management function of the ECL2.0 Customer Portal.
Only the Admin User has access permission to a newly created Tenant. To grant access permission to other users, the Admin User needs to assign them after creating the Tenant.

1.1.5.3. Terms and Conditions of Use

When Customers create a Tenant, they need to specify the Region that the Tenant belongs to; a Tenant cannot span multiple Regions.
The Admin User has access permission to all Tenants, and this cannot be modified.
Only the Admin User can use this management function; other users cannot.

1.1.6. User Management

1.1.6.1. User Type

There are two types of users: Admin User and User.
When you subscribe to the ECL 2.0 service, one user is created based on that contract. This first user is called an admin user and can access administrative functions such as tenant management, API permission management, billing management and so on. An admin user is a special user, of which there is only one per contract, and is also called the contract owner.
Concretely, the user who first accessed ECL 2.0 from the Business Portal and executed the sign-up of the ECL 2.0 contract becomes the admin user (contract owner) of the contract. Users who log in from the Business Portal after the contract is created are called Users (General Users), and multiple Users can be created within a contract.

| User Type | Access Permission to Management Function | Access Permissions to Tenants | Available Number of Users per Contract |
|---|---|---|---|
| admin user (contract owner) | Access permissions to all the management functions of the contract | Access permissions to all the Tenants that belong to the contract | |
| User | No access permission to the management functions | The Admin User grants access permission to the relevant Tenant after the User account is created. A User cannot access Tenants for which the Admin User has not granted access permission. | 0-199 |

[Figure: User Management]

1.1.6.2. Add User

Just after Customers start their subscription, only the Admin User exists and there are no Users. The Admin User can add Users via Business Portal.
The procedure from subscribing to ECL2.0 to creating Users via Business Portal is as follows.
1. Once user A of Business Portal subscribes to ECL2.0, the ECL2.0 contract is created and user A becomes the Admin User of ECL 2.0 contract A.
2. After the Admin User grants access permission to another Business Portal user (called user B) via Business Portal, user B can access ECL2.0 as a User.
3. User B accesses the particular ECL2.0 contract.
4. User B is added as a User of the particular ECL2.0 contract.

※ Granting access to the ECL2.0 contract on the Business Portal does not by itself complete creation of the ECL2.0 user. The user is recognized as a User the first time they actually access ECL2.0 through the ECL2.0 portal.
[Figure: Add User]

1.1.6.3. Terms and Conditions of Use

Customers need the administrative permission of Business Portal for the operation above.

1.1.6.4. Change of the Contract Owner (Admin User)

As mentioned above, there is only one contract owner (admin user) in a contract, but you can change it to another user as needed.
To change it, specify the user who will become the new contract owner.
When you do this, the current contract owner becomes a General User and their access to the management functions is restricted.

1.1.7. API permission management

1.1.7.1. API permission management is provided in ECL2.0

ECL2.0 provides the ability to control the execution authority for its various APIs.
With this function, Customers can control users' API execution permissions under a variety of conditions.
Examples of conditions:
· Only specific APIs are executable (limited to Read Only, etc.)
· Executable only for a particular resource
· Executable only from a particular source global IP address, etc.

Note

The GUI provided in ECL2.0 works internally by executing the API that corresponds to each on-screen operation. Therefore, by using this API permission management function, customers can limit execution permission on the GUI in the same way.


Authority is controlled by the following three elements: User, IAM (Identity and Access Management) Group, and IAM Role.

| Item | Descriptions |
|---|---|
| User | Individual users belonging to the ECL2.0 contract (administrative user or general users) |
| IAM role | The APIs permitted for use and the conditions for running them are defined in white list format. One IAM role can contain multiple API authorizations. |
| IAM Group | A grouping of IAM roles. It serves to tie users to IAM roles. |

As shown in the following figure, a user can belong to multiple IAM groups, and an IAM group is defined by one or multiple IAM roles.

[Figure: User/Group/Role]

1.1.7.2. Authority definition of IAM role

IAM roles are defined primarily by the following elements.
Any other information held by each API can also be specified as an element, and customers can specify a wildcard by giving an asterisk (*) as the value.

The GUI provides typical role settings as templates, so you can select and configure one of these templates.

| Item | Descriptions |
|---|---|
| ipAddress | Source global IP address that is permitted access |
| basePath | API name that is permitted for use |
| path | API resource name that is permitted for use |
| verb | Method name that is permitted for use |


The following is an example role setting for read-only (Read Only) permissions.

[Figure: IAM_Role #1]

1.1.7.3. Default IAM group, default IAM role

When the ECL2.0 contract is created, the system creates the default IAM group and the default IAM role, and all users created after that are tied to the default IAM group.
The default IAM role defines execute permission for all APIs. Because it is tied to the default IAM group, all users initially have execution permission for every API that is executable for their user type.

The default IAM group and the default IAM role cannot be deleted.
In addition, the administrative user cannot be removed from the default IAM group.

1.1.7.4. Judgment of authority

If one user is tied to more than one authority setting, the authority decision is made by the following determination method.

Note

The API permission management settings are evaluated together with the authority by user type (admin user or general user) and the authority by tenant access permission. For example, general users cannot create tenants. In addition, operations on resources belonging to tenants for which the user has no tenant access permission can be set but cannot be executed. Please refer to “User management” for user type and “Tenant management” for tenant access permission.


1. If an IAM role is composed of multiple authority definitions → A or B

[Figure: pattern_1]

In the following example, a user tied to this group is set so that “creating (POST) or editing (PUT) a virtual server is possible”.

[Figure: pattern_1_config]

2. If a user belongs to one IAM group and that IAM group is defined by more than one IAM role → A and B

[Figure: pattern_2]

In the following example, the authority specified in IAM Role #2-1 can be executed, and IAM Role #2-2 adds an AND condition such as [the tenant ID is “123456789”].

[Figure: pattern_2_config]

3. If a user belongs to more than one IAM group, each defined by IAM roles → A or B

[Figure: pattern_3]

In the following example, on top of the read-only privileges for the entire contract granted by IAM Group #1, Group #2 allows the creation and editing of virtual servers belonging to tenant ID 1234567890.

[Figure: pattern_3_config]
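
The three judgment rules above can be checked offline before a role set is applied. The following Python is an added example, not NTT Com code and not the ECL2.0 role format: the dict layout, exact-or-"*" matching, the element name tenantId and the basePath value are assumptions, and all roles are constructed to mirror patterns 1 to 3.

```python
# Added example: evaluates the three authority-judgment rules on constructed roles.
# Assumptions: rules are dicts, matching is exact-or-"*", and the element name
# "tenantId" and the basePath value are hypothetical, not ECL2.0 identifiers.

def rule_matches(rule, request):
    """An authority definition matches when every element it names equals the
    request's value or is the wildcard "*"; unnamed elements are unconstrained."""
    return all(want == "*" or request.get(key) == want
               for key, want in rule.items())

def role_allows(role, request):
    # Rule 1: several authority definitions in one IAM role -> A or B.
    return any(rule_matches(rule, request) for rule in role)

def group_allows(group, request):
    # Rule 2: several IAM roles in one IAM group -> A and B.
    return bool(group) and all(role_allows(role, request) for role in group)

def user_allows(groups, request):
    # Rule 3: several IAM groups on one user -> A or B.
    # White list semantics: a request matched by no group is refused.
    return any(group_allows(group, request) for group in groups)

# Constructed roles mirroring patterns 1 to 3.
READ_ONLY = [{"ipAddress": "*", "basePath": "*", "path": "*", "verb": "GET"}]
SERVER_WRITE = [
    {"basePath": "example-server-api", "path": "servers", "verb": "POST"},
    {"basePath": "example-server-api", "path": "servers", "verb": "PUT"},
]
TENANT_SCOPE = [{"tenantId": "1234567890"}]
ALLOW_ALL = [{"verb": "*"}]               # stands in for the default IAM role

GROUP_1 = [READ_ONLY]                     # read-only across the contract
GROUP_2 = [SERVER_WRITE, TENANT_SCOPE]    # write AND tenant 1234567890
DEFAULT_GROUP = [ALLOW_ALL]

def request(verb, tenant, path="servers"):
    """Build a constructed request with the elements a rule may name."""
    return {"ipAddress": "203.0.113.10", "basePath": "example-server-api",
            "path": path, "verb": verb, "tenantId": tenant}

if __name__ == "__main__":
    restricted = [GROUP_1, GROUP_2]
    for verb, tenant in [("GET", "5555555555"), ("POST", "1234567890"),
                         ("POST", "5555555555"), ("DELETE", "1234567890")]:
        print(verb, tenant, user_allows(restricted, request(verb, tenant)))
    # A user still tied to the default group keeps every permission (rule 3).
    print(user_allows([DEFAULT_GROUP] + restricted,
                      request("DELETE", "5555555555")))
```

Because IAM groups combine with OR, a user who is still tied to the default IAM group keeps every permission however restrictive the additional groups are, which the last line of the example shows.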

1.1.7.5. Terms and Conditions of Use

-This function can be set only by administrative users; general users cannot set it.
-Execution authority for functions that only administrative users can run cannot be granted to general users through this function.
-An IAM role controls the execution authority of API requests; customers cannot limit the result (response) of an API request.
-This function cannot be used for the following menus.
Security, backup, Hyper-v (Hybrid Cloud for Azure)

Note

For a more detailed procedure, please see How to use API authority management function.


1.1.8. Approval Function

1.1.8.1. Function Overview

The approval function lets users issue approval requests and respond to them with approval or rejection.
Approval requests are issued to tenants, contracts and users.
For example, in ECL 2.0 all resources are normally placed in a tenant and the scope of impact of an operation is limited to that tenant, but if a user tries to perform an operation that reaches beyond the tenant and affects the resources of another tenant, approval must be obtained from a user of the counter tenant.
In this case, the executor of the operation issues a request, and the operation can be carried out once a user of the counter tenant approves it. The approval function can also be used across contracts.

One application of the approval function is Enterprise Cloud 2.0 Connection, which connects tenants.
It provides network connectivity across tenants by connecting the firewall of the connection source tenant and the logical network of the counter tenant.
For details, see Enterprise Cloud 2.0 connection.

1.1.8.2. Approval request parameters

Approval requests include the following parameters.
The parameters that can be specified by the user depend on the menu of the side issuing the approval request.

| Parameter | Descriptions |
|---|---|
| request ID | Assigned automatically |
| Status | Current status of the approval request. Details are explained in the next section. |
| Approval target ID | ID indicating the approval target. Specify a tenant ID, contract ID or user ID according to the approval type below. |
| Approval type | The actual approval action can be executed by any user specified by the approval type and the above approval target ID. The approval types are as follows. tenant: All users who can access the tenant with the specified tenant ID; tenant_owner: Admin user of the contract with the specified tenant ID; contract: All users belonging to the contract with the specified contract ID; contract_owner: Admin user of the contract with the specified contract ID; user: User with the specified user ID |
| Action | Details of the action to be executed after approval |
| Response deadline of approval request | Requests that have expired are given the status “expired”, and approval etc. cannot be executed. |
| Approval expiration date | Expiration date of the valid period of an approved request. The date and time 30 days after the approval date are registered and cannot be changed. After this deadline, an action that was once approved is also invalid. |

1.1.8.3. Status of Approval request

The status of the approval request information is as follows.

| Status | Descriptions |
|---|---|
| registered | The state immediately after the approval request is generated by the requesting user |
| cancelled | The state where the requesting user has canceled the approval request. After changing to this status, it cannot change to another status. |
| approved | A state in which the approval request has been approved by the requesting user. This status is retained until the expiration date passes. |
| denied | The state where the approval request was rejected by the requesting user. After changing to this status, it cannot change to another status. |
| expired | Approval request expired. If the approval request’s response deadline has passed, approval etc. cannot be executed and the request shifts to this status. |
| approval_expired | Approval expired. The request moves to this status when the approval expiration date has passed. |

1.1.8.4. Notification of approval request

When an approval request is registered, an e-mail notification is sent to the users specified as the request registrant and approver.
You are also notified by e-mail when the request is approved, rejected or canceled.
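
The status table and the two deadlines in 1.1.8.2 and 1.1.8.3 amount to a small state machine, sketched here as an added example that is not part of the ECL2.0 documentation or API. The class and method names are hypothetical; treating a deadline as passed only when the current time is strictly later, and letting an approved request change only by expiry, are assumptions.

```python
# Added example: approval request lifecycle as described in the status table.
# Class and method names are hypothetical; boundary handling is an assumption.
from datetime import datetime, timedelta

APPROVAL_VALID_FOR = timedelta(days=30)   # fixed period stated in 1.1.8.2

# Status changes triggered by a user. cancelled and denied are terminal.
USER_TRANSITIONS = {"registered": {"approved", "denied", "cancelled"}}

class ApprovalRequest:
    def __init__(self, response_deadline):
        self.status = "registered"
        self.response_deadline = response_deadline
        self.approval_expires_at = None

    def refresh(self, now):
        """Apply the two time-driven transitions and return the status."""
        if self.status == "registered" and now > self.response_deadline:
            self.status = "expired"
        elif self.status == "approved" and now > self.approval_expires_at:
            self.status = "approval_expired"
        return self.status

    def respond(self, new_status, now):
        """Approve, deny or cancel; refuse anything the table does not allow."""
        self.refresh(now)
        if new_status not in USER_TRANSITIONS.get(self.status, set()):
            raise ValueError(f"{self.status} -> {new_status} is not allowed")
        self.status = new_status
        if new_status == "approved":
            self.approval_expires_at = now + APPROVAL_VALID_FOR
        return self.status

    def action_permitted(self, now):
        """The approved action may run only while the approval is still valid."""
        return self.refresh(now) == "approved"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)             # constructed sample timeline
    req = ApprovalRequest(response_deadline=t0 + timedelta(days=7))
    print(req.respond("approved", t0 + timedelta(days=1)))
    print(req.action_permitted(t0 + timedelta(days=30)))
    print(req.action_permitted(t0 + timedelta(days=32)), req.status)
```

Checking `action_permitted` at the moment the cross-tenant action runs, rather than only when the approval is recorded, is what enforces the 30-day validity period.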


1.1.9. Billing Management

1.1.9.1. View Billing Statement

Customers can confirm the billing statement of ECL2.0 via the Customer Portal.
The billing statement is displayed on the Customer Portal per Tenant, menu and resource, based on usage up to the previous day.
The past 24 months can be displayed.
In addition, billing information displayed on the portal can be downloaded as a CSV file. You can also get billing information by using the API.

1.1.9.2. Terms and Conditions of Use

Only Admin User is allowed to use this function.