IAM Role and IAM Group¶

API Authority Management Function is realized by IAM Role and IAM Group. By linking IAM Role with IAM Group and/or IAM Group and the user, the execution authority of general users are available to be controlled.

IAM Role¶

IAM Role shows API execution permission and conditions. These are described in whitelist style.

The administrator can set an IAM Role by setting the parameters below to resources of request bodies.

basePath	basePath specifies each API end point which permits execution. Description methods are shown in the another table below.
ipAddress	ipAddress specifies the global IP address of the access source client that permits execution.
path	path specifies the URL's path that permits execution.
verb	verb specifies a method that to permits execution. Four description such as GET/PUT/POST/DELETE are available.
Optional Elements	The value which is included in each API's query parameter or request body such as Tenant ID, User ID, etc. can be specified.

For each parameter, * (asterisk) is acceptable as a wild card.
Resources of an IAM Role accepts descriptions of multiple authorities. In this case, the OR condition is applied. (See AND/OR Condition at Authority Description for details.)
The following table shows description correspondence of each API end point and basePath:

Function Name	End point URL	basePath
Keystone	keystone-[Region Name]-ecl.api.ntt.com	/ecl-keystone
Management Function	sss-[Region Name]-ecl.api.ntt.com	/ecl-sss
Network/Colocation Interconnectivity (1000BASE-LX/10GBASE-LR)	network-[Region Name]-ecl.api.ntt.com	/ecl-network
Provider Connectivity	provider-connectivity-[Region Name]-ecl.api.ntt.com	/ecl-provider-connectivity
Baremetal Server	baremetal-server-[Region Name]-ecl.api.ntt.com	/ecl-baremetal-server
Remote Console Access	rca-[Region Name]-ecl.api.ntt.com	/ecl-rca
Image Storage	glance-[Region Name]-ecl.api.ntt.com	/ecl-glance
Virtual Server	nova-[Region Name]-ecl.api.ntt.com cinder-[Region Name]-ecl.api.ntt.com	/ecl-nova /ecl-cinder
Storage	storage-[Region Name]-ecl.api.ntt.com	/ecl-storage
Wasabi Object Storage	api.ntt.com	/ecl-objectstorage
Colocation Interconnectivity (1000BASE-T)/EnterpriseCloud Interconnectivity	interconnectivity-[Region Name]-ecl.api.ntt.com	/ecl-interconnectivity
Dedicated Hyper-Visor	dedicated-hypervisor-[Region Name]-ecl.api.ntt.com	/ecl-dedicated-hypervisor
Hybrid Cloud for Azure	hc-azure-[Region Name]-ecl.api.ntt.com	/ecl-hc-azure
Red Hat OpenShift Platform	api.ntt.com	/ecl-scduo
Monitoring	monitoring-[Region Name]-ecl.api.ntt.com	/ecl-monitoring
DNS	dns-[Region Name]-ecl.api.ntt.com	/ecl-dns
WebRTC Platform	webrtc-[Region Name]-ecl.api.ntt.com	/ecl-webrtc
Security	(Order API) mss-rfg-[Region Name]-ecl.api.ntt.com (Portal API) mss-msa-[Region Name]-ecl.api.ntt.com	/ecl-mss-rfg /ecl-mss-msa
Backup	backup-[Region Name]-ecl.api.ntt.com	/ecl-backup
Deployment Manager(heat)	heat-[Region Name]-ecl.api.ntt.com	/ecl-heat
For Middleware / GSLB / Power Systems	soi-[Region Name]-ecl.api.ntt.com	/ecl-soi

IAM Group¶

An IAM Group consists of some IAM Roles. The user belongs to any IAM Group. Execution Authority Control conducted by the IAM Role that is linked with IAM Group will be applied to the user.

Inter-relationship between IAM Group and User¶

The user belongs to any IAM Group. A newly created user will belong to Default Group at first. (See the Default Group and Default Role for the details of Default Group.)
The authority relating to the IAM Role, which is linked to the IAM Group that the user belongs, will be applied to the user. The administrator can link general users to the IAM Group or delete the linkage. The administrator cannot change the Group(s) which he/she belongs to.
An user can belong to multiple IAM Groups. In this case, each IAM Group's OR condition will be applied to the user. (See AND/OR Condition at Authority Description for details.)

Warning

Users who do not belong to any group cannot perform Smart Data Platform.

Inter-relationship between IAM Group and IAM Role¶

IAM Role also belongs to IAM Group like the user. Execution authority of the user belonging to an IAM Group will be controlled by the IAM Role that links to the IAM Group.
An IAM Role can link to multiple IAM Groups. If one particular group links with some IAM Roles, the AND condition will be applied to those roles. (See AND/OR Condition at Authority Description for details.)
At initial settings, Default Role is given allocated. (See Default Group and Default Role for details.)

Overviews

Default Group and Default Role