Overview
itopia's Cloud Automation Stack (CAS) admin console (cas.itopia.com) allows you to create and manage Cloud Desktop deployments. The admin portal also lets you create additional administrator accounts and assign them specific permissions.
The CAS admin portal includes several built-in roles for broad permissions on individual deployments or on your overall CAS organization. The portal also allows you to create and assign custom roles that have granular permissions to specific portions of the admin portal.
This article describes the built-in roles and the custom permissions available for the CAS admin portal, and also provides step-by-step instructions on creating and assigning custom roles to administrator accounts.
NOTE: This process is only required administrative access to the CAS admin console. End-user accounts for Cloud Desktops are managed from the Users module in the admin portal; information on managing end-user accounts are available here: Managing Users
Built-In Roles
When a new CAS organization is created (as part of signing up for itopia CAS), CAS provides four built-in roles that can be used to assign high-level permissions to the organization or to one or more projects:
Organization Owner - Members of this role have full read/write access to all aspects of the CAS organization and all deployments. Only members of this group can create custom admin roles. This is the role assigned to the user account used when signing up for itopia CAS.
Deployment Owner - Members of this role have full read/write access to all CAS modules for one or more deployments. Owners of a deployment can create additional administrator accounts and assign permissions on that deployment.
Deployment Editor - Members of this role have full read-write access to all CAS modules for one or more deployments. Editors of a deployment cannot create additional administrator accounts or assign permissions on that deployment.
Deployment Viewer - Members of this role have read-only access to all CAS modules for one or more deployments. Users with this role cannot change settings, create or delete resources, or perform any actions.
Members of the Organization Owner, Deployment Owner, or Deployment Editor role also receive a Domain Admin Active Directory account in the deployment(s) to which they have access. This user account is created the first time they perform a password reset for their corresponding AD account, as described in the Reset Admin Passwords article.
Custom Roles
If you want to assign more granular permissions to your CAS organization or to specific deployments, you can create custom roles in the admin portal. Custom roles allow you to provide read-only or read-write access on specific modules in the CAS admin portal, as well as to control other administrative access such as the creation of a "Domain Admin" account in the deployment's Active Directory. The full list of permissions is provided in the table below.
Creating Custom Roles
To create a custom role in CAS:
Log in to the CAS admin console (cas.itopia.com) as a member of the Organization Owners role.
From the top navigation bar, click on your user name. From the drop-down, select Manage Organization.
On the Organization Settings screen, click the Admins tab.
In the Admin Roles section, click Create.
Provide a unique Name for the role and, optionally, a description.
Select the checkbox next to each permission you would like to enable for the role.
Click Create.
Note that roles in the CAS admin console are not deployment-specific. When you assign the role to an administrator, you will selected the deployments to which the user will have the specified access.
Creating Administrators and Assigning Roles
When creating a new administrator for your CAS organization, you must provide a unique itopia username (in email address format); you can, however, use the same email address for administrator accounts in multiple deployments. The new administrator receives an email invitation to join your organization.
To create an administrator in CAS:
Log in to the CAS admin console (cas.itopia.com) as a member of the Organization Owners role.
From the top navigation bar, click on your user name. From the drop-down, select Manage Organization.
On the Organization Settings screen, click the Admins tab.
In the Administrators section, click Create.
Provide the required information for the account: First Name, Last Name, Email Address, itopia username (this should be the same as the email address, unless the email address was used for a different CAS organization).
From the dropdown list, select the CAS admin role that should be assigned to the user.
In the Deployments section, specify either All deployments or Select deployments and check the box next to the desired deployments. Note that any roles with organization-wide permissions will apply to the organization regardless of the deployments selected.
When you are finished, click Send Invite.
Considerations and Limitations
At this time, the following considerations and limitations exist for delegating administrative access in CAS:
Users can only be assigned to a single role, and the assignment is the same for all deployments to which they are granted access. That is, a user cannot have different role assignments for different deployments.
Editing certain organization-wide settings (such as the CAS authentication method) can only be performed by members of the Organization Owner role, and cannot be delegated to custom admin roles.
If you delete a custom role that is currently assigned to users, those users will lose access to the CAS admin console. To restore their access, you must assign them to a new role.
Related articles: