Introduction to Cloud Accounts and System Roles
To implement granular role-based access control (RBAC), Relyt adopts hierarchical cloud accounts and system roles.
Cloud accounts
A cloud account, sometimes simply referred to as an account, is a set of credentials that are used to authenticate a user's access to specific Relyt resources.
For security purposes, Relyt classifies cloud accounts into the following layers:
- Main account: the logical representation of an organization; it uniquely identifies the organization in Relyt. A main account can invite others to create subaccounts. By default, a main account is a member of the ACCOUNTADMIN role. It can be changed to temporarily belong to the SYSTEMADMIN role.
- Subaccount: a segregated account under the control of a main account. Subaccounts can be created only through invitations of the main account and are tied to the main account. A subaccount is a member of the SYSTEMADMIN role, and thus can manage DW service units.
System roles
Currently, Relyt provides two system roles: ACCOUNTADMIN and SYSTEMADMIN. The following table describes each system role.
| System role | Description |
|---|---|
| ACCOUNTADMIN | Has privileges to manage subaccounts. |
| SYSTEMADMIN | Has full privileges to use, manage, and control DW service units. |
The following table describes the privileges granted to each system role.
| Privilege | Description | Granted to |
|---|---|---|
| CREATE ACCOUNT | Invites others to create subaccounts. | ACCOUNTADMIN |
| DELETE ACCOUNT | Deletes subaccounts. | ACCOUNTADMIN |
| ASSIGN ROLE | Assigns system roles to subaccounts. | ACCOUNTADMIN and SYSTEMADMIN |
| VIEW USAGE | Views the resource usage of the current account. | SYSTEMADMIN |
| CREATE DW SERVICE | Creates DW service units. | SYSTEMADMIN |
| USE DW SERVICE | Uses DW service units, including managing data and performing queries. | SYSTEMADMIN |
| ADD ACCOUNT AS DW USER | Adds cloud accounts as DW users. | SYSTEMADMIN |
| CREATE DPS | Creates DPS clusters. | SYSTEMADMIN |
| DELETE DPS | Deletes DPS clusters. | SYSTEMADMIN |
| EDIT DPS | Configures DPS clusters. | SYSTEMADMIN |
| START/STOP DPS | Activates or suspends DPS clusters. | SYSTEMADMIN |
Relationship between cloud accounts and system roles
A cloud account must have one system role. The default system role of a main account is ACCOUNTADMIN. The system role of a subaccount defaults to SYSTEMADMIN and can only be SYSTEMADMIN.
The system role of a main account can be temporarily switched from ACCOUNTADMIN to SYSTEMADMIN. The role can then be switched back manually, or it is switched back automatically at the next sign-in.
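The rules above can be exercised as a small model. This is an added example, not Relyt code or its API: the `Account` class and its methods are hypothetical, and it assumes an account holds exactly one system role at a time, so a main account switched to SYSTEMADMIN gives up the ACCOUNTADMIN-only privileges until it switches back.

```python
# Added model of the account and role rules on this page; names are hypothetical.
# Assumption: an account holds exactly one system role at any moment.
from dataclasses import dataclass, field

# Privilege table from the page: privilege -> roles it is granted to.
GRANTS = {
    "CREATE ACCOUNT": {"ACCOUNTADMIN"},
    "DELETE ACCOUNT": {"ACCOUNTADMIN"},
    "ASSIGN ROLE": {"ACCOUNTADMIN", "SYSTEMADMIN"},
    "VIEW USAGE": {"SYSTEMADMIN"},
    "CREATE DW SERVICE": {"SYSTEMADMIN"},
    "USE DW SERVICE": {"SYSTEMADMIN"},
    "ADD ACCOUNT AS DW USER": {"SYSTEMADMIN"},
    "CREATE DPS": {"SYSTEMADMIN"},
    "DELETE DPS": {"SYSTEMADMIN"},
    "EDIT DPS": {"SYSTEMADMIN"},
    "START/STOP DPS": {"SYSTEMADMIN"},
}

@dataclass
class Account:
    name: str
    parent: "Account | None" = None  # None marks a main account
    role: str = "ACCOUNTADMIN"       # default role of a main account
    subaccounts: list = field(default_factory=list)

    def can(self, privilege: str) -> bool:
        return self.role in GRANTS[privilege]

    def invite(self, name: str) -> "Account":
        # Subaccounts exist only through a main account's invitation.
        if self.parent is not None or not self.can("CREATE ACCOUNT"):
            raise PermissionError(f"{self.name} cannot invite subaccounts")
        sub = Account(name, parent=self, role="SYSTEMADMIN")
        self.subaccounts.append(sub)
        return sub

    def switch_role(self, role: str) -> None:
        # Only a main account may switch; a subaccount stays SYSTEMADMIN.
        if self.parent is not None:
            raise PermissionError("a subaccount can only be SYSTEMADMIN")
        if role not in ("ACCOUNTADMIN", "SYSTEMADMIN"):
            raise ValueError(f"unknown system role: {role}")
        self.role = role

    def sign_in(self) -> None:
        # A main account's temporary SYSTEMADMIN role reverts at next sign-in.
        if self.parent is None:
            self.role = "ACCOUNTADMIN"
```

In this model a main account left in SYSTEMADMIN cannot invite or delete subaccounts, which is the separation the privilege table implies between account administration and DW service administration.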