Identity and Access Management

Overview

The Identity and Access Management module of ZStack ZSphere provides unified user identity management and access control. It supports centralized management of regular users, configuration of a unified authentication system for single sign-on with ZStack ZSphere, and management of access permissions for all users to platform resources.

Centralized User Management

It supports the unified creation and management of users and user groups.

Precise Role-Based Access Control

Different role permissions can be granted to different users and user groups, allowing you to precisely control the operations that specific users or user groups can perform on particular resources, thereby assisting in maintaining the security of the environment.

Integration with Unified Authentication Systems

It supports configuring a unified authentication system based on OIDC, AD, LDAP protocols for single sign-on (SSO). This allows direct use of users from the unified identity authentication system without the need to create additional users, enhancing management efficiency and reducing security risks.

Preparation

Before using the ZStack ZSphere identity and access management features, ensure that the platform version and license authorization meet the requirements.

Make sure the installed software version is ZStack ZSphere 4.10.0 or later.
To use the single sign-on system, roles, and user group features, ensure that the ZStack ZSphere is installed with a valid Advanced Edition license.

Single Sign-On

ZStack ZSphere provides unified identity authentication login services, supporting seamless access to the unified authentication login system. Corresponding unified authentication users can log in directly to the virtualization platform and conveniently use platform resources. Currently, OIDC, AD, and LDAP authentication servers are supported.

OIDC Authentication: OIDC (OpenID Connect) is an authentication protocol built on the OAuth2 framework, allowing clients to verify user identities and obtain basic user configuration information. Through the OIDC authentication server, user information can be synchronized to the platform according to mapping rules, and OIDC authentication system users can log in to the platform without a password.
AD Authentication: AD (Active Directory) is a directory service for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter Server, providing a standalone and standardized login authentication system for increasingly diverse enterprise office applications. Through the AD authentication server, AD users can be synchronized to the virtualization platform, supporting direct login to the platform using specified AD login attributes.
LDAP Authentication: LDAP (Lightweight Directory Access Protocol) is a protocol for accessing directory services, providing a standardized directory service for increasingly diverse enterprise office applications. Through the LDAP authentication server, LDAP users can be synchronized to the virtualization platform, supporting direct login to the platform using specified LDAP login attributes.

Add OIDC SSO Server

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > Single Sign-On.
On the Single Sign-On page, click Add SSO Server.
In the Add SSO Server dialog, set the following parameters:
Basic Information
- Name: Set a name for the unified authentication server.
- Description: Optionally fill in a description for the unified authentication server.
- Type: Select OIDC.
Configuration Information
- Client ID: The unique identifier assigned to the platform by the unified authentication system.
- Client Secret: The secret key assigned to the platform by the unified authentication system.
- Authorization Request URL: The request URL used to obtain authorization under the authorization code grant type.
- Token Request URL: The request URL used to obtain an access token from the authentication server.
- User Mapping Rules: Establishes the mapping relationship between unified authentication attributes and local attributes, including username and description.
  - Username: Maps the virtualization platform user name to a specific attribute of users in the unified authentication server.
  - Description: Optional, maps the platform user description to a specific attribute of users in the unified authentication server.
Review the configuration and click OK.

Add AD SSO Server

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > Single Sign-On.
On the Single Sign-On page, click Add SSO Server.
In the Add SSO Server dialog, set the following parameters:
Basic Information
- Name: Set a name for the unified authentication server.
- Description: Optionally fill in a description for the unified authentication server.
- Type: Select AD.
Server Information
- SSL/TLS Encryption: Choose whether to enable SSL/TLS encryption. This is enabled by default.
  When enabled, port 636 is used by default, with support for custom modifications. When disabled, port 389 is used by default, with support for custom modifications.
- Primary Server IP/Domain: Enter the primary server IP address or domain along with the corresponding port.
- Backup Server IP/Domain: Enter the backup server IP address or domain along with the corresponding port.
Configuration Information
- Base DN: Enter the base DN used to search for AD users' root nodes, defining the scope of synchronized AD users.
- User DN: Enter the DN of a special user who has permission to query all users within the base DN scope. This user is used to log in to the AD server and retrieve relevant data.
- Password: The password corresponding to the User DN for logging in.
- Filter Rule: Enter the filter rule used when synchronizing user information to filter users within the base DN. By default, the (objectClass=person) rule is added.
  Note:
  - Filter rules can be set as single or combined rules, with syntax matching AD filter syntax.
  - You can control whether the filter acts as a allowlist or blocklist using the ! symbol. With allowlist filtering, only the user information configured in the filter rules will be synchronized to the platform. With blocklist filtering, user information specified in the filter rules will not be synchronized.
  - The length of filter rules is subject to AD server configuration limits. Exceeding these limits may cause the filter rule to fail, so please confirm in advance.
- Login Attribute: Specify the AD user attribute used for logging into the platform.
Review the configuration and click OK.

Add LDAP SSO Server

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > Single Sign-On.
On the Single Sign-On page, click Add SSO Server.
In the Add SSO Server dialog, set the following parameters:
Basic Information
- Name: Set a name for the unified authentication server.
- Description: Optionally fill in a description for the unified authentication server.
- Type: Select LDAP.
Server Information
- SSL/TLS Encryption: Choose whether to enable SSL/TLS encryption. This is enabled by default.
  When enabled, port 636 is used by default, with support for custom modifications. When disabled, port 389 is used by default, with support for custom modifications.
- Primary Server IP/Domain: Enter the primary server IP address or domain along with the corresponding port.
- Backup Server IP/Domain: Enter the backup server IP address or domain along with the corresponding port.
Configuration Information
- Base DN: Enter the base DN used to search for LDAP users' root nodes, defining the scope of synchronized LDAP users.
- User DN: Enter the DN of a special user who has permission to query all users within the base DN scope. This user is used to log in to the LDAP server and retrieve relevant data.
- Password: The password corresponding to the User DN for logging in.
- Filter Rule: Enter the filter rule used when synchronizing user information to filter users within the base DN. By default, the (objectClass=person) rule is added.
  Note:
  - Filter rules can be set as single or combined rules, with syntax matching LDAP filter syntax.
  - You can control whether the filter acts as a allowlist or blocklist using the ! symbol. With allowlist filtering, only the user information configured in the filter rules will be synchronized to the platform. With blocklist filtering, user information specified in the filter rules will not be synchronized.
  - The length of filter rules is subject to LDAP server configuration limits. Exceeding these limits may cause the filter rule to fail, so please confirm in advance.
- Login Attribute: Specify the LDAP user attribute used for logging into the platform.
Review the configuration and click OK.

Manage SSO Server

Procedure

In the navigation pane, choose System Management > Single Sign-On.
On the Single Sign-On page, perform the following steps as required:
- If you need to modify the general information, configuration information, or user information mapping rules of the unified authentication server, click Edit Configuration.
  Note: After modifying the configuration information, unified authentication users who have been synchronized to the platform may no longer be able to log in without a password.
- To edit the name and description of the unified authentication server, select More Actions > Edit Name and Description.
- To delete the unified authentication server, select More Actions > Delete.
  Note: Deleting the unified authentication server will also remove related existing unified authentication user information from the platform, while users in the source unified authentication server remain unaffected.

Role Management

A role is a collection of permissions that, when granted to users and user groups, enables them to invoke related APIs for resource operations. ZStack ZSphere adopts a Role-Based Access Control (RBAC) authorization model, defining resource permissions based on the user's job function (role). Through roles, you can achieve fine-grained control over user permissions.

System Predefined Roles

ZStack ZSphere provides predefined roles as shown in the following table.

User Type	Role Name	Description
Admin User	System Admin	Manages daily system operations and maintenance.
	Security Admin	Manages users, security policies, and security attributes.
	Auditor	Manages system event information and auditing.
	Read-Only Role	Has read-only access to system resources without write permissions
Regular User	VM User	Supports regular users in creating virtual machines and basic VM management.

Create Custom Role

To meet diverse access control requirements, you can create custom roles.

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > Role.
On the Role page, click New Role.
In the New Role dialog, set the following parameters:
Basic Information
- Name: Set a name for the role.
- Description: Fill in a description for the role as needed.
Permission Configuration
Select the interface permissions you want to grant to this role as required. There may be dependencies between different interface permissions. It is recommended to use platform predefined roles or select all interface permissions.
Review the configuration and click OK.

Clone Role

To meet diverse access control requirements, in addition to creating custom roles, you can clone existing roles.

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > Role.
On the Role page, select the target role and then click Actions > Clone Role.
In the Clone Role dialog, enter a name and description.
Review the configuration and click OK.

Modify Role Permissions

Edit the interface and API permissions of custom roles.

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.
The selected role is not a system default role.

Procedure

In the navigation pane, choose System Management > Role.
On the Role page, click the target role name to enter the Overview details page.
On the Overview tab, click the Edit icon, and then modify the role's UI permissions as needed.
Click API Permissions to enter the API Permissions tab.
On the API Permissions tab, click the Edit icon, and then modify the role's API permissions as needed.

Delete Role

Before you begin

Make sure ZStack ZSphere is installed with a valid Advanced Edition license.
The selected role is not a system default role.
The selected role has been detached from its associated users or user groups.

Procedure

In the navigation pane, choose System Management > Role.
On the Role page, select the target role and then click Actions > Delete.
Review the selected items and click OK.

User Management

A user represents an individual and is the basic unit in identity and access management. Users are created by admins or synchronized from a unified authentication system, and are managed by admins. By sharing resources with users and assigning roles to them, you can achieve fine-grained control over resource ownership and permissions.

Some key features of users include:

Users can be either local users or SSO users. Local users are created directly by admins, while SSO users are synchronized from a unified authentication server to the platform.
User quotas are standards set by admins to control the total amount of resources allocated to users, including compute resources, data storage resources, network resources.
Users can be a member of one or more user groups.
Users can be assigned one or more roles. When a user is assigned multiple roles, they will have the combined permissions of those roles. Additionally, once a user joins a user group, they will inherit the roles associated with that group, in addition to any roles they are already assigned.

New User

Create a local user, assign resource ownership and roles, and then use the user to log in.

Before you begin

You need to have admin permissions.
If you need to use the roles and user groups functionality, Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > User Management > User.
On the User page, click New User.
In the New User dialog, set the following parameters:
Basic Information
- Username: Set a username for the regular user, which serves as the unique identifier for logging into the platform.
- Description: Optionally fill in a description for the user.
- Password: Set a login password for the user.
  The password setting requirements can be adjusted by modifying the Platform Login Password Strength. For more information, see Security Settings.
- Confirm Password: Re-enter the login password for confirmation.
- Role: Assign roles to the user. After binding, the user will have the permissions associated with the role.
- User Group: Add the user to a user group. After joining, the user will inherit all roles and shared resources from the user group.
Share Resource
Specify the resources to be shared with the current user, including virtual machines, images, templates, distributed switches, and distributed port groups.
Review the configuration and click OK.

Disable/Enable User

After disabling a regular user, the user will not be able to log in to ZStack ZSphere unless the admin enables the user.

Before you begin

You need to have admin permissions.

Procedure

In the navigation pane, choose System Management > User Management > User.
On the User page, select the target user and then click Actions > Disable.
Review the selected items and click OK.
To enable the user later, click Actions > Enable.

Modify User Configuration

Edit the user's basic information, such as the roles assigned to the user, the user groups they joined, and the resources shared with the user.

Before you begin

You need to have admin permissions.

Procedure

In the navigation pane, choose System Management > User Management > User.
On the User page, select the target user and then click Actions > Modify Configuration.
In the Modify Configuration dialog, make the necessary changes to the configuration.

Change User Password

Before you begin

You need to have admin permissions.

Procedure

In the navigation pane, choose System Management > User Management > User.
On the User page, select the target user and then click Actions > Change Password.
In the Change Password dialog, enter the new password and confirm it again, then click OK.

Change a Regular User to an Admin User

Procedure

In the navigation pane, choose System Management > User Management > User.
On the User Management page, select the target user, and then click Actions > Change to Admin User.
After you read and confirm the risk information, click OK.

Results

Note:

Once a regular user is changed to an admin user, the change cannot be undone.
After the change, the previously assigned roles, associated user groups, and shared resources will be automatically removed from the regular user.

Delete a User

Before you begin

You need to have admin permissions.

Procedure

In the navigation pane, choose System Management > User Management > User.
On the User page, select the target user and then click Actions > Delete.
In the Delete User? dialog, carefully read the risk warnings.

Results

Note:

The deleted user will no longer be able to log in to the platform, and ownership of their resources will be transferred to admin.
Deleting an SSO user does not affect the user information in the source authentication server.

User Group Management

A user group is a collection of users that supports permission control at the group level. With user groups, you can assign permissions to multiple users for easier management. For example, if you have a user group named UserGroup-1 and associate it with roles that involve storage resource permissions, then all users within this group will automatically inherit the role permissions from UserGroup-1. If there's a new user who needs storage resource permissions, you can achieve the necessary permission allocation by adding this user to the UserGroup-1 user group. In case of changes in users, such as replacing old users with new ones, you don't need to modify permissions for each old user individually; instead, you can simply remove the old users from the user group.

Some key features of user groups include:

A user group can contain multiple users, and a user can belong to multiple user groups.
User groups cannot be nested. User groups can only contain users, not other user groups.
A user group can be assigned multiple roles. When a user group is assigned multiple roles, users within the group will inherit the combined permissions of those roles.

New User Group

Create a user group, add users to the group, so that all users under the user group can obtain the corresponding permissions, facilitating unified permission management.

Before you begin

You need to have admin permissions.
Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > User Management > User Group.
On the User Group page, click New User Group.
In the New User Group dialog, set the following parameters:
Basic Information
- Name: Set a name for the user group.
- Description: Optionally fill in a description for the user group.
- User: Add users to this user group. After joining, users will inherit all roles and shared resources from this user group.
- Role: Assign roles to the user group. After assigning, all users within the group will inherit the permissions associated with these roles.
Share Resource
Share resources with the user group. After sharing, all users within the user group will have read access to the shared resources.
Review the configuration and click OK.

Modify User Group Configuration

Edit the basic information of a user group, such as the users within the group, roles assigned to the group, and resources shared with the group.

Before you begin

You need to have admin permissions.
Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > User Management > User Group.
On the User Group page, select the target user group and then click Actions > Modify Configuration.
In the Modify Configuration dialog, make the necessary changes as required.

Delete User Group

Before you begin

You need to have admin permissions.
Make sure ZStack ZSphere is installed with a valid Advanced Edition license.

Procedure

In the navigation pane, choose System Management > User Management > User Group.
On the User Group page, select the target user group and then click Actions > Delete.
In the Delete User Group? dialog, carefully read the risk warnings.

Results

Note: After a user group is deleted, all users within the group will no longer have the roles and shared resources inherited from that group.

上一篇System Management 下一篇Security Access Settings