Settings

Concepts

• admin: The admin has super privileges over resources and shall be owned by the IT system administrator.
  • The admin can share instance offerings, disk offerings, networks, images, and other cloud resources with sub-accounts or revoke the resources from sub-accounts. Sub-accounts can only manage resources to which they are granted access.
  • The admin can modify resource quotas granted to a sub-account based on different business scenarios.
  • After the admin created a VXLAN pool, sub-accounts can create VXLAN networks based on the VXLAN pool.
  • Changing the owner of a VM instance will change the owner properties of the EIPs associated with the VM instance.
• Sub-account:
  • Sub-accounts can be categorized into local sub-accounts and SSO sub-accounts:
    • A local sub-account is created by the admin. An SSO sub-account is synced from an SSO authentication server.
      • SSO authentication: The SSO authentication service, powered by the Cloud, supports seamless access to SSO authentication systems. Through the service, related users can directly login to the Cloud and manage cloud resources. Currently, OIDC servers can be added.
        • OIDC server: An SSO authentication server that applies the OIDC protocol. It authenticates and authorizes SSO users to log into the Cloud without password and syncs user information to the Cloud based on the mapping rule.
    • A sub-account has management permissions on VM instances, images, volumes, and security groups created under the sub-account. A sub-account can perform read operations on resources shared by the admin, but cannot delete the resources.
    • Deleting a sub-account will delete all resources created by the sub-account, such as VM instances, volumes, and images.
    • The names of sub-accounts must be unique.
    • Resource quotas that the admin shares with a sub-account is displayed on the homepage of the sub-account.
    • Before a sub-account can create a VM instance, the admin must share an instance offering, disk offering, network, and other required resources with the sub-account. Otherwise, a VM instance cannot be created.
    • A sub-account can use an image that it adds to the Cloud or use an image shared by the admin.
• Quota:

  Resource quotas that the admin shares with a sub-account specify the maximum resources that the sub-account can manage, including computing resource quotas, storage resource quotas, network resource quotas, and other resource quotas.

  The admin uses the preceding resource quota settings to manage the maximum resources granted to sub-accounts. If a resource is deleted but not expunged, the resource still occupies storage space of primary storage and volumes.

SSO Rename