Roles and Capabilities
Every member of a hub has an assigned role. The role dictates what capabilities the account has when viewing or managing resources within the hub. Every hub has a set of default roles, and new roles with custom capabilities can be added. Default roles can be edited or removed. Roles are also assigned to hub API keys.
Rank
A role's rank is its position in the hierarchy relative to other roles in the hub. The rank doesn't determine what capabilities are given to its members, but it does determine which other roles it can manage or give access to. The rank is a number from 0 to 9, though the special Owner role has rank 10.
For example, a rank 6 role could not create an invite for a rank 9 role. A role also cannot invite members at its own rank to the hub.
Default Roles
The default roles created for every hub, and their ranks, are:
Role | Rank |
---|---|
Owner / Root | 10 (This is a special super user role, so it's above the standard 0-9 rank.) |
Admin | 7 |
DevOps Engineer | 5 |
Developer | 4 |
Consultant | 2 |
Analyst | 1 |
Capabilities
Roles are made up of capabilities - granular permissions that define what a member or API key is capable of within a hub. A capability dictates whether or not the role has permission to perform an action at all within the hub, but can be further limited using ACLs.
When a new role is created, its exact capabilities can be selected, providing a highly customizable system for managing access within a hub.
Nearly everything on Cycle has an associated capability.
Capability | Description |
---|---|
api-keys-manage | Ability to manage API keys |
apionly-jobs-view | Ability to view jobs (API keys only) |
apionly-notifications-listen | Ability to listen to notifications (API keys only) |
autoscale-groups-manage | Ability to manage autoscale groups |
autoscale-groups-view | Ability to view autoscale groups |
billing-credits-view | Ability to view billing credits |
billing-invoices-pay | Ability to pay billing invoices |
billing-invoices-view | Ability to view billing invoices |
billing-methods-manage | Ability to manage billing methods |
billing-services-manage | Ability to manage billing services |
billing-services-view | Ability to view billing services |
containers-backups-manage | Ability to manage container backups |
containers-backups-view | Ability to view container backups |
containers-console | Ability to access container console |
containers-deploy | Ability to deploy containers |
containers-instances-migrate | Ability to migrate container instances |
containers-lock | Ability to lock containers |
containers-ssh | Ability to SSH into containers |
containers-manage | Ability to manage containers |
containers-view | Ability to view containers |
containers-functions-trigger | Ability to trigger container functions |
containers-volumes-manage | Ability to manage container volumes |
containers-volumes-view | Ability to view container volumes |
dns-certs-view | Ability to view DNS certificates |
dns-manage | Ability to manage DNS |
dns-view | Ability to view DNS |
environments-deployments-manage | Ability to manage environment deployments |
environments-manage | Ability to manage environments |
environments-scopedvariables-manage | Ability to manage environment scoped variables |
environments-scopedvariables-view | Ability to view environment scoped variables |
environments-services-manage | Ability to manage environment services |
environments-view | Ability to view environments |
environments-vpn | Ability to manage environment VPN |
environments-vpn-manage | Ability to manage environment VPN settings |
hubs-delete | Ability to delete hubs |
hubs-integrations-manage | Ability to manage hub integrations |
hubs-integrations-view | Ability to view hub integrations |
hubs-invites-manage | Ability to manage hub invites |
hubs-invites-send | Ability to send hub invites |
hubs-members-manage | Ability to manage hub members |
hubs-members-view | Ability to view hub members |
hubs-roles-manage | Ability to manage hub roles |
hubs-roles-view | Ability to view hub roles |
hubs-usage-view | Ability to view hub usage |
hubs-update | Ability to update hubs |
hubs-auditlog-view | Ability to view hub audit logs |
images-manage | Ability to manage images |
images-sources-manage | Ability to manage image sources |
images-sources-view | Ability to view image sources |
images-view | Ability to view images |
ips-manage | Ability to manage IP addresses |
servers-console | Ability to access server console |
servers-decommission | Ability to decommission servers |
servers-login | Ability to login to servers |
clusters-manage | Ability to manage clusters |
clusters-view | Ability to view clusters |
servers-provision | Ability to provision servers |
servers-manage | Ability to manage servers |
servers-view | Ability to view servers |
monitor-manage | Ability to manage monitor settings |
monitor-view | Ability to view monitor settings |
pipelines-manage | Ability to manage pipelines |
pipelines-trigger | Ability to trigger pipelines |
pipelines-view | Ability to view pipelines |
sdn-networks-manage | Ability to manage SDN networks |
sdn-networks-view | Ability to view SDN networks |
security-manage | Ability to manage security settings |
security-view | Ability to view security events |
stacks-builds-deploy | Ability to deploy stack builds |
stacks-builds-manage | Ability to manage stack builds |
stacks-manage | Ability to manage stacks |
stacks-view | Ability to view stacks |
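The following added example (not Cycle's own code) models how the rank rule and a capability combine when deciding which roles a member may invite. The ranks are the defaults listed above; the capability sets per role, the "Release Manager" custom role, and the choice of `hubs-invites-send` as the gating capability are assumptions made for illustration, and ACLs are not modelled.

```python
from dataclasses import dataclass

OWNER_RANK = 10  # special super-user rank, above the standard 0-9 range


@dataclass(frozen=True)
class Role:
    name: str
    rank: int
    capabilities: frozenset = frozenset()

    def __post_init__(self):
        # Only the Owner role may sit at rank 10; every other role is 0-9.
        top = OWNER_RANK if self.name == "Owner" else 9
        if not 0 <= self.rank <= top:
            raise ValueError(f"rank {self.rank} is not valid for role {self.name!r}")


def can_invite(inviter: Role, target: Role) -> bool:
    """The capability decides whether inviting is allowed at all;
    rank decides which roles the invite may grant."""
    if "hubs-invites-send" not in inviter.capabilities:
        return False
    # Strictly greater: equal rank is refused, as is any higher rank.
    return inviter.rank > target.rank


def invitable(inviter: Role, roles) -> list:
    """Names of the roles this inviter could hand out."""
    return [r.name for r in roles if can_invite(inviter, r)]


# Ranks are the page's defaults. The capability sets are constructed for
# this example and are not Cycle's actual default assignments.
SEND = frozenset({"hubs-invites-send", "hubs-members-view"})
VIEW = frozenset({"hubs-members-view"})
ROLES = [
    Role("Owner", 10, SEND), Role("Admin", 7, SEND),
    Role("DevOps Engineer", 5, SEND), Role("Developer", 4, VIEW),
    Role("Consultant", 2, VIEW), Role("Analyst", 1, VIEW),
    Role("Release Manager", 5, SEND),  # hypothetical custom role
]

if __name__ == "__main__":
    for role in ROLES:
        print(f"{role.name:16} rank {role.rank:2} -> {invitable(role, ROLES)}")
```

Running the same check over a hub's real role list before creating a custom role shows which existing roles could grant it, which is worth reviewing whenever a new role is given a high rank.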
Resource ACLs
In addition to the capabilities above, individual resources have their own customizable controls. ACLs further limit a role's access on a per-resource basis.
See the ACL documentation for more information.
API Keys
API keys are assigned a role when they are created. This unified system makes it much simpler to manage all access to a hub, no matter what interface (Portal, API, CLI) is used.