Role Mappings (nCloudDriver-RoleMappings)

Roles are used to specify the authorization to station resources for System Commands.

Figure 56. Example Cloud Role Mappings properties

The roles that are authorized in the cloud application are contained in the security token sent with a System Command. These are in a claim called "cloudroles", which is a comma separated list of text strings. For example: "cloudroles": "CloudRole-Manager, CloudRole-Operator". The Role Mappings component provides a way to match the cloud roles to actual roles on the station. So if the cloud role is "CloudRole-Operator", it can be mapped to the role of "CloudOperator" on the station.

Once configured, the station is ready to receive commands with the specified cloud roles. You need to add one role mapping for each cloud role contained in your security token. More than one cloud role can be mapped to the same station role if necessary.

Standard pre-configured roles

The Role Mappings component creates three standard station roles as a convenience. These are CloudReadonly, CloudOperator and CloudManager.

Figure 57. Standard pre-configured cloud roles

By default, each cloud role is “enabled” and has Viewable hierarchies set to “none”. The default values for the permissions of these roles are shown in the following table.

Standard role name	Default permissions
CloudReadonly	`1=r; 2=r`
CloudOperator	`1=rwi; 2=r`
CloudManager	`1=rwiRWI; 2=rwi`

These can be removed if necessary. Any role can be created for use with the Role Mappings component.

To prevent these standard roles from being created upon station start up, set the property Reassert Missing Standard Roles in the Role Mappings component to “false”.

To recreate these standard roles, set the property Reassert Missing Standard Roles in the Role Mappings component to “true”. The standard roles will be created upon station start. If the standard roles are already present in the Role Service, they will not be replaced.

NOTE: If the permissions of the standard roles are modified, the modified permissions will remain in effect. If the Standard Role is being used by any RoleMapping in the Cloud Authentication Scheme, then the role will be disabled in that Role Mapping upon the next station start. A warning (like the example shown) is logged in the Application Director when this event occurs:

WARNING [12:18:24 28-Nov-18 EST][ncloud.security] Permissions for role CloudOperator (1=rwi;2=rwiRWI) have been changed from default value of 1=rwi;2=r. The RoleMapping (RoleMapping-Operator) that maps to this role has been disabled.

Name	Value	Description
Reassert Missing Standard Roles	true (default), false	Enables/disables creation of the standard pre-configured roles. Setting this to “false” will prevent the standard roles from being created upon station start. When set to “true” a check is made (only on station startup), and for each of the three standard roles: if the role is missing, it is created with the default permissions if the role exists with the default permissions, nothing is done if the role exists with permissions different than the default, any Cloud RoleMapping that references this role will have the Station Role property cleared. The role itself is not changed. If the role permissions are changed during station operation, nothing is done until the next station start.
RoleMapping	Name you give the component when you add it to the role mappings. For example, “RoleMapping-Operator”.	Matches a cloud role to an actual role on the station.
Cloud Role		Set this property to the exact name of one of the cloud roles specified in the claim in your security token (described in the section, “Standard pre-configured roles”).
Station Role	additional properties	Set this property to the exact name of an existing role in the Role service of the station. NOTE: Do not enter the default “Admin” role for the Station Role. Any role mapping with a station role of Admin will be ignored for security reasons. For details on standard roles, see the section on “Standard pre-configured roles”.