Concepts
Users
Access accounts for the Console are created by the sponsor's master account via invitation (regardless of the authentication repository used).
Credentials are global to your Organization.
Note: Identity federation is managed at the organization level
Creating a user account in your organization
A user account in your organization is created via an invitation. To invite a user into an organization, navigate in the left menu bar (green bar) to 'Administration' and then to the 'Users' submenu.
Click the 'New user' button on the Users page.
Then enter the user's email address.
The user then receives a confirmation email.
Once the verification is complete, the user can log in to the Console.
Assigning permissions to a user
User permissions are managed from the Users page.
By default, a user has no permissions. The administrator who sent the invitation must therefore grant the permissions required for the user's activity. To do so, simply click the user's 'Actions' menu and choose the 'Edit' option.
The menu for enabling permissions is then displayed:
Permissions must be configured separately for each tenant of the organization.
The list of permissions and their definitions is available here.
Re-registration of a user
When a user has been provisioned but did not validate their registration within the expiration period of the email sent by the Console, they can no longer confirm their registration. In such cases, it is possible to resend a link allowing the user to renew their initial registration.
To re-register a user, go to the 'User' tab in the Administration panel, located in the lower-left corner of the screen.
Select the user you wish to re-register, then click the action button at the end of the corresponding row and choose 'Re-registration'.
Warning: Make sure you are the original requester of the re-registration for your user account. Please report any requests that do not originate from you via a support ticket.
Update your profile
This action is only available for local accounts (non-SSO).
Go to your 'Profile', located in the top right corner of the screen, then select 'User Settings' and choose the 'Update your profile' action.
Next, go to your email inbox and click on the link generated by the Console. Simply follow the steps to update your profile.
Warning: Make sure you are the original requester of the profile update. Please report any requests that do not originate from you via a support ticket.
Password Reset
This action is available only for local accounts (non-SSO).
Go to your 'Profile', located in the top right corner of the screen, then select 'User Settings' and choose the 'Reset Password' action.
Next, go to your email inbox and click on the link generated by the Console. Simply follow the steps to update your password.
Warning: Make sure you are the one initiating the password reset request. Please report any requests that do not originate from you via a support ticket.
Reset of Two-Factor Authentication
This action is only available for local accounts (non-SSO).
Go to your 'Profile', located in the top right corner of the screen, then select 'User Settings' and choose the 'Reset MFA' action.
Next, go to your email inbox and click on the link generated by the Console. Simply follow the steps to update your two-factor authentication.
Warning: Make sure you are the one initiating the request to reset your two-factor authentication. Please report any requests that do not originate from you via a support ticket.
Deleting a user
To delete a user, go to the 'Users' tab in the Administration panel, located in the lower-left corner of the screen.
Select the user you wish to delete, then click the action button at the end of the row and choose 'Delete'.
Note: You cannot delete yourself, and you cannot delete a user marked as 'Owner'.
Disconnect
To log out a user, go to their 'Profile', located in the top right corner of the screen, and select 'Log out'.
Automatic logout occurs when the session's JWT token expires.
Change the language of a user
Changing a user's language is done in their 'Profile', located in the top right corner of the screen, under 'User Settings'.
The setting is configured individually for each tenant.
Thematic Notifications Subscription
Managing subscriptions allows you to receive emails related to activated themes, which are automatically sent when corresponding events occur.
This feature is accessible in the user profile, under the "My Subscriptions" tab:
For example, in the event of an incident, specific email notifications related to this theme will be generated.
The list of available themes may evolve and gradually expand to adapt to changing operational needs and environment requirements.
Permissions
The Console allows for fine-grained management of user rights within an organization, with segregation by tenant.
Initially, it is the primary account of the sponsor that enables the initial configuration of accounts and associated permissions.
Subsequently, the 'iam_write' permission allows an account to manage the permissions of other users.
Available permissions for users in your organization
When a user is created, they have no permissions by default. Each permission is assigned individually and operates in isolation, without overlap with other permissions. Permissions are applied in conjunction, meaning a user must have all required permissions to perform a specific action.
The following permissions are configurable for each user and for each tenant in your organization:
- "read" permissions: allow only reading resources, without the ability to modify them.
- "write" permissions: permit modification of configurations.
- "management" permissions: enable advanced management of resources.
- "console_access" permissions: allow PMAD-style connections to resources.
- "virtual_machine_power" permissions: enable power management of a virtual machine.
These are permissions, not roles. As such, both READ and WRITE permissions are required to modify a configuration.
Last updated: 16/07/2025
| Permission name | Permission description |
|---|---|
| activity_read | View logs and activity records |
| activity_write | Manage logs and activity records |
| backup_iaas_opensource_read | View backup resources – OpenIaaS offering |
| backup_iaas_opensource_write | Modify backup resources – OpenIaaS offering |
| backup_iaas_spp_read | View backup resources – VMware offering |
| backup_iaas_spp_write | Modify backup resources – VMware offering |
| bastion_read | View bastion resources |
| bastion_write | Manage bastion resources (appliances, sessions, etc.) |
| bastion_console_access | Grant access to the console (SSH/RDP) of a resource protected by a bastion appliance |
| compute_iaas_opensource_console_access | Open the console of a virtual machine – OpenIaaS offering |
| compute_iaas_opensource_infrastructure_read | View advanced data of Xen Orchestra resources – OpenIaaS offering |
| compute_iaas_opensource_infrastructure_write | Advanced management of Xen Orchestra resources – OpenIaaS offering |
| compute_iaas_opensource_read | View virtual machine resources – OpenIaaS offering |
| compute_iaas_opensource_management | Manage virtual machine resources – OpenIaaS offering |
| compute_iaas_opensource_virtual_machine_power | Manage power state of a virtual machine – OpenIaaS offering |
| compute_iaas_opensource_replication_recover | Manage replication – OpenIaaS offering |
| compute_iaas_vmware_console_access | Open the console of a virtual machine – VMware offering |
| compute_iaas_vmware_infrastructure_read | View advanced data of VMware resources (affinity/anti-affinity rules, DRS configuration, etc.) – VMware offering |
| compute_iaas_vmware_infrastructure_write | Advanced management of VMware resources – VMware offering |
| compute_iaas_vmware_read | View virtual machine resources – VMware offering |
| compute_iaas_vmware_management | Manage virtual machine resources – VMware offering (includes virtual machine encryption) |
| compute_iaas_vmware_virtual_machine_power | Manage power state of a virtual machine – VMware offering |
| baremetal_management | Manage bare metal resources – Bare Metal offering |
| baremetal_read | View bare metal resources – Bare Metal offering |
| baremetal_console_access | Open console of a bare metal server – Bare Metal offering |
| console_public_access_read | View IP addresses authorized to access the console |
| console_public_access_write | Add IP addresses authorized to access the console |
| documentation_read | View Confluence documentation resources |
| housing_read | View colocation resources |
| iam_offline_access | Create and delete Personal Access Tokens (PATs) |
| iam_read | View user permissions |
| iam_write | Manage user permissions |
| intervention_read | View planned changes and production deployments on the platform |
| inventory_read | View inventory resources |
| inventory_write | Manage inventory resources |
| monitoring_read | View monitoring data |
| monitoring_write | Manage monitoring |
| metric_read | View health metrics for virtual machines and hosts |
| network_read | View network resources |
| network_write | Manage network resources |
| order_read | View infrastructure orders |
| order_write | Create infrastructure orders |
| object-storage_iam_management | Manage storage accounts on the S3 product |
| object-storage_read | View buckets and bucket configurations |
| object-storage_write | Edit buckets and bucket configurations |
| openshift_management | Connect to OpenShift platforms (scoped to tenant) |
| support_management | View all support tickets for the tenant |
| support_read | View own support tickets for the tenant |
| support_write | Create a support ticket for the tenant |
| tag_read | View tags, excluding RTMS tags |
| tag_write | Manage tags, excluding RTMS tags |
| ticket_comment_read | View comments |
| ticket_comment_write | Manage comments |
| ticket_read | View tickets |
| ticket_write | Manage tickets |
| incident_management | Manage incidents |
| incident_read | View incidents |
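The per-tenant, conjunctive permission model described above (each action needs all of its permissions, and an Owner holds every permission enabled in the tenant), together with the deletion rules from the 'Deleting a user' section, as an added Python illustration that is not Cloud Temple's own code. The permission names come from the table; the mapping of actions to required permissions, the tenants and the users are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    # tenant name -> permissions granted in that tenant (permissions are scoped per tenant)
    permissions: dict[str, set[str]] = field(default_factory=dict)
    # tenants in which the user is marked as Owner
    owner_of: set[str] = field(default_factory=set)

# Permissions enabled in each tenant (constructed sample; in practice this follows the products ordered)
TENANT_PERMISSIONS = {
    "production": {"network_read", "network_write", "iam_read", "iam_write",
                   "compute_iaas_vmware_read", "compute_iaas_vmware_console_access"},
    "preproduction": {"network_read", "network_write"},
}

# Each action lists the permissions that must ALL be held (conjunction, no roles).
# Which permissions an action needs is an assumption made for this illustration.
REQUIRED = {
    "modify_network": {"network_read", "network_write"},
    "open_vmware_console": {"compute_iaas_vmware_read", "compute_iaas_vmware_console_access"},
    "manage_user_permissions": {"iam_read", "iam_write"},
}

def effective_permissions(user: User, tenant: str) -> set[str]:
    """An Owner holds every permission enabled in the tenant; anyone else only what was granted there."""
    if tenant in user.owner_of:
        return set(TENANT_PERMISSIONS.get(tenant, set()))
    return set(user.permissions.get(tenant, set()))

def missing_permissions(user: User, tenant: str, action: str) -> list[str]:
    """Permissions the user still lacks for the action in this tenant (empty list means allowed)."""
    return sorted(REQUIRED[action] - effective_permissions(user, tenant))

def is_allowed(user: User, tenant: str, action: str) -> bool:
    return not missing_permissions(user, tenant, action)

def can_delete_user(actor: User, target: User) -> tuple[bool, str]:
    """Deletion rules from the page: you cannot delete yourself or a user marked as Owner."""
    if actor.email == target.email:
        return False, "cannot delete yourself"
    if target.owner_of:
        return False, "cannot delete a user marked as Owner"
    return True, "ok"

# Constructed users: read-only, read+write in one tenant only, and a tenant Owner
alice = User("alice@example.test", {"production": {"network_read"}})
bob = User("bob@example.test", {"production": {"network_read", "network_write"}})
owner = User("owner@example.test", owner_of={"production"})
```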
Organizations
The organization is linked to your sponsor account and the associated Cloud Temple contract. It represents your entity (company, department, team, ...) that carries the contractual relationship between Cloud Temple and you.
Principle of an Organization
An organization has four major roles:
- It represents the contractual entity for tracking and billing purposes,
- It defines the global configuration of the authentication mechanism: authentication can be local at the Console level or remote via an identity federation service,
- It manages all user accounts,
- It federates tenants (Production, Preproduction, Dev, Application 1, Application 2, ...) that you define for your Cloud architecture needs.
User roles (rights/permissions) are configurable for each tenant defined within your organization. For example, a user account may be authorized to provision resources in one tenant but not in another.
Authentication Mechanisms
The Console allows you to configure the authentication mechanism at the organization level. You can use the Console's built-in local authentication directory, or connect your organization to one of your external authentication directories.
The following external authentication directories are supported:
- OpenID Connect-compatible directories,
- SAML-compatible directories,
- Microsoft ADFS
- Microsoft EntraID (Microsoft Azure Active Directory)
- Amazon AWS Cognito
- Okta
- Auth0
- Keycloak
An email address is required for all accounts originating from an identity federation. Accounts created without an email address will not be able to log in and may be automatically deleted.
Tenant
The tenant is a grouping of resources within an organization. An organization has at least one tenant (the default tenant, which can be renamed). Typically, several tenants are used to segment responsibilities or technical areas.
Examples:
- A Production tenant
- A Preproduction tenant
- A Test tenant
- A Qualification tenant
It is also possible to organize the structure from an application perspective or by criticality:
- An Application 1 or Criticality 1 tenant
- An Application 2 or Criticality 2 tenant
- ...
Technical resources that are ordered are assigned to a specific tenant and are not shared with other tenants. For example, a hypervisor cluster and its associated L2 networks are available only within a single tenant.
For networks, it is possible to request "cross-tenant" networks to ensure continuous network connectivity between different tenants.
User permissions must be defined within each tenant. Each organization should therefore think carefully about the tenants it wants. This point is usually addressed in an initialization workshop at the time the organization is created.
The architecture can be extended by adding or removing tenants.
A tenant must not be empty. It must be initialized with at least the following resources:
- An availability zone (AZ, i.e. a physical data center location),
- A compute cluster,
- A storage space,
- A VLAN network.
| Order reference | Unit | SKU |
|---|---|---|
| TENANT - (REGION) - Activation of a tenant | 1 Tenant | csp:tenant:v1 |
| TENANT - (REGION) - Activation of an availability zone | 1 Tenant | csp:(region):iaas:az:v1 |
Owner Management for a Tenant
Each tenant has at least one owner, ensuring clear accountability and efficient management of associated resources. Additionally, it is possible to designate multiple owners for a single tenant, enabling collaboration and shared decision-making. Below are important considerations to keep in mind when managing these owners.
Important information regarding owner management
1. Number of Owners
- There is no technical limit on the number of owners that can be defined for the tenant.
- The management interface (UI) issues a warning when more than 3 owners are present, encouraging the limitation of the number of owners for security reasons and optimal access management.
2. Adding a new owner
- When adding a new owner, updating their permissions may take up to 60 minutes.
- This propagation time is normal and ensures that access rights are correctly applied across all associated services and resources.
3. Permissions of an owner
- An owner will be assigned all permissions associated with the products enabled in their tenant.
- It is not possible to modify the permissions of an owner.
4. Removal of an owner
- To remove an owner from the tenant, the user must submit a request to support.
- This procedure ensures that changes to access rights are carried out securely and in accordance with best practices for access management.
Access Authorization for a Tenant: Allowed IPs
Access to the cloud management console is strictly limited to previously authorized IP addresses, in compliance with the SecNumCloud certification requirements. This restriction ensures a heightened level of security by allowing access only from specified IP ranges, thereby minimizing the risk of unauthorized access and protecting the cloud infrastructure according to the highest security standards.
Note: Removing an authorized IP requires a support request via the Cloud Temple console.
Resource Consumption within a Tenant
It is possible to visualize the cloud resources consumed within a tenant, providing a detailed view of the usage of various deployed services. This feature enables users to monitor resource consumption in real time, identify the most heavily used services, and optimize their usage according to their needs.
In the console menu, click on "Consumption Report" and select the desired time period. You will then be able to view detailed cloud resource consumption over the specified period, allowing you to analyze service usage and optimize your management accordingly:
