Concepts
Users
Console user accounts are created by the sponsor's master account via invitation, regardless of the authentication directory in use.
Credentials are global to your Organization.
Note: Identity federation is managed at the organization level.
Creating a User Account in Your Organization
Creating a user account in your organization is done via invitation. To invite a user to an Organization, go to the 'Administration' menu on the left side of your screen, on the green banner, then select the 'Users' submenu.
Click the 'New User' button from the Users page.
Next, enter the user's email address.
The user will then receive a verification email.
Once verification is complete, the user will be able to log in to the console.
Assigning Permissions to a User
User rights management is performed from the user page.
By default, a user has no rights. Therefore, the administrator who sent the invitation must assign the necessary rights for the user's activities. Simply click on the user's 'Actions' menu and select the 'Edit' option.
The permissions activation menu then appears:
Permission configuration must be done for each Tenant within the Organization.
The list of permissions and their definitions is available here.
Re-enrollment of a User
When a user has been provisioned but did not validate their registration within the expiration period of the email sent by the Console, they can no longer confirm their registration. In such cases, it is possible to resend a link so the user can renew their initial registration.
To re-enroll a user, go to the 'User' tab in the Administration panel, located at the bottom-left of the screen.
Select the user you wish to re-enroll, then click the action button at the end of the row and choose 'Re-enrollment'.
Warning: Make sure you are the original requester of the re-enrollment for your user account. Please report any requests that do not originate from you via a support ticket.
Update Your Profile
This action is available only for local accounts (non-SSO).
Go to your 'Profile', located in the top-right corner of the screen, then select 'User Settings' and choose the 'Update Your Profile' action.
Next, go to your email inbox and click on the link generated by the Console. Simply follow the steps to update your profile.
Warning: Make sure you are the original requester of the profile update. Please report any requests that do not originate from you via a support ticket.
Password Reset
This action is available only for local accounts (non-SSO).
Go to your 'Profile', located in the top-right corner of the screen, then select 'User Settings' and choose the 'Reset Password' action.
Next, go to your email inbox and click on the link generated by the Console. Simply follow the steps to update your password.
Warning: Make sure you are the one initiating the password reset request. Please report any requests that do not come from you via a support ticket.
Reset Multi-Factor Authentication (MFA)
This action is available only for local accounts (non-SSO).
Go to your 'Profile', located in the top-right corner of the screen, then select 'User Settings' and choose the 'Reset MFA' action.
Next, go to your email inbox and click on the link generated by the Console. Simply follow the steps to update your multi-factor authentication.
Warning: Ensure you are the one initiating the MFA reset request. Please report any requests that do not originate from you via a support ticket.
Deleting a User
To delete a user, go to the 'Users' tab in the Administration panel, located in the bottom-left corner of the screen.
Select the user you wish to delete, then click the action button at the end of the row and choose 'Delete'.
Note: You cannot delete yourself, and you cannot delete a user marked as 'Owner'.
Sign Out
To sign out a user, go to their 'Profile', located in the top right corner of the screen, then select 'Sign Out'.
Automatic sign out occurs when the session's JWT token expires.
Change a user's language
Changing a user's language is done in their 'Profile', located in the top-right corner of the screen, under 'User Settings'.
The configuration is set individually for each Tenant.
Thematic Notifications Subscription
Managing subscriptions allows you to receive emails related to activated themes, automatically sent when corresponding events occur.
This feature is accessible in the user profile, under the "My Subscriptions" tab:
For example, in case of an incident, specific email notifications related to this theme will be generated.
The list of available themes may evolve and gradually expand to adapt to changing operational needs and environment requirements.
Permissions
The Console enables fine-grained management of user rights within an organization, with segregation by tenant.
Initially, it is the primary account of the sponsor that allows the initial configuration of accounts and associated permissions.
Subsequently, the 'iam_write' permission enables an account to manage the permissions of other users.
Available Permissions for Users in Your Organization
When a user is created, they have no permissions by default. Each permission is assigned individually and operates independently, without overlap with other permissions. Permissions are applied in conjunction, meaning a user must possess all required permissions to perform a specific action.
The following permissions are configurable for each user and for each tenant in your organization:
- "read" permissions: Allow only viewing of resources, with no ability to modify them.
- "write" permissions: Permit modification of configurations.
- "management" permissions: Enable advanced management of resources.
- "console_access" permissions: Allow remote console (PMAD-style) connections to resources.
- "virtual_machine_power" permissions: Permit management of a virtual machine's power state.
These are permissions, not roles. As such, both READ and WRITE permissions are required to modify a configuration.
Last updated: 07/16/2025
| Permission Name | Permission Description |
|---|---|
| activity_read | View logs and activity records |
| activity_write | Manage logs and activity records |
| backup_iaas_opensource_read | View backup resources – OpenIaaS offering |
| backup_iaas_opensource_write | Modify backup resources – OpenIaaS offering |
| backup_iaas_spp_read | View backup resources – VMware offering |
| backup_iaas_spp_write | Modify backup resources – VMware offering |
| bastion_read | View bastion resources |
| bastion_write | Manage bastion resources (appliances, sessions, etc.) |
| bastion_console_access | Grant access to the console (SSH/RDP) of a resource protected by a bastion appliance |
| compute_iaas_opensource_console_access | Open the console of a virtual machine – OpenIaaS offering |
| compute_iaas_opensource_infrastructure_read | View advanced data of Xen Orchestra resources – OpenIaaS offering |
| compute_iaas_opensource_infrastructure_write | Advanced management of Xen Orchestra resources – OpenIaaS offering |
| compute_iaas_opensource_read | View virtual machine resources – OpenIaaS offering |
| compute_iaas_opensource_management | Manage virtual machine resources – OpenIaaS offering |
| compute_iaas_opensource_virtual_machine_power | Manage the power state of a virtual machine – OpenIaaS offering |
| compute_iaas_opensource_replication_recover | Manage replication – OpenIaaS offering |
| compute_iaas_vmware_console_access | Open the console of a virtual machine – VMware offering |
| compute_iaas_vmware_infrastructure_read | View advanced data of VMware resources (affinity/anti-affinity rules, DRS configuration, etc.) – VMware offering |
| compute_iaas_vmware_infrastructure_write | Advanced management of VMware resources – VMware offering |
| compute_iaas_vmware_read | View virtual machine resources – VMware offering |
| compute_iaas_vmware_management | Manage virtual machine resources – VMware offering (includes virtual machine encryption) |
| compute_iaas_vmware_virtual_machine_power | Manage the power state of a virtual machine – VMware offering |
| baremetal_management | Manage bare metal resources – Bare Metal offering |
| baremetal_read | View bare metal resources – Bare Metal offering |
| baremetal_console_access | Open the console of a bare metal server – Bare Metal offering |
| console_public_access_read | View IP addresses authorized to access the console |
| console_public_access_write | Add IP addresses authorized to access the console |
| documentation_read | View Confluence documentation resources |
| housing_read | View colocation resources |
| iam_offline_access | Create and delete Personal Access Tokens (PATs) |
| iam_read | View user permissions |
| iam_write | Manage user permissions |
| intervention_read | View planned changes and production deployments on the platform |
| inventory_read | View inventory resources |
| inventory_write | Manage inventory resources |
| monitoring_read | View monitoring data |
| monitoring_write | Manage monitoring |
| metric_read | View health metrics for virtual machines and hosts |
| network_read | View network resources |
| network_write | Manage network resources |
| order_read | View infrastructure orders |
| order_write | Create infrastructure orders |
| object-storage_iam_management | Manage storage accounts on the S3 product |
| object-storage_read | View buckets and bucket configurations |
| object-storage_write | Edit buckets and bucket configurations |
| openshift_management | Connect to OpenShift platforms (scoped to tenant) |
| support_management | View all support tickets for the tenant |
| support_read | View your own support tickets for the tenant |
| support_write | Create a support ticket for the tenant |
| tag_read | View tags, excluding RTMS tags |
| tag_write | Manage tags, excluding RTMS tags |
| ticket_comment_read | View comments |
| ticket_comment_write | Manage comments |
| ticket_read | View tickets |
| ticket_write | Manage tickets |
| incident_management | Manage incidents |
| incident_read | View incidents |
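The rules above (no rights by default, grants scoped per tenant, conjunctive checks where read and write are both required, owners holding every permission of their tenant's products and being neither editable nor deletable, no self-deletion) can be modelled in a few functions. This is an added example, not Cloud Temple's code: the product-to-permission mapping and the action-to-permission mapping are constructed assumptions drawn from the table above.

```python
"""Toy model of the permission rules this page describes (added example, not
Cloud Temple's own code): per-tenant grants, conjunctive checks and owner rules."""
from dataclasses import dataclass, field

# Constructed subset of the table above: which permissions each product enables.
PRODUCT_PERMISSIONS = {
    "iam": {"iam_read", "iam_write", "iam_offline_access"},
    "compute_vmware": {"compute_iaas_vmware_read", "compute_iaas_vmware_management",
                       "compute_iaas_vmware_virtual_machine_power"},
}

# Hypothetical action -> required permissions. These are permissions, not roles,
# so a user must hold every permission in the set (read AND write to modify).
ACTION_REQUIREMENTS = {
    "edit_vm_config": {"compute_iaas_vmware_read", "compute_iaas_vmware_management"},
    "power_vm": {"compute_iaas_vmware_read", "compute_iaas_vmware_virtual_machine_power"},
    "edit_user_permissions": {"iam_read", "iam_write"},
}

@dataclass
class Tenant:
    name: str
    enabled_products: set[str]
    owners: set[str] = field(default_factory=set)
    grants: dict[str, set[str]] = field(default_factory=dict)  # user -> permissions

def effective_permissions(tenant: Tenant, user: str) -> set[str]:
    """Owners get every permission of the products enabled in the tenant;
    everyone else gets exactly what was granted, which is nothing by default."""
    if user in tenant.owners:
        return set().union(*(PRODUCT_PERMISSIONS[p] for p in tenant.enabled_products))
    return set(tenant.grants.get(user, set()))

def can(tenant: Tenant, user: str, action: str) -> bool:
    """Conjunctive check: allowed only if all required permissions are held."""
    return ACTION_REQUIREMENTS[action] <= effective_permissions(tenant, user)

def set_permissions(tenant: Tenant, actor: str, target: str, perms: set[str]) -> None:
    """The actor needs IAM rights in this tenant; owners cannot be edited."""
    if not can(tenant, actor, "edit_user_permissions"):
        raise PermissionError(f"{actor} lacks iam_read+iam_write in {tenant.name}")
    if target in tenant.owners:
        raise ValueError(f"{target} is an owner; owner permissions cannot be modified")
    tenant.grants[target] = set(perms)

def can_delete_user(actor: str, target: str, tenants: list[Tenant]) -> bool:
    """You cannot delete yourself or a user marked as owner on any tenant."""
    return actor != target and not any(target in t.owners for t in tenants)
```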
Organizations
An organization is linked to your sponsor account and the associated Cloud Temple contract. It represents your entity (company, department, team, etc.) that holds the contractual relationship between Cloud Temple and you.
Principle of an Organization
An organization has four main roles:
- It represents the contractual entity for tracking and billing purposes,
- It defines the global configuration of the authentication mechanism: authentication can be local at the Console level or remote via an identity federation service,
- It manages all user accounts,
- It federates tenants (Production, Preproduction, Dev, Application 1, Application 2, ...) that you define for your Cloud architecture needs.
User roles (rights/permissions) are configurable for each tenant defined within your organization. For example, a user account may be authorized to provision resources in one tenant but not in another.
Authentication Mechanisms
The Console allows you to configure the authentication mechanism at the organization level. You can use the Console's built-in local authentication directory, or connect your organization to one of your external authentication directories.
The following external authentication directories are supported:
- OpenID Connect-compatible directories
- SAML-compatible directories
- Microsoft ADFS
- Microsoft EntraID (Microsoft Azure Active Directory)
- Amazon AWS Cognito
- Okta
- Auth0
- Keycloak
An email address is required for all accounts originating from an identity federation. Accounts created without an email address will not be able to log in and may be automatically deleted.
Tenant
A tenant is a grouping of resources within an organization. An Organization has at least one tenant (called the default tenant, which can be renamed). Typically, multiple tenants are used to segment responsibilities or technical boundaries.
For example:
- A Production tenant
- A Pre-production tenant
- A Testing tenant
- A Qualification tenant
It is also possible to organize tenants based on an application view or by criticality:
- An Application 1 or Criticality 1 tenant
- An Application 2 or Criticality 2 tenant
- ...
Technical resources ordered are assigned to a specific tenant and are not shared with other tenants. For example, a hypervisor cluster and its associated L2 networks are available only within one tenant.
Regarding networks, it is possible to request cross-tenant networks to ensure network continuity across tenants.
User permissions must be defined within each tenant. Therefore, each organization must carefully consider the desired tenants. This aspect is typically addressed during the initial workshop, at the time of organization creation.
It is possible to evolve the architecture by adding or removing tenants.
A tenant cannot be empty. It must be initialized with a minimum set of resources:
- An availability zone (AZ, i.e., a physical datacenter),
- A compute cluster,
- A storage space,
- A network VLAN.
| Order reference | Unit | SKU |
|---|---|---|
| TENANT - (REGION) - Activate a tenant | 1 tenant | csp:tenant:v1 |
| TENANT - (REGION) - Activate a zone of availability | 1 tenant | csp:(region):iaas:az:v1 |
Owner Management on a Tenant
Each tenant has at least one owner, ensuring clear accountability and efficient management of associated resources. Additionally, it is possible to designate multiple owners for a single tenant, enabling collaboration and shared decision-making. Below are important considerations to keep in mind when managing these owners.
Important Information on Owner Management
1. Number of Owners
- There is no technical limit on the number of owners that can be defined for the tenant.
- The management interface (UI) issues a warning when more than 3 owners are present, encouraging the limitation of the number of owners for security reasons and optimal access management.
2. Adding a new owner
- When adding a new owner, updating their permissions may take up to 60 minutes.
- This propagation time is normal and ensures that access rights are correctly applied across all associated services and resources.
3. Owner Permissions
- An owner will be granted all permissions associated with the products enabled in their tenant.
- It is not possible to modify the permissions of an owner.
4. Removing an Owner
- To remove an owner from the tenant, the user must submit a request to support.
- This procedure ensures that changes to access rights are made securely and in compliance with best practices for access management.
Access Permission to a Tenant: Allowed IPs
Access to the cloud management console is strictly limited to previously authorized IP addresses, in compliance with the SecNumCloud certification requirements. This restriction ensures a heightened level of security by allowing access only from specified IP ranges, thereby minimizing the risk of unauthorized access and protecting the cloud infrastructure according to the highest security standards.
Note: Removing an authorized IP requires a support request via the Cloud Temple console.
Resource Consumption within a Tenant
It is possible to visualize cloud resources consumed within a tenant, providing a detailed view of the usage of various deployed services. This feature enables users to monitor resource consumption in real time, identify the most heavily used services, and optimize resource utilization according to their needs.
In the console menu, click on "Consumption Report" and then select the desired time period. You will then be able to view detailed cloud resource consumption over the specified period, allowing you to analyze service usage and optimize your management accordingly:
