Operational Management

Tenant Management #

What is Tenant Management? #

Tenant Management allows users to create and manage their organization structures based on their actual business scenarios. It also provides features such as project-based resource access control, ticket management, and independent zone management.

The Tenant Management feature is provided in a separate module. Before you can use this feature, you need to purchase the Plus License of Tenant Management, in addition to the Base License.

Definitions #

Definitions related to Tenant Management:

  • Personnel and Permissions: The Tenant Management system is structured on the basis of personnel and permissions. You can create departments and roles based on your business needs, and grant a variety of permissions to your users.
  • Organization: Organization is the basic unit in Tenant Management. You can create an organization or synchronize an organization through 3rd-party authentication. Organizations are categorized into the default department and customized departments. You can customize a new team and a sub-department. The new team, usually a company or a subcompany (subsidiary), can be used to create multi-level departments. The organizational structure tree is displayed in cascade, so you can directly get a complete picture of the organization structure. Note: Project members can view only the organization structure to which their team belongs.
  • User: A user is a natural person and the most basic unit in Tenant Management. ZStack Cloud has local users and 3rd-party users.
    • Local User: A user that is created on the Cloud. A local user can be added to an organization or a project, and attached to a role.
    • 3rd-Party User: A user that is synchronized to the Cloud through 3rd-party authentication. A 3rd-party user can be added to an organization or a project, attached to a role, or changed to a local user.
    Note:
    • To log in to the Cloud, tenant management users need to use the Tenant login entry.
      • Local users log in to the Cloud via the Local User entry.
      • AD/LDAP users log in to the Cloud via the AD/LDAP User entry.
      • OIDC/OAuth2/CAS users log in to the Cloud from the 3rd-party application without the password.
    • The admin and platform manager can view the list of all users.
    • If you created an organizational structure tree on the Cloud, platform members can view only the list of users belonging to the organizational structure. If you did not create any organizational structure tree, platform members can view all users.
  • User Group: A user group is a collection of natural persons or a collection of project members. You can use a user group to grant permissions.
  • Role: A role is a collection of permissions that can be granted to users. A user that assumes a role can call API operations based on the permissions specified by the role. Roles are categorized into platform roles and project roles.
    • Platform Role: After a user has a platform role attached, the user will have the management permission of the corresponding zone. Permissions of a platform role take effect only in the zone managed by the user.
    • Project Role: After a user joins a project and has a project role attached, the user has the permission to use the project and manage the data in the project.
    Note:
    • One user can have both platform roles and project roles attached.
    • One user can have more than one platform role or project role attached.
    • In a project, if a user has multiple project roles attached, the user will have all the permissions attached to the project roles.
  • 3rd-party Authentication: The 3rd-party authentication service provided by the Cloud. It supports seamless access to 3rd-party authentication systems. Through the service, related users can directly log in to the Cloud and manage cloud resources. Currently, AD/LDAP/OIDC/OAuth2/CAS servers can be added.
    • AD authentication: Active Directory (AD) is a directory service designed for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter Server. AD provides an independent, standard login authentication system for increasingly diverse office applications. AD users or organizations can be synchronized to the user list or organization of ZStack Cloud via an AD server, while specified AD login attributes can be used to directly log in to ZStack Cloud.
    • LDAP authentication: Lightweight Directory Access Protocol (LDAP) can provide a standard directory service that offers an independent, standard login authentication system for increasingly diverse office applications. LDAP users can be synchronized to the user list of ZStack Cloud via an LDAP server, while specified LDAP login attributes can be used to directly log in to ZStack Cloud.
    • OIDC authentication: OpenID Connect (OIDC) is a set of authentication protocols based on the OAuth2 protocol, and it allows clients to verify the user identity and obtain basic user configuration information. The user information can be synchronized to the Cloud according to the mapping rules via an OIDC server, and users of the OIDC authentication system can log in to the Cloud without the password.
    • OAuth2 authentication: Open Authorization 2.0 (OAuth2) is a set of authorization protocol standards that can authenticate and authorize users to access related resources. The Cloud currently only supports authorization through the authorization code. The user information can be synchronized to the Cloud according to the mapping rules via an OAuth2 server, and users of the OAuth2 authentication system can log in to the Cloud without the password.
    • CAS authentication: Central Authentication Service (CAS) is a set of single sign-on protocols that allow website applications to authenticate users. The user information can be synchronized to the Cloud according to the mapping rules via a CAS server, and users of the CAS authentication system can log in to the Cloud without the password.
  • Project Management: Project management allows you to schedule resources based on projects. You can create an independent resource pool for a specific project. In this way, you can better manage the project lifecycle (including determining time, quotas, and permissions), improve cloud resource utilization at a granular, automated level, and strengthen collaboration between project members.
  • Project: A project is a task that needs to be accomplished by specific personnel at a specified time. In Tenant Management, you can plan resources at the project granularity and allocate an independent resource pool to a project. The word Tenant in Tenant Management mainly refers to projects. A project is a tenant.
    • When you create a project, you need to specify the resource quotas and reclaim policy, and add project members.
    • The basic resources on the Cloud (instance offerings, images, networks, and other resources) should be shared or created in advance.
  • Ticket Management: To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can apply for tickets to obtain cloud resources. Tickets are reviewed and approved according to custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available: apply for VM instances, delete VM instances, modify VM configurations, modify project cycles, and modify project quotas.
  • Process Management: Process management is part of ticket management that manages the processes related to the resources of projects. Processes can be categorized into default processes and custom processes.
    • Default process: The project member submits a ticket to the admin, and then the admin approves the ticket. This process applies to the following scenarios:
      • The tickets that are not configured with a ticket process.
      • The tickets which apply for modifications on the project cycle.
      • The tickets which apply for modifications on the project quota.
      • If the custom ticket process is deleted, the tickets will be resubmitted automatically via the default ticket process.
    • Custom process: The project member submits a ticket. The project member makes process settings via process management. Finally, the admin or project admin approves the ticket. This process applies to the following scenarios:
      • The tickets created to apply for VM instances, delete VM instances, and change VM configurations will be prioritized to be submitted via the configured, custom ticket process.
      • If you modify the valid ticket process, the tickets will be automatically resubmitted via this modified, custom ticket process.
      • If you modify the invalid ticket process, you need to resubmit the tickets manually by using this modified, custom ticket process.
  • My Approval: In the Cloud, only the administrator and project administrators are granted approval permissions. The administrator and project administrators can approve or reject a ticket. If a ticket is approved, resources are automatically deployed and allocated to the specified project. Note: The platform admin and regular platform members do not have the permission for ticket management, and the menu My Approval is not supported for these two roles.

Architecture #

Tenant Management mainly includes four subfeatures: project management, ticket management, independent zone management, and 3rd-party authentication.

  • Platform Management: To effectively manage the Cloud, platform users (platform admins and regular platform members) can cooperate with the super administrator to manage and operate the Cloud together. ZStack Cloud provides various system roles such as the Platform Admin Role and the Dashboard Role. You can also satisfy various usage scenarios by creating custom roles at the API level.
  • Project Management: Project management is project-oriented resource planning. Specifically, you can create an independent resource pool for a specific project. Project lifecycles can be managed (including determining time, quotas, and permissions) to improve cloud resource utilization at a granular, automated level and strengthen collaboration between project members.
  • Ticket Management: To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can submit tickets to obtain cloud resources. Tickets are reviewed and approved according to the custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available: applying for VM instances, deleting VM instances, modifying VM configurations, modifying project cycles, and modifying project quotas.
  • Independent Zone Management: Usually, a zone corresponds to an actual data center in one place. If you isolate resources by zone, you can specify the corresponding zone admins for each zone to achieve independent management of the various machine rooms. In addition, the admin can inspect and manage all zones.
  • 3rd-Party Authentication: 3rd-party authentication is a third-party authentication service provided by ZStack Cloud. It allows you to seamlessly access a third-party login authentication system, so that the corresponding account system can directly log in to the Cloud and conveniently use cloud resources. Currently, you can add an AD/LDAP/OIDC/OAuth2/CAS server.

Differences in Roles and relevant Permissions #

Definitions related to Tenant Management Account System:

  • admin: A super administrator who owns all permissions. Usually, the admin is the IT system administrator who has all the permissions.
  • Local User: A user that is created on the Cloud. A local user can be added to an organization, added to a project, and attached to a role.
  • 3rd-Party User: A user that is synchronized to the Cloud through 3rd-party authentication. A 3rd-party user can be added to an organization, added to a project, and attached to a role.
  • Platform User: A user that is not added to a project yet, including platform admin and the regular platform member.
  • Platform Admin: A user that has the platform admin role attached. A platform admin who has been allocated a specified zone or all zones manages the data center of the allocated zone or zones.
  • Head of Department: The admin can assign a head for the department, and this role is used for identification only. When a head of department becomes a project member, the head of a department has the permission to check department bills.
  • Project User: A user who has joined a project, including project admin, project operator, and regular project member.
  • Project Admin: A user that has the project admin role attached. A project admin is responsible for managing users in a project, and has the highest permission in a project.
  • Project Manager: A user that has the project manager role attached. A project manager assists project admins to manage projects. One or more project members in the same project can be specified to act as project managers.
  • Department Manager: The admin can assign a department manager for the new team. It is a type of platform role and is responsible for the operation management of the entire department, including project management, ticket management, checking bills, and department critical resource monitoring.
  • Root Role: The root role is used to limit the permission scope of the custom role. The permission of a custom role is inherited from its root role, and is a subset of the root role permission.
  • Quota: A measurement standard that determines the total quantity of resources for a project. A quota mainly includes the VM instance count, CPU count, memory capacity, maximum number of data volumes, and maximum capacity of all volumes.
  • Project Reclaim Policy: You need to specify a project reclaim policy when you create a project. There are three types of project reclaim policy, including unlimited, reclaim by specifying time, and reclaim by specifying cost.
    • Unlimited: After you create a project, resources within the project will be in the enabled state by default.
    • Reclaim by Specifying Time:
      • When fewer than 14 days remain before the project expiration date, the smart operation assistant shows the prompt "The license will be expired" after a project member logs in to the Cloud.
      • After the project expires, resources within the project are reclaimed according to the specified policy. The policy includes disabling login (which prevents project members from logging in to the Cloud), stopping resources, and deleting projects.
    • Reclaim by Specifying Cost: When the project spending reaches the maximum limit, resources within the project will be collected according to the specified policy. The policy includes disabling login, preventing project members from logging in to the Cloud, stopping resources, and deleting projects.
  • Access Control: When you create a project, you can specify whether to allow or prohibit project members to or from logging in to the project within a specified time period. There are two types of access control policy: login allowed time and login prohibited time.
    • Login Allowed Time: You can set the time when members in the project can log in to the project by day or week. After setting, the project members can log in to the project only during the login allowed time period.
    • Login Prohibited Time: You can set the time when members in the project cannot log in to the project by day or week. After setting, the project members cannot log in to the project during the login prohibited time period.
  • Security group constraint: If you enable security group constraint, when a project member creates a VM instance, the VM instance must have one or more security groups attached.
    • Before you can enable security group constraint for the project, make sure that the project security group quota is set to 1 or higher.
    • If you enable the security group constraint for the project, a default security group is created when the project is created.
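The access control policies above are evaluated at login time: under a login allowed time policy a login is accepted only inside a configured window, under a login prohibited time policy only outside every window. The following is an added example of that evaluation logic, not ZStack Cloud's own code; the page does not show how the Cloud stores these windows, so the `LoginWindow` representation (a set of weekdays plus a start and exclusive end time) and the policy names `"allowed"` and `"prohibited"` are assumptions. It goes slightly beyond the page in handling windows that cross midnight, which is where such checks usually go wrong.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable

# Weekday numbering follows datetime.weekday(): Monday=0 ... Sunday=6
EVERY_DAY = frozenset(range(7))
MON_TO_FRI = frozenset(range(5))


@dataclass(frozen=True)
class LoginWindow:
    """A recurring window on the given weekdays; 'end' is exclusive.
    If end <= start the window wraps past midnight into the next day."""
    days: FrozenSet[int]
    start: time
    end: time

    def contains(self, moment: datetime) -> bool:
        t, day = moment.time(), moment.weekday()
        if self.start < self.end:                       # same-day window
            return day in self.days and self.start <= t < self.end
        # Wrap-around: the late part belongs to a configured day, the early
        # part belongs to the morning after a configured day.
        if day in self.days and t >= self.start:
            return True
        return (day - 1) % 7 in self.days and t < self.end


def login_permitted(policy: str, windows: Iterable[LoginWindow], moment: datetime) -> bool:
    """'allowed' permits logins only inside a window; 'prohibited' permits logins
    only outside every window. Unknown policies are rejected, never defaulted."""
    inside = any(w.contains(moment) for w in windows)
    if policy == "allowed":
        return inside
    if policy == "prohibited":
        return not inside
    raise ValueError(f"unknown access control policy: {policy!r}")


def login_permitted_at(policy: str, windows: Iterable[LoginWindow], iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 local timestamp such as '2024-01-15T10:00'."""
    return login_permitted(policy, windows, datetime.fromisoformat(iso_timestamp))


# Constructed sample policies (hypothetical values, not taken from the page):
# office hours Monday to Friday, a nightly block every day, and a Friday-night block.
OFFICE_HOURS = (LoginWindow(MON_TO_FRI, time(9, 0), time(18, 0)),)
NIGHT_BLOCK = (LoginWindow(EVERY_DAY, time(22, 0), time(6, 0)),)
FRIDAY_NIGHT = (LoginWindow(frozenset({4}), time(22, 0), time(6, 0)),)

if __name__ == "__main__":
    for stamp in ("2024-01-15T10:00", "2024-01-15T18:00", "2024-01-13T10:00"):
        print("allowed   ", stamp, login_permitted_at("allowed", OFFICE_HOURS, stamp))
    for stamp in ("2024-01-15T23:00", "2024-01-16T03:00", "2024-01-16T12:00"):
        print("prohibited", stamp, login_permitted_at("prohibited", NIGHT_BLOCK, stamp))
```

Note the two fail-closed choices: an allowed time policy with no windows permits nobody, and an unrecognized policy string raises rather than silently allowing the login.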

The tenant management system grants users a variety of permissions. The permissions of different user roles are as follows:

  • Differences in Accounts Login in Tenant Management
    • The admin logs in to the Cloud via Account Login. Using Chrome or Firefox, go to the Account Login page via http://management_node_ip:5000/#/login. To log in to the Cloud, the admin must enter the corresponding user name and password.
      Figure 1. Main Login Page
    • Other users (platform admin, platform user, project admin, project manager, regular project member, or department manager) log in to the Cloud via Project Login. Using Chrome or Firefox, go to the Project Login page via http://management_node_ip:5000/#/project. To log in to the Cloud, enter the corresponding user name and password. Specifically, the Cloud has two login entrances for Project Login:
      • Local user: a user created on the Cloud. Log in to the Cloud via Local User.
      • AD/LDAP user: a 3rd-party user synchronized to the Cloud via 3rd-party authentication. Log in to the Cloud via AD/LDAP User, as shown in Project Login Page.
      After a successful login, you can select the platform or project to be managed and enter the corresponding management interface.
      Figure 2. Tenant Login Page
  • Feature Differences from Various Perspectives

    Feature Menu             | admin / Platform Admin / Regular Platform Member | Project Admin / Project Manager | Department Manager | Regular Project Member
    Organization             | ○ | ○ | ○ | ○
    User                     | ○ | ○ | ○ | ×
    Role                     | ○ | ○ | ○ | ○
    Project Member           | × | ○ | × | ○
    User Group               | ○ | ○ | ○ | ○
    3rd-Party Authentication | ○ | × | × | ×
    Project                  | ○ | × | ○ | ×
    Process Management       | ○ | × | × | ×
    My Tickets               | × | ○ | × | ○
    My Approval              | ○ | ○ | ○ | ×
  • Differences in Permissions of Platform/Project Roles
    • Platform Roles: admin, platform admin, department manager, and regular platform user. The permissions corresponding to these roles are differentiated as follows:
      • admin: A super administrator who owns all permissions.
      • Platform Admin: A platform admin is a type of administrator who has been allocated a specified zone or all zones, and assists the admin to jointly manage the Cloud. A platform admin has all the permissions that the admin has, except the following:
        • A platform admin is allocated a specified zone or all zones, and has the permissions to manage resources in the zone or zones only. Currently, a platform admin is not granted relevant permissions to create or delete zones.
        • A platform admin does not have the permissions related to ticket management, and the menu My Approval is not displayed for this role.
        • A platform admin does not have the permissions related to certificate management, and cannot perform actions such as uploading a certificate.
      • Department Manager: The department manager is a role that has been allocated a specified department. The admin can designate a department manager for a new team, who is then responsible for managing the whole department. A department manager has the following permissions:
        • View homepage: Allows you to view the summary of project resources in the department under your management only.
        • View the Cloud monitor: Allows you to view the monitoring information of critical resources of the department under your management.
        • View organizations: Allows you to view the organizational structure of the Cloud, but not to perform related operations.
        • View users: Allows you to view the user information on the Cloud, but not to perform related operations.
        • View user groups: Allows you to view the user group information, but not to perform related operations.
        • View roles: Allows you to view the system project roles of the Cloud, the project roles whose owner is the admin, and the project roles whose owner is the managed department (and its sub-departments).
        • View projects and project-based operations: For projects under the managed department (and its sub-departments), you can view and edit projects and add project members. Setting a department, changing billing prices, generating project templates, and setting logon time limits for projects are not supported.
        • Ticket approval: Supports ticket approval, but the menu Process Management is not displayed.
        • View/Export bills: Allows you to view or export project bills and departmental bills of the department (and its sub-departments) under your management.
      • Regular Platform Member: Platform members other than the platform admin. A regular platform member has all the permissions that the admin has, except the following:
        • A regular platform member does not have the permissions related to ticket approval, and the menu My Approval is not displayed for this role.
        • A regular platform member can view users who are in the same organizational structure only.
        • Ungranted permissions.
    • Project Roles: project admin, project manager, and project member. The permissions corresponding to these roles are differentiated as follows:
      • A project admin can specify one or more project members in the same project to act as project managers, assisting project admins to manage projects.
      • A project manager has all the permissions that a project admin has, but

Advantages #

The Tenant Management of ZStack Cloud has the following advantages:

  • Full-featured: Tenant Management provides users with a range of features such as organization structure management, project-based resource access control, ticket management, and independent zone management.
  • User-friendly: Tenant Management allows you to manage the operation permissions of different roles in a multi-level organizational structure, making the organizational management more flexible and user-friendly.
  • Cost-effective: Each organization has different kinds of departments. In a traditional IT company, resources are allocated to these departments based on their actual needs, and permissions are assigned as needed as well. Against the backdrop of cloud migration, the management over the departments is achieved on the cloud to minimize the management costs.

Scenarios #

Each organization has its own administrative departments. In a traditional IT company, resources are allocated to administrative departments based on their actual needs, and permissions are assigned as needed as well. After companies migrate their business to the cloud, they expect to enjoy the same experience in resources allocation and permissions assignment on the cloud, which is compatible with the management by administrative departments.

The Tenant Management of ZStack Cloud provides users with a range of features such as organization structure management, project-based resource access control, ticket management, and independent zone management. Through the division of the organizational structure, it provides the same management as the administrative departments and minimizes the management costs.

Organization #

Create an Organization #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > Organization. On the Organization page, click the plus sign to the right of Organization. Then, the Create Organization page is displayed.

On the displayed page, set the following parameters:

  • Name: Enter a name for the organization.
  • Description: Optional. Enter a description for the organization.
  • Type: Choose the type of the organization. You can add a new team (by default) or add a subdepartment. Note: To add a Subdepartment, you need to specify an Upper Department from the subdepartments or new teams that are already added.
  • Admin: Optional. Specify an appropriate user as the admin.
  • Department Manager: Optional. Specify a department manager for the new team to assist the admin to manage the department. Note:
    • A department manager is in charge of the operational management of the whole department, including project management, ticket approval, bill checks, and key resource monitoring.
    • A user cannot be specified as the department manager if the user is already attached to other roles.
    • A user cannot be attached to other roles if the user is specified as the department manager.
  • Quota Setting: The quota settings can be configured manually, and you can configure the quota settings for the following resources:
    • Compute Resource: including memory, and the number of VM instances, running VM instances, CPUs, GPU devices, elastic baremetal instances, and VM scheduling policies.
    • Storage Resource: including the quantity of data volume, volume snapshot, available storage capacity, image, total image size, backup data, and available backup capacity.
    • Network Resource: including the quantity of VXLAN network, L3 network, security group, VIP, EIP, port forwarding, load balancer, and listener.
    • Other: including scheduled job, scheduler, resource alarm, event alarm, endpoint, and tag.
Figure 1. Create Organization

Manage an Organization #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > Organization. Then, the Organization page is displayed.

The following table lists the actions that you can perform on an organization.

Action                  | Description
Add Sub-Department      | Add a sub-department to the current organization.
Edit Organization       | Edit the name and description of an organization.
Change Department Admin | Reassign a user as the department admin.
Remove Department       | Change the upper-department of a sub-department.
Add User                | Add one or more users to an organization.
Remove User             | Remove one or more users from an organization. Note: Removing a department admin from an organization also removes its role of department admin.
Join Project            | Add one or more immediate members to a specified project.
Delete Organization     | Delete an organization. Note: Deleting a department also deletes all its sub-departments. Proceed with caution.

User #

Create a Local User #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > User. On the User page, click Create User. Then, the Create User page is displayed.

ZStack Cloud allows you to create a local user by one of the following methods:

  • Custom
  • Template Import

Custom #

On the Create User page, select Custom and set the following parameters:

  • Name: Enter a name for the user.
  • Description: Optional. Enter a description for the user.
  • User Name: Specify a user name for the user as a unique identifier for logging in to the Cloud.
  • Password: Specify a password for login.
  • Confirm Password: Enter again the password for confirmation.
  • Immediate Department: Optional. You can add the user directly to the corresponding department.
  • Phone Number: Optional. Enter a phone number of the user.
  • Email Address: Optional. Enter an email address of the user.
  • Identifier: Optional. Enter an identifier of the user, such as an employee ID.
  • Platform Role: Optional. You can specify one or multiple platform roles for a user. If specified, you need to set the management zone. Note:
    • After the platform role is bound to users, these users can act as the manager to manage the Cloud. The platform role that has the zone attribute can manage data centers of the assigned zones.
    • After the platform role is bound to users, these users can log in to the Cloud via Project Login.
    • Management Zone: Specify a zone for the platform role. Note:
      • After a zone is specified to users, these users can only manage the zones specified to them.
      • One platform role can manage a group of zones, while one zone can be co-managed by multiple platform roles.
  • Project: Optional. You can add a user to one or multiple projects. Note: After a user is bound to a project, this user has the corresponding permissions of the project and can manage the corresponding data within the project.
Figure 1. Create User with Custom Method

Template Import #

On the Create User page, select Template Import as the method to create a user. The detailed steps are as follows:

  1. Download the template. Click Download Template to download a template in the .csv format.
     Figure 2. Template

    Note: User name, name, and password are required parameters, and the user name must be globally unique.
  2. Fill in the configuration information of users according to the prescribed format. The user template includes a header row and an example row; the example row must be deleted or overwritten when you edit the template. On the template, set the following parameters:
    • Name: Enter a name for the user.
    • User Name: Enter the user name as a unique identifier for logging in to the Cloud.
    • Password: Set a user login password.
    • Description: Optional. Enter a description for the user.
    • Phone Number: Optional. Enter a phone number of the user.
    • Email Address: Optional. Enter an email address of the user.
    • Identifier: Optional. Enter a user ID, such as the job ID.
    • Organization: Optional. A user can be added to one or multiple organizations.Note:
      • The organization that you fill in has to be an existing organization. Note that organizations must be separated by /. For example: Company/Dev.
      • If the organization path is duplicated, attach the UUID of an upper-department, such as Company(f11444d42701483791370e9f8b9300b9)/Dev.
      • If a user is added to multiple organizations simultaneously, separate these organizations by &&, such as Company/Dev&&Company/QA.
    • Project: Optional. A user can be added to one or multiple projects.Note:
      • The project that you fill in has to be an existing project. When a single project is added, enter the project name directly, such as project-01.
      • If a user is added to multiple projects simultaneously, separate these projects by &&, such as project-01&&project-02.
  3. After finishing the configurations in the template, you can directly upload the template to the Cloud through the browser. Confirm the template and click OK. The Cloud automatically creates users according to the uploaded template configuration file.
     Figure 3. Upload Template
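Because the Cloud creates every user in the file in one go, it pays to check a filled-in template before uploading it: the required columns, global uniqueness of user names, and the organization and project column formats described in step 2 (`/` between path levels, an upper-department UUID in parentheses when a path is duplicated, `&&` between multiple entries). The following is an added example of such a pre-flight validator written for this page, not a ZStack tool. The page does not give the template's literal header names, so `userName`, `organization`, `project` and the other headers are assumed placeholders; the organization tree and project names it resolves against are constructed sample data, with two top-level teams both named Company so that `Company/Dev` is ambiguous and requires the UUID form.

```python
import csv
import io
import re
from typing import List, Optional, Set

# Assumed column headers: the page lists the template's fields but not their
# literal header names, so these are placeholders for illustration only.
REQUIRED_COLUMNS = ("userName", "name", "password")
ORG_COLUMN = "organization"
PROJECT_COLUMN = "project"

# Constructed organization tree as (uuid, name, parent uuid). Two top-level teams
# are both called "Company", so the path "Company/Dev" is ambiguous and needs a UUID.
SAMPLE_ORGS = (
    ("f11444d42701483791370e9f8b9300b9", "Company", None),
    ("0a2b5c7d9e1f4a6b8c0d2e4f6a8b0c1d", "Company", None),
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Dev", "f11444d42701483791370e9f8b9300b9"),
    ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "QA", "f11444d42701483791370e9f8b9300b9"),
    ("cccccccccccccccccccccccccccccccc", "Dev", "0a2b5c7d9e1f4a6b8c0d2e4f6a8b0c1d"),
)
SAMPLE_PROJECTS = frozenset({"project-01", "project-02"})

# One path segment: a department name, optionally followed by "(<32 hex uuid>)"
SEGMENT_RE = re.compile(r"^(?P<name>[^()/]+)(?:\((?P<uuid>[0-9a-f]{32})\))?$")


def resolve_org_path(path: str, orgs=SAMPLE_ORGS) -> Optional[str]:
    """Return the UUID of the organization named by 'Team/Sub(uuid)/Dept', or
    None when the path names no organization or more than one (ambiguous)."""
    candidates: Set[Optional[str]] = {None}  # parent UUIDs to match; None = top level
    for segment in path.split("/"):
        match = SEGMENT_RE.match(segment.strip())
        if match is None:
            return None
        candidates = {
            uuid for uuid, name, parent in orgs
            if name == match["name"] and parent in candidates
            and (match["uuid"] is None or uuid == match["uuid"])
        }
        if not candidates:
            return None
    return candidates.pop() if len(candidates) == 1 else None


def validate_template(csv_text: str, orgs=SAMPLE_ORGS, projects=SAMPLE_PROJECTS) -> List[str]:
    """Pre-flight checks on a filled-in template; returns one message per problem,
    so an empty list means the file is ready to upload."""
    errors: List[str] = []
    seen_user_names: Set[str] = set()
    # Line 1 is the header row (the template's example row is assumed to be deleted)
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column in REQUIRED_COLUMNS:
            if not (row.get(column) or "").strip():
                errors.append(f"line {lineno}: required column '{column}' is empty")
        user_name = (row.get("userName") or "").strip()
        if user_name in seen_user_names:
            errors.append(f"line {lineno}: duplicate user name '{user_name}'")
        elif user_name:
            seen_user_names.add(user_name)
        org_field = (row.get(ORG_COLUMN) or "").strip()
        for path in filter(None, org_field.split("&&")):
            if resolve_org_path(path, orgs) is None:
                errors.append(f"line {lineno}: organization '{path}' not found or ambiguous")
        project_field = (row.get(PROJECT_COLUMN) or "").strip()
        for project in filter(None, project_field.split("&&")):
            if project.strip() not in projects:
                errors.append(f"line {lineno}: project '{project}' does not exist")
    return errors


# Constructed sample upload: header row plus four user rows (passwords are dummies).
SAMPLE_CSV = """\
name,userName,password,description,phoneNumber,email,identifier,organization,project
Alice,alice,Constructed-Pw-1,,,,E001,Company(f11444d42701483791370e9f8b9300b9)/Dev&&Company/QA,project-01&&project-02
Bob,bob,Constructed-Pw-2,,,,E002,Company/Dev,project-01
Carol,carol,,,,,E003,,project-03
Dave,alice,Constructed-Pw-4,,,,E004,,
"""

if __name__ == "__main__":
    for problem in validate_template(SAMPLE_CSV):
        print(problem)
```

Path resolution keeps every candidate at each level and only fails at the end when more than one organization matches, which mirrors the page's rule: `Company/QA` resolves because only one QA exists, while `Company/Dev` must carry the upper-department UUID.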

Manage a Local User #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > User. Then, the Local User page is displayed.

The following table lists the actions that you can perform on a local user.

Action               | Description
Create User          | Create one or more local users.
Edit User            | Edit the name and description of a user.
Change Password      | Modify the user login password.
Join Department      | Add one or more users to one or more departments.
Join User Group      | Add a user to one or more user groups.
Modify Platform Role | Associate one or more roles with a user.
Join Project         | Add one or more users to one or more projects.
Set Zone for User    | Set a zone for a user. After a zone is specified for users, these users can only manage the zone specified for them.
Delete User          | Delete a user. Note: If a user is a Department Admin, Project Admin, or Project Manager, deleting this user also removes these roles from the user. If a user is part of a ticket flow, removing this user disables this ticket flow, and all tickets associated with this flow are recalled.

Manage a 3rd-Party User #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > User. On the User page, click 3rd-Party User. Then, the 3rd-Party User tab is displayed.

The following table lists the actions that you can perform on a 3rd-party user.

Action | Description
Join Department | Add one or more users to one or more departments.
Join User Group | Add a user to one or more user groups.
Modify Platform Role | Associate one or more roles with a user.
Join Project | Add one or more users to one or more projects.
Set Zone for User | Set a zone for a user. After a zone is assigned to users, those users can manage only that zone.
Change to Local User | After an AD server is synchronized, users that no longer exist on the AD server are placed in the Deleted state and cannot be used to log in. You can change such deleted AD users to local users.
  Note:
  • After 3rd-party users are changed to local users, they inherit and continue to use their original user data, such as their original projects and permissions.
  • After 3rd-party users are changed to local users, change their passwords. Otherwise, these local users cannot be used to log in to the Cloud.
Delete User | Delete a user.
  Note:
  • If the user is a Department Admin, Project Admin, or Project Manager, deleting the user removes these roles from the user.
  • If the user is part of a ticket flow, deleting the user disables that ticket flow, and all tickets associated with the flow are recalled.
  • Deleting a 3rd-party user does not affect the source user on the 3rd-party authentication server.

User Group #

Create a User Group #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > User Group. On the User Group page, click Create User Group. Then, the Create User Group page is displayed.

On the displayed page, set the following parameters:

  • Name: Enter a name for the user group.
  • Description: Optional. Enter a description for the user group.
  • User: Optional. Select one or more users to add to the user group.
  • Project: Optional. Add one or more projects for the user group.
Figure 1. Create User Group

Manage a User Group #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > User Group. Then, the User Group page is displayed.

The following table lists the actions that you can perform on a user group.

Action | Description
Create User Group | Create a user group to manage users in groups.
Edit User Group | Edit the name and description of a user group.
Add User | Add one or more users to a user group.
Join Project | Add a user group to a specified project.
Delete User Group | Delete a user group. Deleting a user group also removes the group relationships of the relevant users.

Role #

Create a Role #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > Role. On the Role page, click Create Role. The Create Role page appears.

To create a role, follow these three steps:

  1. Configure basic info. Set the following parameters:
    • Name: Enter a name for the role.
    • Description: Optional. Enter a description for the role.
    • Role Type: Select a role type for the role. Valid values: Platform Role and Project Role.
      Note:
      • Platform Role: After a platform role is attached to a user, the user has management permissions in the corresponding zone. Permissions of a platform role take effect only in the zone managed by the user.
      • Project Role: After a user joins a project and has a project role attached, the user has permission to use the project and manage the data in it.
      • Notice:
        1. One user can have both types of role attached.
        2. One user can have more than one platform role or project role attached.
        3. In a project, if a user has multiple project roles attached, the user has all the permissions of those project roles.
    • Root Role: Specify a root role to limit the permission range of custom roles that inherit their permissions from it. The permissions of such custom roles are a subset of those of the root role.
    Figure 1. Configure Basic Info
  2. Specify UI permissions. Specify permission services for the role.
    Note: Permission services are collections of permissions categorized by resource, and there may be dependencies between different permission services. We recommend that you use the system roles preset in the Cloud or select all permissions.
    Figure 2. Specify UI Permissions
  3. Preview. Confirm the role that you are about to create. You can modify the configuration by clicking the Edit icon.
    Figure 3. Preview

Manage a Role #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > Role. Then, the Role page is displayed.

The following table lists the actions that you can perform on a role.

Action | Description
Create Role | Create a role.
Edit Role | Edit the name and description of a role.
Modify UI Permissions | Modify the UI permissions of a role.
Delete Role | Delete a role.
  Note: After a role is deleted, it is automatically detached from all users that had it attached. Proceed with caution.

3rd-Party Authentication #

Add a 3rd-Party Authentication Server #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Personnel and Permissions > 3rd-Party Authentication. On the 3rd-Party Authentication page, click Add 3rd-Party Authentication Server. Then, the Add 3rd-Party Authentication Server page is displayed.

The following lists the 3rd-party authentication servers that you can add:

  • Add an AD server.
  • Add an LDAP server.
  • Add an OIDC server.
  • Add an OAuth2 server.
  • Add a CAS server.

Add an AD server #

On the displayed page, set the following parameters:

  1. Type: Select AD.
  2. Server Configurations: Set the basic information and configuration of an AD server. Set the following parameters:
    • Name: Enter a name for the AD server.
    • Description: Optional. Enter a description for the AD server.
    • Type: AD is displayed.
    • Primary Server IP/Domain: Enter the IP address or domain name of the primary server.
    • Primary Server Port: Enter the corresponding port of the primary server.
    • SSL/TLS Encryption: Choose whether to enable SSL/TLS encryption. By default, SSL/TLS encryption is enabled.
      • If enabled, the connection is encrypted with SSL/TLS and uses port 636 by default. The port can be customized.
      • If disabled, the connection is unencrypted and uses port 389 by default. The port can be customized.
    • Secondary Server IP/Domain: Optional. Enter the IP address or domain name of the secondary server.
    • Secondary Server Port: Optional. Enter the corresponding port of the secondary server.
    • Configuration Info: To define the scope of AD user synchronization, set the following parameters:
      • Base DN: Enter a base DN. It is the root under which AD users and organization structures are searched, and it defines the synchronization scope.
      • User DN: Enter the DN of a user that has permission to read all users within the base DN. The Cloud binds as this user to access the AD server and obtain the associated data.
      • Password: Enter the login password of the user DN.
      • Filter Policy: Choose whether to filter user information during synchronization. By default, filtering is disabled.
      • Filter Mechanism: Choose whether the filter acts as a blocklist or an allowlist.
        Note:
        • If you select Blocklist, users matched by the filter rule are not synchronized to the Cloud.
        • If you select Allowlist, only users matched by the filter rule are synchronized to the Cloud.
      • Filter Rule: Enter a filter rule for the authentication server.
        Note:
        • The maximum length of a filter rule depends on the AD server configuration. A rule that exceeds this length does not take effect, so make sure that your rule stays within the limit.
        • Examples of filter rules:
          • Single rule: (name=filterName)
          • Combination rule: (&(name=filterName)(description=departure))
    Figure 1. AD Server Configurations

    After you complete the AD server configurations, click Next. The Cloud automatically tests the connection and proceeds to the next step. Alternatively, click Test Connection to check the configuration and the connection to the AD server manually.
    • If the connection test succeeds, click Next to configure the remaining parameters.
    • If the connection test fails, edit the configuration according to the error messages shown in the upper-right corner until the connection test succeeds.
  3. Synchronize Mapping Rule: Specify the login attribute, the user mapping rule, and the organization mapping. Set the following parameters:
    • Login Attribute: Specify the AD user attribute used for Cloud logins. For example, if cn is the login attribute, an AD user can log in to the Cloud with the value of cn (such as John) as the login name.
    • User Mapping Rule: Select or enter rules that map AD user attributes to Cloud local attributes. Set the following parameters:
      • User Name: Specify the AD attribute mapped to the Cloud user name. For example, if User Name maps cn, the user created in the Cloud has the value of cn (such as John) as its user name and can use it to log in to the Cloud.
        Note: User names of ZStack Cloud users must be unique. If a synchronized AD user has the same user name as an existing Cloud user, the Cloud automatically appends a random code to the user name of the synchronized AD user.
      • Name: Specify the AD attribute mapped to the name of the Cloud user. For example, if Name maps name, the user created in the Cloud has the value of name (such as Jack) as its name.
      • Mobile Phone: Optional. Specify the AD attribute mapped to the mobile phone of the Cloud user. For example, if Mobile Phone maps telephoneNumber, the user created in the Cloud has the value of telephoneNumber (such as 13800000000) as its mobile phone.
      • Email: Optional. Specify the AD attribute mapped to the email of the Cloud user. For example, if Email maps mail, the user created in the Cloud has the value of mail (such as xxx@xxx.xx) as its email.
      • Identifier: Optional. Specify the AD attribute mapped to the identifier of the Cloud user. For example, if Identifier maps employeeID, the user created in the Cloud has the value of employeeID (such as 001) as its identifier.
      • Description: Optional. Specify the AD attribute mapped to the description of the Cloud user. For example, if Description maps description, the user created in the Cloud has the value of description (such as dev-John) as its description.
      • Custom Attribute: Customize a rule that maps a 3rd-party attribute of a 3rd-party user to a Cloud local attribute.
        • System User Attribute: Specify a system user attribute, which can be the same as the original attribute, such as Identifier.
        • AD/LDAP User Attribute: Specify an AD/LDAP user attribute, such as employeeID.
    • Synchronize Organization Mapping: Choose whether to synchronize organizations. By default, this option is disabled. If enabled, AD organizations within the base DN scope are synchronized to the organization list in the Cloud.
      • Organization Mapping Method: Select an organization mapping method.
        • Group: Subtrees of the organization tree are distinguished by Group attributes, and AD groups are synchronized to the organization list in the Cloud (recommended).
        • OU: Subtrees of the organization tree are distinguished by OU attributes, and AD groups are synchronized to the organization list in the Cloud.
      • Organization Mapping Rule:
        • Name: Specify the AD attribute mapped to the name of the Cloud organization. For example, if the organization name maps cn, the organization created in the Cloud has the value of cn (such as dev-department) as its name.
        • Description: Optional. Specify the AD attribute mapped to the description of the Cloud organization. For example, if the organization description maps description, the organization created in the Cloud has the value of description (such as dev-backend) as its description.
    Figure 2. Synchronize Mapping Rule

    Click Next. The Cloud automatically tests whether the login attribute, user mapping rule, and organization mapping can be created. After the test succeeds, the Cloud adds the mapping rules.
    Note: Make sure that all AD attributes are specified; otherwise, the test may fail. If the test fails, edit the mapping rule configuration according to the error messages until the mapping rules are added successfully.
  4. Preview: Confirm the information and configuration of the AD server to be added. You can edit the configuration by clicking the edit icon.
    Figure 3. Preview

    Click Complete to add the AD server, create 3rd-party users, and add organizations.

Add a LDAP server #

On the displayed page, set the following parameters:

  1. Type: Select LDAP.
  2. Server Configurations: Set the basic information and configuration of an LDAP server. Set the following parameters:
    • Name: Enter a name for the LDAP server.
    • Description: Optional. Enter a description for the LDAP server.
    • Type: LDAP is displayed.
    • Primary Server IP/Domain: Enter the IP address or domain name of the primary server.
    • Primary Server Port: Enter the corresponding port of the primary server.
    • SSL/TLS Encryption: Choose whether to enable SSL/TLS encryption. By default, SSL/TLS encryption is enabled.
      • If enabled, the connection is encrypted with SSL/TLS and uses port 636 by default. The port can be customized.
      • If disabled, the connection is unencrypted and uses port 389 by default. The port can be customized.
    • Secondary Server IP/Domain: Optional. Enter the IP address or domain name of the secondary server.
    • Secondary Server Port: Optional. Enter the corresponding port of the secondary server.
    • Configuration Info: To define the scope of LDAP user synchronization, set the following parameters:
      • Base DN: Enter a base DN. It is the root under which LDAP users and organization structures are searched, and it defines the synchronization scope.
      • User DN: Enter the DN of a user that has permission to read all users within the base DN. The Cloud binds as this user to access the LDAP server and obtain the associated data.
      • Password: Enter the login password of the user DN.
      • Filter Policy: Choose whether to filter user information during synchronization. By default, filtering is disabled.
      • Filter Mechanism: Choose whether the filter acts as a blocklist or an allowlist.
        Note:
        • If you select Blocklist, users matched by the filter rule are not synchronized to the Cloud.
        • If you select Allowlist, only users matched by the filter rule are synchronized to the Cloud.
      • Filter Rule: Enter a filter rule for the authentication server.
        Note:
        • The maximum length of a filter rule depends on the LDAP server configuration. A rule that exceeds this length does not take effect, so make sure that your rule stays within the limit.
        • Examples of filter rules:
          • Single rule: (name=filterName)
          • Combination rule: (&(name=filterName)(description=departure))
    Figure 4. LDAP Server Configuration

    After you complete the LDAP server configurations, click Next. The Cloud automatically tests the connection and proceeds to the next step. Alternatively, click Test Connection to check the configuration and the connection to the LDAP server manually.
    • If the connection test succeeds, click Next to configure the remaining parameters.
    • If the connection test fails, edit the configuration according to the error messages shown in the upper-right corner until the connection test succeeds.
  3. Synchronize Mapping Rule: Specify the login attribute and the user mapping rule. Set the following parameters:
    • Login Attribute: Specify the LDAP user attribute used for Cloud logins. For example, if cn is the login attribute, an LDAP user can log in to the Cloud with the value of cn (such as John) as the login name.
    • User Mapping Rule: Select or enter rules that map LDAP user attributes to Cloud local attributes. Set the following parameters:
      • User Name: Specify the LDAP attribute mapped to the Cloud user name. For example, if User Name maps cn, the user created in the Cloud has the value of cn (such as John) as its user name and can use it to log in to the Cloud.
        Note: User names of ZStack Cloud users must be unique. If a synchronized LDAP user has the same user name as an existing Cloud user, the Cloud automatically appends a random code to the user name of the synchronized LDAP user.
      • Name: Specify the LDAP attribute mapped to the name of the Cloud user. For example, if Name maps cn, the user created in the Cloud has the value of cn (such as Jack) as its name.
      • Mobile Phone: Optional. Specify the LDAP attribute mapped to the mobile phone of the Cloud user. For example, if Mobile Phone maps mobile, the user created in the Cloud has the value of mobile (such as 13800000000) as its mobile phone.
      • Email: Optional. Specify the LDAP attribute mapped to the email of the Cloud user. For example, if Email maps mail, the user created in the Cloud has the value of mail (such as xxx@xxx.xx) as its email.
      • Identifier: Optional. Specify the LDAP attribute mapped to the identifier of the Cloud user. For example, if Identifier maps employeeNumber, the user created in the Cloud has the value of employeeNumber (such as 001) as its identifier.
      • Description: Optional. Specify the LDAP attribute mapped to the description of the Cloud user. For example, if Description maps description, the user created in the Cloud has the value of description (such as dev-John) as its description.
      • Custom Attribute: Customize a rule that maps a 3rd-party attribute of a 3rd-party user to a Cloud local attribute.
        • System User Attribute: Specify a system user attribute, which can be the same as the original attribute, such as Identifier.
        • AD/LDAP User Attribute: Specify an AD/LDAP user attribute, such as employeeNumber.
    Figure 5. Synchronize Mapping Rule

    Click Next. The Cloud automatically tests whether the login attribute and user mapping rules can be created. After the test succeeds, the Cloud adds the mapping rules.
    Note: Make sure that all LDAP attributes are specified; otherwise, the test may fail. If the test fails, edit the mapping rule configuration according to the error messages until the mapping rules are added successfully.
  4. Preview: Confirm the information and configuration of the LDAP server to be added. You can edit the configuration by clicking the edit icon.
    Figure 6. Preview

    Click Complete to add the LDAP server and create 3rd-party users.
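The AD and LDAP synchronization steps above (Base DN scope, Filter Policy with an LDAP filter rule, Login Attribute, User Mapping Rule, and the random code appended to duplicate user names) modelled as one offline pass, as an added example rather than ZStack's own code. The directory entries, the existing user names, and the minimal filter parser are assumptions.

```python
"""Offline model of one AD/LDAP user synchronization pass as configured on this page.
Added example, not ZStack code: it applies the Base DN scope, the Filter Policy (Blocklist
or Allowlist with an LDAP filter rule), the Login Attribute, the User Mapping Rule and the
random-code de-duplication of user names. The filter parser is a minimal hypothetical one
(=, &, |, ! only); the directory entries and existing user names are constructed."""
import secrets
from dataclasses import dataclass, field

DIRECTORY = [  # constructed entries standing in for a search under the Base DN
    {"dn": "CN=John,OU=dev,DC=example,DC=com", "cn": "John", "name": "John Smith",
     "mail": "john@example.com", "employeeID": "001", "description": "dev-John"},
    {"dn": "CN=Jack,OU=dev,DC=example,DC=com", "cn": "Jack", "name": "Jack Lee",
     "mail": "jack@example.com", "employeeID": "002", "description": "departure"},
    {"dn": "CN=Ann,OU=ops,DC=example,DC=com", "cn": "Ann", "name": "Ann Wu",
     "mail": "ann@example.com", "employeeID": "003", "description": "ops-Ann"},
    {"dn": "CN=Bob,OU=ops,DC=other,DC=com", "cn": "Bob", "name": "Bob Li",
     "mail": "bob@other.com", "employeeID": "004", "description": "ops-Bob"},
]

@dataclass
class SyncConfig:
    base_dn: str
    login_attribute: str
    user_mapping: dict = field(default_factory=dict)  # Cloud attr -> AD/LDAP attr; needs "user_name"
    ssl_tls: bool = True                 # page default; False sends the User DN password in cleartext
    filter_policy: bool = False          # page default: filtering disabled
    filter_mechanism: str = "blocklist"  # or "allowlist"
    filter_rule: str = ""

    def default_port(self) -> int:
        return 636 if self.ssl_tls else 389  # LDAPS vs plain LDAP, as on the page

def parse_filter(text: str):
    """Parse a subset of RFC 4515 filter syntax into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while text[pos:pos + 1] == "(":
                children.append(node())
            if text[pos:pos + 1] != ")" or (op == "!" and len(children) != 1):
                raise ValueError(f"malformed compound filter at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)               # ValueError if the item is never closed
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    op = tree[0]
    if op == "=":
        actual = entry.get(tree[1])
        return actual is not None and (tree[2] == "*" or str(actual).lower() == tree[2].lower())
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)        # "!"

def in_scope(dn: str, base_dn: str) -> bool:
    """True when the entry lies under the Base DN, i.e. inside the synchronization range."""
    return dn.lower().endswith("," + base_dn.lower())

def synchronize(cfg: SyncConfig, directory: list, existing_usernames: set):
    """Return (created_users, filtered_dns) for one synchronization pass."""
    rule = parse_filter(cfg.filter_rule) if cfg.filter_policy else None
    taken = set(existing_usernames)
    users, filtered = [], []
    for entry in directory:
        if not in_scope(entry["dn"], cfg.base_dn):
            continue                             # outside the Base DN: never searched
        if rule is not None and matches(rule, entry) == (cfg.filter_mechanism == "blocklist"):
            filtered.append(entry["dn"])         # blocklist drops matches, allowlist drops the rest
            continue
        user = {}
        for cloud_attr, src_attr in [*cfg.user_mapping.items(), ("login_name", cfg.login_attribute)]:
            if src_attr not in entry:            # page: an unspecified attribute fails the mapping test
                raise ValueError(f"{entry['dn']} has no attribute {src_attr!r}")
            user[cloud_attr] = entry[src_attr]
        if user["user_name"] in taken:           # page: duplicate user names get a random code
            user["user_name"] = f"{user['user_name']}-{secrets.token_hex(2)}"
        taken.add(user["user_name"])
        users.append(user)
    return users, filtered
```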
Add an OIDC server #

On the displayed page, set the following parameters:

  1. Type: Select OIDC.
  2. Server Configurations: Set the basic information and configuration of an OIDC server. Set the following parameters:
    • Name: Enter a name for the OIDC server.
    • Description: Optional. Enter a description for the OIDC server.
    • Type: OIDC is displayed.
    • Redirect URL: The URL to which the authentication server redirects the browser back to the Cloud after it has authenticated the user.
    • Redirect Template: The redirect template used to implement password-free login within the cloud platform. If the Cloud is configured behind a reverse proxy, modify the IP address and port in this parameter.
    • Configuration Info: To configure the information required to synchronize with an OIDC authentication server, set the following parameters:
      • Client ID: Enter the unique ID that the authentication system assigns to the Cloud.
      • Client Secret: Enter the secret that the authentication system assigns to the Cloud.
      • Authorization Request URL: Enter the URL used to request an authorization grant in authorization code mode.
      • Token Request URL: Enter the URL used to obtain an access token from the authentication server.
      • Userinfo Request URL: Enter the URL used to obtain user information from the authentication server.
      • Logout URL: The URL used to end the session on the authentication server after the user logs out of the Cloud. When the user logs in to the Cloud again, authentication at the authentication server is required. If left blank, the login state is not cleared immediately after logging out of the Cloud, and the user can still log in to the Cloud without a password as long as the session on the authentication server remains valid.
    Figure 7. OIDC Server Configuration
  3. Synchronize Mapping Rule: Specify the user mapping rules for the OIDC authentication server. Set the following parameters:
    • User Mapping Rule: The mapping rule gives a third-party user local user attributes when the user is synchronized to the Cloud. It maps the third-party attributes of the user to Cloud local attributes.
      • User Name: Specify the OIDC user attribute mapped to the Cloud user name. The user name uniquely identifies a user, so make sure that the attribute you map to it is also unique in the authentication system. For example, if User Name maps username, the user synchronized to the Cloud has the value of username (such as John) as its user name.
      • Name: Specify the OIDC user attribute mapped to the name of the Cloud user. For example, if Name maps name, the user created in the Cloud has the value of name (such as Jack) as its name.
      • Mobile Phone: Optional. Specify the OIDC user attribute mapped to the mobile phone of the Cloud user. For example, if Mobile Phone maps telephoneNumber, the user created in the Cloud has the value of telephoneNumber (such as 13800000000) as its mobile phone.
      • Email: Optional. Specify the OIDC user attribute mapped to the email of the Cloud user. For example, if Email maps mail, the user created in the Cloud has the value of mail (such as xxx@xxx.xx) as its email.
      • Identifier: Optional. Specify the OIDC user attribute mapped to the identifier of the Cloud user. For example, if Identifier maps employeeID, the user created in the Cloud has the value of employeeID (such as 001) as its identifier.
      • Description: Optional. Specify the OIDC user attribute mapped to the description of the Cloud user. For example, if Description maps description, the user created in the Cloud has the value of description (such as dev-backend) as its description.
      • User Group: Optional. Specify the attribute that maps user groups of the third-party authentication server to user groups in the Cloud. For example, if User Group maps usergroup, the user groups created in the Cloud take the values of usergroup (such as group-1, group-2) as their names.
        Note: If the Cloud has multiple user groups with the same name as a mapped user group, the third-party user joins all of those existing user groups after logging in to the Cloud. If you do not want a synchronized user to be added to multiple user groups, rename the user groups or delete the unnecessary ones.
    Figure 8. Synchronize Mapping Rule
  4. Preview: Confirm the information and configuration of the OIDC server to be added.
    Figure 9. Preview

    Click Complete to add the OIDC server and synchronize 3rd-party user information.

Add an OAuth2 server #

On the displayed page, set the following parameters:

  1. Type: Select OAuth2.
  2. Server Configurations: Set the basic information and configuration of an OAuth2 server. Set the following parameters:
    • Name: Enter a name for the OAuth2 server.
    • Description: Optional. Enter a description for the OAuth2 server.
    • Type: OAuth2 is displayed.
    • Redirect URL: The URL to which the authentication server redirects the browser back to the Cloud after it has authenticated the user.
    • Redirect Template: The redirect template used to implement password-free login within the cloud platform. If the Cloud is configured behind a reverse proxy, modify the IP address and port in this parameter.
    • Configuration Info: To configure the information required to synchronize with an OAuth2 authentication server, set the following parameters:
      • Client ID: Enter the unique ID that the authentication system assigns to the Cloud.
      • Client Secret: Enter the secret that the authentication system assigns to the Cloud.
      • Authorization Request URL: Enter the URL used to request an authorization grant in authorization code mode.
      • Token Request URL: Enter the URL used to obtain an access token from the authentication server.
      • Userinfo Request URL: Enter the URL used to obtain user information from the authentication server.
      • Logout URL: The URL used to end the session on the authentication server after the user logs out of the Cloud. When the user logs in to the Cloud again, authentication at the authentication server is required. If left blank, the login state is not cleared immediately after logging out of the Cloud, and the user can still log in to the Cloud without a password as long as the session on the authentication server remains valid.
    Figure 10. OAuth2 Server Configuration
  3. Synchronize Mapping Rule: Specify the user mapping rules for the OAuth2 authentication server. Set the following parameters:
    • User Mapping Rule: The mapping rule gives a third-party user local user attributes when the user is synchronized to the Cloud. It maps the third-party attributes of the user to Cloud local attributes.
      • User Name: Specify the OAuth2 user attribute mapped to the Cloud user name. The user name uniquely identifies a user, so make sure that the attribute you map to it is also unique in the authentication system. For example, if User Name maps username, the user synchronized to the Cloud has the value of username (such as John) as its user name.
      • Name: Specify the OAuth2 user attribute mapped to the name of the Cloud user. For example, if Name maps name, the user created in the Cloud has the value of name (such as Jack) as its name.
      • Mobile Phone: Optional. Specify the OAuth2 user attribute mapped to the mobile phone of the Cloud user. For example, if Mobile Phone maps telephoneNumber, the user created in the Cloud has the value of telephoneNumber (such as 13800000000) as its mobile phone.
      • Email: Optional. Specify the OAuth2 user attribute mapped to the email of the Cloud user. For example, if Email maps mail, the user created in the Cloud has the value of mail (such as xxx@xxx.xx) as its email.
      • Identifier: Optional. Specify the OAuth2 user attribute mapped to the identifier of the Cloud user. For example, if Identifier maps employeeID, the user created in the Cloud has the value of employeeID (such as 001) as its identifier.
      • Description: Optional. Specify the OAuth2 user attribute mapped to the description of the Cloud user. For example, if Description maps description, the user created in the Cloud has the value of description (such as dev-backend) as its description.
      • User Group: Optional. Specify the attribute that maps user groups of the third-party authentication server to user groups in the Cloud. For example, if User Group maps usergroup, the user groups created in the Cloud take the values of usergroup (such as group-1, group-2) as their names.
        Note: If the Cloud has multiple user groups with the same name as a mapped user group, the third-party user joins all of those existing user groups after logging in to the Cloud. If you do not want a synchronized user to be added to multiple user groups, rename the user groups or delete the unnecessary ones.
    Figure 11. Synchronize Mapping Rule
  4. Preview: Confirm the information and configuration of the OAuth2 server to be added.
    Figure 12. Preview

    Click Complete to add the OAuth2 server and synchronize 3rd-party user information.
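The OIDC and OAuth2 server configuration and mapping steps above, as an added example that is not ZStack's code: it reviews the configured URLs and the Logout URL caveat, builds the authorization-code request from Client ID, Redirect URL and Authorization Request URL, and applies a User Mapping Rule with User Group mapping to a constructed userinfo response. The URLs, claim names, group names and the `state` parameter are assumptions.

```python
"""Added example, not ZStack code: checks the OIDC/OAuth2 server fields described above,
builds the authorization-code request the Cloud would send the browser to, and applies a
User Mapping Rule (including User Group mapping) to a constructed userinfo response.
The configuration values, claim names and group names are constructed assumptions."""
import secrets
from urllib.parse import urlencode, urlparse

URL_FIELDS = ("redirect_url", "authorization_request_url", "token_request_url", "userinfo_request_url")

SERVER = {  # constructed configuration mirroring the wizard fields on this page
    "client_id": "zstack-cloud",
    "client_secret": "<client secret issued by the authentication server>",
    "redirect_url": "https://cloud.example.com/oidc/callback",
    "authorization_request_url": "https://idp.example.com/oauth2/authorize",
    "token_request_url": "https://idp.example.com/oauth2/token",
    "userinfo_request_url": "https://idp.example.com/oauth2/userinfo",
    "logout_url": "https://idp.example.com/oauth2/logout",
}

def check_server_config(cfg: dict) -> list:
    """Return findings to fix before saving the server; an empty list means acceptable."""
    findings = []
    for key in URL_FIELDS:
        url = cfg.get(key, "")
        if urlparse(url).scheme != "https":  # codes, tokens and the client secret travel over these
            findings.append(f"{key}: must be an https:// URL, got {url!r}")
    if not cfg.get("client_id") or not cfg.get("client_secret"):
        findings.append("client_id and client_secret must both be set")
    if not cfg.get("logout_url"):
        # Per the page: with no Logout URL, logging out of the Cloud leaves the session on the
        # authentication server alive, so that browser can log back in without a password.
        findings.append("logout_url is blank: authentication server session is not ended on Cloud logout")
    return findings

def build_authorization_request(cfg: dict, state=None) -> str:
    """Authorization-code request (RFC 6749 section 4.1.1) built from the configured fields.
    `state` is a per-login random value the Cloud must verify on the callback; it is a standard
    parameter, not a wizard field."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_url"],
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{cfg['authorization_request_url']}?{urlencode(params)}"

def map_userinfo(claims: dict, rule: dict, existing_groups: list) -> dict:
    """Apply a User Mapping Rule (Cloud attribute -> claim name) to a userinfo response.
    existing_groups lists the user groups already in the Cloud as {"uuid", "name"} dicts."""
    user = {}
    for cloud_attr, claim in rule.items():
        if cloud_attr == "user_group":
            continue
        if claim in claims:
            user[cloud_attr] = claims[claim]
        elif cloud_attr in ("user_name", "name"):  # the only two mandatory attributes on the page
            raise ValueError(f"userinfo has no claim {claim!r} for mandatory attribute {cloud_attr}")
    names = claims.get(rule.get("user_group", ""), [])
    if isinstance(names, str):                     # "group-1, group-2" as written on the page
        names = [n.strip() for n in names.split(",") if n.strip()]
    joined, created = [], []
    for name in names:
        hits = [g["uuid"] for g in existing_groups if g["name"] == name]
        if hits:
            joined.extend(hits)                    # page: the user joins every same-named group
        else:
            created.append(name)                   # assumed: a group with no match is created
    user["joined_group_uuids"], user["groups_to_create"] = joined, created
    return user
```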
Add a CAS server #

On the displayed page, set the following parameters:

  1. Type: Select CAS.
  2. Server Configurations: Set the basic information and configuration of a CAS server. Set the following parameters:
    • Name: Enter a name for the CAS server.
    • Description: Optional. Enter a description for the CAS server.
    • Type: CAS is displayed.
    • Configuration Info: To configure the information required to synchronize with a CAS authentication server, set the following parameters:
      • Server Login URL: Enter the login address of the CAS authentication server, for example, https://sso.cloud.com/login.
      • Server Login Prefix: Enter the prefix of the CAS authentication server address, for example, https://sso.cloud.com/.
    Figure 13. CAS Server Configuration
  3. Synchronize Mapping Rule: Specify the user mapping rules for the CAS authentication server. Set the following parameters:
    • User Mapping Rule: The mapping rule gives a third-party user local user attributes when the user is synchronized to the Cloud. It maps the third-party attributes of the user to Cloud local attributes.
      • User Name: Specify the CAS user attribute mapped to the Cloud user name. The user name uniquely identifies a user, so make sure that the attribute you map to it is also unique in the authentication system. For example, if User Name maps username, the user synchronized to the Cloud has the value of username (such as John) as its user name.
      • Name: Specify the CAS user attribute mapped to the name of the Cloud user. For example, if Name maps name, the user created in the Cloud has the value of name (such as Jack) as its name.
      • Mobile Phone: Optional. Specify the CAS user attribute mapped to the mobile phone of the Cloud user. For example, if Mobile Phone maps telephoneNumber, the user created in the Cloud has the value of telephoneNumber (such as 13800000000) as its mobile phone.
      • Email: Optional. Specify the CAS user attribute mapped to the email of the Cloud user. For example, if Email maps mail, the user created in the Cloud has the value of mail (such as xxx@xxx.xx) as its email.
      • Identifier: Optional. Specify the CAS user attribute mapped to the identifier of the Cloud user. For example, if Identifier maps employeeID, the user created in the Cloud has the value of employeeID (such as 001) as its identifier.
      • Description: Optional. Specify the CAS user attribute mapped to the description of the Cloud user. For example, if Description maps description, the user created in the Cloud has the value of description (such as dev-backend) as its description.
    Figure 14. Synchronize Mapping Rule
  4. Preview: Confirm the information and configuration of the CAS server to be added.
    Figure 15. Preview

    Click Complete to add the CAS server and synchronize 3rd-party user information.

Manage a 3rd-Party Authentication Server #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > 3rd-Party Authentication. Then, the 3rd-Party Authentication page is displayed.

The following table lists the actions that you can perform on a 3rd-party authentication server.

| Action | Description |
| --- | --- |
| Edit 3rd-Party Authentication Server | Edit the name and description of a 3rd-party authentication server. |
| Synchronize 3rd-Party Authentication Server | Synchronizing the 3rd-party authentication server reacquires the latest user list and organization structures. Note: After synchronization, users that no longer exist on the authentication server are placed into the Deleted state and cannot be used to log in to the Cloud. |
| Test Connection | Test the connection to a 3rd-party authentication server. If the connection test fails, possible reasons are: (1) the 3rd-party authentication server cannot be reached at the configured IP address and port; check whether the server is working properly and whether its IP address or port has changed; (2) the user DN or password is rejected; replace them with the latest user DN and password that has permission to query all users within the base. |
| Delete 3rd-Party Authentication Server | Delete a 3rd-party authentication server. Note: Deleting a third-party authentication server also deletes the related third-party user information. The source user and organization information is not affected. |
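The mapping rule and the synchronization behaviour described above (required versus optional attributes, username uniqueness, and users missing from a later sync being placed into the Deleted state) can be modelled in a few lines. The following is an added example written for this page; it is not ZStack's own code. The mapping rule dictionary, the `LocalUser` fields and the sample CAS records are constructed assumptions; only the attribute names (username, name, telephoneNumber, mail, employeeID, description) come from the text.

```python
# Added example (not ZStack's own code): apply a user mapping rule to
# third-party (CAS) attributes and reconcile the result with the local user
# table. Attribute names follow the rule described on the page; the dict
# layout, LocalUser fields and sample records are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Mapping rule: local attribute -> third-party attribute name.
MAPPING_RULE = {
    "user_name": "username",            # required: the unique identification
    "name": "name",                     # required
    "mobile_phone": "telephoneNumber",  # optional
    "email": "mail",                    # optional
    "identifier": "employeeID",         # optional
    "description": "description",       # optional
}
REQUIRED_LOCAL_ATTRS = ("user_name", "name")


@dataclass(frozen=True)
class LocalUser:
    user_name: str
    name: str
    state: str = "Enabled"            # "Enabled" or "Deleted"
    mobile_phone: Optional[str] = None
    email: Optional[str] = None
    identifier: Optional[str] = None
    description: Optional[str] = None

    def can_log_in(self) -> bool:
        # A user placed into Deleted state after synchronization cannot log in.
        return self.state == "Enabled"


class MappingError(ValueError):
    """Raised when a third-party record cannot be mapped to a local user."""


def map_user(attrs: Dict[str, str], rule: Dict[str, str] = MAPPING_RULE) -> LocalUser:
    """Map one third-party attribute set onto local user attributes."""
    fields: Dict[str, Optional[str]] = {}
    for local_attr, remote_attr in rule.items():
        value = attrs.get(remote_attr) or None      # treat "" as absent
        if value is None and local_attr in REQUIRED_LOCAL_ATTRS:
            raise MappingError(
                f"third-party attribute {remote_attr!r} (mapped to {local_attr}) is missing")
        fields[local_attr] = value
    return LocalUser(**fields)


def sync_users(remote_records: List[Dict[str, str]],
               local_users: Dict[str, LocalUser]) -> Dict[str, LocalUser]:
    """Re-acquire the user list: map every remote record, refuse duplicate
    usernames (the username must be unique in the authentication system), and
    place local users that no longer exist upstream into Deleted state."""
    mapped: Dict[str, LocalUser] = {}
    for attrs in remote_records:
        user = map_user(attrs)
        if user.user_name in mapped:
            raise MappingError(f"username {user.user_name!r} is not unique upstream")
        mapped[user.user_name] = user

    synced: Dict[str, LocalUser] = {}
    for user_name, old in local_users.items():
        if user_name in mapped:
            synced[user_name] = mapped.pop(user_name)        # refreshed, Enabled
        else:
            synced[user_name] = replace(old, state="Deleted")
    synced.update(mapped)                                    # users new upstream
    return synced


# Constructed sample data: what the CAS server returns on this sync, and what
# the Cloud held from the previous sync.
SAMPLE_REMOTE = [
    {"username": "john", "name": "John", "telephoneNumber": "13800000000",
     "mail": "john@example.test", "employeeID": "001", "description": "dev-backend"},
    {"username": "jack", "name": "Jack", "mail": ""},    # optional attrs absent
]
SAMPLE_LOCAL = {
    "john": LocalUser("john", "John", identifier="000"),  # attributes refresh
    "alice": LocalUser("alice", "Alice"),                 # removed upstream
}


if __name__ == "__main__":
    for name, u in sync_users(SAMPLE_REMOTE, SAMPLE_LOCAL).items():
        print(name, u.state, "login ok" if u.can_log_in() else "login blocked")
```

Note that a user who reappears upstream after a sync is mapped afresh and returns to the Enabled state, while a record missing the mapped username or name is rejected rather than silently imported, which is the check a reviewer wants before a third-party directory is allowed to create local accounts.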

Project #

Create a Project #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Project Management > Project. On the Project page, click Create Project. Then, the Create Project page is displayed.

On the displayed page, set the following parameters:

  • Name: Enter a name for the project.
  • Description: Optional. Enter a description for the project.
  • Project Configuration: You can choose manual or project template for the project configuration. If you choose Manual for the project configuration, set the following parameters:
    • Quota Setting: Specify quota settings to control the total resources in the project.
      • Compute Resource: including memory, and the number of VM instances, running VM instances, CPU, GPU devices, elastic baremetal instances, and VM scheduling policies.
      • Storage Resource: including the quantity of data volume, volume snapshot, available storage capacity, image, total image size, backup data, and available backup capacity. Notice that the Backup Service Plus License is required for the quota settings of backup data and available backup capacity.
      • Network Resource: including the quantity of VXLAN network, L3 network, security group, VIP, EIP, port forwarding, load balancer, and listener.
      • Other: including scheduled job, scheduler, resource alarm, event alarm, endpoint, and tag.
      Figure 1. Quota Setting
    If you choose Project Template for the project configuration, set the following parameters:
    • Project Template: If you choose the project template for the project configuration, you need to select an existing project template, which is used to directly apply the quota settings defined in that template to the project.
      Figure 2. Project Template
  • Zone: Specify a zone to which the project belongs, and a project can only belong to one zone.
  • Reclaim Policy: Default values: Unlimited. You can also select Reclaim by specifying time and Reclaim by specifying cost.
    • Unlimited: After you create a project, resources within the project are in the enabled state by default.
    • Reclaim by specifying time:
      • When fewer than 14 days remain before the expiration date of a project, a project member receives a reminder that the project is about to expire after logging in to the Cloud.
      • After the project expires, resources within the project are reclaimed according to the specified reclaim policy.
      To reclaim by specifying time, you need to set the following parameters:
      • Deadline: Set a deadline for the project.
      • Reclaim Policy: Three reclaim policies are supported:
        • Disable Project Member Login: After the project is expired, all project members are prohibited from logging in to the project, and the resources (VM instances and VPC vRouters) in the project are still running normally.
        • Disable Project Member Login and Stop Project Resource: After a project is expired, all project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        • Delete Project: A project is deleted after expiration, and the project is in the Deleted status. All project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        Note: After the VPC vRouter in the project is stopped, the network services it provides will stop correspondingly, and VM instances cannot access the external network.
    • Reclaim by specifying cost: A project expires when the total spending of the project reaches the maximum limit. After the project expires, the resources within the project are reclaimed according to the specified reclaim policy. To reclaim by specifying cost, you need to set the following parameters:
      • Spending Limit: Set a spending limit for the project.
      • Reclaim Policy: Three reclaim policies are supported:
        • Disable Project Member Login: After the project is expired, all project members are prohibited from logging in to the project, and the resources (VM instances and VPC vRouters) in the project are still running normally.
        • Disable Project Member Login and Stop Project Resource: After the project is expired, all project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        • Delete Project: A project is deleted after expiration, and the project is in the Deleted status. All project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        Note: After the VPC vRouter in the project is stopped, the network services it provides will stop correspondingly, and VM instances cannot access the external network.
  • Access Control: Optional. You can specify whether to allow or prohibit project members from logging in to the project within a specified time period. If not set, project members can log in to the project at any time. You configure access control by setting the login allowed time and the login prohibited time.
    • Login Allowed Time: You can set the time when members in the project can log in to the project by day or week. After setting, the project members can log in to the project only during the login allowed time period.
    • Login Prohibited Time: You can set the time when members in the project cannot log in to the project by day or week. After setting, the project members cannot log in to the project during the login prohibited time period.
    Note:
    • If the time period you set is earlier than or includes the current platform time, the access control policy takes effect in the next time period.
    • If you apply both the reclaim policy and access control policy, the reclaim policy has a higher priority.
  • Project Admin: Optional. Assign a corresponding user as the project admin.
  • Member: Optional. Add relevant users to the project as project members.
  • Department: Optional. Attach the project to a department, so that billing is done by department.
  • Pricing List: Optional. Select the pricing list used by the project. If not specified, the default pricing list is applied.
  • Security Group Constraint: By default, the security group constraint is disabled. If you enable the security group constraint, a VM instance created by a project member must have one or more security groups attached. Note:
    • Before you can enable the security group constraint for the project, make sure that the project security group quota is set to 1 or higher.
    • If you enable the security group constraint for the project, a default security group is created when the project is created.
    • You can use the Project Security Group Constraint setting in Global Setting to make the setting take effect globally. By default, the Project Security Group Constraint setting is disabled. If you enable the setting, the security group constraint is enabled by default for projects when they are created.
    • Rule: Optional. If you enable the security group constraint for the project, you can directly set the rules of security group when you create the project, or set the rules later.
Figure 3. Create Project
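The reclaim policies and the access control windows above interact in a fixed order: an expired project under any of the three reclaim policies blocks member login regardless of the access control windows (the note says the reclaim policy has the higher priority), then the login prohibited time is checked, and only then the login allowed time. The following added example models that evaluation together with the 14-day expiration reminder and the two reclaim modes (by time, by cost); it is written for this page and is not ZStack's code. The `Project` fields, the `LoginWindow` representation and the sample project are assumptions; the policy names and the 14-day threshold come from the text.

```python
# Added example (not ZStack's own code): evaluate a project member's login
# attempt against the reclaim policy and the access control windows described
# above. Project fields, window representation and sample data are assumptions;
# policy names and the 14-day reminder threshold come from the page.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Optional, Tuple

# All three reclaim policies prohibit project member login after expiry.
LOGIN_BLOCKING_POLICIES = frozenset({
    "Disable Project Member Login",
    "Disable Project Member Login and Stop Project Resource",
    "Delete Project",
})
# VM instances and VPC vRouters are stopped only under these two.
RESOURCE_STOPPING_POLICIES = frozenset({
    "Disable Project Member Login and Stop Project Resource",
    "Delete Project",
})


@dataclass(frozen=True)
class LoginWindow:
    """A login time window set by day (every day) or by week (given weekdays,
    Monday=0 .. Sunday=6)."""
    start: time
    end: time
    weekdays: Optional[FrozenSet[int]] = None   # None means every day

    def contains(self, moment: datetime) -> bool:
        if self.weekdays is not None and moment.weekday() not in self.weekdays:
            return False
        return self.start <= moment.time() < self.end


@dataclass
class Project:
    name: str
    reclaim_mode: str = "Unlimited"          # "Unlimited", "time" or "cost"
    reclaim_policy: str = ""                 # one of LOGIN_BLOCKING_POLICIES
    deadline: Optional[datetime] = None      # reclaim by specifying time
    spending_limit: Optional[float] = None   # reclaim by specifying cost
    total_spending: float = 0.0
    login_allowed: List[LoginWindow] = field(default_factory=list)
    login_prohibited: List[LoginWindow] = field(default_factory=list)


def is_expired(project: Project, now: datetime) -> bool:
    if project.reclaim_mode == "time" and project.deadline is not None:
        return now >= project.deadline
    if project.reclaim_mode == "cost" and project.spending_limit is not None:
        return project.total_spending >= project.spending_limit
    return False


def expiration_reminder(project: Project, now: datetime) -> Optional[str]:
    """Reminder shown after login when fewer than 14 days remain."""
    if project.reclaim_mode != "time" or project.deadline is None or now >= project.deadline:
        return None
    remaining = project.deadline - now
    if remaining < timedelta(days=14):
        return f"project {project.name} expires in {remaining.days} day(s)"
    return None


def member_login_decision(project: Project, now: datetime) -> Tuple[bool, str]:
    """Decide whether a project member may log in at `now`.
    Order: reclaim policy first, then prohibited time, then allowed time."""
    if is_expired(project, now) and project.reclaim_policy in LOGIN_BLOCKING_POLICIES:
        return False, f"project expired ({project.reclaim_policy})"
    if any(w.contains(now) for w in project.login_prohibited):
        return False, "within login prohibited time"
    if project.login_allowed and not any(w.contains(now) for w in project.login_allowed):
        return False, "outside login allowed time"
    return True, "login allowed"


def resources_stopped(project: Project, now: datetime) -> bool:
    """VM instances and VPC vRouters stop only under the two stopping policies."""
    return is_expired(project, now) and project.reclaim_policy in RESOURCE_STOPPING_POLICIES


# Constructed sample: weekday working hours allowed, a lunchtime slot
# prohibited, deadline 1 July 2024 with the Delete Project policy.
SAMPLE_PROJECT = Project(
    name="dev-team",
    reclaim_mode="time",
    reclaim_policy="Delete Project",
    deadline=datetime(2024, 7, 1),
    login_allowed=[LoginWindow(time(8, 0), time(20, 0), frozenset(range(0, 5)))],
    login_prohibited=[LoginWindow(time(12, 0), time(13, 0))],
)

if __name__ == "__main__":
    for moment in (datetime(2024, 6, 20, 9, 30), datetime(2024, 6, 20, 12, 15),
                   datetime(2024, 6, 22, 9, 30), datetime(2024, 7, 2, 9, 30)):
        print(moment, member_login_decision(SAMPLE_PROJECT, moment),
              expiration_reminder(SAMPLE_PROJECT, moment))
```

The point worth checking in a real deployment is the ordering: a prohibited window overrides an allowed window that overlaps it, and an expired project denies login even inside an allowed window, so a reviewer of a project's access policy should read the reclaim policy before reasoning about the time windows.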

Manage a Project #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Project Management > Project. Then, the Project page is displayed.

The following table lists the actions that you can perform on a project.

| Action | Description |
| --- | --- |
| Create Project | Create a project. |
| Edit Project | Edit the name and description of a project. |
| Enable Project | Enable a disabled project. |
| Disable Project | Disable an enabled project. |
| Restore Expired Project | Restore an expired project. After an expired project is restored, project members can log in again and the resources in the project work properly. |
| Set Access Control | Specify whether to allow or prohibit project members from logging in to the project within a specified time period. |
| Generate Project Template | Generate a project template from an existing project. When creating a project, you can use a project template to set project quotas. |
| Add Project Member | Add one or more users to a project. |
| Set Project Admin | Specify a user as the project admin. |
| Set Department | After a project is attached to a department, you can view department bills. Removing the department also removes the project bills from the department bills. |
| Change Pricing List | Change the pricing list of a project; the project is billed according to the latest pricing list. |
| Disable All Resources | Disabling the resources of a project disables all VM instances and router resources in the project. Proceed with caution. |
| Delete Project | Delete a project. After a project is deleted, the project is placed into the Deleted state. Hence, project members cannot log in to the Cloud, and all resources within the project are disabled, including VM instances and VPC vRouters. After the VPC vRouters in the project are stopped, all network services running on them stop, and VM instances cannot reach the outside network. |

Process Management #

Create a Ticket Process #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Ticket Approval > Process Management. On the Process Management page, click Create Ticket Process. Then, the Create Ticket Process page is displayed.

On the displayed page, set the following parameters:

  • Name: Enter a name for the ticket process.
  • Description: Optional. Enter a description for the ticket process.
  • Project: Select a project for the ticket process.
  • Ticket Type: Select one or more ticket types for the ticket process. Valid values: Apply for VM Instance, Delete VM Instance, and Modify VM Configuration. Note:
    • You can use the same ticket process for multiple ticket types, including Apply for VM Instance, Delete VM Instance, and Modify VM Configuration.
    • Tickets of the same ticket type correspond to one ticket process.
  • Process Setting: Display the details of the ticket process. The initial process setting interface includes two basic steps: Submit Ticket and Execution Flow. You can select admin, project admin, or department manager as the approver of the execution flow.
    • Execution Flow: Select an approver. Valid values: admin, project admin, and department manager. Note:
      • When admin is selected as the approver of the execution flow, you need to add a flow in the process setting. When project admin or department manager is selected, you can skip adding a flow in the process setting.
      • For tickets that apply for VM instances, admin can configure advanced settings by clicking Advanced Deployment, while project admin cannot configure advanced settings.
    You can add a flow by clicking the plus sign in the process setting. Set the following parameters:
    • Flow Name: Enter a name for the added flow.
    • Approver: Select an approver for the ticket. You can select an approver from the specified project.
    Note: You can delete a flow by clicking the delete sign to the right of the Flow Name.
Figure 1. Create Ticket Process

Manage a Ticket Process #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Ticket Approval > Process Management. Then, the Process Management page is displayed.

The following table lists the actions that you can perform on a ticket process.

| Action | Description |
| --- | --- |
| Create Ticket Process | Create a ticket process. |
| Edit Ticket Process | Edit the name and description of a ticket process. |
| Enable Ticket Process | Enable a disabled ticket process. |
| Disable Ticket Process | Disable an enabled ticket process. After a ticket process is disabled, you cannot perform actions on its unfinished tickets until the ticket process is enabled again. |
| Modify Ticket Process | Add or delete one or more ticket types and ticket flows. Note: After an enabled ticket process is modified, the ticket is automatically re-submitted using the modified custom ticket process. After a disabled ticket process is modified, you need to re-submit the ticket using the modified custom ticket process. Deleting a ticket type from the ticket process is equivalent to deleting the custom ticket process of that ticket type; after the modification, the ticket is automatically re-submitted according to the default process. Adding a ticket type to the ticket process is equivalent to creating a custom ticket process of that ticket type; after the modification, the ticket is re-submitted according to the modified custom ticket process. |
| Delete Ticket Process | After a ticket process is deleted, the projects using this process use the default process (Submit->admin). All tickets associated with this process are resubmitted based on the default process. |
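The rules spread over the Create Ticket Process parameters and the table above (one custom process per ticket type in a project, the default process Submit->admin when no custom process matches, no actions on unfinished tickets while the process is disabled, and re-submission under the default process after deletion) form a small state machine. The following added example models it; it is written for this page and is not ZStack's code. The class and method names, the registry and the sample process are assumptions; the ticket types, approver roles and the default process come from the text.

```python
# Added example (not ZStack's own code): a model of ticket process resolution
# as described on the page. Class names, the registry and the sample data are
# assumptions; ticket types, approver roles and the default process are from
# the text.
from dataclasses import dataclass
from typing import Dict, List, Optional

TICKET_TYPES = frozenset({"Apply for VM Instance", "Delete VM Instance",
                          "Modify VM Configuration"})
ROLE_APPROVERS = frozenset({"admin", "project admin", "department manager"})


@dataclass(frozen=True)
class Flow:
    name: str
    approver: str           # a role from ROLE_APPROVERS or a user of the project


@dataclass
class TicketProcess:
    name: str
    project: str
    ticket_types: frozenset
    flows: List[Flow]
    enabled: bool = True


# Default process: Submit -> admin, applying to every project and ticket type.
DEFAULT_PROCESS = TicketProcess("default", "*", TICKET_TYPES,
                                [Flow("admin approval", "admin")])


@dataclass
class Ticket:
    ticket_id: str
    project: str
    ticket_type: str
    process_name: str = DEFAULT_PROCESS.name
    approvals_done: int = 0
    state: str = "Pending"  # Pending / Approved


class ProcessRegistry:
    def __init__(self) -> None:
        self.processes: Dict[str, TicketProcess] = {}

    def add(self, proc: TicketProcess) -> None:
        """Validate: known ticket types, at least one flow, and only one
        process per ticket type within a project."""
        unknown = proc.ticket_types - TICKET_TYPES
        if unknown:
            raise ValueError(f"unknown ticket types: {sorted(unknown)}")
        if not proc.flows:
            raise ValueError("a ticket process needs at least one flow")
        for other in self.processes.values():
            if other.project == proc.project and other.ticket_types & proc.ticket_types:
                raise ValueError(f"{proc.project}: ticket type already covered by {other.name}")
        self.processes[proc.name] = proc

    def resolve(self, project: str, ticket_type: str) -> TicketProcess:
        for proc in self.processes.values():
            if proc.project == project and ticket_type in proc.ticket_types:
                return proc
        return DEFAULT_PROCESS

    def submit(self, ticket: Ticket) -> Ticket:
        ticket.process_name = self.resolve(ticket.project, ticket.ticket_type).name
        ticket.approvals_done = 0
        ticket.state = "Pending"
        return ticket

    def delete(self, name: str, tickets: List[Ticket]) -> List[Ticket]:
        """Delete a process; its pending tickets are re-submitted under the
        process that now applies (the default one)."""
        del self.processes[name]
        return [self.submit(t) for t in tickets
                if t.process_name == name and t.state == "Pending"]

    def process_of(self, ticket: Ticket) -> TicketProcess:
        return self.processes.get(ticket.process_name, DEFAULT_PROCESS)

    def can_act(self, ticket: Ticket) -> bool:
        """No action on an unfinished ticket while its process is disabled."""
        return ticket.state == "Pending" and self.process_of(ticket).enabled

    def next_approver(self, ticket: Ticket) -> Optional[str]:
        flows = self.process_of(ticket).flows
        if ticket.state != "Pending" or ticket.approvals_done >= len(flows):
            return None
        return flows[ticket.approvals_done].approver

    def approve(self, ticket: Ticket) -> Ticket:
        if not self.can_act(ticket):
            raise RuntimeError("ticket process disabled or ticket not pending")
        ticket.approvals_done += 1
        if ticket.approvals_done >= len(self.process_of(ticket).flows):
            ticket.state = "Approved"
        return ticket


def demo() -> dict:
    """Constructed scenario: project 'dev' routes VM applications through the
    project admin and then the department manager; the process is then deleted."""
    reg = ProcessRegistry()
    reg.add(TicketProcess("dev-vm", "dev", frozenset({"Apply for VM Instance"}),
                          [Flow("first", "project admin"), Flow("second", "department manager")]))
    t = reg.submit(Ticket("T-1", "dev", "Apply for VM Instance"))
    first = reg.next_approver(t)
    reg.approve(t)                          # one of two approvals done
    reg.delete("dev-vm", [t])               # re-submitted under the default
    return {"first_approver": first, "after_delete": reg.next_approver(t),
            "approvals_done": t.approvals_done, "process": t.process_name}
```

The `add` check is the one that matters operationally: because tickets of one type map to exactly one process per project, two overlapping custom processes would make approval routing ambiguous, so the registry refuses them up front instead of picking one silently.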

My Approval #

On the main menu of ZStack Cloud, choose Operational Management > Tenant Management > Ticket Approval > My Approval. Then, the My Approval page is displayed.

On the My Approval page, there are three tabs including Pending, Resolved, and Archived.

  • Pending: This tab displays pending tickets that can be approved or rejected.
  • Resolved: This tab displays resolved tickets, including approved or rejected tickets.
  • Archived: This tab displays archived tickets. When a project member deletes a resolved ticket, admin can view this ticket on the Archived tab.

Admin can approve or reject a ticket on the My Approval page.

  • Approve: Approve a ticket. The Cloud automatically creates resources for the applicant according to the applied configuration.Note: When deploying resources, admin can set advanced configurations on resources.
  • Reject: Reject a ticket with remarks.
