The Big Picture: People and Process

One of the benefits of self-service automation is the ability to limit access to the underlying private or public cloud virtual infrastructure, which we call cloud accounts (for example, Amazon Web Services accounts, or VMware vCenter). Commander's role-based access control means that your administrative users don't require direct access to the cloud account — they can do everything they need to in Commander instead. For more information, see Commander Access Control.

Self-service automation enables users to view and manage VMs, request new VMs, and request changes to existing VMs. Using the web-based Service Portal, cloud infrastructure administrators provide stakeholders with an information-rich view of their assets without the need for direct access to the underlying private or public cloud infrastructure. End-user access to the Service Portal can be customized to your needs. Commander also provides powerful workflow capabilities, such as quota management, which enforces predefined resource limits for organizations and end users. For more information, see Customize Service Portal Roles for Users.

Commander provides:

  • An unlimited number of customizable Service Portal roles to provide delegated administration for each organization and fine-grained control over permissions.
  • Four administrative roles to control access to Commander and the administrative tasks that each user can perform.
  • Six levels of infrastructure access rights to control visibility of cloud accounts and the tasks each administrative user can perform on your infrastructure.

Design considerations

Who needs administrative access to Commander? What Commander role and access rights do these users require?

Who needs direct access to the cloud accounts?

Do you need to delegate administrative tasks to one or more organization managers, enabling you to lighten the load on the Commander administrators? These users need a Service Portal role with delegated admin and/or management permissions.

Which of the following tasks would it make sense to delegate?

  • Adding and removing members
  • Modifying members' roles
  • Assigning the primary contact for an organization
  • Managing the media library
  • Assigning quotas to members
  • Approving members' service requests
  • Monitoring quota usage

Best practices

Once you select the small number of users who require access to the cloud account and to Commander, all other users should have access through the Service Portal only.

Typically the person responsible for a business unit, the organization manager has extended permissions for managing an organization's members, quota and assets. Tailor these permissions to the technical abilities of your organization managers.