• Local User: A user that is created on the Cloud. A local user can be added to an organization or a project, and attached to a role.
• 3rd-Party User: A user is that is synchronized to the Cloud through 3rd-party authentication. A 3rd-party user can be added to an organization or a project, and attached to a role, and changed to a local user.

Note:

• To log in to the Cloud, enterprise management users need to use the project login entry.
  • Local users log in to the Cloud via the Local User entry.
  • AD/LDAP users log in to the Cloud via the AD/LDAP User entry.
  • OIDC/OAuth2/CAS users log in to the Cloud from the 3rd-party application without the password.
• The admin and platform manager can view the list of all users.
• If you created an organizational structure tree on the Cloud, platform members can view only the list of users belonging to the organizational structure. If you did not create any organizational structure tree, platform members can view all users.

• Platform Role: After a user has a platform role attached, the user will have the management permission of the corresponding zone. Permissions of a platform role take effect only in the zone managed by the user.
• Project Role: After a user joins a project and have a project role attached, the user will have the permission to use the project and manage the data in the project.

Note:

• One user can have two types of role attached.
• One user can have more than one platform role or project role attached.
• In a project, if a user has multiple project roles attached, the user will have all the permissions attached to the project roles.

• AD authentication:

  Active Directory (AD) is a directory service designed for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter Server. AD provides an independent, standard login authentication system for increasingly diverse enterprise office applications.

  AD users or organizations can be synchronized to the user list or organization of ZStack Cloud via an AD server, while specified AD login attributes can be used to directly log in to ZStack Cloud.

• LDAP authentication:

  Lightweight Directory Access Protocol (LDAP) can provide a standard directory service that offers an independent, standard login authentication system for increasingly diverse enterprise office applications.

  LDAP users can be synchronized to the user list of ZStack Cloud via an LDAP server, while specified LDAP login attributes can be used to directly log in to ZStack Cloud.

• OIDC authentication:

  OpenID Connect (OIDC) is a set of authentication protocols based on the OAuth2 protocol, and it allows the clients to verify the user identity and obtain basic user configuration information.

  The user information can be synchronized to the Cloud according to the mapping rules via an OIDC server, and users of the OIDC authentication system can log in to the Cloud without the password.

• OAuth2 authentication:

  Open Authorization 2.0 (OAuth2) is a set of authorization protocol standards that can authenticate and authorize users to access related resources. The Cloud currently only supports authorization through the authorization code.

  The user information can be synchronized to the Cloud according to the mapping rules via an OAuth2 server, and users of the OAuth2 authentication system can log in to the Cloud without the password.

• CAS authentication:

  Central Authentication Service (CAS) is a set of single sign-on protocols that allow website applications to authenticate users.

  The user information can be synchronized to the Cloud according to the mapping rules via a CAS server, and users of the CAS authentication system can log in to the Cloud without the password.

• When you create a project, you need to specify the resource quotas and reclaim policy, and add project members.
• The basic resources (instance offering, image, network, and other resources) on the Cloud are suggested to shared or created in advance.

• Default process: The project member submits a ticket to the admin, and then the admin approves the ticket. This process applies to the following scenarios:
  • The tickets that are not configured with a ticket process.
  • The tickets which apply for modifications on the project cycle.
  • The tickets which apply for modifications on the project quota.
  • If the custom ticket process is deleted, the tickets will be resubmitted automatically via the default ticket process.
• Custom process: The project member submits a ticket. The project member makes process settings via process management. Finally, the admin or project admin approves the ticket. This process applies to the following scenarios:

  • The tickets created to apply for VM instances, delete VM instances, and change VM configurations will be prioritized to be submitted via the configured, custom ticket process.

  • If you modify the valid ticket process, the tickets will be automatically resubmitted via this modified, custom ticket process.
  • If you modify the invalid ticket process, you need to resubmit the tickets manually by using this modified, custom ticket process.

To effectively manage the Cloud, the platform user (platform admin/regular platform member) can cooperate with the super administrator to manage and operate the Cloud together. ZStack Cloud provides various system roles such as Platform Admin Role and Dashboard Role. You can also satisfy various usage scenarios by creating custom roles at the API level.

The project management is project-oriented to plan for resources. Specifically, you can create an independent resource pool for a specific project. Project lifecycles can be managed (including determining time, quotas, and permissions) to improve cloud resource utilizations at granular, automatic level and strengthen mutual collaborations between project members.

To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can submit tickets to obtain cloud resources. Tickets are reviewed and approved according to custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available, including applying for VM instances, deleting VM instances, modifying VM configurations, modifying project cycles, and modifying project quotas.

Usually, a zone corresponds to an actual data center in a place. If you isolated resources for zones, you can specify the corresponding zone admins for each zone to achieve independent managements of various machine rooms. In addition, the admin can inspect and manage all zones.

The 3rd-party authentication is a third-party authentication service provided by ZStack Cloud. You are allowed to seamlessly access the third-party login authentication system. The corresponding account system can directly log in to the Cloud to conveniently use cloud resources. Currently, you can add an AD/LDAP/OIDC/OAuth2/CAS server.

• Unlimited: After you create a project, resources within the project will be in the enabled state by default.
• Reclaim by Specifying Time:
  • When the expiration date for a project is less than 14 days, the smart operation assistant will prompt you for The license will be expired after a project member logs in to the Cloud.
  • After the project expired, resources within the project will be collected according to the specified policy. The policy includes disabling login, preventing project members from logging in to the Cloud, stopping resources, and deleting projects.
• Reclaim by Specifying Cost: When the project spending reaches the maximum limit, resources within the project will be collected according to the specified policy. The policy includes disabling login, preventing project members from logging in to the Cloud, stopping resources, and deleting projects.

• Login Allowed Time: You can set the time when members in the project can log in to the project by day or week. After setting, the project members can log in to the project only during the login allowed time period.
• Login Prohibited Time:You can set the time when members in the project cannot log in to the project by day or week. After setting, the project members cannot log in to the project during the login prohibited time period.

• Before you can enable security group constraint for the project, make sure that the project security group quota is set to 1 or higher.
• If you enable the security group constraint for the project, a default security group is created when the project is created.

• Admin can log in to the Cloud via Main Login.

  By using Chrome or Firefox, go to the Account Login page via http://management_node_ip:5000/#/login. To log in to the Cloud, the admin must enter the corresponding user name and password.

  
  
  

• For users (platform admin, platform user, project admin, project manager, regular project member, or department manager), log in to the Cloud via Project Login.
  By using Chrome or Firefox, go to the Project Login page via http://management_node_ip:5000/#/ project. To log in to the Cloud, enter the corresponding user name and password. Specifically, the Cloud has two login entrances for Project Login as follows:

  • Local user: the user created on the Cloud. Log in to the Cloud via Local User.
  • AD/LDAP user: the 3rd-party user synchronized to the Cloud via the 3rd-party authentication. Log in to the Cloud via AD/LDAP User, as shown in Project Login Page.

  After the successful login, you can select the platform or project to be managed to log in to the corresponding management interface.