In some situations, you may need to configure more granular role permissions, beyond the options available through the Tasks tab in the Roles editor. The Advanced tab provides more thorough control over tasks a role can complete.
| Permission | Description |
|---|---|
| Read | Role can view a given type of resource or functional area. For example, if you assign ReadTargetGroups to a role, the role can view the targets you specify, as well as details about each target. |
| Run | Role can run a given type of operation. The type of operation permitted can vary; for instance, you can assign permission to run arbitrary commands on minions, or to run commands on Salt controllers. |
| Write | Role can create and edit a given type of resource or functional area. For example, you might assign WriteFileServer to an advanced user role, so the role can create or edit files in the file server. Users with Write access can edit resources they have created, without needing any specific resource access settings. |
| Delete | Role can delete a given type of resource or other item in a given functional area. For example, you might assign DeletePillar to a role, so the role can delete a pillar that is no longer in use. Users with Delete permission can delete resources they have created, without needing any specific resource access settings. |
When setting permissions for a role in the advanced editor, the above actions can apply to the following resources or functional areas.
| Resource type/Functional area | Description | See also |
|---|---|---|
| All Minions Commands | Run commands on the All Minions target. The All Minions target can vary based on the combination of minions the role has permission to access. | |
| Admin | Grants administrative privileges in the Tanzu Salt user interface only. Be aware that this does not include administrative access to the API (RaaS). As a best practice, use caution when granting this level of access to a role. | How do I define user roles |
| Audit Log | The audit log is a record of all activity in Tanzu Salt that includes details of each user's actions. | See rpc_audit or contact an administrator for assistance. |
| Commands | A command is the task (or tasks) executed as part of a job. Each command includes target information, a function, and optional arguments. | Jobs |
| File Server | The file server is a location for storing both Salt-specific files, such as top files or state files, and files that can be distributed to minions, such as system configuration files. | File Server |
| Groups | Groups are collections of users who share common characteristics and need similar user access settings. | How do I define user roles |
| Jobs | Jobs are used to run remote execution tasks, apply states, and start Salt runners. | Jobs |
| License | Your license includes usage snapshots, as well as details such as the number of Salt controllers and minions licensed for your installation, and when the license expires. | See rpc_license, or contact an administrator for assistance. |
| Salt Controller Configuration | The Salt controller configuration file contains details about the Salt controller (formerly called the Salt master), such as its Salt controller ID, publish port, caching behavior, and more. | Salt Master Configuration Reference |
| Salt Controller Resources | The Salt controller is a central node used to issue commands to minions. | Salt Master Reference |
| Metadata auth | The AUTH interface is used for managing users, groups, and roles through the RPC API. | See rpc_auth, or contact an administrator for assistance. |
| Minion Resources | Minions are nodes running the minion service, which can listen to commands from a Salt controller and perform the requested tasks. | |
| Pillar | Pillars are structures of data defined on the Salt controller and passed through to one or more minions, using targets. They allow confidential, targeted data to be securely sent only to the relevant minion. | How do I define user roles |
| Returner Data | Returners receive the data minions return from executed jobs. They allow the results of a Salt command to be sent to a given data store, such as a database or log file, for archival. | Returner Reference |
| Roles | Roles are used to define permissions for multiple users who share a common set of needs. | How do I define user roles |
| Runner Commands | A command is the task (or tasks) executed as part of a job. Each command includes target information, a function, and optional arguments. Salt runners are modules used to execute convenience functions on the Salt controller. | Jobs |
| Compliance Assessment | An assessment is an instance of checking a collection of nodes against a given set of security checks, as specified in a Tanzu Salt Compliance Cloud policy. | How do I use Tanzu Salt Compliance |
| Compliance Policy | Compliance policies are collections of security checks, and specifications for which nodes each check applies to, in Tanzu Salt Compliance Cloud. | How do I use Tanzu Salt Compliance |
| Compliance Remediation | Remediation is the act of correcting noncompliant nodes in Tanzu Salt Compliance Cloud. | How do I use Tanzu Salt Compliance |
| Compliance Content Ingest - Tanzu Salt | Ingesting Tanzu Salt Compliance Cloud content means downloading or updating the Tanzu Salt Compliance security library. | How do I use Tanzu Salt Compliance |
| Compliance Content Ingest - Custom | Custom Compliance content allows you to define your own security standards, to supplement the library of security benchmarks and checks built into Tanzu Salt Compliance Cloud. Ingesting custom content means uploading custom checks and benchmarks. | How do I use Tanzu Salt Compliance |
| Compliance Custom Content | Custom Compliance content allows you to define your own security standards, to supplement the library of security benchmarks and checks built into Tanzu Salt Compliance Cloud. | How do I use Tanzu Salt Compliance |
| Schedules | Schedules are used to run jobs at a predefined time or specific interval. | Jobs |
| SSH Commands | Secure Shell (SSH) commands run on minions that do not have the minion service installed. | Salt SSH Reference |
| Target Groups | A target is the group of minions, across one or many Salt controllers, that a job's Salt command applies to. A Salt controller can also be managed like a minion and can be a target if it is running the minion service. | Using the Targets workspace |
| Users | Users are individuals who have a Tanzu Salt account with your organization. | How do I define user roles |
| Vulnerability Assessment | A vulnerability assessment is an instance of scanning a collection of nodes for vulnerabilities as part of a Tanzu Salt Vulnerability Cloud policy. | How do I use Automation for Tanzu Salt Vulnerability |
| Vulnerability Policy | A vulnerability policy consists of a target and an assessment schedule. The target determines which minions to include in an assessment, and the schedule determines when assessments run. The policy also stores the results of the most recent assessment in Tanzu Salt Vulnerability Cloud. | How do I use Automation for Tanzu Salt Vulnerability |
| Vulnerability Remediation | Remediation is the act of patching vulnerabilities in Tanzu Salt Vulnerability Cloud. | How do I use Automation for Tanzu Salt Vulnerability |
| Vulnerability Content Ingest | Tanzu Salt Vulnerability Cloud content is a library of advisories based on the latest Common Vulnerabilities and Exposures (CVE) entries. Ingesting Tanzu Salt Vulnerability Cloud content means downloading the latest version of the content library. | How do I use Automation for Tanzu Salt Vulnerability |
| Vulnerability Vendor Import | Tanzu Salt Vulnerability Cloud supports importing security scans generated by a variety of third-party vendors. This permission allows a user to import vulnerability scan results from a file or through a connector. By default, all Tanzu Salt users can access the Connectors workspace. However, permission to run Vulnerability Vendor Import, as well as a Tanzu Salt Vulnerability Cloud license, is required for a user to successfully import vulnerabilities from a connector. | How do I use Automation for Tanzu Salt Vulnerability |
| Wheel Commands | Wheel commands control how the Salt controller operates, and are used to manage keys. | Salt Wheel Reference |
Access to the following resource types must be defined using the API (RaaS):
All other resource types, excluding jobs, targets, and those listed above, do not require any specific resource access settings.
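To make the interaction between Advanced tab permissions and resource access settings concrete, here is an added Python illustration (not Tanzu Salt's own authorization code): a deny-by-default check where a permission such as WriteFileServer is sufficient on its own, while jobs and targets additionally need a resource access grant unless the user created the resource and is editing or deleting it. The permission names follow the Read/Run/Write/Delete plus resource-type pattern above; the `User` and `Resource` classes, the user names and the resource names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the Advanced tab permission check; not Tanzu Salt code.
ACTIONS = {"Read", "Run", "Write", "Delete"}
# Jobs and targets also need per-resource access settings (see the note
# above); every other resource type needs only the role permission.
RESOURCE_SCOPED = {"Jobs", "TargetGroups"}


@dataclass(frozen=True)
class Resource:
    kind: str        # resource type, e.g. "TargetGroups" or "FileServer"
    name: str        # hypothetical identifier of one resource of that kind
    created_by: str  # user who created it


@dataclass
class User:
    name: str
    permissions: set  # Advanced tab permissions, e.g. "ReadTargetGroups"
    # (kind, name) pairs granted through resource access settings
    resource_access: set = field(default_factory=set)


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: the role must hold <Action><Kind>. For jobs and
    targets a resource access grant is also required, except that a user
    may Write or Delete a job or target they created themselves."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if f"{action}{resource.kind}" not in user.permissions:
        return False
    if resource.kind not in RESOURCE_SCOPED:
        return True
    if (resource.kind, resource.name) in user.resource_access:
        return True
    # The ownership shortcut is stated only for Write and Delete, so Read
    # of someone else's target still needs an explicit grant.
    return action in {"Write", "Delete"} and resource.created_by == user.name


def effective_actions(user: User, resource: Resource) -> set:
    """Every action the user can take on one resource; useful for access review."""
    return {a for a in ACTIONS if is_allowed(user, a, resource)}


if __name__ == "__main__":
    alice = User("alice", {"ReadTargetGroups", "WriteTargetGroups", "WriteFileServer"})
    mine = Resource("TargetGroups", "web-servers", created_by="alice")
    theirs = Resource("TargetGroups", "db-servers", created_by="bob")
    print(effective_actions(alice, mine), effective_actions(alice, theirs))
```

Running `effective_actions` over each user and resource pair is a quick way to review whether a role's Write or Delete grants reach further than intended.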