Skip to content

3Engines User Roles on 3Engines Cloud🔗

A user role in 3Engines cloud is a set of permissions that govern how members of specific groups interact with system resources, their access scope, and capabilities.

This guide simplifies 3Engines roles for casual users of 3Engines Cloud VMs. It focuses on practical use cases and commonly required roles.

What We Are Going To Cover🔗

  • Frequently used user roles
  • Common user roles
  • Roles for Kubernetes users
  • Roles for Load Balancer users
  • Examples of using user roles
  • Using user roles while creating application credential in Horizon
  • Using user roles while creating application credential via the CLI
  • Using user roles while creating a new project
  • Using member role only while creating a new user
  • Dictionary of other roles

Prerequisites🔗

1. Account

You need a 3Engines Cloud hosting account with Horizon access: https://3engine.rootxwire.com/.

Also see:

What is an 3Engines project on 3Engines Cloud

What is an 3Engines domain on 3Engines Cloud

How to generate or use Application Credentials via CLI on 3Engines Cloud

2. Familiarity with 3Engines Commands

Ensure you know the following 3Engines commands:

3Engines
The primary CLI for interacting with 3Engines services. How to install 3EnginesClient for Linux on 3Engines Cloud
kubectl

CLI for Kubernetes clusters. Example article:

How To Access Kubernetes Cluster Post Deployment Using Kubectl On 3Engines Cloud 3Engines Magnum

Frequently used user roles🔗

Common user roles🔗

member

Grants standard access to project resources.

Note

Older 3Engines versions may use _member_. If both member and _member_ exist, choose member.

  • Horizon: Project -> Overview
  • CLI: 3Engines server list, 3Engines project list
observer

Read-only access for monitoring and auditing resources. Suitable for third-party tools like Prometheus or Grafana.

  • Horizon: Project -> Overview
  • CLI: 3Engines server show, 3Engines project show
reader

Read-only access with slightly broader permissions than observer. Ideal for monitoring and analytics tools requiring detailed resource data.

  • Horizon: Project -> Overview
  • CLI: 3Engines server list, 3Engines project list

Roles for Kubernetes users🔗

k8s_admin

Administrative access to manage Kubernetes clusters and resources.

  • Horizon: Kubernetes -> Clusters
  • CLI: kubectl create deployment, kubectl get pods
k8s_developer

For developers deploying applications within Kubernetes.

  • Horizon: Kubernetes -> Workloads
  • CLI: kubectl create, kubectl apply
k8s_viewer

Read-only access to monitor Kubernetes resources.

  • Horizon: Kubernetes -> Overview
  • CLI: kubectl get pods, kubectl describe pod

Roles for Load Balancer users🔗

load-balancer_member

Grants access to deploy applications behind load balancers.

  • Horizon: Network -> Load Balancers
  • CLI: 3Engines loadbalancer member create, 3Engines loadbalancer member list
load-balancer_observer

Read-only access to monitor load balancer configurations.

  • Horizon: Network -> Load Balancers
  • CLI: 3Engines loadbalancer show, 3Engines loadbalancer stats show

How to View Roles in Horizon🔗

You can view roles in Horizon by navigating to Identity -> Roles.
../_images/user-roles-list-2.png ../_images/user-roles-list-1.png

Assigning multiple roles is best done during project creation rather than user creation.

3Engines-user-roles-create-4.png

Examples of using user roles🔗

The following articles, as one of many steps, describe how to assign a role to the new project, credential, user or group.

Using user roles while creating application credential in Horizon🔗

Normally, you access the cloud via user credentials, which may be one- or two-factor credentials. 3Engines provides a more direct procedure of gaining access to cloud with application credential and you can create a credential with several user roles.

That S3 article selects user roles when creating an application credential, through Horizon:

/s3/Create-S3-bucket-and-use-it-in-Sentinel-Hub-requests

user-roles-list-create-2.png

Using user roles while creating application credential via the CLI🔗

This is the main article about application credentials; it is mostly using CLI:

How to generate or use Application Credentials via CLI on 3Engines Cloud

Here is how to specify user roles through CLI parameters:

user-roles-list-create-1.png

Using user roles while creating a new project🔗

In article How to Create and Configure New 3Engines Project Through Horizon on 3Engines Cloud Cloud we use command Project Members to define which users to include into the project:

user-roles-list-create-4.png

You would then continue by defining the roles for each user in the project:

user-roles-list-create-5.png

See this Rancher article, How to install Rancher RKE2 Kubernetes on 3Engines Cloud. Then, in Preparation step 1, a new project is created, with the following user roles:

  • load-balancer_member,
  • member and
  • creator.

user-roles-list-create-6.png

Using member role only while creating a new user🔗

In SLURM article, we first create a new 3Engines Keystone user, with the role of member.

/cuttingedge/Sample-SLURM-Cluster-on-3Engines-Cloud-Cloud-with-ElastiCluster

user-roles-list-create-3.png

That user can login to Horizon and use project resources together with other users which are defined in a similar way.

Dictionary of other roles🔗

admin
Grants unrestricted access to all resources and configurations in the system. Typically reserved for superusers or administrators.
project_admin
Provides administrative privileges within a specific project, allowing users to manage resources, members, and settings at the project level.
network_admin
Focused on managing networking resources, including creating networks, subnets, and routers, as well as assigning IPs.
storage_admin
Offers full control over storage resources, such as creating, modifying, and deleting volumes and snapshots.
database_admin
Designed for managing database resources, including provisioning, scaling, and backup configurations.
audit_viewer
A read-only role dedicated to viewing logs, system events, and audit trails for compliance and monitoring purposes.
compute_operator
Allows management of compute resources, such as starting, stopping, and resizing virtual machines, but without administrative privileges.
volume_user
Enables users to attach and detach volumes to/from instances and perform basic volume management tasks.
image_creator
Provides permissions to upload, manage, and delete virtual machine images in the image repository.
security_group_manager
Focused on managing security groups and rules, including creating and updating firewall configurations.
dns_admin
Grants administrative privileges over DNS zones, records, and configurations.
keypair_user
A role for managing SSH key pairs used for authenticating access to virtual machines.
heat_stack_owner
Enables users to create and manage orchestration stacks using Heat templates, including scaling and updating stacks.
backup_admin
Offers full control over backup operations, such as scheduling backups, restoring data, and managing backup repositories.
report_viewer
A read-only role that provides access to reports and analytics dashboards without the ability to modify data.
api_user
Designed for programmatic access to the system via APIs, allowing automation and integration tasks.
support_role
A limited-access role for customer support agents, enabling them to troubleshoot issues without full system access.
custom_role (generic)
Represents a user-defined role tailored for specific permissions or organizational policies. Refer to system administrators for details on its scope.