Example: Define permission scopes

In the previous step, Corporate IT identified ten permissions. Six permissions are restricted by four distinct scopes. Corporate IT needs to create four scopes: VM Cloud, SRV Cloud, Human Resources and Finance.

Department	Function	Permission Role	Permission Scope
Corporate IT	Senior technologists	Infrastructure administrator	All resources
Corporate IT	Server administrator	Server administrator	All resources
Corporate IT	Network administrator	Network administrator	All resources
Corporate IT	Storage administrator	Storage administrator	All resources
Finance	OS/Application administrators	Server profile operator	Finance
Human Resources	OS/Application administrators	Server profile operator	Human Resources
SRV Cloud IT	Server Cloud administrators	Server profile architect	SRV Cloud
SRV Cloud IT	Server Cloud administrators	Scope operator	SRV Cloud
VM Cloud IT	Server administrator	Server administrator	VM Cloud
VM Cloud IT	Network administrator	Network administrator	VM Cloud

VM Cloud IT is responsible for managing their enclosures. The following table summarizes the results of the analysis performed by Corporate IT to determine the resources that must be assigned to the VM Cloud scope.

Operation	Analysis
Create networks	Created by VM Cloud IT and automatically added to the VM Cloud scope. SANs are considered as shared resources and not restricted by scope. VM Cloud IT is allowed to assign SANs to Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE) networks.
Create network sets	Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign networks created by VM Cloud IT to the VM Cloud network sets.
Create logical interconnect groups	Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign networks created by VM Cloud to the uplink sets.
Create enclosure groups	Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign logical interconnect groups created by VM Cloud IT to enclosure groups.
Create logical enclosures	Created by VM Cloud IT and automatically added to the VM Cloud scope. The logical interconnects created during this operation are automatically added to the VM Cloud scope. VM Cloud IT needs access to the enclosures assigned to the VM Cloud pilot. Corporate IT must assign the three enclosures to the VM Cloud scope. As the firmware bundles are restricted by scope, VM Cloud IT needs access to approved firmware bundles. Corporate IT must assign the authorized firmware bundles to the VM Cloud scope.
Power on/off/Refresh interconnects	To allow VM Cloud IT to manage the VM Cloud interconnects, Corporate IT must assign the interconnects in the VM Cloud enclosures to the VM Cloud scope.
Power on/off/Refresh drive enclosures	To allow VM Cloud IT to manage the drive enclosures in the VM Cloud enclosures, Corporate IT must assign the drive enclosures to the VM Cloud scope.
Launch console/Power on/off/Reset/Refresh server hardware	Corporate IT must assign the blades in the VM Cloud enclosures to the VM Cloud scope.
Create server profile templates	Created by VM Cloud IT and automatically added to the VM Cloud scope. In order to assign resources to the server profile templates, VM Cloud IT needs access to firmware bundles, networks, network sets and volume templates. Corporate IT must assign the authorized volume templates to the VM Cloud scope. Image Streamer is not configured for this pilot. Therefore, access to the OS deployment plans is not required.
Create server profiles	Created by VM Cloud IT and automatically added to the VM Cloud scope. In addition to rights granted above, VM Cloud IT needs access to the server hardware.

Corporate IT performed a similar analysis for the SRV Cloud scope. SRV Cloud IT users are only allowed to perform server-related operations. The following table summarizes the results:

Operation	Analysis
Launch console/Power on/off/Reset/Refresh server hardware	Corporate IT needs to assign the blades in the SRV Cloud enclosures to the SRV Cloud scope.
Create server profile templates	Created by SRV Cloud IT and automatically added to the SRV Cloud scope. In order to assign resources to server profile templates, SRV Cloud IT needs access to firmware bundles, networks and network sets. Corporate IT must assign firmware bundles, networks and network sets to the SRV Cloud scope.
Create server profiles	Created by SRV Cloud IT and automatically added to the SRV Cloud scope. In addition to rights granted above, SRV Cloud IT needs access to server hardware.
Assign SRV Cloud resources to Human Resources and Finance scopes	Both an `Update` and `Use` authorization check are performed when assigning a resource to a scope. For example, to assign a blade to the Human Resources scope, SRV Cloud IT needs `Update` rights on the Human Resources scope and `Use` rights on the server hardware. Additionally, both the Human Resources scope and the blade must be assigned to the SRV Cloud scope. SRV Cloud IT is only allowed to update the Human Resources and Finance scopes. When assigning a resource to a scope there is no concept of a hierarchy. Assigning a scope to a scope restricts operations that can be performed on the scope; it does not affect access to resources assigned to either scope. Corporate IT must assign the Human Resources and Finance scope instances to the SRV Cloud scope.

Finally, Corporate IT completes the analysis of the Human Resources and Finance scopes.

Operation	Analysis
Launch console/Power on/off/Reset/Refresh server hardware	SRV Cloud IT is responsible for assigning SRV Cloud server hardware to the Human Resources and Finance scopes.
Update server profiles	SRV Cloud IT is responsible for assigning SRV Cloud server profiles to the Human Resources and Finance scopes. SRV Cloud IT is also allowed to assign SRV Cloud firmware bundles to the Human Resources and Finance scopes. SRV Cloud IT is still debating on whether or not Human Resources and Finance users are allowed to update server firmware.

To summarize, the authentication model for the pilot defines four permission scopes and nine directory group accounts with associated permissions.

Permission Scope	Resources explicitly assigned to the scope by Corporate IT
Finance	None
Human Resources	None
SRV Cloud	The blades contained in the two enclosures dedicated to the SRV Cloud pilot. The firmware bundles and networks approved for use by SRV Cloud IT. The Finance and Human Resources scope resource instance. This is required to allow SRV Cloud IT to assign SRV Cloud resources to the Finance and Human Resources scopes.
VM Cloud	The three enclosures dedicated to the VM Cloud pilot. The blades contained in the three enclosures. The interconnects contained in the three enclosures. The drive enclosures contained in the three enclosures. The firmware bundles and volume templates approved for use by VM Cloud IT.

Directory Group	Permissions
CorpIT-FULL	(Infrastructure administrator, All resources)
CorpIT-NA	(Network administrator, All resources)
CorpIT-SA	(Server administrator, All resources)
CorpIT-StA	(Storage administrator, All resources)
Finance-Admins	(Server profile operator, Finance)
HR-Admins	(Server profile operator, Human Resources)
SRVCloudIT-Admins	(Server profile architect, SRV Cloud); (Scope operator, SRV Cloud)
VMCloudIT-SA	(Server administrator, VM Cloud)
VMCloudIT-NA	(Network administrator, VM Cloud)