
Role

A role is a predefined set of permissions that determines what actions a user or group can perform on cloud resources within a project.

What is a Role in cloud hosting?

A role is a predefined set of permissions that determines what actions a user can perform on cloud resources within a project. Roles define the boundaries of access, specifying whether a user can create, modify, view, or delete resources such as instances (virtual machines), volumes, networks, and security groups.

In OpenStack-based cloud platforms, the identity service (Keystone) records each role assignment for a user or group on a scope, most often a project (domain and system scopes also exist). When a user requests a token scoped to a project, the token carries only the roles assigned there, and each service's policy rules decide which roles an API call requires. A single user can therefore hold different roles in different projects, giving fine-grained access control across an organization's cloud infrastructure.

Related Terms

  • User: An individual identity that authenticates to the cloud platform and receives role assignments, such as a developer account or a service account used by automation scripts.
  • Project: A logical container that groups cloud resources and users together, such as a development environment where a team deploys and manages their applications.
  • Keystone: The OpenStack identity service that manages authentication, authorization, and role assignments, such as validating user credentials and enforcing role-based permissions.
  • Identity Management: The system responsible for creating, storing, and verifying user identities and their associated roles, such as integrating with corporate directories for centralized authentication.

Why Roles Exist

Without roles, every user would either have full administrative access or no access at all. This creates two problems: excessive permissions expose the cloud environment to accidental or malicious damage, while insufficient permissions prevent users from doing their work.

Roles solve this by creating named permission sets that match job functions. A developer might need to launch and manage instances but should not be able to modify network routing or billing settings. An operator might need read-only access to monitor resources without the ability to change them.

Roles also simplify administration. Instead of configuring permissions for each user individually, administrators assign roles. When job responsibilities change, updating a user's role immediately grants or revokes the appropriate permissions.

What Do Roles Actually Do?

  • Grant specific API permissions: Each service's policy rules map API operations to the roles allowed to call them, so a role translates into a concrete set of actions. The dashboard and CLI are front-ends for the same API, so a restriction enforced by policy cannot be bypassed by switching tools.
  • Restrict resource modifications: Roles determine whether a user can create, update, or delete resources such as instances, volumes, and networks.
  • Control visibility: Some roles provide read-only access, allowing users to view resource status and metrics without making changes.
  • Enable delegation: Roles allow administrators to delegate specific responsibilities to team members without sharing full administrative access.
  • Scope permissions to projects: A user's role applies within a specific project, so the same user can have admin access in a test project but only reader access in production.

When Would I Use Roles?

You assign roles whenever you need to control what users can do in your cloud environment. Common scenarios include:

  • Onboarding new team members: Assign an appropriate role based on their job function, such as "member" for developers who need to create and manage instances.
  • Separating production and development access: Give developers admin roles in test projects but read-only roles in production projects. Confirm that your platform scopes the admin role to the project: under older OpenStack policy defaults, admin granted in any single project was treated as cloud-wide (Keystone bug 968696). Current default policies scope it properly, but check your provider's behaviour before relying on it.
  • Creating service accounts: Assign minimal roles to automated processes that only need specific permissions, such as a backup script that only needs to create snapshots. In OpenStack, application credentials let you hand automation a credential limited to one project and a subset of your roles instead of a user password.
  • Granting temporary access: Assign a role to a contractor or auditor who needs time-limited access to view or modify specific resources. Role assignments have no built-in expiry in Keystone, so record the end date and remove the role when it passes.
  • Implementing least privilege: Use roles to ensure users have only the permissions they need, reducing the risk of accidental changes or security breaches.

When Would I NOT Use Roles?

Roles may not be the right solution in these situations:

  • Single-user environments: If you are the only user, managing roles adds overhead with little benefit. Even then, giving scripts a member or reader role rather than your admin credentials limits the damage from a leaked key.
  • When you need resource-level permissions: Roles apply to entire resource types within a project. If you need to restrict access to specific individual resources, you may need additional mechanisms such as separate projects.
  • For network-level access control: Roles control API access, not network traffic. Use security groups and firewall rules to control which network connections are allowed.
  • When standard roles do not fit: If the predefined roles do not match your requirements, you may need to request custom roles from your cloud provider or implement additional access controls at the application level.

Real-World Example

Company A runs an e-commerce platform on a cloud VPC with three projects: production, staging, and development.

Their cloud administrator creates user accounts for the team:

  • Operations lead: Admin role in production (full control), member role in staging (can make changes), reader role in development (view only)
  • Developers: Admin role in development (full control), member role in staging (can deploy updates), reader role in production (can view logs but not modify)
  • External auditor: Reader role in production only (can view resources and configurations but cannot make any changes)

When a developer accidentally tries to delete an instance in production, the API rejects the request (HTTP 403 Forbidden) because their reader role does not satisfy the delete policy rule. The same developer can freely create and delete instances in the development project, where they hold the admin role.

Frequently Asked Questions

What are the most common roles in cloud platforms?

OpenStack-based platforms ship three default roles: admin (full control over all resources), member (can create, modify, and delete resources), and reader (view-only access). Other platforms offer similar tiers under different names, and some add roles for specific functions such as billing access or network administration. Your cloud provider's documentation (for OpenStack, each service's policy file) lists the exact permissions each role grants.

Can a user have multiple roles in the same project?

Yes. A user can be assigned multiple roles within a single project. The effective permissions are the union of all assigned roles: if one role grants create permission and another grants delete permission, the user has both abilities. Keystone also expands implied roles when it issues a token; by default admin implies member and member implies reader, so a user assigned admin automatically carries the other two.

What happens if I remove a user's only role?

The user loses all access to that project. They will not be able to view, create, or modify any resources in that project until a new role is assigned. Existing resources they created remain in the project and can be managed by other users with appropriate roles.
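The behaviour described in the Real-World Example and in the two answers above (project-scoped assignments, union of roles, and loss of access when the only role is removed) can be modelled in a few dozen lines. The following is an added illustration, not IMHCloud's or OpenStack's code: an in-memory approximation of how Keystone role assignments and per-service policy rules combine to answer "may this user perform this API action in this project?". The user names, project names, and the POLICY table are constructed for the example; real services load their rules from policy.yaml via oslo.policy.

```python
"""Toy model of project-scoped roles, implied roles, and policy checks.

Constructed example, not IMHCloud's or OpenStack's code. All user,
project and action names are hypothetical.
"""
from collections import defaultdict

# Constructed policy table: API action -> roles, any of which suffices.
# Mirrors the admin/member/reader convention; real deployments express
# this in each service's policy.yaml.
POLICY = {
    "compute:get_server": {"reader", "member", "admin"},
    "compute:create_server": {"member", "admin"},
    "compute:delete_server": {"member", "admin"},
    "network:update_router": {"admin"},
}

# Implied roles as Keystone's bootstrap creates them: admin -> member -> reader.
# Holding the left-hand role also grants the right-hand one in the token.
IMPLIED = {"admin": "member", "member": "reader"}


class RoleStore:
    """Role assignments keyed by (user, project), as Keystone scopes them.
    A user's roles in one project say nothing about any other project."""

    def __init__(self):
        self._assignments = defaultdict(set)

    def add(self, user, project, role):
        self._assignments[(user, project)].add(role)

    def remove(self, user, project, role):
        self._assignments[(user, project)].discard(role)

    def effective_roles(self, user, project):
        """Roles a token scoped to `project` would carry: the union of the
        user's direct assignments there, expanded through implied roles."""
        roles = set(self._assignments.get((user, project), set()))
        pending = list(roles)
        while pending:
            implied = IMPLIED.get(pending.pop())
            if implied and implied not in roles:
                roles.add(implied)
                pending.append(implied)
        return frozenset(roles)

    def is_allowed(self, user, project, action):
        """Policy check: allowed when any effective role satisfies the rule.
        Unknown actions and users with no assignment in the project are denied."""
        required = POLICY.get(action)
        if not required:
            return False
        return bool(self.effective_roles(user, project) & required)


def demo():
    """Replays the page's Real-World Example for one developer account:
    admin in development, member in staging, reader in production."""
    store = RoleStore()
    store.add("dev-alice", "development", "admin")
    store.add("dev-alice", "staging", "member")
    store.add("dev-alice", "production", "reader")
    results = {
        "delete in production": store.is_allowed("dev-alice", "production", "compute:delete_server"),
        "view in production": store.is_allowed("dev-alice", "production", "compute:get_server"),
        "delete in development": store.is_allowed("dev-alice", "development", "compute:delete_server"),
        "router in staging": store.is_allowed("dev-alice", "staging", "network:update_router"),
    }
    # Removing the only role in production removes all access there,
    # while assignments in the other projects are untouched.
    store.remove("dev-alice", "production", "reader")
    results["view in production after removal"] = store.is_allowed(
        "dev-alice", "production", "compute:get_server")
    results["delete in development after removal"] = store.is_allowed(
        "dev-alice", "development", "compute:delete_server")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The deny-by-default branches matter as much as the allow paths: an action with no policy entry and a project with no assignment both return False, which is the behaviour you want from any authorization check that a new service or a typo might otherwise leave wide open.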

Can I create custom roles with specific permissions?

This depends on your cloud provider. Some platforms allow administrators to define custom roles with specific permission sets. Others provide only predefined roles. Contact your cloud provider to learn whether custom roles are available and how to configure them.

How do roles interact with quotas?

Roles and quotas are separate concepts. Roles determine what actions a user can perform, while quotas limit how many resources can be created. A user with admin role can still be blocked from creating more instances if the project has reached its instance quota. Both systems work together to control resource access and consumption.

Summary

  • A role is a predefined set of permissions that controls what actions users can perform on cloud resources.
  • Common roles include admin (full control), member (create and manage resources), and reader (view-only access).
  • Roles are assigned to users within specific projects, allowing different permission levels across environments.
  • Roles implement the principle of least privilege by giving users only the permissions they need for their job function.
  • Assigning and revoking roles is the primary method for managing user access in cloud environments.