Users and permissions

The authorization philosophy in DCD is based on the creation of roles and groups. Users inherit permissions and access rights granted to the group or groups of which they are members.

Roles

Permissions are associated with roles and groups. Roles define what users are allowed to do and to which part of the DCD they have access.

The following roles can be attributed:

  • Contract owner

    • All users who register with IONOS are automatically the Contract Owner.

    • Only Contract Owners have access to the User Manager. They can view the resource and cost overview and change the payment method of the contract.

    • They can add or remove users from the contract, create groups, and grant permissions and access rights.

  • Administrator

    • The Contract Owner or an Administrator can grant users, in their contract, Administrator rights by activating the respective checkboxes in the User Manager.

    • Administrators have the same permissions as Contract Owners. However, they cannot change the payment method.

    • Administrators can assign administrator rights to other users.

    • Administrators do not need to be managed in groups as they automatically have access to all resources associated with the contract.

  • User

    • A User is any member who has been added to the contract by the Contract Owner. After a User has been assigned to a group, they have, at a minimum, read access to the resources assigned to the group.

    • Permissions are required for some activities in the DCD.

The following table provides an overview of the available roles and their permissions:

Overview of permissions per role

| Permission | Contract owner | Administrator | User |
| --- | --- | --- | --- |
| Manage Users | + | + | - |
| Manage Groups | + | + | - |
| Grant Administrator Rights | + | + | - |
| Manage Resources | + | + | (+) |
| Access to/changes in: | | | |
| User Manager | + | + | - |
| Resource Overview | + | + | - |
| Cost and Usage | + | + | - |
| Start Center | + | + | - |
| Payment Method | + | - | - |
| FTP Upload | + | + | + |
| Create data centers | + | + | (+) |
| Create Snapshots | + | + | (+) |
| Access Activity Log | + | + | (+) |
| Reserve IP Blocks | + | + | (+) |
| Use S3 Object Storage | + | + | (+) |
| Create Cross-Connect elements | + | + | (+) |
| Create Internet Access | + | + | (+) |

(+) with appropriate authorization by an Administrator or Contract Holder

Groups

The Groups facility allows a Contract Owner or an Administrator to:

  • Define what Users are allowed to do in the DCD.

  • Define which resources (VDC, images, snapshots, IP blocks) they have access to.

Administrators do not need to be managed in groups. They automatically have access to all resources associated with the contract.

There is no limit to the number of Groups and Users that can be created.

User manager

The User Manager allows Contract Owners and Administrators to organize Users. From the User Manager, the Administrator can provide Users with permissions and access to the resources of an IONOS account.

To access User Manager, go to the Menu Bar > Resource Manager > User Manager.

The following operations are possible in the User Manager:

Managing users

Contract Owners and Administrators can create and organize the users in their IONOS account in the DCD User Manager.

Prerequisites

  • The Contract Owner or Administrator must be logged in to the DCD.

  • You are the contract owner or an administrator.

How to create a user

| Step | Action | Result |
| --- | --- | --- |
| 1 | Log in to the DCD - https://dcd.ionos.com/ | DCD Dashboard displays. |
| 2 | Select Manager Resources from the menu bar. | Drop-down list displays. |
| 3 | Select User Manager from the drop-down list. | User Manager panel displays. |
| 4 | Select Create in the Users tab. | User details panel displays. |
| 5 | Enter required data. | Create button is activated. |
| 6 | Select Create. | New User is created. |

How to modify properties

| Step | Action | Result |
| --- | --- | --- |
| 1 | Select the target user from the Users tab in the User Manager panel. | Properties panel for the User displays. |
| 2 | Edit the User properties in the Meta Data tab. | Selected property modifications display. |
| 3 | Select the Groups tab. | Groups panel displays. |
| 4 | Select Add to Group. | Group search box displays. |

  • Modify properties

    • Select the required user.

    • In the Metadata tab, edit properties such as:

      • Administrator rights.

      • 2-factor authentication.

    • Add a user to one or more groups

      • Select the required user.

      • Open the Groups tab.

      • Add:

        • From the + Add to Group list, select the required group(s).

      • Remove:

        • Select the required group.

        • Click on Remove from Group.

        The user now has access rights and permissions according to the groups to which they were assigned.

    • Deactivate a user

      If you want to disable a user without deleting the user entirely, you may deactivate them. To do so:

      • Select the required user.

      • Deactivate the Active check box in order to disable the user.

      • Save your changes.

        The user is disabled and cannot log in to their account. Their resources are retained. You may enable the user by activating the respective check box.

    • Delete a user

      Before you delete a user or all of their Object Storage Keys from your account, please ensure that the content in their S3 Object Storage is accessible so that you can continue to use it or delete it by adjusting the access rights accordingly.

      Content that is set to "private" and has not been removed before the user or all of their Object Storage Keys are deleted is no longer accessible. However, you will continue to be charged. In this case, please contact the IONOS enterprise support team.

      To delete a user:

  • Select the required user.

  • Click on Delete.

  • In the dialog that appears, confirm your action by clicking OK.

    The user is deleted and cannot be restored. Their resources are transferred to the contract owner.

A new user cannot be created with the e-mail address of a deleted user.

Assign administrator rights

Administrators have permissions similar to contract owners, which also allows them to assign administrator rights to other users.

Prerequisites

  • You are logged on to the DCD.

  • You are the contract owner or an administrator.

How to assign administrator rights

  • Open the User Manager.

    Menu Bar > Resource Manager > User Manager

  • Open the Users tab.

  • Select the required user.

  • In the Meta Data tab, activate the Administrator checkbox.

  • Save your changes.

    The selected user is now an administrator.

Managing groups

By assigning a user to a group, a contract owner or administrator not only defines which actions a user is authorized to perform in the DCD, but also which resources (virtual data centers, images, snapshots, IP blocks) members of this group can access.

Administrators do not need to be managed in groups as they automatically have access to all resources associated with the contract.

The number of groups and users you may create is not limited.

Prerequisites

  • You are logged on to the DCD.

  • You are the contract owner or an administrator.

How to manage groups

  • Open the User Manager.

    Menu Bar > Resource Manager > User Manager

  • Open the Groups tab.

  • Create a group

    • Click on + Create

    • Enter a name for the group.

      You may change this name later.

    • Confirm your entry by clicking Create.

      The group is created. You can now assign permissions, users, and resources to it.

  • Manage permissions

    • Select the required group.

    • In the Privileges tab, activate or deactivate the checkboxes of the privilege that you wish to grant to or remove from members of the selected group.

  • Add users to a group

    • Select the required group.

    • Open the Members tab.

    • To add users:

      • Select the required users from the + Add User list.

    • To remove users:

      • Select the required user.

      • Click on Remove User.

      Users assigned to the group now have permissions and access rights to resources corresponding to their group membership.

  • Delete a group

    • Select the required group.

    • Click on Delete.

    • In the dialog box that appears, confirm your action by clicking OK.

      The group is deleted. Permissions and access rights to resources associated with the group are revoked from users in this group.

Managing permissions

Permissions are required for certain actions in the DCD.

These are as follows:

  • Create a data center.

  • Create snapshots.

  • Reserve IP blocks.

  • Access Activity-Log-API.

  • Create Cross-Connect elements.

  • Use object storage.

  • Create Managed Kubernetes Clusters.

Contract owners and administrators have these permissions by default. They can manage and assign them to other users in the User Manager.

Prerequisites

  • You are logged on to the DCD.

  • You are the contract owner or an administrator.

How to manage permissions

  • Create a new group.

    - or -

  • Open an existing group.

    Menu Bar > Resource Manager > User Manager > Groups

  • Select the required group.

  • Grant permission:

    • In the Privileges tab, activate the checkbox of the appropriate privilege.

    • In the Members tab, add users to the group that you wish to authorize.

    Members of the selected group now have the required authorization.

  • Remove permission:

    • Remove user(s) from the group with the privilege in question.

      - or -

    • Deactivate the check box of the privilege for the group.

    The privilege is no longer available to the selected users.

Managing access to resources

Users who are not contract owners or administrators need access rights to view, use, or edit resources in a virtual data center. These access rights are assigned to groups and inherited by group members.

Access to the following resources can be managed:

  • Data centers,

  • Images,

  • Snapshots,

  • Private Cross Connects,

  • IP addresses,

  • Managed Kubernetes Clusters.

Access rights

Users can access a resource with the following access rights:

  • Read: Users may see and use but not modify the resource. Read access is automatically granted as soon as a user is assigned to a group with this access right.

  • Edit: Users may modify and delete the resource.

  • Share: Users may share the resource including their access rights with groups to which they belong.

Resource owner

A user who created a resource is the owner of that resource and can specify its access rights.

The owner is shown in the Security tab of a resource.

Access restriction using 2-factor authentication

In addition to enabling access to resources for users of authorized groups only, data centers and snapshots can be even further protected by restricting access to users who have 2-factor authentication activated. Other users cannot see or select these resources - even if they belong to an authorized group.
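
The rules in this section (read access implied by group visibility, optional Edit and Share, the 2-Factor Protected switch, administrators bypassing groups) can be modelled to review who ends up with which rights. The Python sketch below is an added example, not IONOS code: the class names, function names and sample data are hypothetical, and it assumes that the 2-factor restriction applies to every account, administrators included.

```python
from dataclasses import dataclass, field

ALL_RIGHTS = frozenset({"read", "edit", "share"})

@dataclass
class User:
    name: str
    role: str = "user"            # "owner", "admin" or "user"
    two_factor: bool = False
    active: bool = True
    groups: set = field(default_factory=set)

@dataclass
class Resource:
    name: str
    two_factor_protected: bool = False
    visible_to: dict = field(default_factory=dict)  # group -> rights beyond read

def effective_rights(user, res):
    """Rights a user ends up with on one resource."""
    if not user.active:
        return frozenset()                 # deactivated users cannot log in
    if res.two_factor_protected and not user.two_factor:
        return frozenset()                 # assumption: applies to all roles
    if user.role in ("owner", "admin"):
        return ALL_RIGHTS                  # no group membership needed
    rights = set()
    for group in user.groups.intersection(res.visible_to):
        rights |= {"read"} | set(res.visible_to[group])  # read is implied
    return frozenset(rights)

def can_share(user, res, target_group, rights):
    """May `user` grant `rights` on `res` to `target_group`?"""
    own = effective_rights(user, res)
    if "share" not in own or not set(rights) <= own:
        return False                       # only rights you hold yourself
    return user.role in ("owner", "admin") or target_group in user.groups

# Constructed sample data (not taken from a real contract).
USERS = [
    User("alice", role="admin", two_factor=True),
    User("bob", two_factor=True, groups={"ops"}),
    User("carol", groups={"ops", "dev"}),
    User("dave", active=False, two_factor=True, groups={"ops"}),
]
RESOURCES = [
    Resource("prod-vdc", two_factor_protected=True,
             visible_to={"ops": {"edit", "share"}}),
    Resource("base-image", visible_to={"dev": set(), "ops": {"edit"}}),
]

def access_matrix():
    """Map (user, resource) to effective rights for review."""
    return {(u.name, r.name): effective_rights(u, r)
            for u in USERS for r in RESOURCES}
```

In the sample data, carol belongs to an authorized group for prod-vdc but has no rights on it because she has no 2-factor authentication, which is the case the paragraph above describes.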

Depending on their role, users can set access rights in the following ways:

Set access rights at the resource level

Prerequisites

  • You are the contract owner or an administrator.

    - or -

  • You have permission to share the required resource.

  • You need to be a member of the group for which you want to specify the access rights of a resource.

  • You are logged on to the DCD.

How to manage access to resources

  • Select the required resource:

    • Data Center: Open the data center.

    • Images: Menu Bar > Resource Manager > Image Manager > Image tab.

    • Snapshots: Menu Bar > Resource Manager > Image Manager > Snapshot tab.

    • IP addresses: Menu Bar > Resource Manager > IP Manager.

    • Cross-Connects: Menu Bar > Resource Manager > Cross Connect Manager.

    • Kubernetes Cluster: Menu Bar > Resource Manager > Kubernetes Manager.

  • Select the required resource.

  • Open Security > Visible to Groups.

  • Enable access:

    • From the + Add Group menu, select the required groups.

      Read access is granted. Users may see and use, but not modify the resource.

    • (Optional) Select further permissions ("Edit", "Share"). You may only share permissions that you have yourself.

  • Restrict or disable access:

    • Select the required group.

    • Deactivate the checkbox of the permission.

      Read access is retained.

      - or -

    • Click on Remove group.

      Access is disabled for all members of the selected group.

  • (Optional) To protect the resource (data center, snapshots) more thoroughly by only allowing access to users whose login is secured with 2-factor authentication, activate the 2-Factor Protected check box.

Set access rights in the user manager

Contract owners and administrators can also define in the User Manager who may access a resource to what extent.

Prerequisites

  • You are the contract owner or an administrator.

  • You are logged on to the DCD.

How to set access rights in the user manager

  • Open the User Manager.

    Menu Bar > Resource Manager > User Manager

  • Assign groups to a resource

    • In the Resources tab, select the required resource.

    • Open the Visible to Groups tab.

    • Enable access:

      • From the + Add Group list, add the required groups.

      • (Optional) To enable write access or sharing of a resource, activate the respective check box.

    • Disable access:

      • Deactivate the checkbox of the permission.

        - or -

      • Click on Remove Group.

    • (Optional) To protect the resource (data center, snapshots) more thoroughly by only allowing access to users whose login is secured with 2-factor authentication, activate the 2-Factor Protected check box.

  • Assign resources to a group

    • In the Groups tab, select the required group.

    • Open the Resources of Group tab.

    • Enable access:

      • Select the required resource by clicking on + Grant Access.

        This enables read access to the selected resource.

      • (Optional) To enable write access or sharing of a resource, activate the respective check box.

    • Disable access:

      • Select the required resource.

      • Deactivate the checkbox of the appropriate permission.

        - or -

      • Click on Revoke Access.