Scenarios
To meet the needs of some customers for isolating organization permissions and resources, OCP V4.3.4 has restructured the permission module, providing more comprehensive management of organizations and permissions. If you have multiple users and organizations, you can refer to the information in this section.
Concepts
Organization
In practical scenarios, an organization is a key logical concept that plays a significant role. For example, in a large corporate group, each organization can correspond to different subsidiaries, and each subsidiary can manage its own resources based on its organization, without interfering with others. Similarly, in a large company, different departments can be considered different organizations, allowing for independent management of departmental resources. Users can create multiple organizations to achieve resource isolation between them, with each organization acting as an independent "resource space" that has clear boundaries, enhancing the security and precision of resource management.
Resource
Resources are components controlled by OCP, including hosts, clusters, tenants, OBProxy clusters, Binlog clusters, and arbitration services. Each resource belongs to one or more organizations, with resources isolated between organizations.
Role
A role is a collection of permissions that need to be assigned to users to take effect. Users assigned roles can only operate within their authorized scope, preventing misoperations by non-professionals and information leakage, thereby ensuring information security and data security. Roles are isolated between organizations.
The relationships between organizations, users, roles, and permissions are illustrated in the following figure.

Prerequisites
OCP must be V4.3.4 or later.
Best practices
Practice 1: Create an organization
A user with the ADMIN role can create an organization and specify an organization administrator.
Create an organization
Log in to the User Management page as the user with the ADMIN role and create an organization named ORG_A. The system creates a default ORG_ADMIN role for the organization.
Specify an organization administrator
Log in to the User Management page as the user with the ADMIN role, create a user named org_a_admin, and assign the ORG_ADMIN role to the user.
Practice 2: Isolate resources of different organizations
Resources are isolated between organizations. Only organization administrators can create hosts, OceanBase clusters, OBProxy clusters, Binlog clusters, and arbitration services in an organization.
Share resources
A user with the ADMIN role can share any resources with any organization. Log in to the User Management > Organization page, click Share Resource Configurations in the configuration section of an organization, and share a cluster with the ORG_A organization. Log in to OCP as the organization administrator org_a_admin to view the resources of the cluster.
Practice 3: Sell tenant-level services
Organization administrators can grant the management permissions of a single tenant to a role and then grant the role to a user to ensure that the user has only the management permissions of the tenant, thereby achieving tenant-level service sales.
Create a tenant management role
Create a role named tenant_man and grant only the management permissions of a single tenant to the role.
Create a tenant management user
Create a user named tenant_man_user and grant the tenant_man role to the user.
Log in to OCP as the tenant_man_user user. The user has only the management permissions of the tenant.
Practice 4: Create roles and users as an organization administrator
As an organization administrator, you can create roles and users in an organization and grant the roles to users in the organization.
Create a role
Log in to OCP as the organization administrator org_a_admin and create a cluster administrator role named CLUSTER_MANAGER in the organization. Grant the role the management permissions of all OceanBase clusters in the organization and all necessary primary and secondary menu permissions for cluster management.
Create a user
Log in to OCP as the organization administrator org_a_admin, create a user named xiaoming in the organization, and grant the cluster administrator role to the user. Log in to OCP as the xiaoming user to manage all OceanBase clusters in the organization.
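The four practices above describe one authorization model: organizations as isolated resource spaces, roles scoped to an organization, a system-wide ADMIN that alone can create organizations and share resources across them, and roles that can be narrowed to one resource kind or to a single tenant. The following Python model is an added illustration of that model and is not OCP's code: the `Ocp` class, its methods, the `("kind", ...)` / `("name", ...)` grant tuples and the `can_manage` decision rule are assumptions made here to make the rules checkable; the organization, role and user names (ORG_A, ADMIN, ORG_ADMIN, org_a_admin, tenant_man, tenant_man_user, CLUSTER_MANAGER, xiaoming) follow the page, while ORG_B, org_b_admin and the resource names are constructed sample data. It also treats tenants like the other resource kinds when an organization administrator adds them, which the page does not spell out.

```python
"""Toy model of the organization-scoped permission rules on this page (added example)."""
from dataclasses import dataclass, field
from typing import Optional

ADMIN = (None, "ADMIN")  # the system-wide role; it belongs to no organization


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str  # "cluster", "tenant", "host", "obproxy", "binlog", "arbitration"


@dataclass
class Role:
    org: Optional[str]       # roles are isolated per organization
    name: str
    # ("kind", "cluster") -> every cluster visible in the role's organization
    # ("kind", "*")       -> every resource visible in the organization
    # ("name", "tenant1") -> exactly one named resource (the single-tenant case)
    grants: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


class Ocp:
    def __init__(self):
        self.orgs = {}                                   # org -> names of resources visible in it
        self.resources = {}                              # name -> Resource
        self.roles = {ADMIN: Role(None, "ADMIN")}        # (org, role name) -> Role
        self.users = {"admin": {ADMIN}}                  # user -> set of (org, role name)

    def _is_admin(self, user):
        return ADMIN in self.users.get(user, set())

    def _is_org_admin(self, user, org):
        return self._is_admin(user) or (org, "ORG_ADMIN") in self.users.get(user, set())

    @staticmethod
    def _require(cond, msg):
        if not cond:
            raise PermissionDenied(msg)

    # Practice 1: only ADMIN creates an organization; it gets a default ORG_ADMIN role.
    def create_org(self, actor, org):
        self._require(self._is_admin(actor), "only ADMIN can create organizations")
        self.orgs[org] = set()
        self.roles[(org, "ORG_ADMIN")] = Role(org, "ORG_ADMIN", {("kind", "*")})

    # Practices 1 and 4: an organization administrator creates users holding roles of that org.
    def create_user(self, actor, org, user, role_names):
        self._require(self._is_org_admin(actor, org), f"{actor} does not administer {org}")
        keys = {(org, r) for r in role_names}
        for key in keys:                                 # a role from another org cannot be granted
            self._require(key in self.roles, f"role {key[1]} does not exist in {org}")
        self.users[user] = keys

    # Practice 2: organization administrators create resources inside their organization ...
    def add_resource(self, actor, org, res):
        self._require(self._is_org_admin(actor, org), "only organization administrators add resources")
        self.resources[res.name] = res
        self.orgs[org].add(res.name)

    # ... and only ADMIN can make a resource visible to another organization.
    def share_resource(self, actor, res_name, org):
        self._require(self._is_admin(actor), "only ADMIN can share resources across organizations")
        self.orgs[org].add(res_name)                     # a resource may belong to several orgs

    # Practices 3 and 4: organization administrators define roles scoped to their organization.
    def create_role(self, actor, org, name, grants):
        self._require(self._is_org_admin(actor, org), f"{actor} does not administer {org}")
        self.roles[(org, name)] = Role(org, name, set(grants))

    # The decision rule: a grant only counts for resources visible in the role's own organization.
    def can_manage(self, user, res_name):
        res = self.resources[res_name]
        for key in self.users.get(user, set()):
            if key == ADMIN:
                return True
            org, role = key[0], self.roles[key]
            if res_name not in self.orgs[org]:           # isolation between organizations
                continue
            for scope, value in role.grants:
                if (scope == "kind" and value in ("*", res.kind)) or (scope == "name" and value == res.name):
                    return True
        return False


def demo():
    """Walk through Practices 1-4 with constructed sample data and return the checks."""
    ocp = Ocp()
    ocp.create_org("admin", "ORG_A")
    ocp.create_org("admin", "ORG_B")                     # second org, constructed for the isolation check
    ocp.create_user("admin", "ORG_A", "org_a_admin", ["ORG_ADMIN"])
    ocp.create_user("admin", "ORG_B", "org_b_admin", ["ORG_ADMIN"])
    ocp.add_resource("org_a_admin", "ORG_A", Resource("cluster_a1", "cluster"))
    ocp.add_resource("org_a_admin", "ORG_A", Resource("tenant_a1", "tenant"))
    ocp.add_resource("org_a_admin", "ORG_A", Resource("tenant_a2", "tenant"))
    ocp.add_resource("org_b_admin", "ORG_B", Resource("cluster_b1", "cluster"))
    # Practice 3: a role limited to one tenant, granted to one user.
    ocp.create_role("org_a_admin", "ORG_A", "tenant_man", [("name", "tenant_a1")])
    ocp.create_user("org_a_admin", "ORG_A", "tenant_man_user", ["tenant_man"])
    # Practice 4: a cluster administrator role over all clusters of the organization.
    ocp.create_role("org_a_admin", "ORG_A", "CLUSTER_MANAGER", [("kind", "cluster")])
    ocp.create_user("org_a_admin", "ORG_A", "xiaoming", ["CLUSTER_MANAGER"])
    results = {"org_a_admin sees cluster_b1 before share": ocp.can_manage("org_a_admin", "cluster_b1")}
    try:                                                 # an org admin cannot share across orgs
        ocp.share_resource("org_a_admin", "cluster_a1", "ORG_B")
        results["org_a_admin can share"] = True
    except PermissionDenied:
        results["org_a_admin can share"] = False
    ocp.share_resource("admin", "cluster_b1", "ORG_A")   # Practice 2: ADMIN shares a cluster with ORG_A
    results.update({
        "org_a_admin sees cluster_b1 after share": ocp.can_manage("org_a_admin", "cluster_b1"),
        "org_b_admin sees cluster_a1": ocp.can_manage("org_b_admin", "cluster_a1"),
        "tenant_man_user manages tenant_a1": ocp.can_manage("tenant_man_user", "tenant_a1"),
        "tenant_man_user manages tenant_a2": ocp.can_manage("tenant_man_user", "tenant_a2"),
        "tenant_man_user manages cluster_a1": ocp.can_manage("tenant_man_user", "cluster_a1"),
        "xiaoming manages cluster_a1": ocp.can_manage("xiaoming", "cluster_a1"),
        "xiaoming manages shared cluster_b1": ocp.can_manage("xiaoming", "cluster_b1"),
        "xiaoming manages tenant_a1": ocp.can_manage("xiaoming", "tenant_a1"),
    })
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

One point the walk-through makes visible that the page only implies: once ADMIN shares a cluster with ORG_A, every ORG_A role whose grant covers all clusters (here CLUSTER_MANAGER) can manage the shared cluster too, so sharing a resource is effectively granting it to every broad role in the receiving organization, not just to its administrator.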