User roles and access permissions
This document describes the Skytap permissions model and explains the differences between different user roles.
Watch Managing users (for administrators)
Overview: Access to templates, environment, and assets
Most activity in Skytap centers on templates, environments, and assets (resources). Generally, a user’s permissions to edit and use an environment, template, or asset depends on his or her user role and whether or not the user owns the resource.
Default access and permissions
Users create resources by importing VMs, uploading asset files, or cloning existing resources. When a user creates a resource, the user becomes the resource owner.
- Standard users and user managers have permission to view, edit, share, or delete the resources they own. By default, users can’t view the resources owned by other users.
- Administrators have permission to view, edit, share, or delete all of the resources created in the account.
Extending access and permissions to other Skytap users
An administrator can give other, non-administrator users the ability to generate reports.
Additionally, a user or administrator can share a resource with other Skytap users by adding the resource to a project. The project members can view, use, and/or manage the resource, depending on their project role and user role. For more information, see Understanding project roles.
Public templates and assets
- Public templates can’t be added to projects, but they can be copied (and their copies can be shared).
- Administrators can enable or restrict each user’s access to public templates and assets (see Additional user permissions below).
- Administrators can’t edit or delete public templates or assets.
When you create a user, you assign one of four user roles: Restricted, Standard, User Manager, or Administrator, with the following permissions.
|Restricted||Standard||User Manager||Administrator||Can do this|
|Access shared project resources|
|*||Create and own projects|
|†||Create environments, templates, and assets|
|Create and edit users and groups|
|‡||‡||Create and view reports.|
|Create and edit departments|
|Create and edit account-wide settings (password policies, access policies, usage limits, etc.)|
|Edit and delete environments, templates, and assets owned by all users in the account.|
* A restricted user can’t create a project, but another user can make a restricted user a project owner. For information specific to project roles, see Understanding project roles.
† Restricted users have limited permission to create environments.
‡ An administrator must grant reporting privileges for a user to create and view reports.
- The restricted role is best for users who need tightly-controlled access to a limited number of resources.
- The standard role is best for most users.
- The user manager role is best for users who need to manage and organize users and groups but who don’t need full administrator capabilities.
- The administrator role is best for trusted users in your organization who need to manage users, resources, and account-wide settings.
Administrators can restrict a user’s ability to connect Skytap Cloud virtual environments to a VPN in the account. For more information, see Configuring access to a VPN.
Additional user permissions
Skytap has additional permissions that you can enable or disable for each user. Some of these permissions are displayed only when specific features are enabled in your account.
The table below shows the additional permissions that are optional (O) for each type of user.
- Most permissions are mandatory (M) for administrators and can’t be disabled.
- Restricted users can’t have most permissions enabled.
|O||O||O||M||This user is able to access public templates and public assets.|
|- -||O||O||M||This user is able to import VMs into Skytap.|
|- -||O||O||M||This user is able to export VMs from Skytap.|
|- -||O||O||M||This user is able to generate reports from Skytap.
Reporting can be enabled for the entire account or just the user's department.
|- -||O||O||O||This user is able to set promiscuous mode on VM network adapters for Skytap.
This permission is displayed when your customer account is enabled for promiscuous mode.
|- -||O||O||M||This user is able to create courses and schedule classes.
This permission is displayed when your customer account is enabled for the Classrooms extension.
For instructions, see Editing users.
Viewing owned and shared resources in Skytap
Every resource page has filters that display resources by access level:
- My – displays the resources you own.
Company – displays the resources you have access to.
- If you are a user, this includes resources you own and resources shared with you through projects.
- If you are an administrator, this includes all of the resources owned by you and your users.
- Skytap – displays all of the public templates or assets that you have access to. If you don’t have access to public templates and assets, this tab does not display.
- All – displays all of the personal, company, and public resources that you have access to. If you don’t have access to public templates and assets, this tab does not display.
You can only see resources that you have access to.