Pivotal Platform User Types
This topic describes the types of Pivotal Application Service (PAS) users in a Pivotal Platform deployment. It also describes the roles and permissions for PAS users and who creates and manages their user accounts.
PAS users are app developers, managers, and auditors who work within orgs and spaces, the virtual compartments within a deployment where PAS users can run apps and locally manage their roles and permissions.
A Role-Based Access Control (RBAC) system defines and maintains the different PAS user roles:
- Org Manager, Org Auditor, Org Billing Manager
- Space Manager, Space Developer, Space Auditor
For more information about PAS user roles and what actions they can take within the orgs and spaces they belong to, see Orgs, Roles, Spaces, Permissions.
All PAS users use system tools such as the Cloud Foundry Command Line Interface (cf CLI), Pivotal Platform Metrics, and Apps Manager, a dashboard for managing PAS users, orgs, spaces, and apps. Space Developer PAS users work with their software development tools and the apps deployed on host VMs.
For more information about Apps Manager, see Using Apps Manager.
When an operator configures PAS for the first time, they specify one of the following authentication systems for PAS user accounts:
- Internal authentication, using a new UAA database created for PAS. This system-wide UAA differs from the Ops Manager internal UAA, which only stores Ops Manager Admin accounts.
- External authentication, through an existing identity provider accessed through the SAML or LDAP protocol.
In either case, PAS user role settings are saved internally in the Cloud Controller Database, separate from the internal or external user store.
Org and Space Managers then use Apps Manager to invite and manage additional PAS users within their orgs and spaces. PAS users with proper permissions can also use the Cloud Foundry CLI (cf CLI) to assign user roles. For more information, see Managing User Roles with Apps Manager.
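As an added example (not code from the Pivotal documentation), the following POSIX shell script shows how the role assignments described above look when done with the cf CLI rather than Apps Manager. It validates a requested role against the six RBAC roles this page lists, builds the matching `cf set-org-role` or `cf set-space-role` command, and runs it only when `DRY_RUN` is unset, so an operator can review the grants before they are applied. The user, org and space names are constructed placeholders; the role strings are the identifiers the cf CLI accepts, where the page's "Org Billing Manager" is spelled `BillingManager`.

```shell
#!/bin/sh
# Added example, not part of the Pivotal Platform docs. Composes and validates
# cf CLI role assignments for the PAS RBAC roles named on the page.
# User, org and space names below are constructed placeholders.
# DRY_RUN=1 (the default) prints the command instead of executing it.

DRY_RUN="${DRY_RUN:-1}"

# Role identifiers as the cf CLI expects them (BillingManager = Org Billing Manager).
ORG_ROLES="OrgManager OrgAuditor BillingManager"
SPACE_ROLES="SpaceManager SpaceDeveloper SpaceAuditor"

# role_scope ROLE: prints "org" or "space"; returns 1 for a role outside the RBAC set
role_scope() {
  for r in $ORG_ROLES; do [ "$1" = "$r" ] && { echo org; return 0; }; done
  for r in $SPACE_ROLES; do [ "$1" = "$r" ] && { echo space; return 0; }; done
  return 1
}

# build_role_cmd USER ORG ROLE [SPACE]: prints the cf CLI command for the grant
build_role_cmd() {
  user="$1"; org="$2"; role="$3"; space="$4"
  scope=$(role_scope "$role") || { echo "unknown role: $role" >&2; return 1; }
  if [ "$scope" = org ]; then
    # Org-level roles do not take a space argument.
    echo "cf set-org-role $user $org $role"
  else
    # Space-level roles must be scoped to one space; refuse an org-wide grant.
    [ -n "$space" ] || { echo "space role $role needs a space" >&2; return 1; }
    echo "cf set-space-role $user $org $space $role"
  fi
}

# assign_role USER ORG ROLE [SPACE]: print (dry run) or execute the assignment
assign_role() {
  cmd=$(build_role_cmd "$@") || return 1
  if [ "$DRY_RUN" = 1 ]; then
    echo "[dry-run] $cmd"
  else
    $cmd
  fi
}

# Least-privilege pattern: the developer gets SpaceDeveloper in a single space,
# and read-only org visibility goes to a separate auditor identity instead of
# handing out OrgManager.
assign_role dev@example.com my-org SpaceDeveloper dev-space
assign_role audit@example.com my-org OrgAuditor
```

Run it as-is to see the two commands it would issue; set `DRY_RUN=0` after logging in with `cf login` to apply them. Keeping the validation in `build_role_cmd` means a typo in a role name fails before anything reaches the Cloud Controller, and the space check stops a space-scoped role from being requested without a space.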
The following table summarizes PAS user types, their roles, the tools they use, the System of Record (SOR) that stores their accounts, and what accounts they can provision.
| User Type | Available Roles | Tools They Use | Account SOR | Accounts They Can Provision |
|---|---|---|---|---|
| PAS user | Org Manager, Org Auditor, Org Billing Manager; Space Manager, Space Developer, Space Auditor | cf CLI, Pivotal Platform Metrics, Apps Manager; Space Developers also use their software development tools | PAS user store through UAA, or an external store through SAML or LDAP | PAS users within permitted orgs and spaces, and end users of the app |