Permissions

When managing user access via Fine-grained authorization, you add identities to groups and then grant entitlements against specific LXD API resources to these groups.

Each LXD API resource has a particular entity type, and each entity type has a set of entitlements that can be granted against API resources of that type.

Below is a description of each entity type, and a list of entitlements that can be granted against entities of that type.

Server

Entity type name: server

The server entity type is the top-level entity type for the LXD system. Entitlements that are granted at this level might cascade to projects and other resources:

admin

Grants full access to LXD, as if connecting via the Unix socket.

viewer

Grants access to view all resources in the LXD server.

can_edit

Grants permission to edit server configuration, to edit cluster member configuration, to update the state of a cluster member, to create, edit, and delete cluster groups, to update cluster member certificates, and to edit or delete warnings.

permission_manager

Grants permission to view permissions, to create, edit, and delete identities, to view, create, edit, and delete authorization groups, and to view, create, edit, and delete identity provider groups. Note that clients with this permission are able to elevate their own privileges.

can_view_permissions

Grants permission to view permissions.

can_create_identities

Grants permission to create identities.

can_view_identities

Grants permission to view identities.

can_edit_identities

Grants permission to edit identities.

can_delete_identities

Grants permission to delete identities.

can_create_groups

Grants permission to create authorization groups.

can_view_groups

Grants permission to view authorization groups.

can_edit_groups

Grants permission to edit authorization groups.

can_delete_groups

Grants permission to delete authorization groups.

can_create_identity_provider_groups

Grants permission to create identity provider groups.

can_view_identity_provider_groups

Grants permission to view identity provider groups.

can_edit_identity_provider_groups

Grants permission to edit identity provider groups.

can_delete_identity_provider_groups

Grants permission to delete identity provider groups.

storage_pool_manager

Grants permission to create, edit, and delete storage pools.

can_create_storage_pools

Grants permission to create storage pools.

can_edit_storage_pools

Grants permission to edit storage pools.

can_delete_storage_pools

Grants permission to delete storage pools.

project_manager

Grants permission to view, create, edit, and delete projects, and to create, edit, and delete any resources that are owned by those projects.

can_create_projects

Grants permission to create projects.

can_view_projects

Grants permission to view projects, and all resources within those projects.

can_edit_projects

Grants permission to edit projects, and all resources within those projects.

can_delete_projects

Grants permission to delete projects.

can_override_cluster_target_restriction

If a project is configured with restricted.cluster.target, clients with this permission can override the restriction.

can_view_privileged_events

Grants permission to view privileged event types, such as logging events.

can_view_resources

Grants permission to view server and storage pool resource usage information.

can_view_metrics

Grants permission to view all server and project level metrics.

can_view_warnings

Grants permission to view warnings.

Project

Entity type name: project

Entitlements that are granted at the project level might cascade to project-specific resources (such as instances):

operator

Grants permission to create, view, edit, and delete all resources belonging to the project, but does not grant permission to edit the project configuration itself.

viewer

Grants permission to view all resources belonging to the project.

can_view

Grants permission to view the project.

can_edit

Grants permission to edit the project.

can_delete

Grants permission to delete the project.

image_manager

Grants permission to create, view, edit, and delete all images belonging to the project.

can_create_images

Grants permission to create images.

can_view_images

Grants permission to view images.

can_edit_images

Grants permission to edit images.

can_delete_images

Grants permission to delete images.

image_alias_manager

Grants permission to create, view, edit, and delete all image aliases belonging to the project.

can_create_image_aliases

Grants permission to create image aliases.

can_view_image_aliases

Grants permission to view image aliases.

can_edit_image_aliases

Grants permission to edit image aliases.

can_delete_image_aliases

Grants permission to delete image aliases.

instance_manager

Grants permission to create, view, edit, and delete all instances belonging to the project.

can_create_instances

Grants permission to create instances.

can_view_instances

Grants permission to view instances.

can_edit_instances

Grants permission to edit instances.

can_delete_instances

Grants permission to delete instances.

can_operate_instances

Grants permission to view instances, manage their state, manage their snapshots and backups, start terminal or console sessions, and access their files.

network_manager

Grants permission to create, view, edit, and delete all networks belonging to the project.

can_create_networks

Grants permission to create networks.

can_view_networks

Grants permission to view networks.

can_edit_networks

Grants permission to edit networks.

can_delete_networks

Grants permission to delete networks.

network_acl_manager

Grants permission to create, view, edit, and delete all network ACLs belonging to the project.

can_create_network_acls

Grants permission to create network ACLs.

can_view_network_acls

Grants permission to view network ACLs.

can_edit_network_acls

Grants permission to edit network ACLs.

can_delete_network_acls

Grants permission to delete network ACLs.

network_zone_manager

Grants permission to create, view, edit, and delete all network zones belonging to the project.

can_create_network_zones

Grants permission to create network zones.

can_view_network_zones

Grants permission to view network zones.

can_edit_network_zones

Grants permission to edit network zones.

can_delete_network_zones

Grants permission to delete network zones.

profile_manager

Grants permission to create, view, edit, and delete all profiles belonging to the project.

can_create_profiles

Grants permission to create profiles.

can_view_profiles

Grants permission to view profiles.

can_edit_profiles

Grants permission to edit profiles.

can_delete_profiles

Grants permission to delete profiles.

storage_volume_manager

Grants permission to create, view, edit, and delete all storage volumes belonging to the project.

can_create_storage_volumes

Grants permission to create storage volumes.

can_view_storage_volumes

Grants permission to view storage volumes.

can_edit_storage_volumes

Grants permission to edit storage volumes.

can_delete_storage_volumes

Grants permission to delete storage volumes.

storage_bucket_manager

Grants permission to create, view, edit, and delete all storage buckets belonging to the project.

can_create_storage_buckets

Grants permission to create storage buckets.

can_view_storage_buckets

Grants permission to view storage buckets.

can_edit_storage_buckets

Grants permission to edit storage buckets.

can_delete_storage_buckets

Grants permission to delete storage buckets.

can_view_operations

Grants permission to view operations relating to the project.

can_view_events

Grants permission to view events relating to the project.

can_view_metrics

Grants permission to view project level metrics.

Storage pool

Entity type name: storage_pool

can_edit

Grants permission to edit the storage pool.

can_delete

Grants permission to delete the storage pool.

Identity

Entity type name: identity

can_view

Grants permission to view the identity.

can_edit

Grants permission to edit the identity.

can_delete

Grants permission to delete the identity.

Group

Entity type name: group

can_view

Grants permission to view the group. Identities can always view groups that they are a member of.

can_edit

Grants permission to edit the group.

can_delete

Grants permission to delete the group.

Identity provider group

Entity type name: identity_provider_group

can_view

Grants permission to view the identity provider group.

can_edit

Grants permission to edit the identity provider group.

can_delete

Grants permission to delete the identity provider group.

Certificate

Entity type name: certificate

can_view

Grants permission to view the certificate.

can_edit

Grants permission to edit the certificate.

can_delete

Grants permission to delete the certificate.

Instance

Entity type name: instance

user

Grants permission to view the instance, to access files, and to start a terminal or console session.

operator

Grants permission to view the instance, to access files, start a terminal or console session, and to manage snapshots and backups.

can_edit

Grants permission to edit the instance.

can_delete

Grants permission to delete the instance.

can_view

Grants permission to view the instance.

can_update_state

Grants permission to change the instance state.

can_manage_snapshots

Grants permission to create and delete snapshots of the instance.

can_manage_backups

Grants permission to create and delete backups of the instance.

can_connect_sftp

Grants permission to get an SFTP client for the instance.

can_access_files

Grants permission to push or pull files into or out of the instance.

can_access_console

Grants permission to start a console session.

can_exec

Grants permission to start a terminal session.

Image

Entity type name: image

can_edit

Grants permission to edit the image.

can_delete

Grants permission to delete the image.

can_view

Grants permission to view the image.

Image alias

Entity type name: image_alias

can_edit

Grants permission to edit the image alias.

can_delete

Grants permission to delete the image alias.

can_view

Grants permission to view the image alias.

Network

Entity type name: network

can_edit

Grants permission to edit the network.

can_delete

Grants permission to delete the network.

can_view

Grants permission to view the network.

Network ACL

Entity type name: network_acl

can_edit

Grants permission to edit the network ACL.

can_delete

Grants permission to delete the network ACL.

can_view

Grants permission to view the network ACL.

Network zone

Entity type name: network_zone

can_edit

Grants permission to edit the network zone.

can_delete

Grants permission to delete the network zone.

can_view

Grants permission to view the network zone.

Profile

Entity type name: profile

can_edit

Grants permission to edit the profile.

can_delete

Grants permission to delete the profile.

can_view

Grants permission to view the profile.

Storage volume

Entity type name: storage_volume

can_edit

Grants permission to edit the storage volume.

can_delete

Grants permission to delete the storage volume.

can_view

Grants permission to view the storage volume.

can_manage_snapshots

Grants permission to create and delete snapshots of the storage volume.

can_manage_backups

Grants permission to create and delete backups of the storage volume.

Storage bucket

Entity type name: storage_bucket

can_edit

Grants permission to edit the storage bucket.

can_delete

Grants permission to delete the storage bucket.

can_view

Grants permission to view the storage bucket.
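The cascade between server, project and instance entitlements described above, modelled as an added Python example. This is not LXD's own authorizer or API: the implication tables are a reading of the entitlement descriptions on this page, and the group, project and instance names are constructed.

```python
# Added example: a toy model of the server -> project -> instance entitlement
# cascade described on this page. It is not LXD's authorizer; the implication
# tables are assumptions read from the entitlement descriptions above.
INSTANCE_USER = {"can_view", "can_access_files", "can_exec", "can_access_console"}
INSTANCE_OPERATOR = INSTANCE_USER | {"can_manage_snapshots", "can_manage_backups"}
INSTANCE_ALL = INSTANCE_OPERATOR | {"can_edit", "can_delete", "can_update_state", "can_connect_sftp"}
INSTANCE_ROLES = {"user": INSTANCE_USER, "operator": INSTANCE_OPERATOR}
CRUD = {"can_view", "can_edit", "can_delete"}
# Project-level entitlements and the instance entitlements they cascade to.
PROJECT_TO_INSTANCE = {
    "operator": CRUD, "viewer": {"can_view"}, "instance_manager": CRUD,
    "can_view_instances": {"can_view"}, "can_edit_instances": {"can_edit"},
    "can_delete_instances": {"can_delete"},
    "can_operate_instances": {"can_view", "can_update_state", "can_manage_snapshots",
                              "can_manage_backups", "can_exec", "can_access_console",
                              "can_access_files"},
}
# Server-level entitlements and what they cascade to on projects and instances.
SERVER_TO_PROJECT = {
    "admin": CRUD, "viewer": {"can_view"}, "project_manager": CRUD,
    "can_view_projects": {"can_view"}, "can_edit_projects": {"can_edit"},
    "can_delete_projects": {"can_delete"},
}
SERVER_TO_INSTANCE = {
    "admin": INSTANCE_ALL, "viewer": {"can_view"}, "project_manager": CRUD,
    "can_view_projects": {"can_view"}, "can_edit_projects": {"can_edit"},
}

def allowed(grants, entity_type, project, name, entitlement):
    """grants: (entity_type, target, entitlement) tuples; target is None (server), a project name, or (project, instance)."""
    for gtype, target, ent in grants:
        if gtype == "server":
            table = SERVER_TO_PROJECT if entity_type == "project" else SERVER_TO_INSTANCE
            if entitlement in table.get(ent, ()):
                return True
        elif gtype == "project" and target == project:
            # A project operator reaches the project's instances, but not the project config itself.
            if entity_type == "project" and ent == entitlement:
                return True
            if entity_type == "instance" and entitlement in PROJECT_TO_INSTANCE.get(ent, ()):
                return True
        elif gtype == "instance" and entity_type == "instance" and target == (project, name):
            if ent == entitlement or entitlement in INSTANCE_ROLES.get(ent, ()):
                return True
    return False

# Constructed sample groups: project operator on "dev"; instance user on prod/web1.
DEV_TEAM = [("project", "dev", "operator")]
ONCALL = [("instance", ("prod", "web1"), "user")]
```

Running checks against DEV_TEAM shows the least-privilege shape the page describes: the group can delete instances in `dev` but cannot edit the `dev` project configuration or see anything in `prod`.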