Chapter 4. Accounts
4.1. Accounts, Users, and Domains
Accounts
An account typically represents a customer of the service provider or a department in a large
organization. Multiple users can exist in an account.
Domains
Accounts are grouped by domains. Domains usually contain multiple accounts that have some logical
relationship to each other and a set of delegated administrators with some authority over the domain
and its subdomains. For example, a service provider with several resellers could create a domain for
each reseller.
For each account created, the Cloud installation creates three different types of user accounts: root
administrator, domain administrator, and user.
Users
Users are like aliases in the account. Users in the same account are not isolated from each other, but
they are isolated from users in other accounts. Most installations need not surface the notion of users;
they just have one user per account. The same user cannot belong to multiple accounts.
A username is unique in a domain across accounts in that domain. The same username can exist in
other domains, including sub-domains. A domain name can repeat only if the full pathname from root is
unique. For example, you can create root/d1, as well as root/foo/d1, and root/sales/d1.
Administrators are accounts with special privileges in the system. There may be multiple
administrators in the system. Administrators can create or delete other administrators, and change the
password for any user in the system.
Domain Administrators
Domain administrators can perform administrative operations for users who belong to that domain.
Domain administrators do not have visibility into physical servers or other domains.
Root Administrator
Root administrators have complete access to the system, including managing templates, service
offerings, customer care administrators, and domains.
Resource Ownership
Resources belong to the account, not individual users in that account. For example, billing, resource
limits, and so on are maintained by the account, not the users. A user can operate on any resource in
the account provided the user has privileges for that operation. The privileges are determined by the
role. A root administrator can change the ownership of any virtual machine from one account to any
other account by using the assignVirtualMachine API. A domain or sub-domain administrator can do
the same for VMs within the domain from one account to any other account in the domain or any of its
sub-domains.
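
The ownership-change rule above, together with the rule that domains are identified by their full path from root, can be modelled as an authorization check. This is an added example, not code from the product: the Account class, the role strings, and may_reassign_vm are hypothetical names, the sample accounts are constructed, and it assumes "VMs within the domain" covers the administrator's domain and its sub-domains.

```python
from dataclasses import dataclass

# Role labels are assumptions for this sketch, not product constants.
ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"

@dataclass(frozen=True)
class Account:
    name: str
    domain: str          # full path from root, e.g. "root/sales/d1"
    role: str = USER

def in_subtree(domain: str, ancestor: str) -> bool:
    """True if `domain` is `ancestor` itself or one of its sub-domains.

    Compares full paths on a "/" boundary, so root/d10 is not treated as
    part of root/d1, and root/foo/d1 is not confused with root/d1 even
    though both end in the same domain name.
    """
    return domain == ancestor or domain.startswith(ancestor + "/")

def may_reassign_vm(caller: Account, owner: Account, target: Account) -> bool:
    """Decide whether `caller` may move a VM from `owner` to `target`."""
    if caller.role == ROOT_ADMIN:
        return True      # root administrators: any account to any account
    if caller.role == DOMAIN_ADMIN:
        # Both the current owner and the new owner must sit inside the
        # caller's own domain subtree.
        return (in_subtree(owner.domain, caller.domain)
                and in_subtree(target.domain, caller.domain))
    return False         # ordinary users cannot change ownership

# Constructed sample accounts.
root_admin = Account("admin", "root", ROOT_ADMIN)
d1_admin = Account("d1-admin", "root/d1", DOMAIN_ADMIN)
acct_a = Account("acct-a", "root/d1")
acct_b = Account("acct-b", "root/d1/team")   # sub-domain of root/d1
acct_c = Account("acct-c", "root/foo/d1")    # same leaf name, other domain
acct_d = Account("acct-d", "root/d10")       # shares a string prefix only

if __name__ == "__main__":
    for owner, target in [(acct_a, acct_b), (acct_a, acct_c),
                          (acct_a, acct_d), (acct_c, acct_a)]:
        verdict = may_reassign_vm(d1_admin, owner, target)
        print(f"{owner.domain} -> {target.domain}: {verdict}")
```

Matching on the leaf domain name or on a bare string prefix instead of the full path would let the root/d1 administrator reach accounts in root/foo/d1 or root/d10.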