Roles and Permissions

The Enterprise Service Cloud comes with 8 different roles that are offered to the customers:

There is also an additional role, the Tenant Owner, which is normally assigned to a Swisscom partner. This role is responsible for permission requests and access management. Together with the tenant managers, the Tenant Owner can help with any new request or issue regarding access management and permissions. If you don't know who your tenant owner is, please ask the relevant Swisscom account manager.

Roles

Business Group Admin

The Business Group Admin is the administrator of a business group.

  • He can consume all the catalog items/blueprints that are entitled to his business group for himself but also on behalf of others.
  • He can check all the requests from all the members of his business group.
  • He can assign users/groups to the business group.
  • He is allowed to create/edit/delete/assign entitlements to his business group.

Business Group User

The Business Group User is the user of a business group.

  • He can consume all the catalog items/blueprints that are entitled to his business group.
  • He can edit any VM that is owned by a user in this business group.

Tenant Manager

The Tenant Manager role has rights to manipulate (create, read, update, delete) business groups. He can do the following:

  • add/remove services from a business group
  • add/remove networks from a business group
  • add/remove users/admins from a business group
  • edit the business group description

NSX Firewall Administrator

The NSX Firewall Administrator role has rights to manipulate (create, read, update, delete) the following NSX assets:

  • add/remove/edit firewalls
  • add/remove/edit IP sets
  • add/remove/edit security groups

NSX Firewall Read-only User

The NSX Firewall Read-only User role allows the user to see (read-only) NSX assets such as firewalls, IP sets and security groups without being able to modify them.

Consumption Manager

The Consumption Manager role has the rights to see the consumption of provisioned products and services for the entire tenant. Find more here about Consumption

Consumption Manager BG

The Consumption Manager BG role has the right to access the consumption report page and can see the consumption of provisioned products in the business groups the user has access to. The Consumption Manager BG role by itself does not give a user access to any business group. This access needs to be granted with the role ‘BG User’ or ‘BG Manager’.

Find more here about Consumption

Compliance Manager

With the Compliance Manager role, the user can get an overview of their provisioned VMs that have a CID (Customer Identifying Data) status. This service must be explicitly enabled.

Managing Roles and Permissions

For simpler permission management, it is recommended to set up a corresponding group for each of the roles in the attached identity provider, e.g. Active Directory.

It is recommended to have a group for at least the following roles:

  • Tenant Manager
  • NSX Firewall Administrator
  • NSX Firewall Read-only User
  • Consumption Manager
  • Consumption Manager BG
  • Compliance Manager

With this approach, membership of the key roles can be managed independently of Swisscom, directly in the corresponding directory, using the means and processes that already exist there.

Groups for the above roles can be entitled to the corresponding roles by Swisscom via the Tenant Owner.

Generally it is also recommended to set up groups for the Business Group Admin and for the Business Group Users of each business group, to offload the permission management completely to the identity provider. But this may vary based on the use case.
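
The following PowerShell script creates one Active Directory security group per role recommended above, plus admin and user groups per business group, and lists the current members of each group for review. It is an added example, not part of the Swisscom documentation; the OU path, naming prefix, business group names and group scope are assumptions to replace with your own values.

```powershell
# Added example: one AD security group per Enterprise Service Cloud role.
# Requires the ActiveDirectory module (RSAT) and rights to create groups in $OuPath.
Import-Module ActiveDirectory

# Assumptions (placeholders, not taken from the documentation):
$OuPath         = 'OU=ESC-Roles,DC=example,DC=com'   # OU that holds the role groups
$Prefix         = 'ESC'                              # naming prefix for the groups
$BusinessGroups = @('BG-Example1', 'BG-Example2')    # your business group names

# Tenant-wide roles for which the documentation recommends a group.
$TenantRoles = @(
    'Tenant Manager',
    'NSX Firewall Administrator',
    'NSX Firewall Read-only User',
    'Consumption Manager',
    'Consumption Manager BG',
    'Compliance Manager'
)

# Build the list of groups: tenant-wide roles first, then per-business-group roles.
$GroupSpecs = @()
foreach ($role in $TenantRoles) {
    $GroupSpecs += [pscustomobject]@{
        Name = "$Prefix-$($role -replace '\s+', '-')"
        Role = $role
    }
}
foreach ($bg in $BusinessGroups) {
    foreach ($role in 'Business Group Admin', 'Business Group User') {
        $GroupSpecs += [pscustomobject]@{
            Name = "$Prefix-$bg-$($role -replace '\s+', '-')"
            Role = "$role ($bg)"
        }
    }
}

foreach ($spec in $GroupSpecs) {
    # Idempotent: only create groups that do not exist yet.
    $existing = Get-ADGroup -Filter "Name -eq '$($spec.Name)'" -SearchBase $OuPath
    if (-not $existing) {
        New-ADGroup -Name $spec.Name -SamAccountName $spec.Name `
            -GroupScope Global -GroupCategory Security -Path $OuPath `
            -Description "Enterprise Service Cloud role: $($spec.Role)"
    }
    # Membership listing for periodic access review (least privilege check).
    Get-ADGroupMember -Identity $spec.Name |
        Select-Object @{ n = 'Group'; e = { $spec.Name } }, SamAccountName, objectClass
}
```

The groups grant nothing until they have been entitled to the corresponding roles via the Tenant Owner.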

Frequently asked questions (FAQ)

  • I cannot access my tenant: Access denied, you don't have permissions to access that tenant.
    • Check that your credentials are correct.
    • Check with the tenant manager and tenant owner whether you are part of any business group. If not, ask the tenant manager to add you to a business group.