The Managed Cloud security roles

Abstract

Learn more about access rights in Managed Cloud container deployments.

When you request the Managed Cloud environment in Sitecore Support & Self-Service Portal, you must identify your users for the three different security roles by entering their email addresses. Sitecore assigns the relevant access rights for each role. For users to develop for and manage Managed Cloud deployments, they must be assigned one of the following security roles for that Managed Cloud deployment:

  • Devops engineer - usually the technical contact of a Managed Cloud deployment. You must assign this super-user security role to one of your users to be able to work with Managed Cloud.

  • System administrator - user who specializes in specific system management and maintains and scales infrastructure and configurations. They have access to logs and dashboards in addition to the permissions available to developers.

  • Developer - user who is responsible for customizing and deploying solutions into the Managed Cloud deployment. They can introduce changes to the Managed Cloud deployment by creating a git branch and pull request. Pull requests must be approved by a Devops engineer in order to be completed and deployed.

    Note

    You can use the Get Access - User service request in Sitecore Support & Self-Service Portal to change the status of a user.

Managed Cloud deployments include one other security role: the Cloudops engineer. This security role is used by Sitecore staff to manage and support your Managed Cloud deployment. Only a limited number of Sitecore employees have the Cloudops engineer role and this role is highly protected within the Sitecore organization.

Note

For non-production environments, all roles mentioned will have ReaderNoACM at the subscription level and ContributorNoACM at the resource group level.

The following table lists the access rights for the security roles in Managed Cloud deployments:

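| Area | Access right | System admin | Devops engineer | Developer | Cloudops engineer (Sitecore employee) |
|---|---|---|---|---|---|
| Git repository for Infrastructure as code | Read access | Yes | Yes | Yes | Yes |
| Git repository for Infrastructure as code | Create branches | No | Yes | No | Yes |
| Git repository for Infrastructure as code | Create pull request | No | Yes | No | Yes |
| Git repository for Infrastructure as code | Approve pull request | No | Yes (Required approval) | No | Yes (For Self Service Portal requests) |
| Devops pipelines for deployment automation | Run pipeline | No | Yes | No | Yes (For Self Service Portal requests) |
| Devops pipelines for deployment automation | Stop pipeline | No | Yes | No | Yes (For Self Service Portal requests) |
| Devops pipelines for deployment automation | Modify pipeline | No | Yes | No | Yes (For maintenance purpose) |
| Devops pipelines for deployment automation | Create additional pipelines | No | Yes | No | Yes (For Self Service Portal requests) |
| Azure Portal | View MCC resources | Yes | Yes | Yes | Yes |
| Azure Portal | Modify MCC resources | No | No | No | No |
| Azure Portal | View other resources | Yes | Yes | No | Yes |
| Azure Portal | Modify other resources | No | No | No | No |
| Kubernetes | View deployments using CLI | Yes | Yes | No | Yes |
| Kubernetes | Modify deployments using CLI | No | No | No | No |
| Kubernetes | Delete workload | No | Yes | No | Yes |
| Kubernetes | Connect underlying infrastructure (for example VMs) | No | Yes | No | Yes |
| Key Vault containing secrets | Read credentials | Yes | Yes | No | Yes |
| Key Vault containing secrets | Modify credentials | No | Yes | No | Yes |
| Storage | Read content | Yes | Yes | No | Yes |
| Storage | Modify content | No | Yes | No | Yes |
| Azure Container Registry with custom images | Push image | Yes | Yes | Yes | Yes |
| Azure Container Registry with custom images | Pull image | Yes | Yes | Yes | Yes |
| Azure Container Registry with custom images | Delete image | No | No | No | No |
| Elastic (stores logs) | View logs | Yes | Yes | No | Yes |
| Elastic (stores logs) | Configure indexes | No | Yes | No | Yes |
| SearchStax (provides Solr-as-a-Service) | Query data | Yes | Yes | No | Yes |
| SearchStax (provides Solr-as-a-Service) | Management API | No | Yes | No | Yes |
| Grafana (displays performance metrics) | View dashboards | Yes | Yes | No | Yes |
| Grafana (displays performance metrics) | Edit dashboards | No | Yes | No | No |
| Grafana (displays performance metrics) | Admin | No | Yes | No | No |
| Sitecore Experience Platform | Login | Yes | Yes | Yes | Y |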