The Managed Cloud security roles
Learn more about access rights in Managed Cloud container deployments.
When you request the Managed Cloud environment in Sitecore Support & Self-Service Portal, you must identify your users for the three different security roles by entering their email addresses. Sitecore assigns the relevant access rights for each role. For users to develop for and manage Managed Cloud deployments, they must be assigned one of the following security roles for that Managed Cloud deployment:
Devops engineer - usually the technical contact of a Managed Cloud deployment. You must have this super-user security role assigned to one of your users, to be able to work with Managed Cloud.
System administrator - user who specializes in specific system management and maintains and scales infrastructure and configurations. They have access to logs and dashboards in addition to the permissions available to developers.
Developer - user who is responsible for customizing and deploying solutions into the Managed Cloud deployment. They can introduce changes to the Managed Cloud deployment by creating a git branch and pull request. Pull requests must be approved by a Devops engineer in order to be completed and deployed.
Note
You can use the Get Access - User service request in Sitecore Support & Self-Service Portal to change the status of a user.
Managed Cloud deployments include one other security role: the Cloudops engineer. This security role is used by Sitecore staff to manage and support your Managed Cloud deployment. Only a limited number of Sitecore employees have the Cloudops engineer role and this role is highly protected within the Sitecore organization.
Note
For non-production environments, all roles mentioned will have ReaderNoACM at the subscription level and ContributorNoACM at the resource group level.
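An added example, not part of the Sitecore documentation: one way to check a non-production subscription against the baseline in this note, by parsing role assignments in the JSON shape that `az role assignment list --all -o json` returns. The sample data, subscription ID, resource group name and user addresses are constructed, and treating any other role at those two scope levels as a finding is an assumption of this sketch.

```python
import json
import re

# Baseline from the note above: role expected at each scope level (non-production).
EXPECTED = {"subscription": "ReaderNoACM", "resource_group": "ContributorNoACM"}

# Azure returns "resourceGroups" with inconsistent casing, so match case-insensitively.
SUB_RE = re.compile(r"^/subscriptions/[^/]+/?$", re.I)
RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.I)

def scope_level(scope):
    """Classify an Azure scope string as subscription, resource_group or other."""
    if SUB_RE.match(scope):
        return "subscription"
    if RG_RE.match(scope):
        return "resource_group"
    return "other"

def audit(assignments, principals):
    """Return sorted findings (principal, level, problem) for the listed principals."""
    findings = set()
    seen = {p: set() for p in principals}
    for a in assignments:
        who = a.get("principalName")
        if who not in seen:
            continue  # not one of the users under review
        level, role = scope_level(a["scope"]), a["roleDefinitionName"]
        if level == "other":
            findings.add((who, level, f"outside baseline, review: {role} at {a['scope']}"))
        elif role == EXPECTED[level]:
            seen[who].add(level)
        else:
            findings.add((who, level, f"unexpected role: {role}"))
    for who, levels in seen.items():
        for level in EXPECTED.keys() - levels:
            findings.add((who, level, f"missing {EXPECTED[level]}"))
    return sorted(findings)

# Constructed sample (placeholder subscription ID, resource group and users).
SAMPLE = json.loads("""[
 {"principalName":"dev@example.com","roleDefinitionName":"ReaderNoACM","scope":"/subscriptions/0000"},
 {"principalName":"dev@example.com","roleDefinitionName":"ContributorNoACM","scope":"/subscriptions/0000/resourcegroups/mcc-nonprod"},
 {"principalName":"ops@example.com","roleDefinitionName":"Owner","scope":"/subscriptions/0000"},
 {"principalName":"ops@example.com","roleDefinitionName":"ContributorNoACM","scope":"/subscriptions/0000/resourceGroups/mcc-nonprod"}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["dev@example.com", "ops@example.com"]):
        print(*finding, sep=" | ")
```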
The following table lists the access rights for the security roles in Managed Cloud deployments:
| Access right | System admin | Devops engineer | Developer | Cloudops engineer (Sitecore employee) |
|---|---|---|---|---|
| Git repository for Infrastructure as code | | | | |
| Read access | Yes | Yes | Yes | Yes |
| Create branches | No | Yes | No | Yes |
| Create pull request | No | Yes | No | Yes |
| Approve pull request | No | Yes (Required approval) | No | Yes (For Self Service Portal requests) |
| Devops pipelines for deployment automation | | | | |
| Run pipeline | No | Yes | No | Yes (For Self Service Portal requests) |
| Stop pipeline | No | Yes | No | Yes (For Self Service Portal requests) |
| Modify pipeline | No | Yes | No | Yes (For maintenance purpose) |
| Create additional pipelines | No | Yes | No | Yes (For Self Service Portal requests) |
| Azure Portal | | | | |
| View MCC resources | Yes | Yes | Yes | Yes |
| Modify MCC resources | No | No | No | No |
| View other resources | Yes | Yes | No | Yes |
| Modify other resources | No | No | No | No |
| Kubernetes | | | | |
| View deployments using CLI | Yes | Yes | No | Yes |
| Modify deployments using CLI | No | No | No | No |
| Delete workload | No | Yes | No | Yes |
| Connect underlying infrastructure (for example VMs) | No | Yes | No | Yes |
| Key Vault containing secrets | | | | |
| Read credentials | Yes | Yes | No | Yes |
| Modify credentials | No | Yes | No | Yes |
| Storage | | | | |
| Read content | Yes | Yes | No | Yes |
| Modify content | No | Yes | No | Yes |
| Azure Container Registry with custom images | | | | |
| Push image | Yes | Yes | Yes | Yes |
| Pull image | Yes | Yes | Yes | Yes |
| Delete image | No | No | No | No |
| Elastic (stores logs) | | | | |
| View logs | Yes | Yes | No | Yes |
| Configure indexes | No | Yes | No | Yes |
| SearchStax (provides Solr-as-a-Service) | | | | |
| Query data | Yes | Yes | No | Yes |
| Management API | No | Yes | No | Yes |
| Grafana (displays performance metrics) | | | | |
| View dashboards | Yes | Yes | No | Yes |
| Edit dashboards | No | Yes | No | No |
| Admin | No | Yes | No | No |
| Sitecore Experience Platform | | | | |
| Login | Yes | Yes | Yes | Yes |