The Managed Cloud security roles

Version:

When you request the Managed Cloud environment in Sitecore Support & Self-Service Portal, you must identify your users for the three different security roles by entering their email addresses. Sitecore assigns the relevant access rights for each role. For users to develop for and manage Managed Cloud deployments, they must be assigned one of the following security roles for that Managed Cloud deployment:

  • Devops engineer - usually the technical contact of a Managed Cloud deployment. You must have this super-user security role assigned to one of your users, to be able to work with Managed Cloud.

  • System administrator - user who specializes in specific system management and maintains and scales infrastructure and configurations. They have access to logs and dashboards in addition to the permissions available to developers.

  • Developer - user who is responsible for customizing and deploying solutions into the Managed Cloud deployment. They can introduce changes to the Managed Cloud deployment by creating a git branch and pull request. Pull requests must be approved by a Devops engineer in order to be completed and deployed.

    Note

    You can use the Get Access - User service request in Sitecore Support & Self-Service Portal to change the status of a user.

Managed Cloud deployments include one other security role: the Cloudops engineer. This security role is used by Sitecore staff to manage and support your Managed Cloud deployment. Only a limited number of Sitecore employees have the Cloudops engineer role and this role is highly protected within the Sitecore organization.

Note

For non-production environments, all roles mentioned will have ReaderNoACM at the subscription level and ContributorNoACM at the resource group level.

The following table lists the access rights for the security roles in Managed Cloud deployments:

System adminDevops engineerDeveloperCloudops engineer

(Sitecore employee)
Git repository for Infrastructure as code
Read accessYesYesYesYes
Create branchesYesYesYesYes
Create pull requestYesYesYesYes
Approve pull requestYesYes (Required approval)YesYes (For Self Service Portal requests)
Devops pipelines for deployment automation
Run pipelineNoYesNoYes (For Self Service Portal requests)
Stop pipelineNoYesNoYes (For Self Service Portal requests)
Modify pipelineNoYesNoYes (For maintenance purpose)
Azure Portal
View MCC resourcesYesYesNoYes
Modify MCC resourcesNoNoNoNo
View other resourcesYesYesNoYes
Modify other resourcesYesYesNoNo
Kubernetes
View deployments using CLIYesYesNoYes
Modify deployments using CLINoNoNoNo
Connect underlying infrastructure (for example VMs)YesYesNoYes
Key Vault containing secrets
Read credentialsNoYesNoYes
Modify credentialsNoYesNoYes
Storage
Read contentNoYesNoYes
Modify contentNoYesNoYes
Azure Container Registry with custom images
Push imageNoYesNoYes
Pull imageYesYesYesYes
Delete imageNoYesNoNo
Elastic (stores logs)
View logsYesYesNoYes
Configure indexesYesYesNoYes
SearchStax (provides Solr-as-a-Service)
Query dataNoYesNoYes
Management APIYesYesNoYes
Grafana (displays performance metrics)
View dashboardsYesYesNoYes
Edit dashboardsYesYesNoNo
AdminYesYesNoNo
Sitecore Experience Platform
LoginNoYesNoNo
Disaster Recovery
ExecutionNoNoNoYes
If you have suggestions for improving this article, let us know!