Roles

In addition to the default roles admin and developer, you can use an account associated with the admin role to log in to the CSE console and perform operations listed in Table 1 based on service requirements.

**Table 1** Role management operations
Operation	Description
Creating a Role	Creates a role and configures permission actions for the role in different service groups. A maximum of 100 roles can be created.
Editing a Role	Modifies the permissions of the created role.
Deleting a Role	Deletes a role that is no longer used. NOTE: Deleted roles cannot be restored. Exercise caution when performing this operation. Before deleting a role, ensure that the role is not associated with any account. For details about how to cancel the association between a role and an account, see Editing an Account.
Viewing a Role	Displays the created roles of the microservice engine based on the keyword of the role name.

Creating a Role

Log in to ServiceStage and choose Cloud Service Engine > Engines.
Select the target microservice engine with security authentication enabled from the Microservice Engine drop-down list in the upper part of the page.
Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the microservice engine, and click OK.
- If you connect to the microservice engine for the first time, enter the account name root and the password entered when creating the microservice engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click Create Role.
Enter a role name.

The role name cannot be changed after the role is created.

Configure permissions.

Set Service Group.

If you select All Services:
You can perform corresponding permission actions on all microservices of the microservice engine.

If you select Custom Service Groups, set the parameters according to Table 2.

**Table 2** Custom service group operations
Operation	Description
Adding a Matching Rule	Click Add Service Group Matching Rule. Select Application, Environment, and Service based on service requirements to filter the microservices on which the role can perform permission actions. NOTE: Application, Environment, and Service are three parameters of a microservice: If only one parameter is set for a single matching rule, the role has the operation permission on the microservice that matches the parameter value. For example, if you add Environment: production, the role has the operation permission only on the microservice whose environment name is production. If more than one parameter is set for a single matching rule, the role has the operation permission on the microservices that match all parameter values. For example, if you add Environment: production Application: abc, the role has the operation permission on the microservice whose environment name is production and application name is abc. When automatic discovery is enabled, microservices query the instance addresses of services such as the registry center, configuration center, and dashboard through the registry center. When you grant the query permission to a microservice, the permission of the default application must be included. In this case, add the matching rule Application: default. After the microservice matching rule is set, click OK.
Editing a Matching Rule	Click next to the matching rule to be edited. You can reconfigure Service Group and Action of the matching rule based on service requirements. After the service group matching rule is configured, click OK.
Deleting a Matching Rule	Click next to the matching rule to be deleted. You can delete the matching rule based on service requirements.

A maximum of 20 microservice matching rules can be set for a custom service group.

If multiple matching rules are set for a custom service group, the role has the operation permission on the microservice as long as the microservice meets any of the matching rules.

Set Action.
Configure the permission actions that can be performed by the role on the selected service group based on service requirements. You can select multiple permission actions.
- All: Add, delete, modify, and query resources in the service group.
- Add: Add resources to the service group.
- Delete: Delete resources from the service group.
  
  If only Delete is selected, you cannot delete resources in the service group. You must select View at the same time.
- Modify: Modify resources in the service group.
  
  If only Modify is selected, you cannot modify resources in the service group. You must select View at the same time.
- View: View resources in the service group.

Click Create.

Editing a Role

Log in to ServiceStage and choose Cloud Service Engine > Engines.
Select the target microservice engine with security authentication enabled from the Microservice Engine drop-down list in the upper part of the page.
Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the microservice engine, and click OK.
- If you connect to the microservice engine for the first time, enter the account name root and the password entered when creating the microservice engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click Edit in the Operation column of the role to be edited.
Modify Service Group and Action based on service requirements.
Click Save.

Deleting a Role

Log in to ServiceStage and choose Cloud Service Engine > Engines.
Select the target microservice engine with security authentication enabled from the Microservice Engine drop-down list in the upper part of the page.
Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the microservice engine, and click OK.
- If you connect to the microservice engine for the first time, enter the account name root and the password entered when creating the microservice engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click Delete in the Operation column of the role to be deleted. In the displayed dialog box, enter DELETE and click OK.
- Deleted roles cannot be restored. Exercise caution when performing this operation.
- Before deleting a role, ensure that the role is not associated with any account. For details about how to cancel the association between a role and an account, see Editing an Account.

Viewing a Role

Log in to ServiceStage and choose Cloud Service Engine > Engines.
Select the target microservice engine with security authentication enabled from the Microservice Engine drop-down list in the upper part of the page.
Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the microservice engine, and click OK.
- If you connect to the microservice engine for the first time, enter the account name root and the password entered when creating the microservice engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click next to the role to be viewed to expand the role details.
Service Group and Action of the role are displayed.