Roles

In addition to the default roles admin and developer, you can use a ServiceComb engine account associated with the admin role to log in to the CSE console and perform operations listed in Table 1 based on service requirements.

**Table 1** Role management operations
Operation	Description
Creating a Role	Creates a role and configures permission actions for the role in different service and configuration groups. A maximum of 100 roles can be created.
Editing a Role	Modifies the permissions of the created role.
Deleting a Role	Deletes a role that is no longer used. NOTE: Deleted roles cannot be restored. Exercise caution when performing this operation. Before deleting a role, ensure that the role is not associated with any account. For details about how to cancel the association between a role and an account, see Editing an Account.
Viewing a Role	Displays the created roles of the ServiceComb engine based on the keyword of the role name.

Creating a Role

Log in to CSE.
Choose Exclusive ServiceComb Engines.

Click the target ServiceComb engine with security authentication enabled.
Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the ServiceComb engine, and click OK.
- If you connect to the ServiceComb engine for the first time, enter the account name root and the password entered when Creating a ServiceComb Engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click Create Role.
Enter a role name.

The role name cannot be changed once the role is created.

Configure permissions.

Set Permission Group.

Set the service permissions.

If you select All Services:
You can perform corresponding permission actions on all microservices of the ServiceComb engine.

If you select Custom Service Groups, set the parameters according to Table 2.

**Table 2** Custom service group operations
Operation	Description
Adding a Matching Rule	Click Add Service Group Matching Rule. Select Application, Environment, and Service based on service requirements to filter the microservices on which the role can perform permission actions. NOTE: Application, Environment, and Service are three parameters of a microservice: If only one parameter is set for a single matching rule, the role has the operation permission on the microservice that matches the parameter value. For example, if you add Environment: production, the role has the operation permission only on the microservice whose environment name is production. If more than one parameter is set for a single matching rule, the role has the operation permission on the microservices that match all parameter values. For example, if you add Environment: production Application: abc, the role has the operation permission on the microservice whose environment name is production and application name is abc. When automatic discovery is enabled, microservices query the instance addresses of services such as the registry center, configuration center, and dashboard through the registry center. When you grant the query permission to a microservice, the permission of the default application must be included. In this case, add the matching rule Application: default. After the microservice matching rule is set, click OK.
Editing a Matching Rule	Click next to the matching rule to be edited. You can reconfigure Service Group and Action of the matching rule based on service requirements. After the service group matching rule is set, click OK.
Deleting a Matching Rule	Click next to the matching rule to be deleted. You can delete the matching rule based on service requirements.

A maximum of 20 microservice matching rules can be set for a custom service group.

If multiple matching rules are set for a custom service group, the role has the operation permission on the microservice as long as the microservice meets any of the matching rules.

Set the configuration permissions.

If you select All Configurations:
You can perform corresponding permission actions on all microservices of the ServiceComb engine.

If you select Custom Configuration Groups, set the parameters according to Table 3.

**Table 3** Custom configuration group operations
Operation	Description
Adding a Matching Rule	Click Add Configuration Group Matching Rule. Select Application, Environment, and Service based on service requirements to filter the configurations on which the role can perform permission actions. If application-level and microservice-level configurations cannot meet service requirements, you can customize a matching rule to match the configured custom labels and filter the permission actions that can be performed by the role. NOTE: Application, Environment, and Service are three parameters of a configuration: If only one parameter is set for a single matching rule, the role has the operation permission on the configuration that matches the parameter value. For example, if you add Environment: production, the role has the operation permission only on the configuration whose environment name is production. If more than one parameter is set for a single matching rule, the role has the operation permission on the configurations that match all parameter values. For example, if you add Environment: production Application: abc, the role has the operation permission on the configuration whose environment name is production and application name is abc. After the configuration matching rule is set, click OK.
Editing a Matching Rule	Click next to the matching rule to be edited. You can reconfigure Configuration Group and Action of the matching rule based on service requirements. After the configuration group matching rule is set, click OK.
Deleting a Matching Rule	Click next to the matching rule to be deleted. You can delete the matching rule based on service requirements.

A maximum of 20 matching rules can be set for a custom configuration group.

If multiple matching rules are set for a configuration service group, the role has the operation permission on the configuration as long as the configuration meets any of the matching rules.

Set Action.
Configure the permission actions that can be performed by the role on the selected service group and configuration group based on service requirements. You can select multiple permission actions.
- All: Add, delete, modify, and query resources in the service group and configuration group.
- Add: Add resources to the service group and configuration group.
- Delete: Delete resources from the service group and configuration group.
  
  If only Delete is selected, you cannot delete resources in the service group and configuration group. You must select View at the same time.
- Modify: Modify resources in the service group.
  
  If only Modify is selected, you cannot modify resources in the service group and configuration group. You must select View at the same time.
- View: View resources in the service group and configuration group.

Click Create.

Editing a Role

Log in to CSE.
Choose Exclusive ServiceComb Engines.

Click the target ServiceComb engine with security authentication enabled.

Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the ServiceComb engine, and click OK.
- If you connect to the ServiceComb engine for the first time, enter the account name root and the password entered when Creating a ServiceComb Engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click Edit in the Operation column of the role to be edited.
Modify Service Group, Configuration Group, and Action based on service requirements.
Click Save.

Deleting a Role

Log in to CSE.
Choose Exclusive ServiceComb Engines.

Click the target ServiceComb engine with security authentication enabled.

Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the ServiceComb engine, and click OK.
- If you connect to the ServiceComb engine for the first time, enter the account name root and the password entered when Creating a ServiceComb Engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click Delete in the Operation column of the role to be deleted. In the displayed dialog box, enter DELETE and click OK.
- Deleted roles cannot be restored. Exercise caution when performing this operation.
- Before deleting a role, ensure that the role is not associated with any account. For details about how to cancel the association between a role and an account, see Editing an Account.

Viewing a Role

Log in to CSE.
Choose Exclusive ServiceComb Engines.

Click the target ServiceComb engine with security authentication enabled.

Choose System Management.
In the displayed Security Authentication dialog box, enter the name and password of the account associated with the admin role under the ServiceComb engine, and click OK.
- If you connect to the ServiceComb engine for the first time, enter the account name root and the password entered when Creating a ServiceComb Engine.
- For details about how to create an account, see Adding an Account.
On the Roles tab page, click next to the role to be viewed to expand the role details.

Service Group, Configuration Group, and Action of the role are displayed.