An overview of the permission structure for Cognito and RONIN.
There are two types of permissions that work together to ensure the right level of access for all of your RONIN users:
RONIN obtains user access tokens and top-level groups from Cognito.
Cognito can be connected to third-party identity providers such as Google, Facebook, OpenID and SAML.
The following three Cognito groups are managed via the AWS console.
As a member of the RONIN Admin group, I can…
- Create projects and assign users to them
- Manage project budgets and pause projects if necessary
- Configure base operating systems and pre-configured software via the Service Catalogue
- Do everything a RONIN Lower Admin can do
RONIN Lower Admin (previously RONIN Trial Admin)
As a member of the RONIN Lower Admin group, I can…
- Access the Budget Management and Machine List screens to view information for projects I am a member of
- Manage project budgets and pause projects if necessary for the projects I am an Admin of
- Do everything a RONIN User can do
RONIN User (deprecated - no Cognito group is required for standard users)
As a member of the RONIN User group, I can...
- Log in to RONIN using my account synced from a connected Active Directory or sent to me by RONIN
- Be found in a RONIN user search
- Access and/or administer projects that have been assigned to me
- Log out
RONIN PROJECT GROUPS
The following three RONIN Project groups are managed within RONIN via the project settings or permissions screens.
As a Project Admin within a RONIN project, I can...
- Modify permissions for other users within my project, including adding additional Project Admins, Users and Viewers
- Do everything a Project User can do
Note: Project Admins can be given the ability to manage project settings (budget, timeline, auto pause, etc.) if they are also added to the Cognito RONIN Lower Admin group.
As a Project User within a RONIN project, I can…
- Launch, start, stop and terminate instances within my project
- Choose the size of the machine I want to launch
- Attach additional storage to my project’s instances
- Backup my project’s storage
- Package my research infrastructure to reproduce or share my work within my project
- Create, manage and delete object storage (S3)
- Do everything a Project Viewer can do
As a Project Viewer within a RONIN project, I can...
- Search for projects I have access to
- View the project dashboard
Below we provide a comprehensive list of actions that are available in RONIN and their respective required permissions.
The following matrix can be used as a guide to help you determine what combination of Cognito and RONIN Project permissions would be suitable for different roles within the institution. The lowest required permissions to achieve the listed actions are indicated in red; dark shading indicates permission levels that are too low to achieve the listed action.