Permissions
Overview
FCP provides two permission management models to meet security and governance requirements in different scenarios:
- Role-based access control (RBAC): Grants permissions via roles in bulk. RBAC permissions are not tied to specific resources. RBAC mainly controls what actions a user can perform in a module (functional permissions), rather than resource-level access.
- Access control lists (ACLs): Provides fine-grained permissions on specific resources. ACLs precisely control which entities (users or groups) can perform which actions (read/update/delete, etc.) on which resources (for example clusters and mounts).
How RBAC and ACL Work Together
RBAC and ACL are designed to be used together. Permission evaluation rules:
- For resources you create: As long as you have the required role permissions, you have full control of the resource as its creator, without additional ACL grants.
- For resources created by others: You must satisfy both:
  - Role permissions: You have the functional permission to operate on that resource type (granted by an administrator).
  - Access control permissions: You have the target resource's ACL permission (configured by an administrator or the resource owner).
Role-Based Authorization (RBAC)
A role corresponds to a set of permissions. Permissions determine what operations can be performed. Granting a role to a user or group grants all permissions included in that role.
Create a Role
Administrators can create custom roles and assign permissions based on real needs. The platform also provides a built-in ADMIN role that has full control over all platform resources.
Steps to create a custom role:
- Go to Users and Authorization > Role Management.
- Click Create role.
- Fill in role information:
  - Role name: Unique identifier (for example "Project Admin").
  - Description: Explains the role purpose and permission scope.
- Configure the permission set:
  - Select permissions from the permission tree.
  - You can filter by resource type (task/cluster/desktop, etc.).
- Click Confirm to create the role.
Edit a Role
Click Edit to modify the role name, description, and permission set.
Delete a Role
When a role is no longer used, click Delete and confirm.
Assign Roles
Grant roles to a user
- Go to User Management and select the target user.
- Click Edit.
- Select one or more roles from the available role list.
- Confirm.
- Open the target user to view their global permission list and global access control list.
Grant roles to a group
- Go to Group Management and select the target group.
- Click Edit.
- Select one or more roles from the available role list.
- Confirm. The grant applies to all group members automatically. New members inherit group roles.
- Open the target group to view its global permission list and global access control list.
RBAC Permission Reference
| Permission | Module | Menu path (UI) | Description |
|---|---|---|---|
| Manage job template tags | Job template tags | Compute > Application Center > Job templates | Manage job template tags, including create/read/update/delete. |
| Create task | Task | Compute > Application Center > Task management | Create tasks to satisfy compute needs. |
| Read task | Task | Compute > Application Center > Task management | Read task information (list, details, etc.). |
| Update task | Task | Compute > Application Center > Task management | Update tasks (for example cancel). |
| Delete task | Task | Compute > Application Center > Task management | Delete task records. |
| Create job template | Job template | Compute > Application Center > Task management | Create job templates for later task submission. |
| Read job template | Job template | Compute > Application Center > Task management | Read job templates (list, details, etc.). |
| Update job template | Job template | Compute > Application Center > Task management | Update job templates (for example template configuration). |
| Delete job template | Job template | Compute > Application Center > Task management | Delete job template records. |
| Create cluster | Cluster | Compute > HPC Cluster Service > Cluster management | Create a new cluster and allocate related resources. |
| Read cluster | Cluster | Compute > HPC Cluster Service > Cluster management | Read basic cluster information (list, details, etc.). |
| Update cluster | Cluster | Compute > HPC Cluster Service > Cluster management | Modify cluster configuration (add/remove partitions, add/remove quotas, update firewall, SSH login restriction, release protection). |
| Release cluster | Cluster | Compute > HPC Cluster Service > Cluster management | Release a cluster and free the occupied resources. |
| Update cluster ACL | Cluster | Compute > HPC Cluster Service > Cluster management | Update a cluster's ACL list. |
| Create cluster template | Cluster template | Compute > HPC Cluster Service > Cluster templates | Create cluster templates. |
| Read cluster template | Cluster template | Compute > HPC Cluster Service > Cluster templates | Read cluster templates (list, details, etc.). |
| Update cluster template | Cluster template | Compute > HPC Cluster Service > Cluster templates | Update cluster templates (name, description, configuration). |
| Delete cluster template | Cluster template | Compute > HPC Cluster Service > Cluster templates | Delete cluster templates. |
| Create SSH session | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Create an SSH session on a cluster/desktop. |
| Create VNC session | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Create a VNC session on a cluster/desktop. |
| Create RDP session | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Create an RDP session on a cluster/desktop. |
| Disconnect SSH session | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Disconnect an SSH session on a cluster/desktop. |
| Disconnect VNC session | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Disconnect a VNC session on a cluster/desktop. |
| Disconnect RDP session | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Disconnect an RDP session on a cluster/desktop. |
| Copy session clipboard data | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Copy clipboard data from a cluster/desktop remote session. |
| Paste session clipboard data | Sessions | Compute > HPC Cluster Service > Cluster management; Compute > Desktop Access Service > Desktop management | Paste data into the clipboard of a cluster/desktop remote session. |
| Create desktop | Desktop | Compute > Desktop Access Service > Desktop management | Create desktops and allocate related resources. |
| Read desktop | Desktop | Compute > Desktop Access Service > Desktop management | Read desktops (list, details, etc.). |
| Update desktop | Desktop | Compute > Desktop Access Service > Desktop management | Update desktops (for example release protection, add nodes). |
| Release desktop | Desktop | Compute > Desktop Access Service > Desktop management | Release desktops. |
| Update desktop ACL | Desktop | Compute > Desktop Access Service > Desktop management | Update a desktop's ACL list. |
| Create desktop app | Desktop app | Compute > Desktop Access Service > Desktop apps | Create desktop apps for later desktop workloads in the Web portal. |
| Read desktop app | Desktop app | Compute > Desktop Access Service > Desktop apps | Read desktop apps (list, details, etc.). |
| Update desktop app | Desktop app | Compute > Desktop Access Service > Desktop apps | Update desktop apps (name, description, icon, etc.). |
| Delete desktop app | Desktop app | Compute > Desktop Access Service > Desktop apps | Delete desktop app records. |
| Manage hosts | Compute service | Compute > Compute service | Manage hosts (add/test/upgrade, etc.). |
| Manage host groups | Compute service | Compute > Compute service | Manage host groups (create/delete, etc.). |
| Create mount | Mount | Storage > Storage service > Mount management | Create mounts for later storage/cluster mounting. |
| Read mount | Mount | Storage > Storage service > Mount management | Read mounts (list, details, etc.). |
| Delete mount | Mount | Storage > Storage service > Mount management | Delete mounts. |
| Bind storage | Storage | Storage > Data center > Data management | Mount external storage into the system. |
| Read storage | Storage | Storage > Data center > Data management | View storage and operate on files in storage (storage list, create folder, delete file, file details, etc.). |
| Unbind storage | Storage | Storage > Data center > Data management | Unmount external storage from the system. |
| Upload files to storage | Storage | Storage > Data center > Data management | Upload files into storage. |
| Download files from storage | Storage | Storage > Data center > Data management | Download files from storage. |
| Approve data downloads | Approval | Storage > Data center > Approval management | Approve approval requests initiated from the DM client. This permission is derived from approval policy configuration. |
| Approval data management | Approval data | Storage > Data center > Approval data | Manage approval data: view files in the staging area, and view/delete files in the download area. |
| Manage subnets | Network service | Network > Network service | Manage subnets (create, delete, view subnet information, etc.). |
| Manage network proxies | Network service | Network > Network service | Manage network proxies (create, delete, update, view proxy information, etc.). |
| View management node monitoring | Monitoring and alerts | Operations > Monitoring and alerts > Management node monitoring | View management node monitoring data (host monitoring, service status, etc.). |
| View operational overview | Analytics and reports | Operations > Analytics and reports > Operational overview | View Operational Overview data across platform/cluster/task/user dimensions. |
| Create user | Identity and access | Users and Authorization > User management | Create user records so new users can log in and operate on the platform. |
| Read user | Identity and access | Users and Authorization > User management | Read user records (list, details, etc.). |
| Update user profile | Identity and access | Users and Authorization > User management | Update user information (mobile, login shell, home directory, email, etc.). |
| Reset user password | Identity and access | Users and Authorization > User management | Reset a user's password so they can log in with the new password. |
| Update user status | Identity and access | Users and Authorization > User management | Update user status (for example Normal/Locked). |
| Update user roles | Identity and access | Users and Authorization > User management | Update a user's role list to control permissions granted to the user. |
| Delete user | Identity and access | Users and Authorization > User management | Delete user records. |
| Create group | Identity and access | Users and Authorization > User management | Create group records. |
| Read group | Identity and access | Users and Authorization > User management | Read group records (list, details, etc.). |
| Update group | Identity and access | Users and Authorization > User management | Update group information (description, WeCom, Feishu, DingTalk, etc.). |
| Update group roles | Identity and access | Users and Authorization > User management | Update a group's role list to control permissions granted to group members. |
| Delete group | Identity and access | Users and Authorization > User management | Delete group records. |
| Manage user-group memberships | Identity and access | Users and Authorization > User management | Manage membership between users and groups (which groups a user belongs to, and which users a group contains). |
| Create role | Identity and access | Users and Authorization > User management | Create roles and configure permissions. |
| Read role | Identity and access | Users and Authorization > User management | Read role records. |
| Update role | Identity and access | Users and Authorization > User management | Update role information (name, description, permission list). |
| Delete role | Identity and access | Users and Authorization > User management | Delete role records. |
| View admin audit logs | Audit logs | Users and Authorization > Administration and approval > Audit logs | View all audit logs. |
| View non-admin audit logs | Audit logs | Users and Authorization > Administration and approval > Audit logs | View audit logs that are not admin-level. |
| Manage licenses | System | Users and Authorization > Administration and approval > Approval policy; Users and Authorization > Administration and approval > Global configuration; Users and Authorization > Administration and approval > Security configuration | Manage licenses (for example update license). |
| Manage approval policy | System | Users and Authorization > Administration and approval > Approval policy; Users and Authorization > Administration and approval > Global configuration; Users and Authorization > Administration and approval > Security configuration | Manage approval policy (enable/disable approval, edit approvers in the approval flow). |
| Manage global configuration | System | Users and Authorization > Administration and approval > Approval policy; Users and Authorization > Administration and approval > Global configuration; Users and Authorization > Administration and approval > Security configuration | Manage global configuration (for example VNC configuration). |
| Update password security policy | System | Users and Authorization > Administration and approval > Approval policy; Users and Authorization > Administration and approval > Global configuration; Users and Authorization > Administration and approval > Security configuration | Manage password security policy (password length, max login failures, etc.). |
| Update system security policy | System | Administration and approval > Approval policy; Users and Authorization > Administration and approval > Global configuration; Users and Authorization > Administration and approval > Security configuration | Manage system security policy (idle timeout for Web UI, DM token validity period, etc.). |
| Export usage details | Billing | Administration and approval > Usage details | Export usage details in a specified time range. |
Special Permissions: Global Resource Management
Sensitive permissions: The following permissions are privileged in the RBAC system.
Unlike ordinary permissions, users who have these permissions gain access to all resources under the corresponding module without explicit ACL authorization on individual resources.
These permissions are typically granted only to resource administrators. Because they affect all resources in a module, grant them with caution.
| Permission | Scope (menu) | Behavior |
|---|---|---|
| Read all job templates | Compute > Application Center > Job templates | Global read: can read all job templates on the platform. |
| Manage all job templates | Compute > Application Center > Job templates | Global management: full control over all job templates on the platform. |
| Read all tasks | Compute > Application Center > Task management | Global read: can read task details of all users on the platform. |
| Manage all tasks | Compute > Application Center > Task management | Global management: full control over any task on the platform. |
| Read all clusters | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring | Global read: can read all HPC cluster information on the platform (does not include cluster analysis data). |
| Manage all clusters | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Global management: full control over any cluster on the platform. |
| Read all cluster templates | Compute > HPC Cluster Service > Cluster templates | Global read: can read all cluster templates. |
| Manage all cluster templates | Compute > HPC Cluster Service > Cluster templates | Global management: full control over any cluster template. |
| Read all mounts | Storage > Storage service > Mount management | Global read: can read detailed information for all mounts on the platform. |
| Manage all mounts | Storage > Storage service > Mount management | Global management: full control over any mount on the platform. |
| Read all desktops | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Cluster monitoring | Global read: can read all desktops on the platform. |
| Manage all desktops | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Cluster monitoring | Global management: full control over any desktop on the platform. |
| Read all desktop apps | Compute > Desktop Access Service > Desktop apps | Global read: can read all desktop apps on the platform. |
| Manage all desktop apps | Compute > Desktop Access Service > Desktop apps | Global management: full control over any desktop app on the platform. |
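The evaluation rules from "How RBAC and ACL Work Together" and the ACL bypass described in this section, as an added example for access reviews (not FCP's own code). The data model, the short action names and the sample users are hypothetical; permission names come from the tables on this page, and treating a global permission as sufficient on its own is an assumption.

```python
from dataclasses import dataclass, field

# Permission names are taken from the page's tables; this data model is hypothetical.
GLOBAL_READ = {"cluster": "Read all clusters", "mount": "Read all mounts"}
GLOBAL_MANAGE = {"cluster": "Manage all clusters", "mount": "Manage all mounts"}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

@dataclass
class Resource:
    kind: str                                  # "cluster" or "mount"
    name: str
    creator: str
    acl: dict = field(default_factory=dict)    # user or group name -> set of actions

class Policy:
    def __init__(self, role_perms, group_roles):
        self.role_perms = role_perms      # role name -> set of permission names
        self.group_roles = group_roles    # group name -> set of role names

    def permissions(self, user):
        """Effective RBAC permissions: direct roles plus roles inherited from groups."""
        roles = set(user.roles)
        for group in user.groups:
            roles |= self.group_roles.get(group, set())
        perms = set()
        for role in roles:
            perms |= self.role_perms.get(role, set())
        return perms

    def decide(self, user, action, res):
        """Return (allowed, reason) for `action` ("read", "update", ...) on `res`."""
        perms = self.permissions(user)
        # Global permissions skip the per-resource ACL check. Treating them as
        # sufficient on their own is an assumption based on "full control".
        if GLOBAL_MANAGE.get(res.kind) in perms:
            return True, "global-manage"
        if action == "read" and GLOBAL_READ.get(res.kind) in perms:
            return True, "global-read"
        # Functional (RBAC) permission for the resource type, e.g. "Update cluster".
        if f"{action.capitalize()} {res.kind}" not in perms:
            return False, "missing-role-permission"
        # Creators need no ACL entry on their own resources.
        if res.creator == user.name:
            return True, "creator"
        # Everyone else also needs an ACL entry, held directly or through a group.
        for principal in {user.name} | user.groups:
            if action in res.acl.get(principal, set()):
                return True, "role+acl"
        return False, "missing-acl"

    def global_holders(self, users):
        """Access review: who holds an ACL-bypassing permission, and which ones."""
        sensitive = set(GLOBAL_READ.values()) | set(GLOBAL_MANAGE.values())
        found = {u.name: sorted(self.permissions(u) & sensitive) for u in users}
        return {name: perms for name, perms in found.items() if perms}

def demo():
    # Constructed sample data: role, group, user and resource names are invented.
    policy = Policy(
        role_perms={
            "Cluster User": {"Read cluster", "Update cluster"},
            "Viewer": {"Read cluster"},
            "Resource Admin": {"Manage all clusters"},
        },
        group_roles={"hpc-ops": {"Resource Admin"}},
    )
    alice = User("alice", roles={"Cluster User"})
    bob = User("bob", roles={"Cluster User"}, groups={"chem-lab"})
    carol = User("carol", roles={"Viewer"})
    dave = User("dave", groups={"hpc-ops"})     # no direct role at all
    c1 = Resource("cluster", "c1", creator="alice", acl={"chem-lab": {"read"}})
    return policy, [alice, bob, carol, dave], c1

if __name__ == "__main__":
    policy, users, c1 = demo()
    for u in users:
        print(u.name, policy.decide(u, "read", c1), policy.decide(u, "update", c1))
    print(policy.global_holders(users))
```

In the sample data, dave has no direct role and no ACL entry, yet controls every cluster through group inheritance, which is why a review of global permissions has to expand group roles rather than look only at per-user role lists.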
Access Control (ACL)
Access control lists (ACLs) are a fine-grained permission mechanism that allows administrators to set per-resource permissions for users/groups.
Compared with RBAC, ACL provides finer control at the resource level.
Grant ACL permissions to users/groups
- Navigate to the target resource (for example Cluster management or Mount management).
- On the resource details page, click Access control.
- Add an entry:
  - Select the subject (user or group).
  - Select the allowed actions (read/update/delete, etc.).
- Click Confirm to apply.
Revoke ACL permissions
Option 1: Revoke from the resource access control page
- Open the target resource's Access control page.
- Find the target entry in the list.
- Click Delete at the end of the row.
- Confirm.
Recommended when you need to clear all ACLs for a specific resource.
Option 2: Revoke from the user/group management page
- Go to Users and Authorization > User management / Group management.
- Search and select the target user/group.
- Click Permission management.
- In the access control list, you can:
  - View all ACL permissions for the user/group.
  - Find ACLs for a specific resource.
  - Click Delete to remove the corresponding permission.
Recommended when you need centralized management for all permissions of a specific user/group.
ACL Permission Reference
| Permission | Module | Menu path (UI) | Description |
|---|---|---|---|
| Read job template | Job template | Compute > Application Center > Job templates | Read the target job template. |
| Update job template | Job template | Compute > Application Center > Job templates | Update the target job template. |
| Read cluster | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Read the target cluster. |
| Update cluster | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Update the target cluster (for example release protection, login restriction, custom parameters). |
| Release cluster | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Release the target cluster. |
| Update cluster ACL | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Update the target cluster's ACL list. |
| Cluster analysis | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Make the target cluster visible in the cluster list in Cluster Analysis and allow viewing cluster-level analysis data. If the user has cluster read ACL: the cluster is visible and the user can analyze their own related cluster analysis data (for example their Fsched jobs on the cluster). |
| Create cluster partitions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Create partitions in the target cluster. |
| Release cluster partitions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Release partitions created by the user in the target cluster. |
| Update cluster firewall rules | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Update firewall rules for the target cluster. |
| Create SSH sessions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Create SSH sessions on the target cluster. |
| Create VNC sessions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Create VNC sessions on the target cluster. |
| Create RDP sessions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Create RDP sessions on the target cluster. |
| Disconnect SSH sessions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Disconnect SSH sessions on the target cluster. |
| Disconnect VNC sessions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Disconnect VNC sessions on the target cluster. |
| Disconnect RDP sessions | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Disconnect RDP sessions on the target cluster. |
| Copy session clipboard data | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring; Operations > Analytics and reports > Cluster analysis | Copy clipboard data from sessions on the target cluster. |
| Paste session clipboard data | Cluster | Compute > HPC Cluster Service > Cluster management; Operations > Monitoring and alerts > Cluster monitoring | Paste data into the clipboard of sessions on the target cluster. |
| Update cluster partitions | Cluster partition | Compute > HPC Cluster Service > Cluster management | Update target cluster partition configuration (for example add nodes). |
| Update cluster partition ACL | Cluster partition | Compute > HPC Cluster Service > Cluster management | Update the target cluster partition's ACL list. |
| Update cluster quotas | Cluster partition | Compute > HPC Cluster Service > Cluster management | Update cluster quotas for the target cluster. |
| Delete cluster quotas | Cluster partition | Compute > HPC Cluster Service > Cluster management | Delete cluster quotas for the target cluster. |
| Manage Fsched jobs | Cluster partition | Compute > HPC Cluster Service > Cluster management | Become an Fsched partition administrator of the target cluster and manage all Fsched jobs under that partition. |
| Read cluster template | Cluster template | Compute > HPC Cluster Service > Cluster templates | Read the target cluster template. |
| Read desktop | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Read the target desktop. |
| Update desktop | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Update the target desktop (for example release protection). |
| Release desktop | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Release the target desktop. |
| Update desktop ACL | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Update the target desktop's ACL list. |
| Update desktop firewall rules | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Update firewall rules for the target desktop. |
| Create SSH sessions | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Create SSH sessions on the target desktop. |
| Create VNC sessions | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Create VNC sessions on the target desktop. |
| Create RDP sessions | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Create RDP sessions on the target desktop. |
| Disconnect SSH sessions | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Disconnect SSH sessions on the target desktop. |
| Disconnect VNC sessions | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Disconnect VNC sessions on the target desktop. |
| Disconnect RDP sessions | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Disconnect RDP sessions on the target desktop. |
| Copy session clipboard data | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Copy clipboard data from sessions on the target desktop. |
| Paste session clipboard data | Desktop | Compute > Desktop Access Service > Desktop management; Operations > Monitoring and alerts > Desktop monitoring | Paste data into the clipboard of sessions on the target desktop. |
| Read desktop app | Desktop app | Compute > Desktop Access Service > Desktop apps | Read the target desktop app. |
| Update desktop app | Desktop app | Compute > Desktop Access Service > Desktop apps | Update the target desktop app. |
| Use hosts in a host group | Host group | Compute > Compute service > Host group management | Use hosts associated with the host group. |
| Read mount | Mount | Storage > Storage service > Mount management | Read the target mount. |
| Update mount ACL | Mount | Storage > Storage service > Mount management | Update the target mount's ACL list. |
| Use subnet | Subnet | Network > Network service > Subnet management | Use the target subnet. |