User Access Control (RBAC)
Cockpit uses Role-Based Access Control (RBAC) to manage user accounts and secure your virtualized resources. This ensures users only see and edit the specific items they need for their job.
Core Security Concepts 🔑
To understand how security works in Cockpit, think of it like a large corporate office building with keycard access control:
| Term | What it does | 💡 Analogy |
|---|---|---|
| Tenant / Organization | The highest level boundary separating clients or companies. | The Office Building Floor Lease: Different companies lease different floors in the same building. Employees of Tenant A cannot walk onto Tenant B's floor. |
| Group | A collection of users with similar job duties. | A Department Name: E.g., the "Marketing Team" or "Finance Team". |
| Role | A pre-defined template of general permissions. | A Keycard Template: E.g., "Developer Pass", "Manager Pass", or "System Admin Pass". |
| Privilege | A single, specific action a user can perform. | Opening a Single Door: E.g., "Permitted to open the server room" (vm.create) or "Permitted to reboot a server" (host.reboot). |
| Scope | Limits permissions to a specific folder or server. | Accessing specific rooms: Instead of giving a developer access to all server rooms in the building, their card is only programmed to unlock "Server Room A" (a specific folder or host). |
User Management
As an administrator, you can manage user accounts directly in Cockpit:
- Local Accounts: Accounts created directly inside Cockpit, consisting of a username, email, and password.
- Authentication Domains: You can choose to run authentication locally, or forward login requests to your company's central login system.
- Password Security Policy: Prevent weak passwords by setting password strength rules, forcing users to change their password periodically, and locking accounts after too many failed login attempts (e.g., locking out a user for 30 minutes after 5 bad attempts).
How to Set Up a Scoped Access Rule
Follow these steps to give a user permission to manage a specific group of Virtual Machines (scoped access):
- Log into Cockpit as an administrator.
- Navigate to Administration > Access Control in the sidebar.
- Select the User or Group you want to configure.
- Click Create Permission Mapping:
  - Subject: Choose the user or team group (e.g., DevOps Group).
  - Role: Select their job profile (e.g., VM Operator, which allows starting/stopping VMs, but not deleting them).
  - Scope (Target): Select the specific folder, datacenter, or host server you want to give them access to.
- Save the rule. Cockpit will automatically program their digital pass. When they log in, they will only see the servers inside that specific scope.
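The following added example is a small model of how a permission mapping (subject, role, scope) can be evaluated; it is not Cockpit's own code. It assumes that a scope covers everything beneath it, and the privilege names other than vm.create and host.reboot, the user names and the resource paths are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. Only vm.create and host.reboot appear in the text;
# the other privilege names and all resource paths are assumptions.
ROLES = {
    "VM Operator": {"vm.start", "vm.stop"},  # start/stop, but no vm.delete
    "System Admin": {"vm.create", "vm.start", "vm.stop", "vm.delete", "host.reboot"},
}
GROUPS = {"DevOps Group": {"alice"}}
USER_TENANT = {"alice": "tenantA", "bob": "tenantA"}
PARENT = {  # child -> parent; each tenant is the root of its own tree
    "tenantA/web": "tenantA", "tenantA/web/vm-01": "tenantA/web",
    "tenantA/db": "tenantA", "tenantA/db/vm-09": "tenantA/db",
    "tenantB/app": "tenantB", "tenantB/app/vm-77": "tenantB/app",
}

@dataclass(frozen=True)
class Mapping:
    subject: str  # user name or group name
    role: str
    scope: str    # folder, datacenter or host the role applies to

def scope_chain(resource):
    """Return the resource followed by each ancestor up to the tenant root."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def is_allowed(user, privilege, resource, mappings):
    """Default deny: allow only if a mapping grants the privilege in scope."""
    chain = scope_chain(resource)
    if USER_TENANT.get(user) != chain[-1]:  # tenant boundary checked first
        return False
    subjects = {user} | {g for g, members in GROUPS.items() if user in members}
    return any(
        m.subject in subjects and m.scope in chain
        and privilege in ROLES.get(m.role, set())
        for m in mappings
    )

def visible(user, mappings):
    """Resources the user holds at least one privilege on (what they 'see')."""
    every = set().union(*ROLES.values())
    nodes = set(PARENT) | set(PARENT.values())
    return sorted(r for r in nodes
                  if any(is_allowed(user, p, r, mappings) for p in every))

RULES = [Mapping("DevOps Group", "VM Operator", "tenantA/web")]
```

Because the tenant check runs before any mapping is consulted, a rule mistakenly scoped to another tenant's folder still grants nothing.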