A role is an actor in the system, in the classical sense of role-based access control. Roles are the entities which receive permission grants. Each permission grant gives a specific privilege on a particular resource to a role.
A role may represent a person, a group, a non-human user ("robot") such as a virtual machine or process, or a group of other roles. It's an abstract definition.
A role is identified by a string in the form:
For more information, see Authorization Identifiers.
Most CLI methods can accept a short version of the role id:
Roles can be "granted to" other roles. When role A is granted to role B, role B gains the ability to perform all the actions permitted by A. Role grants are transitive; if A is granted to B, and B is granted to C, then A is granted to C.
In addition, a role can be granted with "admin option". When role A is granted to role B with admin option, role B can in turn grant role A to other roles. The admin option is also required to inspect role members and memberships.
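The grant rules above can be modeled in a few lines. This is an added example, not code from the product this page documents: the `RoleGraph` class, its method names, and the role ids are constructed for illustration, and it assumes the admin option counts only when held on a direct grant, which the page does not specify.

```python
class RoleGraph:
    """Toy model of role grants (illustrative; not the product's implementation)."""

    def __init__(self):
        self.grants = {}  # member -> {granted_role: admin_option}

    def seed(self, role, member, admin=False):
        """Record 'role is granted to member' with no authorization check (bootstrap)."""
        self.grants.setdefault(member, {})[role] = admin

    def effective_roles(self, member):
        """Every role whose permissions `member` holds, following grants transitively."""
        seen, stack = set(), [member]
        while stack:
            for role in self.grants.get(stack.pop(), {}):
                if role not in seen:  # the visited set also terminates grant cycles
                    seen.add(role)
                    stack.append(role)
        return seen

    def has_admin(self, actor, role):
        # Assumption: only a direct grant with admin option counts.
        return self.grants.get(actor, {}).get(role, False)

    def grant(self, actor, role, member, admin=False):
        """`actor` grants `role` to `member`; refused without admin option on `role`."""
        if not self.has_admin(actor, role):
            raise PermissionError(f"{actor} lacks admin option on {role}")
        self.seed(role, member, admin)

    def members(self, actor, role):
        """Direct members of `role`; inspection also requires admin option."""
        if not self.has_admin(actor, role):
            raise PermissionError(f"{actor} may not inspect members of {role}")
        return {m for m, held in self.grants.items() if role in held}


def demo():
    """Build a small graph from constructed ids in account:kind:id form."""
    g = RoleGraph()
    ops, dev = "acme:group:ops", "acme:group:dev"
    alice, bob = "acme:user:alice", "acme:user:bob"
    g.seed(ops, dev)                 # A (ops) is granted to B (dev)
    g.seed(dev, alice, admin=True)   # B (dev) is granted to C (alice), with admin option
    g.grant(alice, dev, bob)         # alice may pass dev on; bob gets no admin option
    return g
```

In this model alice and bob both end up holding `ops` through `dev`, but neither can grant `ops` onward, and bob cannot grant or inspect `dev`.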
By default, the current authenticated role (typically a user or host) becomes the owner of any resources that are created during the session. The owner has all permissions on an owned resource.
roleid: A role id in the format `[account]:[kind]:[id]`. "kind" identifies the role kind, for example "user", "group", "host", "layer", "variable".