How to migrate by role type

This topic provides information about each deprecated or changed role and what you need to do in order to migrate to the new model.

Account role: PowerUser

No migration is needed, but for security reasons we strongly recommend to have as few as possible PowerUsers in your account.

Account role: EnvironmentAdmin (Deprecated)

This account role got merged into the resource role with the same name EnvironmentAdmin. Previously this role enabled a particular user to manage all environments. The recommended substitute role is EnvironmentAdmin over a specific environment.

You can assign EnvironmentAdmin over a specific environment to a user or group from the CDP web interface from the environment details page via the Manage Access option available from the Actions menu. This needs to be done separately for each environment for which you want the user or group to be an admin.

Or you can do it from CDP CLI. For example:

  • To assign EnvironmentAdmin over an environment to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentAdmin \
      --resource-crn <ENVIRONMENT-CRN>
  • To assign EnvironmentAdmin over an environment to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentAdmin \
      --resource-crn <ENVIRONMENT-CRN>

You need to run this command for each environment for which you want the user or group to be an admin.

Account role: EnvironmentUser (Deprecated)

This account role got merged into the resource role with the same name EnvironmentUser. Previously this role enabled a particular user to access all environments, but did not grant ability to perform user sync. The recommended substitute role is EnvironmentUser over a specific environment.

You can assign EnvironmentUser over a specific environment to a user or group from the CDP web interface from the environment details page via the Manage Access option available from the Actions menu. This needs to be done separately for each environment for which you want the user or group to be a user.

Or you can do it from CDP CLI. For example:

  • To assign EnvironmentUser over an environment to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentUser \
      --resource-crn <ENVIRONMENT-CRN>
  • To assign EnvironmentUser over an environment to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentUser \
      --resource-crn <ENVIRONMENT-CRN>

You need to run this command for each environment for which you want the user or group to be a user.