CloudPlatform & CloudStack allow you to organise the tenants using Domains, Accounts and Users. You can then have projects span multiple accounts. Summary: A domain can have multiple Accounts. Each Account can have multiple users. Users are mere synonyms for accessing the account resources just like in a bank joint account, different users have visibility to the bank account. They just have different usernames and passwords but ultimately they use the same bank account funds.  A user can belong to only one Account, i.e. the same User cannot belong to multiple Accounts. Whenever creating an account at any domain level it can be of two types - Admin or user. If account == Admin then he will be domain admin of that domain and if created with type=user he will be a regular account under that domain. An admin created at ROOT level is called ROOT admin and since ROOT is the top domain he has privileges to act on all the resources. A Username is unique in a Domain across Accounts in that Domain. The same username can exist in other domains, including subdomains. Account name is unique in a domain. The same Account name can exist in other domains, including subdomains. Domain name can repeat as long as the full pathname from ROOT is unique. For ex, you can have ROOT/d1, as well as ROOT/foo/d1, and ROOT/bar/d1. Resources belong to an Account, not individual users in that account. Billing, resource limits etc are maintained by Account, not users CloudPlatform allows you to create 3 different types of accounts --> admin/domain-admin or user account. All the roles (admin, domain admins and user) are attached at account level. Under the account all the users have the same privileges. There are no role based users in one account. We can have multiple admins for the same domain. All the domains are created under the ROOT domain.

1. CloudPlatform in a
multi-tenant setup
Domains, Accounts, Users & Projects
cloudcentral.com.au

2. Accounts, Domains and Projects
CloudPlatform permissions hierarchy consists
of:
Domains
– Accounts
 Users
– Projects
cloudcentral.com.au

3. Multi-Tenancy Account Management
Domain
Organization A
•
Resources:
VMs, IPs, Snapshots…
Admin
•
Domain
Resources:
VMs, IPs, Snapshots…
Reseller A
Admin
•
•
Sub-Domain
Organization C
Admin
Account
Group A
•
Domain is a unit of isolation and
represents a business unit,
customer organisation or a
reseller
Domain can have arbitrary levels
of sub-domains
A Domain can have one or more
accounts
An Account represents one or
more users and is the basic unit
of isolation
Admin can limit resources at the
Account or Domain levels
Account
Group A
User 1
User 2
cloudcentral.com.au

4. Domains
Domains are, more or less, the equivalent
of an organizational unit. Domains can
house projects and accounts, but domains
don't really own any resources on their
own. Domains can also impose resource
limits upon all accounts held within them.
A domain is basically a container for other
things which can own resources such as
instances, volumes, networks, snapshots,
templates, etc.
ROOT Domain
The root domain is somewhat special
because all domains are a child of this
parent domain. An admin account of the
ROOT domain has the ability to manipulate
(via the API) other resources belonging to
all child domains (e.g. ALL domains,
because all domains are a child of ROOT).
So admin accounts of the ROOT domain
have global admin privileges.
Domains must be unique to their parent
(ROOT/dom1, ROOT/dom2, etc), however
they can repeat if they are a child of
another domain (ROOT/dom1/sub1 and
ROOT/dom2/sub1 is acceptable because
even though "sub1" is not unique, it is
unique to its parent).
cloudcentral.com.au

5. Accounts, Account Types and Users
Admin Account
An admin account has domain admin privileges. It is still constrained to domain limitations set by the ROOT
admin on that domain (# of instances permitted, # of volumes, etc) but it has more privileges. For example,
a domain admin can create additional accounts within a domain or generate API keys for users. It can also
create sub-domains within its own domain and report on their resource utilization. For a full list of the
differences, please see the API guide.
User Account
A user account has privileges to create new resources (instances, volumes, snapshots, etc) but very little
administrative privileges. At this time, user accounts cannot generate API keys or additional users within
their account, they can only view them.
Usernames, Passwords, and API Keys
Usernames, passwords, and API keys belong to an account. This is the username & password you would log
into the Web UI with (and if you generated an API key, the API key you would use for making API calls).
Usernames must be unique to the domain they belong to (e.g. two users within the domain foo.tld cannot
have the same username – you can't have two joe@foo.tld users), but they can be duplicative between
multiple domains (e.g. joe@foo.tld and joe@bar.tld). Users do not own any resources, they are simply used
as a means to manipulate and access resources owned by the account they are a part of. Users cannot have
separate permissions between them, they inherit the permissions of the account they belong to.
Accounts and Resources
Accounts own resources. This is extremely important so I'll state it again: Accounts own resources. If
you delete an account all resources associated with it (instances, volumes, snapshots, etc) will be removed
as well. Usage is also tracked at an account level. So for billing or chargeback purposes, if the usage module
is enabled, reporting is available for resources used at an account level.
cloudcentral.com.au

6. Summary overview
A domain can have multiple Accounts. Each Account can have multiple users.
Users are mere synonyms for accessing the account resources just like in a bank joint account, different
users have visibility to the bank account. They just have different usernames and passwords but ultimately
they use the same bank account funds.
A user can belong to only one Account, i.e. the same User cannot belong to multiple Accounts.
Whenever creating an account at any domain level it can be of two types - Admin or user. If account == Admin
then he will be domain admin of that domain and if created with type=user he will be a regular account under that
domain.
An admin created at ROOT level is called ROOT admin and since ROOT is the top domain he has privileges to act
on all the resources.
A Username is unique in a Domain across Accounts in that Domain. The same username can exist in other
domains, including subdomains.
Account name is unique in a domain. The same Account name can exist in other domains, including subdomains.
Domain name can repeat as long as the full pathname from ROOT is unique. For ex, you can have ROOT/d1, as
well as ROOT/foo/d1, and ROOT/bar/d1.
Resources belong to an Account, not individual users in that account. Billing, resource limits etc are
maintained by Account, not users
CloudPlatform allows you to create 3 different types of accounts --> admin/domain-admin or user account. All the
roles (admin, domain admins and user) are attached at account level.
Under the account all the users have the same privileges. There are no role based users in one account.
We can have multiple admins for the same domain.
All the domains are created under the ROOT domain.
cloudcentral.com.au

7. Projects
Domain
Organization A
Projects are similar to accounts but unique in one special
aspect.
Resources:
VMs, IPs, Snapshots…
Admin
Domain
Resources:
VMs, IPs, Snapshots…
Reseller A
Admin
Sub-Domain
Organization C
Admin
Project A
Account
Group A
Project
Admin
Account
Group A
User 1
Projects can share control of resources amongst multiple
accounts. The resources themselves (instances, volumes,
snapshots, etc) are owned by the project and are allowed
to be manipulated by multiple accounts within the same
domain. So if there was a joint project being worked on
by multiple departments within an organization, a project
could be created and could invite other accounts
(departments in the organization) to take part in the
project. With a project, one account must be delegated as
the project administrator. A project admin has the ability
to invite and revoke access to other accounts within the
domain with regard to access on that project.
A project admin only has control of the project and has no
other authority over other accounts (e.g. it cannot impose
account-level restrictions such as limits on the number of
instances, volumes, snapshots, etc permitted), only over
which accounts can access the project. While there can
only be one project admin, it can be moved between
accounts without affecting anything because all resources
created by the project are owned by the project and not
the individual accounts that are participating in it.
User 2
cloudcentral.com.au

8. References
Apache CloudStack wiki
– https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts%
2C+Domains%2C+and+Admin+explained
– https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=3
0149981
Citrix CloudPlatform 4.2 Technical Presentation
8
cloudcentral.com.au
3/03/2014