authorJon Marius Venstad <jvenstad@yahoo-inc.com>2019-03-27 18:10:02 +0100
committerJon Marius Venstad <jvenstad@yahoo-inc.com>2019-03-28 10:26:36 +0100
commit2b200ec51b9fa98dd4cdb01d1a775dcc0bf61ded (patch)
treeb1c9a6ab937d32128fdf672db4d09dd439149534
parentc100f2edcfec5bf9ab900be62f17579e340c516c (diff)
Define new roles
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java16
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java26
2 files changed, 35 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
index 86f170bd84e..c22e7adf9d7 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
@@ -47,6 +47,11 @@ public enum Policy {
.on(PathGroup.application)
.in(SystemName.all())),
+ /** Full access to application information, settings and jobs. */
+ applicationModify(Privilege.grant(Action.update)
+ .on(PathGroup.application)
+ .in(SystemName.all())),
+
/** Read access to application information and settings. */
applicationRead(Privilege.grant(Action.read)
.on(PathGroup.application)
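Review bot: The Javadoc on `applicationModify` promises "Full access to application information, settings and jobs", but the grant is `Action.update` only, whereas the full-access policies in this file use `Action.all()`. If update-only is intended, the comment should say so, e.g. `/** Update access to application information, settings and jobs. */`, so that nobody assigns this policy expecting create or delete rights. It is also worth confirming whether a holder needs `applicationRead` alongside it, since nothing visible here shows that update implies read. The enum body continues outside the hunk.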
@@ -58,9 +63,14 @@ public enum Policy {
.in(SystemName.all())),
/** Full access to application production deployments. */
- deployment(Privilege.grant(Action.all())
- .on(PathGroup.deployment)
- .in(SystemName.all())),
+ production(Privilege.grant(Action.all())
+ .on(PathGroup.deployment)
+ .in(SystemName.all())),
+
+ /** Read access to allapplication deployments. */
+ deploymentRead(Privilege.grant(Action.read)
+ .on(PathGroup.development, PathGroup.deployment)
+ .in(SystemName.all())),
/** Full access to submissions for continuous deployment. */
submission(Privilege.grant(Action.all())
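Review bot: `deploymentRead` grants read on both `PathGroup.development` and `PathGroup.deployment`, but its Javadoc has a typo ("allapplication") and does not say which kinds of deployment are covered. Suggest `/** Read access to all application deployments, both development and production. */`, assuming `PathGroup.deployment` is the production group, as the comment on `production` implies. The renamed `production` policy still targets `PathGroup.deployment`, so a short remark on that mapping would keep the policy name and the path group from being read as different scopes.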
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
index af1388ae0df..38349565357 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
@@ -12,16 +12,34 @@ import java.util.Set;
*/
public enum Role {
+ /** Deus ex machina. */
hostedOperator(Policy.operator),
- tenantAdmin(Policy.tenant,
- Policy.application,
- Policy.development),
+ /** Tenant administrator with full access to all child resources. */
+ tenantAdmin(Policy.manager,
+ Policy.tenant,
+ Policy.application),
+ /** Build and continuous delivery service. */
tenantPipelineOperator(Policy.buildService,
Policy.submission,
- Policy.deployment),
+ Policy.production),
+ /** Application administrator with full access to an already existing application. */
+ applicationAdmin(Policy.tenantRead,
+ Policy.applicationModify,
+ Policy.development,
+ Policy.production),
+
+ /** Application operator with read access to all information about an application. */
+ applicationOperator(Policy.tenantRead,
+ Policy.applicationRead,
+ Policy.deploymentRead),
+
+ /** Build service which may submit new applications for continuous deployment. */
+ buildService(Policy.submission),
+
+ /** Base role which everyone is part of. */
everyone(Policy.classifiedRead,
Policy.publicRead,
Policy.onboardUser,
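Review bot: The Javadoc on `tenantAdmin` says "full access to all child resources", yet the new policy list drops `Policy.development` and does not include `Policy.production`, both of which `applicationAdmin` receives. Unless `Policy.manager` (not defined in the visible hunks) covers deployments, a tenant admin ends up with less deployment access than an application admin; either add the policies or narrow the comment. Separately, `Role.buildService` holds only `Policy.submission` and not `Policy.buildService`, which stays on `tenantPipelineOperator`; a sentence in the Javadoc explaining that split would keep the role and the policy of the same name from being confused. The `everyone` constant continues past the end of the hunk.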