The Portal
RosettaHub's Liferay-based portal for user management, organizations, roles, and application delivery.
Overview
RosettaHub uses a Liferay portal to manage users, groups, roles, and organizations. Liferay is an enterprise portal platform that provides the user management backbone, personal workspaces, and content delivery for the RosettaHub platform.
The portal is distinct from the RosettaHub Console (the Federated Dashboard where cloud resources are managed). The portal handles who you are and what you can access; the console handles what you do with cloud resources.
What the Portal Manages
| Capability | Description |
|---|---|
| Users | User accounts, profiles, and preferences |
| Groups | Logical groupings of users for access control |
| Roles | Permission sets that define what users can do |
| Organizations | Hierarchical institutional structure (maps to RosettaHub org hierarchy) |
| Personal workspaces | Per-user sites with customizable pages and content |
| Organization sites | Per-organization sites with branding, documentation, and announcements |
Portal Architecture
```
┌─────────────────────────────────────────────────────────┐
│                    RosettaHub Portal                    │
│                   (Liferay Platform)                    │
├──────────┬──────────┬───────────┬───────────────────────┤
│ Users &  │ Groups & │ Personal  │ Organization          │
│ Roles    │ Orgs     │ Workspaces│ Sites                 │
├──────────┴──────────┴───────────┴───────────────────────┤
│            Identity & SSO (Keycloak broker)             │
├──────────────────────┬─────────┬────────────┬───────────┤
│ RosettaHub Console   │ Gitea   │ Superset   │ Others    │
│ (Federated Dashboard)│         │            │           │
└──────────────────────┴─────────┴────────────┴───────────┘
```
Organizations
Liferay's organization model maps directly to RosettaHub's hierarchy. Each RosettaHub organization corresponds to a Liferay organization, with sub-organizations, departments, and projects represented as nested organizations. Organization membership determines what users see in the RosettaHub Console.
Unlike OUs in public clouds, a user can belong to multiple unrelated sub-organizations. A researcher collaborating across two departments or institutions holds membership in both, each with its own role and scope.
Each organization can have its own Liferay site with custom branding, documentation, announcements, and organization-specific portal pages. Site membership is automatically aligned with organization membership.
Roles and Access Control
All roles are managed as Keycloak roles and carried in OIDC tokens. RosettaHub uses six categories of roles, each controlling a different aspect of the platform:
Platform Roles
Platform roles (rh-* prefixed) control capabilities that span all organizations:
| Role | Description |
|---|---|
| rh-default | Base platform access. Assigned to every user. |
| rh-admin | Platform administrator. Full administrative access. |
| rh-allowadminsts | Can assume admin-level STS credentials. |
| rh-cloudaccount | Enables federated cloud console access via RosettaOps. |
Federation Roles
Federation roles define what cloud resources a user can access:
| Dimension | Description |
|---|---|
| Regions | Which cloud regions the user can deploy to |
| Services | Which cloud services (EC2, S3, Bedrock, etc.) the user can use |
| Instance types | Which instance types (and sizes) the user can launch |
These roles shape the cloud access perimeter -- they determine where a user can deploy, what services they can consume, and what machine sizes are available to them.
Scope Roles
Scopes define quotas and subscription tiers. Each scope is a Keycloak role (rhs-scope-{id}) that controls resource limits:
| Role | Scope |
|---|---|
| rhs-scope-default | Default -- base quotas for all users |
| rhs-scope-metasubscriber | MetaCloud Subscriber -- full MetaCloud access |
| rhs-scope-governancesubscriber | Cloud Governance Subscriber -- RosettaOps access |
| rhs-scope-hpctrial | HPC Trial -- limited HPC cluster access |
Scopes control limits such as maximum concurrent instances and available resource tiers.
Organization Roles
Three role levels per organization, prefixed with rh- and suffixed with the organization name (e.g., rh-cpoc-MyOrg, rh-admin-MyOrg, rh-su-MyOrg):
| Role | Description |
|---|---|
| CPOC (Central Point of Contact) | Can view organization managers, create sub-organizations, and set regions, instance types, and services. Can stop and terminate all resources. |
| ADMIN | Everything CPOC can do, plus add/remove users, add/remove managers, and delete organizations. |
| SU (Superuser) | Everything ADMIN can do, plus access cloud consoles, masquerade as users, download/reset credentials, and cleanup all resources. |
Roles inherit downward -- if you have a role on an organization, you have at least that role on all its sub-organizations recursively. See Organizations for the full permissions matrix.
Project Roles
Projects use the same three role levels as organizations, but with different permissions:
| Role | Description |
|---|---|
| CPOC | Can view managers and cloud resources, connect to machines, and access the cloud console (read-only). Cannot create/delete resources or manage managers. |
| ADMIN | Full access to cloud resources -- set regions/instance types/services, stop/terminate/cleanup all, access cloud consoles, download/reset credentials. Cannot manage managers or delete the project. |
| SU (Superuser) | Everything ADMIN can do, plus add/remove managers and delete the project. |
When you create a project, you automatically receive the SU role on it. You can only assign roles at most equal to your own. See Projects for the full permissions matrix.
Portfolio Roles
Portfolios have their own role set, suffixed with the portfolio ID:
| Role Pattern | Description |
|---|---|
| rhp-portfolio-{id} | Portfolio member |
| rhpsu-portfolio-{id} | Portfolio superuser |
| rhpadmin-portfolio-{id} | Portfolio administrator |
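The role categories above (platform, scope, organization and portfolio roles), the downward inheritance rule for organization roles, and the "at most your own level" assignment ceiling can all be evaluated from nothing more than the role names carried in a token. The following is an added example, not RosettaHub's or Liferay's own code: it classifies role strings using the naming patterns documented on this page, derives a user's effective level on an organization by walking up a constructed organization tree, and checks whether that user may grant a given level. It assumes the roles arrive in Keycloak's standard `realm_access.roles` claim; the organization tree, the token contents and the assignment-ceiling rule for organizations (this page states that rule for projects) are assumptions made for the example.

```python
import re

# Platform roles listed on this page (rh-* roles that span all organizations).
PLATFORM_ROLES = {"rh-default", "rh-admin", "rh-allowadminsts", "rh-cloudaccount"}
# Organization role levels, least to most privileged (CPOC < ADMIN < SU).
ORG_LEVELS = ("cpoc", "admin", "su")

SCOPE_RE = re.compile(r"^rhs-scope-(.+)$")                    # rhs-scope-{id}
ORG_RE = re.compile(r"^rh-(cpoc|admin|su)-(.+)$")             # rh-{level}-{OrgName}
PORTFOLIO_RE = re.compile(r"^rh(p|psu|padmin)-portfolio-(.+)$")  # rhp-/rhpsu-/rhpadmin-portfolio-{id}
PORTFOLIO_KIND = {"p": "member", "psu": "superuser", "padmin": "administrator"}


def classify(role):
    """Map one Keycloak role name to (category, detail) using this page's patterns."""
    if role in PLATFORM_ROLES:          # checked first so rh-admin is not read as an org role
        return ("platform", role)
    m = SCOPE_RE.match(role)
    if m:
        return ("scope", m.group(1))
    m = ORG_RE.match(role)
    if m:
        return ("organization", (m.group(2), m.group(1)))   # (org name, level)
    m = PORTFOLIO_RE.match(role)
    if m:
        return ("portfolio", (m.group(2), PORTFOLIO_KIND[m.group(1)]))
    return ("unknown", role)  # e.g. federation roles, whose names this page does not list


def token_roles(claims):
    """Roles from Keycloak's standard realm_access.roles claim (empty list if absent)."""
    return list(claims.get("realm_access", {}).get("roles", []))


def effective_org_level(roles, org, parent_of):
    """Highest level held on `org` or on any of its ancestors, because organization
    roles inherit downward through sub-organizations. None if no role applies."""
    direct = {}
    for r in roles:
        cat, detail = classify(r)
        if cat == "organization":
            name, level = detail
            direct[name] = max(direct.get(name, -1), ORG_LEVELS.index(level))
    best, node = -1, org
    while node is not None:
        best = max(best, direct.get(node, -1))
        node = parent_of.get(node)
    return ORG_LEVELS[best] if best >= 0 else None


def can_assign(assigner_roles, target_org, level, parent_of):
    """Assumption: an assigner may grant at most their own effective level on the
    target organization (this page states that ceiling for project roles)."""
    own = effective_org_level(assigner_roles, target_org, parent_of)
    return own is not None and ORG_LEVELS.index(level) <= ORG_LEVELS.index(own)


# Constructed organization tree for the example: child -> parent (None = top level).
PARENT_OF = {"MyOrg": None, "Physics": "MyOrg", "Lab7": "Physics", "Chemistry": "MyOrg"}

# Constructed token claims for a fictional researcher; not a real RosettaHub token.
SAMPLE_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {"roles": [
        "rh-default", "rh-cloudaccount", "rhs-scope-hpctrial",
        "rh-admin-Physics", "rh-cpoc-Chemistry", "rhpsu-portfolio-42",
    ]},
}


def summarize(claims, parent_of):
    """Group a token's roles by category and compute the effective level per organization."""
    roles = token_roles(claims)
    by_category = {}
    for r in roles:
        cat, detail = classify(r)
        by_category.setdefault(cat, []).append(detail)
    org_levels = {org: effective_org_level(roles, org, parent_of) for org in parent_of}
    return {"categories": by_category, "org_levels": org_levels}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CLAIMS, PARENT_OF), indent=2))
    roles = token_roles(SAMPLE_CLAIMS)
    print("alice may grant ADMIN on Lab7:", can_assign(roles, "Lab7", "admin", PARENT_OF))
    print("alice may grant SU on Lab7:   ", can_assign(roles, "Lab7", "su", PARENT_OF))
```

Note that the platform-role check runs before the organization pattern: without it, `rh-admin` alone would never be confused with `rh-admin-MyOrg` (the pattern requires the org suffix), but keeping the fixed set first makes the precedence explicit. Alice holds ADMIN on Physics, so she is ADMIN on Lab7 by inheritance and may grant CPOC or ADMIN there but not SU; she holds nothing on MyOrg itself, so she can grant nothing at that level.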
Compliance Roles
Compliance roles bind Cloud Custodian policies to users' cloud accounts. Assigning a compliance role triggers automatic policy execution:
- Policy roles -- an individual policy (e.g., detect unencrypted S3 buckets, flag publicly accessible instances)
- Standard roles -- a full compliance standard (e.g., CIS Benchmarks, HIPAA, ISO 27001), bundling multiple policies
Cloud Custodian scans the user's accounts to detect non-compliant resources and can automatically remediate by taking corrective actions (tagging, stopping, or modifying resources). See Compliance Scanning for available policies and standards.
User Management
Liferay provides the user directory and lifecycle management that underpins all RosettaHub operations:
- User lifecycle -- account creation, activation, deactivation, and deletion
- Group membership -- organize users into groups for sharing and access control
- Self-registration -- configurable self-service signup workflows
- Personal workspaces -- each user gets a personal site with customizable pages, documents, and profile settings
Liferay Widgets in the Console
Liferay widgets can optionally be embedded as views within the RosettaHub Console, bringing portal content (announcements, documents, wikis) directly alongside cloud management views.
Identity and Access
The portal integrates with Keycloak as an identity broker for single sign-on across institutional identity providers. Researchers authenticate with their institutional credentials and gain access to the portal, the console, and all federated applications.
See Identity and Access for full details on:
- Keycloak identity broker architecture
- Supported identity providers (SAML 2.0, OIDC, LDAP, OAuth)
- Token enrichment with project membership and access tier claims
- Federated applications (Gitea, Superset, OpenMetadata, GrandNode2)
Federated Applications
The portal serves as the identity gateway for all RosettaHub-managed applications. All applications share the same identity context via Keycloak:
| Application | Purpose |
|---|---|
| RosettaHub Console | Cloud resource management and governance (Federated Dashboard) |
| Gitea | Version control and TRE airlock workflows |
| Apache Superset | Data visualization and SQL dashboards |
| OpenMetadata | Data catalog, discovery, and governance |
| GrandNode2 | Marketplace and service catalog |
Related Topics
- Identity and Access -- Keycloak SSO and federated authentication
- Dashboard Overview -- The RosettaHub Console workspace
- Views -- View types including Liferay widget views