Access control and scope-based permissions

All GTM URLs and routes are restricted by role-based access control (RBAC). RBAC regulates access to resources based on the roles and scopes assigned to a user. This access lets a user perform tasks such as view, add, or edit. When you click on a domain name in the domains list, the system checks the scope of the contract for that domain and determines which UI features to enable or disable for your use.

You can download and validate the domain configuration file for a domain regardless of your scope, but the domain must be in a clean, pristine state with no pending changes. To upload a configuration file, you need Edit scope and the domain must be clean with no pending changes. To validate a file, you need both Add and Edit scope.

Permissions for Akamai Control Center users are managed using scopes. Scopes are determined by a user's name and the terms of their contract. If you have access to Control Center Identity Services, you can check your account information and accessible scopes.

When you start GTM, it checks for the contracts you can access as well as the features and scopes for those contracts. The contracts returned are not restricted by data passed from the client. The exception to this is the Add scope which is in the scope list only if the contract ID belongs to the group ID passed by the client.

These are the scope levels.

  • View. You can view and read about the domains but cannot save, add, or edit anything. Only buttons or fields related to view actions are active in the UI, such as viewing the domain history or downloading the domain's configuration from the top of a domain's page. If you have the View scope in the contract that a domain belongs to, you can access the domain page by URL or bookmark if the domain name is valid. Users cannot add a new property or upload a configuration file, as the button and link are grayed out. Users can view the history and download the configuration file.

  • Add. You can add a domain only for those contracts in which you have an Add scope. The Add New Domain contract menu lists those contracts and all buttons and fields are enabled. If you do not have Add scope the Add New Domain page displays an error message and all buttons and tabs are grayed out. Note that you cannot add new data centers if you have a performance plus domain with this scope. The feature to add a new data center is enabled only if the domain is not a performance plus domain, and you have Add and Edit domain rights.

  • Edit. You can perform several functions within the domain and its properties, data centers, maps, and other functions. For example, you can delete a property or create a new geographic map. You can perform create, edit, and delete functions on a domain but you cannot add a new domain or new data center. All UI buttons and fields are active.

There is currently no scope to delete a domain. Contact Akamai Support if you need to delete a domain.
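The scope rules above can be modelled as a server-side decision function. This is an added illustration, not Akamai's code: the grant tables, contract and group IDs, and action names are constructed, and it assumes that any scope on the contract is enough to view history and download a clean domain's configuration.

```python
from dataclasses import dataclass

# Constructed sample data: scopes granted per contract, held server-side.
GRANTS = {"C-1": {"view", "add", "edit"}, "C-2": {"view", "edit"}, "C-3": {"view"}}
# Constructed sample data: groups each contract belongs to.
CONTRACT_GROUPS = {"C-1": {"G-10"}, "C-2": {"G-10", "G-20"}, "C-3": {"G-20"}}


@dataclass
class Domain:
    contract_id: str
    pending_changes: bool = False
    performance_plus: bool = False


def effective_scopes(contract_id, client_group_id):
    """Resolve scopes from server-side grants; client input never adds one.

    The client-supplied group ID has a single effect: Add is kept only when
    the contract belongs to that group.
    """
    scopes = set(GRANTS.get(contract_id, ()))
    if client_group_id not in CONTRACT_GROUPS.get(contract_id, ()):
        scopes.discard("add")
    return scopes


def can_add_domain(contract_id, client_group_id):
    return "add" in effective_scopes(contract_id, client_group_id)


def allowed_actions(domain, client_group_id):
    """Actions to enable on a domain page (action names are hypothetical)."""
    scopes = effective_scopes(domain.contract_id, client_group_id)
    if not scopes:
        return set()  # no scope on the contract: nothing is enabled
    clean = not domain.pending_changes
    actions = {"view_history"}
    if clean:
        actions.add("download_config")  # assumption: any scope suffices
    if "edit" in scopes:
        actions.add("edit_domain")
        if clean:
            actions.add("upload_config")
        if "add" in scopes and not domain.performance_plus:
            actions.add("add_datacenter")
    # There is no delete scope, so "delete_domain" is never returned.
    return actions
```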

Per-domain attributes

Control Center scopes for GTM are controlled at the contract level. If you want one user to be able to edit one property and another user to be able to edit another property, then the two properties must belong to different GTM domains.

You can configure load feedback (on or off). The listed attributes are administrative settings that can be changed by Akamai. If you want two properties to differ in one or more of these settings, then the two properties must belong to different domains.

  • Load feedback (on or off)
  • Minimum allowed test interval
  • Maximum allowed test timeout
  • Minimum allowed TTL
  • Maximum allowed TTL
  • Round-robin prefix
  • Maximum number of properties allowed