Multi-Tenant Deployments

OpenStack deployments can include multiple projects or tenants, with different tenants having access to different projects.

Users and Roles

Access is controlled through OpenStack user definitions. Users can have roles assigned within different projects to control access:

  • The Admin role provides visibility across projects and can manage shared resources (such as snapshots).

  • The Member role provides access to a specific project.

Proxy Locations

Users who perform backups and restores require one of these roles. Which role is required depends on where VSA proxies are deployed:

  • To perform backups within a project where a VSA proxy is deployed, the user must have the Admin role in that project.

  • To perform backups within a project without a VSA proxy, the user must have the Member role in that project.


When restoring public images for a project, the user performing the restore should have the Admin role for that project.

When a user only has the Member role for a project, that user does not have permission to create public images and can only restore an image as a private image. In that situation, an Admin user could later make the restored image public.


The following table shows user role requirements for a backup user for different projects, based on the locations of VSA proxies.



Minimum User Role

Project 1

Proxy A


Project 2

Proxy B


Project 3



Project 4