Use Role-Based Access Control to set the tags for individuals or teams. In this example, I will use only one cloud, AWS, but note that you can use this feature across heterogeneous infrastructure.
Rule 1: Enable the “Read” action for the particular cloud. This is required before you can add and enforce rules for an individual and/or team on that cloud.
Rule 2: Enable “Create Resources.” This allows any member of the team to provision a machine, but no other actions.
Rule 3: Enable the “machine” resource with the “all” action plus the “where tags” condition. Then add the tag; it can be a plain name or a key=value pair.
Rule 4: Enable an SSH key.
Deny everything else.
In the example below, any member of the team with this team policy can provision machines on EC2 in N. Virginia, and the dev=team1 tag will be added to the machine dynamically. The user will not be able to edit the tag unless the admin explicitly grants the user permission to edit tags.
[image]
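To make the evaluation order and the default deny concrete, here is an added, constructed model of the team policy above in Python. It is not the product's own policy format or code: the rule fields, the `us-east-1` region name for N. Virginia, and treating tag editing as a separate permission from machine actions are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    effect: str                   # "allow" or "deny"
    resource: str                 # "cloud", "machine", "key", "tags" or "*" (any)
    action: str                   # "read", "create_resources", ... or "*" (all)
    where_tags: dict = field(default_factory=dict)  # match only resources carrying these tags
    cloud: str = "*"
    region: str = "*"

# Rules 1-4 from the text, then the catch-all deny. First matching rule wins.
TEAM1_POLICY = [
    Rule("allow", "cloud", "read", cloud="aws"),                                  # Rule 1
    Rule("allow", "cloud", "create_resources", cloud="aws", region="us-east-1"),  # Rule 2
    Rule("allow", "machine", "*", where_tags={"dev": "team1"}),                   # Rule 3
    Rule("allow", "key", "read"),                                                 # Rule 4
    Rule("deny", "*", "*"),                                                       # deny everything else
]
AUTO_TAGS = {"dev": "team1"}   # applied to every machine the team provisions (assumed behaviour)

def _matches(rule, resource, action, tags, cloud, region):
    return (rule.resource in ("*", resource)
            and rule.action in ("*", action)
            and rule.cloud in ("*", cloud)
            and rule.region in ("*", region)
            and all(tags.get(k) == v for k, v in rule.where_tags.items()))

def is_allowed(policy, resource, action, tags=None, cloud="*", region="*"):
    """Walk the rules in order; the first match decides. No match means deny."""
    tags = tags or {}
    for rule in policy:
        if _matches(rule, resource, action, tags, cloud, region):
            return rule.effect == "allow"
    return False

def provision_machine(policy, cloud, region):
    """Return the new machine record, or None when the policy forbids creation.
    The tag is set by the policy, not chosen by the user."""
    if not is_allowed(policy, "cloud", "create_resources", cloud=cloud, region=region):
        return None
    return {"cloud": cloud, "region": region, "tags": dict(AUTO_TAGS)}

def can_edit_tags(policy, machine):
    """Tag editing is modelled as its own permission, so Rule 3's "all" on machines
    does not grant it; only an explicit allow on the "tags" resource does."""
    return is_allowed(policy, "tags", "edit", tags=machine["tags"], cloud=machine["cloud"])
```

Adding `Rule("allow", "tags", "edit")` before the final deny is what an admin grant would look like in this model.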