This topic introduces the basic concepts that are used in Service Catalog.
| Term | Description |
|---|---|
| administrator | The administrator can define, manage, and distribute compliant IT services. |
| end user | An end user can query and deploy approved IT services. An end user is a member of a business team. An end user can be an R&D engineer, test engineer, salesperson, data scientist, and training course participant. |
| product | A product is created by using a Terraform template of cloud resources. Terraform defines that a product can be a single cloud resource or a group of cloud resources. |
| product version | A product version is generated each time the cloud resource template of a product is changed. Multiple product versions can be used at the same time. The administrator can also disable a version to prevent the version from being used by end users. |
| product portfolio | A product portfolio consists of one or more products. The administrator can manage products by using product portfolios. The administrator can configure product launch constraints and permissions for end users from the dimension of product portfolios. |
| product instance | A product instance in Service Catalog is created by an end user. A product instance can be a single cloud resource or multiple cloud resources. For example, a product instance can be an Elastic Cloud Service (ECS) instance, or the combination of multiple ECS instances, one database, and one virtual private cloud (VPC). |
| constraint | The administrator can configure launch constraints for the products in a product portfolio. Launch constraints include the required permissions to launch products. The administrator can use the constraints to authorize end users to launch products. This way, the administrator does not need to separately grant management permissions on multiple product instances to each end user. This simplifies authorization. This also reduces the management workloads for the administrator. |
| launch role | A launch role is a Resource Access Management (RAM) role that is specified when the administrator creates a constraint. An end user can assume a launch role to launch products. If an end user assumes a launch role, the end user has the permissions to orchestrate resources and create cloud resources that are required for products. |
| authorization | The administrator can grant permissions to an end user so that the end user can view
all products in a product portfolio in the Service Catalog console. This process is
authorization.
An end user can be a RAM user or a RAM role. The administrator must configure a constraint for an end user before the end user can launch a product. When the administrator configures the constraint, the administrator must specify a RAM role (launch role). The RAM role has the operation permissions on the product, and the end user has the access permissions on the product. This separates access and operation permissions and reduces security compliance risks. |
| product portfolio sharing | If an enterprise owns multiple Alibaba Cloud accounts, the administrator can share the configurations of a product portfolio that belongs to one account with other accounts. This way, the administrator can manage the product portfolios of multiple accounts in an efficient and centralized manner. |