Security Roles

To allow cloud services to model their user privilege models in CPBM, a cloud service can introduce security roles that the connector uses to determine the level of privilege accorded to the users it represents in the cloud service. These roles can then be added to the appropriate profiles defined in CPBM, and those profiles can in turn be granted to individual users in CPBM. In CPBM, roles are scoped by the level of visibility they have in the system. There are four defined scopes in CPBM. They are:
  • GLOBAL_ADMIN: Represents the super user scope. There are two and only two users in the system that have profiles of this scope: ‘root’ and ‘portal’. ‘portal’ represents the CloudPortal Business Manager portal itself, and any operations done by the system are done as the ‘portal’ user.
  • GLOBAL: Has global visibility across multiple tenants. These roles require that the user be a service operator user (i.e., a member of the SERVICE tenant), which the security system tests before granting users access.
  • TENANT_ADMIN: Tenant scoped role that represents a tenant administrator. This user, as a rule, should have visibility across users in this tenant.
  • TENANT: Tenant scoped roles are granted to users who have visibility across all users in a tenant. Roles in this scope are used to manage resources within a given tenant.
  • USER: User scoped roles are roles that are granted to users who should have visibility to only what they own and manage.

When users are created, they are associated with a profile. This profile carries a list of roles. Connectors should use these roles to determine the level of privilege the user should be given when the user is created in their system.
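The following is an added illustration, not CPBM's own code or API, of the mapping step a connector performs: it reads the roles on a user's profile, applies the visibility rules for each scope described above (GLOBAL roles only count for members of the SERVICE tenant; GLOBAL_ADMIN only for ‘root’ and ‘portal’), and derives the highest scope it should honour. The scope names and the two checks come from the page; the `Role`, `Profile` and `User` classes, the `role_is_effective`/`effective_scope`/`ineffective_roles` helpers, and the sample profiles and users are constructed here for the example.

```python
"""Hypothetical connector-side model of CPBM profile roles and scope checks.
Scope names and visibility rules follow the page; everything else is assumed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Scope(IntEnum):
    """Scopes named on the page, ordered from least to most visibility."""
    USER = 1
    TENANT = 2
    TENANT_ADMIN = 3
    GLOBAL = 4
    GLOBAL_ADMIN = 5


@dataclass(frozen=True)
class Role:
    name: str      # connector-specific role name (constructed examples below)
    scope: Scope


@dataclass
class Profile:
    name: str
    roles: list[Role] = field(default_factory=list)


@dataclass
class User:
    username: str
    tenant: str    # name of the tenant the user belongs to
    profile: Profile


SERVICE_TENANT = "SERVICE"                # service-operator tenant, per the page
GLOBAL_ADMIN_USERS = {"root", "portal"}   # the only two GLOBAL_ADMIN users, per the page


def role_is_effective(user: User, role: Role) -> bool:
    """Apply the scope's visibility rule before honouring a role.

    GLOBAL_ADMIN is reserved for 'root' and 'portal'; GLOBAL requires
    membership of the SERVICE tenant; tenant- and user-scoped roles need
    no additional check in this model.
    """
    if role.scope == Scope.GLOBAL_ADMIN:
        return user.username in GLOBAL_ADMIN_USERS
    if role.scope == Scope.GLOBAL:
        return user.tenant == SERVICE_TENANT
    return True


def effective_scope(user: User) -> Scope:
    """Highest scope the connector should grant for this user.

    Roles that fail their visibility check are ignored rather than granted;
    a profile with no effective roles falls back to USER scope.
    """
    granted = [r.scope for r in user.profile.roles if role_is_effective(user, r)]
    return max(granted, default=Scope.USER)


def ineffective_roles(user: User) -> list[str]:
    """Roles on the profile that the visibility checks reject.

    A connector would typically log these at user-creation time so that a
    mis-assigned profile is visible instead of silently downgraded.
    """
    return [r.name for r in user.profile.roles if not role_is_effective(user, r)]


# Constructed sample profiles (role names are invented for the example).
SYSTEM_PROFILE = Profile("System", [Role("SUPERUSER", Scope.GLOBAL_ADMIN)])
OPERATOR_PROFILE = Profile("Operator", [Role("CLOUD_VIEW_ALL", Scope.GLOBAL),
                                        Role("TENANT_VIEW", Scope.TENANT)])
TENANT_ADMIN_PROFILE = Profile("TenantAdmin", [Role("TENANT_MANAGE", Scope.TENANT_ADMIN),
                                               Role("TENANT_VIEW", Scope.TENANT)])


if __name__ == "__main__":
    for u in (User("portal", SERVICE_TENANT, SYSTEM_PROFILE),
              User("ops1", SERVICE_TENANT, OPERATOR_PROFILE),
              User("bob", "acme", OPERATOR_PROFILE),
              User("alice", "acme", TENANT_ADMIN_PROFILE)):
        print(f"{u.username}@{u.tenant}: {effective_scope(u).name}, "
              f"rejected={ineffective_roles(u)}")
```

The point of the example is the third sample user: the same Operator profile attached to a user outside the SERVICE tenant yields only TENANT scope, because the GLOBAL role is rejected by the check rather than passed through to the cloud service.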

Security roles specific to a connector/cloud service are described in the metadata.

Semantics of adding/removing roles from profiles and how that is reflected in the underlying service.
