User spaces

User spaces for logical and physical OS isolation of parallel deployments
Written by Philipp
Updated 8 months ago
Advanced topic

Architect allows you to create user spaces (US). These user spaces are implemented as OS-native user accounts with their own home directory and folder structure.

Creating a user space creates an OS user and the necessary folder structure for `deployments`, `backups` and `plugins`.

The OS users are created as `cf{seed}-{us_id}`. The password for the generated user is stored in the agent database. These users are not permitted to log in to the system; only programmatic access from the agent itself is supported. Even with these measures in place, never hand the credentials of a user space user to your users.

All processes the agent starts are launched as the OS user created specifically for that user space. This logically isolates the processes of different user spaces from one another and lets you scope permissions at the OS level. All folders are chown'ed to that user as well and reside within the user's home directory, which gives you physical isolation of the data on disk.

User space isolation is a robust base layer, but it is not full isolation. Unknown or untrusted workloads can break it, because every user space runs on the same host and shares its kernel: an OS user boundary does not stop a local privilege escalation, and a file or directory that one user space leaves readable by everyone is readable by the others. Treat user spaces as defense in depth, not as a substitute for separate hosts when workloads are hostile.
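The following script is an added example, not Architect's own code, that shows one way to build what the two paragraphs above describe: a dedicated OS account with a non-login shell, a home directory with `deployments`, `backups` and `plugins` owned by that account and closed to other users, a workload launched as that account, and an audit for the most common way the boundary leaks (a directory with permission bits for "other"). It assumes a Linux host with GNU coreutils, `useradd` and `runuser`, homes under `/home`, and `0750` directory modes; only the `cf{seed}-{us_id}` naming rule comes from the page. The page does not say how Architect blocks interactive logins, so the `nologin` shell is an assumption, not Architect's method.

```shell
#!/bin/sh
# Added example (not Architect's own code): one way to implement a user
# space as a locked-down OS account plus an audit of its directory layout.
# Assumptions: Linux, GNU coreutils, useradd, runuser, homes under /home.
# The account name rule cf{seed}-{us_id} is the one described on the page.

# Account name for a user space.
us_user() {
  printf 'cf%s-%s' "$1" "$2"
}

# useradd rejects names longer than 32 characters or outside [a-z0-9_-];
# check before creating so a bad seed/us_id fails early.
us_user_valid() {
  name=$(us_user "$1" "$2")
  [ "${#name}" -le 32 ] || return 1
  case "$name" in
    *[!a-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Create the account and folder layout (needs root). The non-login shell
# means nobody can open a session as this account even if its password
# leaks; the agent still runs workloads through runuser (see us_run).
us_create() {
  us_user_valid "$1" "$2" || { echo "invalid user space name" >&2; return 1; }
  name=$(us_user "$1" "$2")
  home="/home/$name"
  useradd --create-home --home-dir "$home" --shell /usr/sbin/nologin "$name"
  # The home mode useradd picks comes from /etc/login.defs and may be
  # world-readable; set it explicitly so other user spaces cannot enter.
  chmod 0750 "$home"
  for d in deployments backups plugins; do
    install -d -o "$name" -g "$name" -m 0750 "$home/$d"
  done
}

# Launch a workload as the user space account (needs root).
# Usage: us_run <seed> <us_id> <command> [args...]
us_run() {
  name=$(us_user "$1" "$2")
  shift 2
  runuser -u "$name" -- "$@"
}

# One directory is clean when it is owned by the expected account and has
# no permission bits for "other". Prints the reason to stderr and returns 1
# on the first violation, 0 otherwise.
us_audit_dir() {
  dir=$1
  owner=$2
  actual=$(stat -c '%U' "$dir" 2>/dev/null) || { echo "$dir: missing" >&2; return 1; }
  if [ "$actual" != "$owner" ]; then
    echo "$dir: owned by $actual, expected $owner" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$dir")
  other=${mode#${mode%?}}   # last octal digit = permission bits for "other"
  if [ "$other" != "0" ]; then
    echo "$dir: mode $mode grants access to other users" >&2
    return 1
  fi
  return 0
}

# Audit the whole layout of a user space; returns 1 if any directory fails.
us_audit() {
  name=$(us_user "$1" "$2")
  home="/home/$name"
  rc=0
  for d in "$home" "$home/deployments" "$home/backups" "$home/plugins"; do
    us_audit_dir "$d" "$name" || rc=1
  done
  return $rc
}

# Entry point when run as a script:
#   us.sh create <seed> <us_id>
#   us.sh run    <seed> <us_id> <command> [args...]
#   us.sh audit  <seed> <us_id>
case "${1:-}" in
  create) shift; us_create "$@" ;;
  run)    shift; us_run "$@" ;;
  audit)  shift; us_audit "$@" ;;
esac
```

`create` and `run` need root; `audit` does not and is worth running periodically, because a workload that runs `chmod` on its own tree, or a home created with a permissive default from `/etc/login.defs`, silently turns the per-user-space boundary into a shared directory. The audit only covers the filesystem side of the boundary; it cannot detect a kernel-level escape, which is the part of the caveat above that no file permission fixes.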

User space management

All user space operations are available only to the agent's `root` user. You can create, delete and list user spaces, and you can modify a user space to change the underlying OS user's password in the agent's records.

User spaces are populated through user space users: when creating a user, the user space must be referenced. Users, roles, and all other entities are scoped to a user space once they are created as user space resources, and they are visible only to the `root` user and to members of that user space.

Automation through user spaces

The common workflow is to establish a user space for one of your customers, create a customer user within that user space, and assign it a role that carries the permissions you want to grant. Webhooks and other entities that user creates are then automatically scoped to the user space.

You can create system-internal webhook events to automate your deployment and billing systems: they acknowledge the internal state and then notify your customer about the completed deployment.
