Brand accounts and roles
The global Snap Store is the default source for all snaps, including those used by Ubuntu Core. It’s where the majority of snaps are published, where public, unlisted and private snaps can be shared with users and collaborators, and where developers can manage their releases across channels and tracks.
But snaps can also be hosted by, and published from, a dedicated snap store, often called a Brand store or IoT App Store. For a more in-depth look at dedicated snap stores, and how they’re used with Ubuntu Core and IoT devices, see our IoT App Store documentation.
A store is managed and governed through a brand account and the authority it delegates to other associated accounts. This is outlined below.
A brand account is an ordinary Ubuntu SSO account augmented by the store team after a support request. It then defines the scope of authority of a dedicated snap store, and it must be used for certain functions.
A brand account is registered in the same way as any other account. It is recommended that the brand account act as an umbrella account, named after the project or the legal entity responsible for the device.
The brand account can be used to:
- Generate, register, and hold the sign keys for the brand infrastructure.
- Sign Model Assertions used to build images that point at a dedicated snap store.
- Register kernel and gadget snap names.
The kernel and gadget snaps are special snaps whose names can only be registered by the brand account (or by Canonical), and the brand account must also be given a publisher role in the base store. See Snaps in Ubuntu Core for more details on the snaps used to build Ubuntu Core.
Use of the Brand Account and its credentials should be strictly limited. Canonical recommends that the Brand Account not be assigned any Roles that are not strictly needed. Do not make the Brand Account a store Administrator, a Reviewer or a Viewer.
When the Brand Account generates keys, they are only stored locally, in ~/.snap/gnupg. These keys must be kept safe.
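As an added example (not part of the Ubuntu Core documentation), the following POSIX shell script performs the brand account's model-signing step only after checking that the local keyring in ~/.snap/gnupg is owned by the caller and closed to group and others. The brand id, store id, model name and key name are placeholders, and the model uses the core18 field layout.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Core docs. Guards the brand account's
# signing step with a keyring hygiene check. BRAND/STORE ids are placeholders.

# Return 0 if DIR exists, is owned by the caller, and grants no access to
# group or others (mode 700 or tighter); otherwise return 1.
keyring_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%OLp' "$dir")
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    [ "$owner" = "$(id -u)" ] || return 1
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Write the unsigned model assertion (core18 layout) for an image that points
# at the dedicated store STORE_ID. Identifiers are supplied by the brand.
write_model_json() {
    out="$1"; brand_id="$2"; store_id="$3"; model="$4"
    cat > "$out" <<EOF
{
  "type": "model",
  "series": "16",
  "authority-id": "$brand_id",
  "brand-id": "$brand_id",
  "model": "$model",
  "store": "$store_id",
  "architecture": "amd64",
  "base": "core18",
  "gadget": "pc",
  "kernel": "pc-kernel",
  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%S+00:00)"
}
EOF
}

# Sign JSON with the brand account's registered key KEY, writing the assertion
# to OUT. Refuses to run when the keyring directory is not private.
sign_model() {
    json="$1"; key="$2"; out="$3"
    keyring_is_private "$HOME/.snap/gnupg" || { echo "keyring not private" >&2; return 1; }
    snap sign -k "$key" "$json" > "$out"
}
```

Typical use on the brand account's machine is `write_model_json model.json my-brand my-store-id my-model` followed by `sign_model model.json brand-model-key my-model.model`.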
Enable two-factor authentication
We recommend enabling two-factor authentication on all Ubuntu SSO accounts, but especially the brand and administrator accounts described below. See SSO two-factor authentication for details.
Roles are a vital part of the device and snap management lifecycle. They enable accounts other than the master brand account to control various aspects of the deployment process, and for those aspects to be safeguarded from the key and registry functions that maintain the integrity of the brand account.
As with the brand account, roles are assigned to a regular Ubuntu SSO account by a project administrator via https://snapcraft.io/admin:
The following roles can be selected:
The administrator role in the App Store has the highest level of permissions granted. Administrator permissions include the abilities to:
Reviewers approve software changes made to snaps before they can be published to the Store, if the administrator has enabled the requirement for reviews in the Store.
The viewer role in the App Store has the fewest permissions granted. Viewers can see and download snaps from their IoT App Store. Downloaded snaps can be used to build images or perform testing.
The publisher role in the App Store is linked to publishing snaps to the Store, including registering snap names, uploading releases and specific revisions and configuring team collaborators.