Granular permission assignment

What is claimed is: 1 . A method comprising: creating, by a processing device, a plurality of reusable role definitions for a cloud provider system, wherein each of the plurality of reusable role definitions comprises a resource type and an action set permitted to be performed on a plurality of resources of the resource type; receiving, by the processing device, a first request to assign a user to a first role, the first request specifying a first cloud computing resource of a plurality of cloud computing resources of a respective resource type in the cloud provider system; identifying, by the processing device, a role definition corresponding to the respective resource type, the identified role definition comprising the respective resource type and an action set permitted to be performed in the cloud provider system on the plurality of cloud computing resources of the respective resource type; creating, by the processing device, the first role for the user on the first cloud computing resource, wherein creating the first role comprises associating the identified role definition with the first cloud computing resource and the user; receiving, by the processing device, a second request to assign the user to a second role, the second request specifying a second cloud computing resource of the plurality of cloud computing resources of the respective resource type; and creating, by the processing device, the second role for the user on the second cloud computing resource in view of the identified role definition corresponding to the resource type, wherein the identified role definition that was used for the first role of the user is being reused for the second role of the user, and wherein creating the second role comprises associating the identified role definition with the second cloud computing resource and the user. 2 . The method of claim 1 further comprising: receiving a request from the user to perform an action on the first cloud computing resource; identifying the first role of the user on the first cloud computing resource; allowing the user to perform the requested action if a role definition of the first role has an action set comprising the requested action; and preventing the user from performing the requested action if the role definition of the first role does not include the requested action. 3 . The method of claim 2 , wherein the respective action set comprises one or more of view a resource, modify a resource, create services, delete services, assign permissions, start a virtual machine, or stop a virtual machine. 4 . The method of claim 1 further comprising: receiving a request to assign a group comprising a user set to the role on the first cloud computing resource; assigning the group to the role on the first cloud computing resource; receiving a request from a user of the user set to perform an action of a respective action set on the first cloud computing resource; and allowing the user of the user set to perform the action. 5 . The method of claim 4 further comprising: receiving an updated user set; and updating the group assigned to the role in view of the updated user set. 6 . The method of claim 1 further comprising: receiving an updated action set for the role; and updating the role in view of the updated action set. 7 . The method of claim 1 , wherein the respective resource type comprises a cloud computing environment, an instance in the cloud computing environment, an application in the cloud computing environment, a deployment in the cloud computing environment, or a catalog in the cloud computing environment. 8 . The method of claim 1 , wherein the user is an owner of the first cloud computing resource and the second cloud computing resource, and the identified role definition is an owner role definition that provides for granting particular permissions to other users with respect to the first cloud computing resource and the second cloud computing resource. 9 . The method of claim 1 , wherein the identified role definition is a zone administrator role definition that provides for granting permissions with respect to different zones. 10 . The method of claim 1 further comprising: storing the first role and the second role in a data store; and querying the data store to determine whether the user is allowed to perform a requested operation with respect to at least one of the first cloud computing resource or the second cloud computing resource. 11 . A system comprising: a memory to store instructions; and a processing device, executing the instructions and coupled to the memory, to: create a plurality of reusable role definitions for a cloud provider system, wherein each of the plurality of reusable role definitions comprises a resource type and an action set permitted to be performed on a plurality of resources of the resource type; receive a first request to assign a user to a first role, the first request specifying a first cloud computing resource of a plurality of cloud computing resources of a respective resource type in the cloud provider system; identify a role definition corresponding to the respective resource type, the identified role definition comprising the respective resource type and an action set permitted to be performed in the cloud provider system on the plurality of cloud computing resources of the respective resource type; create the first role for the user on the first cloud computing resource, wherein creating the first role comprises associating the identified role definition with the first cloud computing resource and the user; receive a second request to assign the user to a second role, the second request specifying a second cloud computing resource of the plurality of cloud computing resources of the respective resource type; and create the second role for the user on the second cloud computing resource in view of the identified role definition corresponding to the resource type, wherein the identified role definition that was used for the first role of the user is being reused for the second role of the user, and wherein creating the second role comprises associating the identified role definition with the second cloud computing resource and the user. 12 . The system of claim 11 , wherein the processing device further to: receive a request from the user to perform an action on the first cloud computing resource; identify the first role of the user on the first cloud computing resource; allow the user to perform the requested action if a role definition of the first role has an action set comprising the requested action; and prevent the user from performing the requested action if the role definition of the first role does not include the requested action. 13 . The system of claim 12 , wherein the respective action set comprises one or more of view a resource, modify a resource, create services, delete services, assign permissions, start a virtual machine, or stop a virtual machine. 14 . The system of claim 11 , wherein the processing device is further to: receive a request to assign a group comprising a user set to the role on the first cloud computing resource; assign the group to the role on the first cloud computing resource; receive a request from a user of the user set to perform an action of a respective action set on the first cloud computing resource; and allow the user of the user set to perform the action. 15 . The system of claim 14 , wherein the processing device is further to: receive an updated user set; and update the group assigned to the role in view of