Role-Based Access Control explained

Last updated: Mon Feb 04 23:48:09 GMT 2019

The ThousandEyes platform now provides a new Role-based Access Control (RBAC) model for user and user group management. RBAC provides two principal benefits. First, RBAC eliminates the hierarchical relationships between users, accounts and organizations. Under RBAC, users may belong to more than one Account Group. Second, RBAC provides configurability of permissions that were previously fixed within the three predefined roles. With RBAC you can create Roles that allow users to do everything they need to do, and no more.

For example, an employee who needs to administer their company’s ThousandEyes users in multiple accounts was previously required to have the Organization Admin role, which provided permissions not only to administer all users in every account, but also permissions to access billing information for all accounts.  Under RBAC, you may assign Roles which have permissions for only user administration tasks in only the Account Groups needed, and not grant permissions for billing or other tasks within those account groups.
 

Terminology in RBAC

As noted above, we have changed the prior terminology of “Accounts” to “Account Groups”, and expanded the terms “Roles” and “Permissions”. Account Groups now are assigned to Users, who have Roles within each Account Group. Previously, a User could be in only one Account, and a User could have only one of three built-in Roles (Organization Admin, Account Admin and Regular User), and the built-in Roles had fixed Permissions. Under RBAC, a customer may create new Roles, each with customized Permissions.
 

Transition to RBAC

The ThousandEyes platform transitioned from our legacy permissions model on February 18, 2015. It's important to note that the transition from the legacy model to the new RBAC model does not require existing customers to make any changes. If the prior access control model was exactly what you needed, you can still use that model by making no changes to your organization’s configuration after the switch to RBAC.

The default roles available under RBAC are the roles of the prior model: Organization Admin, Account Admin and Regular User. Users who were Organization Admin users are now assigned to a built-in Account Group, “All account groups”, with the Organization Admin role. Users who were Account Admins are assigned to a new Account Group of the same name as the prior Account, with the Account Admin role.

Note: With RBAC, users are now associated with the Organization, rather than with an Account. As a result, the Account Admin role does not have permissions required to create, edit or delete users. To provide this capability, a role having the Edit users permission must be assigned to the user.
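The scoping described above, sketched as an added illustration (this is not ThousandEyes code and does not use its API). Only the "Edit users" permission, the three built-in Role names and the "All account groups" name come from this page; the other permission names, each Role's contents, the "User Manager" Role, the users and the EMEA/APAC/AMER groups are constructed, and the sketch assumes that Roles held in "All account groups" apply in every Account Group.

```python
# Illustrative model of Account-Group-scoped RBAC; not ThousandEyes code.
ALL_GROUPS = "All account groups"  # built-in Account Group named on the page

# Role -> Permissions. Only "Edit users" is a permission named on the page;
# the other permission names and every Role's contents are constructed.
ROLES = {
    "Organization Admin": {"Edit users", "View billing", "Edit tests", "View tests"},
    "Account Admin": {"Edit tests", "View tests"},  # no "Edit users" under RBAC
    "Regular User": {"View tests"},
    "User Manager": {"Edit users"},  # hypothetical customer-defined Role
}

# User -> {Account Group -> Roles held there}. All entries are constructed.
ASSIGNMENTS = {
    "org-admin@example.com": {ALL_GROUPS: {"Organization Admin"}},
    "acct-admin@example.com": {"EMEA": {"Account Admin"}},
    "helpdesk@example.com": {
        "EMEA": {"User Manager"},
        "APAC": {"User Manager", "Regular User"},
    },
}


def effective_permissions(user, group):
    """Union of the Permissions of every Role the user holds in `group`,
    plus Roles held in the built-in "All account groups" scope (assumption)."""
    scopes = ASSIGNMENTS.get(user, {})
    roles = scopes.get(group, set()) | scopes.get(ALL_GROUPS, set())
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def is_allowed(user, group, permission):
    """True if the user holds `permission` within the given Account Group."""
    return permission in effective_permissions(user, group)


def holders(permission, groups):
    """Audit view: which users hold `permission` in each Account Group."""
    return {
        g: sorted(u for u in ASSIGNMENTS if is_allowed(u, g, permission))
        for g in groups
    }


if __name__ == "__main__":
    for group, users in holders("Edit users", ["EMEA", "APAC", "AMER"]).items():
        print(f"{group}: {users}")
```

The `holders` view is the useful one for review: it shows that the former Account Admin cannot edit users in EMEA, while the scoped "User Manager" Role grants user administration in two groups without any billing permission.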

Working with RBAC 

Managing users is done on the Account Groups, Users, and Roles tabs of the Settings > Accounts page (users may also modify their own settings on the Profile tab). The outline for user management with the RBAC model is:

Add a Role

Add a Role by selecting the Permissions for the Role, or skip this step and use the built-in Roles. Permissions are found under the Roles tab:

[Screenshot: Roles.png]
 

  1. Search bar: Allows searching using a string such as "email" or "alert" for matching permissions.  The number in parentheses is the number of Permissions currently displayed.  Additionally, there are two buttons:
    • All - displays the full list of permissions that match the search string
    • Lock icon - displays only Management permissions that match the search string
  2. Role change icons: Allows creation of new Roles via duplication of an existing Role, or editing or deleting of existing Roles
  3. Permission names: Lists the Permission names which match the current search string
  4. Roles: Lists the names of the built-in Roles and any customer-defined roles.  In this example, there is a customer-defined role "Limited Admin 1" in addition to the three built-in roles.  Use the scroll bar at the bottom of the display to move horizontally through the columns if more Roles are present than can be viewed in the current page size.  Use the scroll bar at the right to move vertically through the rows of Permissions.
  5. Management permission: A lock next to a Permission name indicates that it is a Management Permission.  Management Permissions grant users the ability to change their own or another user's permissions and scope of permissions, and so are given the special indication of a lock icon as a help and a caution.

Add an Account Group

Add or edit an Account Group.  Adding and editing of Account Groups is done on the Account Groups tab:

[Screenshot: Account_Groups1.png]

  1. Add New Account Group button: Click the button to enter Add New Account Group mode and display the Add New Account Group panel.
  2. Search bar: Allows searching the Account Groups for a text string or substring.
  3. Account Group column: Alphabetized list of Account Groups in the organization.  Click the triangle icon to reverse the sort order.  Click the triangle next to an Account Group's name to enter Edit Account Group mode for that Account Group.
  4. Users column: The number of users in the Account Group.
  5. Enterprise Agents column: The number of Enterprise Agents in the Account Group.
  6. Delete: Click the trash can icon to delete the Account Group.

Add New Account Group

To add new Account Groups, click on the Add New Account Group button.  The Add New Account Group panel will appear:

[Screenshot: Account_Groups2.png]

  1. Account Group Name: The name of the new Account Group.
  2. Enterprise Agents: Select Enterprise Agents assigned to this Account Group (optional).
  3. Add New Account Group/Cancel: Click the Add New Account Group button to save the new Account Group or Cancel to exit without saving.

Edit Account Group

To edit Account Groups, click on the triangle next to an Account Group's name.  The Edit Account Group panel will appear:

[Screenshot: Account_Groups3.png]
 

  1. Account Group Name: The name of the Account Group.
  2. Enterprise Agents: Select Enterprise Agents assigned to this Account Group (optional).
  3. Account Group Token: The token for the Account Group.  Used when installing Enterprise Agents for this Account Group.  Agents can be assigned to multiple Account Groups.
  4. Save Changes/Cancel: Click the Save Changes button to save the changes or click Cancel to exit without saving.

Add the User(s)

Add or edit the users and assign to one or more Account Groups.  Users are added or modified under the Users tab:

[Screenshot: Users1.png]

  1. Mode indicator: Displays the current mode--either Edit Users mode or Add New Users mode.
  2. Add New Users button: Click the button to enter Add New Users mode and display the Add New Users panel.
  3. Search bar: Allows searching the User, Email or Account Group columns for a text string or substring.
  4. User column: Alphabetized list of users in the organization.  Click the triangle icon to reverse the sort order.  Click the triangle next to a user's name to enter Edit User mode for that user.  The User entry is shown as a dash ( -- ) if, after account creation, the user has not yet completed the registration process described in the account registration email.
  5. Email column: List of user email addresses, which are used as logins to the ThousandEyes platform.
  6. Account Groups column: List of the Account Groups to which the user belongs.  "All" indicates membership in the built-in Account Group whose name is "All account groups".
  7. Management permissions: The user-and-lock icon indicates that this user possesses Management permissions.
  8. Registration pending: A red triangle icon indicates that the user has not yet completed the registration process as provided for in the registration email sent from the ThousandEyes platform.
     

Adding Users

To add new users, click on the Add New Users button.  The Add New Users panel will appear:

[Screenshot: Users2.png]
 

  1. Emails: Enter one or more email addresses which will be used by the users as logins to the ThousandEyes platform.  Use a comma as a delimiter to add multiple email addresses (typically by pasting text from your clipboard).  An email with instructions to complete registration will be automatically sent to each address.
  2. Account Groups: Select the Account Group(s) to which the user will belong using the Account Groups pull-down menu. Multiple Account Groups are permitted. The selection affects all users listed in the Emails field.
  3. Roles: Click within the text field to display and select the Roles that the user(s) will have within the scope of the associated Account Group. Multiple Roles are permitted.
  4. Add/Remove Account Group: Click the + icon to add a new Account Group pull-down and associated Roles field, for multiple Account Group assignment. Click the - icon to remove an Account Group pull-down and associated Roles field.
  5. Login Account Group: Select the Account Group in which the user starts.  If a user is a member of multiple Account Groups, the user will be able to switch Account Groups using the Switch Account Groups link under their username in the upper-right corner of the interface.

Note: When creating new users, the names of the users are not entered by the administrator.  After the user account is created, the user will receive an email from the ThousandEyes platform requesting that the user complete the registration process.  This permits the user to provide their name string, saving the administrator typing and reducing the risk of errors.  If the administrator wishes to provide the name, the Edit User panel under the Users tab allows for manual entry.

Editing Users

[Screenshot: Users3.png]
 

  1. Name: The name of the user.  This will be blank if the user has not completed registration.
  2. Email: The email address which is used as the login to the ThousandEyes platform.
  3. Account Groups: The Account Group(s) to which the user belongs.  Edit the Account Group(s) to which the user belongs with the Account Groups pull-down menu. Multiple Account Groups are permitted.
  4. Roles: The Roles which belong to the user, within the associated Account Group.  Click within the text field to edit the Roles that the user has within the scope of the associated Account Group. Multiple Roles are permitted.
  5. Add/Remove Account Group: Click the + icon to add a new Account Group pull-down and associated Roles field, for multiple Account Group assignment.  Click the - icon to remove an Account Group pull-down and associated Roles field.
  6. Logon Account Group: The Account Group to which the user belongs upon login.  Click the Logon Account Group pull-down to edit Logon Account Group assignment.
  7. Delete: Click the trash can icon to delete the user.