The PubSub+ Cloud roles for Mission Control include access and permissions to Cluster Manager and its event broker services.
The level of access you have to Cluster Manager and its event broker services depends on the role you're assigned in PubSub+ Cloud and the permissions granted to that role. If your organization has SSO (single sign-on) enabled for individual event broker services, access to those services is further affected by the role mappings for the service with your identity provider (IdP). For more information see Mission Control Roles and Permissions.
If your organization has single-sign on enabled, roles can be assigned using user groups. If you have enabled SSO for an event broker service, you can configure user access on the event broker service, and saving the access settings pushes to the service's SSO configuration. You can then map the roles to users in your IdP.
To configure user access to your event broker services, you must:
-
Optional, if you want to set user access for SSO-enabled event broker services: configure single sign-on for your event broker service.
-
Set Mission Control User access for event broker service in Cluster Manager.
Mission Control Roles and Permissions
The roles you can be granted in Mission Control, and the actions each can perform are detailed below. Every role listed provides access to Cluster Manager:
- Mission Control User
- PubSub+ Cloud users with the Mission Control User role can access Cluster Manager but have limited access and viewing capabilities. They can't see, or view event broker services in Cluster Manager unless they are granted access by someone with Manager level access to the event broker service. The Mission Control User role can only be assigned to user groups, and requires that you have SSO configured. The following application domain access levels can be granted to user groups with the Mission Control User role:
- Viewer
- Mission Control User role with Viewer access to an event broker service allows users to view event broker service details.
- Editor
- Mission Control User with Editor access to an event broker service allows users to view event broker service details, as well as modify event broker service configuration, and add, delete, and modify queues.
- Manager
- Mission Control User with Manager access to an a event broker service allows users to perform the same functions as users with Editor access. They can also perform these functions:
- Delete the event broker service.
- Add, delete, and modify Dynamic Message Routing (DMR) links, replay, client-profiles, bridge SSL certificates, SEMP over message bus, and client authentication. Modify replication for disaster recovery.
- Assign access to the event broker service to other users with the Mission Control User role.
- Mission Control Viewer
- PubSub+ Cloud users with the Mission Control Viewer role can access Cluster Manager and have access to view the details of all event broker services in Cluster Manager but cannot edit or delete them. The Mission Control User application domain access levels can elevate the permissions of the Mission Control Viewer on a per-event broker service basis.
- Mission Control Manager
- PubSub+ Cloud users with the Mission Control Manager role can access Cluster Manager and have full access to all Cluster Manager capabilities. They also have Manager level access to all event broker service.
- Administrator
- PubSub+ Cloud users with the Administrator role have full access to all PubSub+ Cloud capabilities. Administrators can assign users any role in PubSub+ Cloud. In Cluster Manager, Administrators have the same access as Mission Control Managers.
For more information about assigning user roles for PubSub+ Cloud, see Managing Users, Groups, Roles, and Permissions. The table below provides a detailed breakdown of each role and their scope of operation in Mission Control.
| Roles | Administrator | Mission Control Manager | Mission Control Viewer | Mission Control User (requires SSO) | |||
|---|---|---|---|---|---|---|---|
| Scope of Operation | Manager | Editor | Viewer | No Role | |||
| Cluster Manager | Permissions are scoped to all event broker service in Cluster Manager | Permissions are scoped to an individual event broker service | |||||
| Assign Access |
|
|
 1
|
2
|
|
|
|
| Create event broker service |
|
|
1
|
|
|
|
|
| Modify event broker service |
|
|
1
|
|
|
|
|
| Delete event broker service |
|
|
1
|
2
|
|
|
|
| View event broker service |
|
|
|
|
|
|
|
1. You can assign Mission Control User roles to the Mission Control Viewer to provide the additional permissions to the Mission Control Viewer.
2. A Mission Control User with Manager access can only manage access for other Mission Control Users on event broker services where they have Manager access.
Setting Mission Control User Access for Event Broker Services in Cluster Manager
You must have organization-wide single sign-on (SSO) enabled and user groups configured to assign access to event broker services using role-based access controls. If you are setting user access for an SSO-enabled event broker service, saving the access settings pushes the roles and permissions to the event broker service's SSO configuration. You can map the roles to users in your identity provider (IdP).
If you are setting access for an SSO-enabled event broker service, you must ensure the event broker service SSO configuration is up-to-date before assigning user access. See Updating the SSO configuration for an Event Broker Service for more information.
- Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see
- Select Cluster Manager
on the navigation bar. - On the Service page, find the tile matching the service you want to set access for and click Actions
and select Set User Access to open the User Access dialog.
If the User Access dialog displays a message indicating the broker's SSO configuration is out-of-sync, you must update the SSO configuration before assigning user access. Either update the broker's SSO settings, or contact your PubSub+ Administrator. - In the User Access dialog, click Add User Groups.
- Select a group using the Name field and then set the access level using the Access Level field.
- Click Save.
