Managing Users, Groups, Roles, and Permissions

PubSub+ Cloud administrators can manage the roles assigned to other PubSub+ Cloud users. As an administrator, you can assign roles to users, or if you have single sign-on (SSO) enabled, you can instead create user groups and assign roles to groups. Each role has defined permissions, which allow or deny access to different sets of features in PubSub+ Cloud.

The PubSub+ Cloud user management system has the following components:

Permissions
Permissions provide your users with appropriate levels of access to PubSub+ Cloud features based on the work they need to do.
Roles
Roles are sets of permissions that can be assigned to users. Users can have different roles in separate organizational accounts. For example, a user can have the Administrator role in one account, the Mission Control Viewer role in a second account, and the Event Portal Manager role in a third account.
Users
Users with the Administrator role can add, edit, and delete other users and manage the actions users can perform by assigning one or more roles. If you have SSO enabled, users can also be added to user groups based on IdP claim values mapped to user groups.
User Groups
If you have SSO enabled for your organization, you can create user groups and assign one or more roles to each group. When users are assigned roles through user groups, roles assigned to individual users are ignored. You add users to groups by mapping claims from your identity provider (IdP) to automatically assign users to a group when they log in to PubSub+ Cloud.

For information about adding and managing users, see Configuring User Access.

User Management

User management includes a wide range of functionality, such as adding and deleting users, and controlling user activity through role assignments. Solace recommends following the security best practice to assign a role with the fewest permissions that a user requires.

The User Management tab on the Account Details page provides administrators with a dashboard to view and manage users, groups, roles, and permissions. You can manage roles and permissions in two ways: by assigning roles directly to individual users, or, if SSO is enabled, by assigning roles to user groups that users join automatically through group management.

Roles and Permissions

Roles provide sets of permissions to users. You can assign one or more roles to each user. For example, you can assign a user the Mission Control Manager role to give them access to create and modify event broker services and event meshes in Cluster Manager and Mesh Manager. You can assign roles manually or dynamically using group management.

You can assign the following roles in PubSub+ Cloud:

Administrator
Administrators can create, manage, and delete users and event broker services. Administrators can also grant or deny access to Event Portal. This role gives the user all the other roles listed here, with the exception of the Insights Advanced Editor role. As an administrator, you can assign the Insights Advanced Editor role to yourself.
Mission Control Manager
Users can create, modify, and delete event broker services in Cluster Manager. Users with the Mission Control Manager role can also create, modify, and delete event meshes in Mesh Manager.
Mission Control Viewer
Users can view the details of event broker services in Cluster Manager, but cannot edit or delete them. Users with the Mission Control Viewer role can also view, scan, and run Health Checks on event meshes in Mesh Manager. If SSO is enabled, you can grant a Mission Control Viewer the Mission Control User permissions on specific event broker services to extend their capabilities.
Mission Control User
The Mission Control User role is only available when you have enabled SSO and have user groups configured. Users have limited viewing access in Cluster Manager: they cannot see event broker services they have not been assigned permissions to, and they have no access to Mesh Manager. Users can be given greater access to event broker services by assigning permissions to them. For more information on Mission Control-specific roles, see Configuring User Access to Event Broker Services.
Event Portal Manager
Users can view, create, and modify any Event Portal architectures. Event Portal Managers can add users with the Event Portal User role to application domains and grant them Viewer-level access to that domain.
Event Portal User
Users have limited viewing access in Event Portal. By default, they can only view shared events, shared schemas, and Event API Products. Users can be given greater access to one or more application domains. For more information on Event Portal-specific roles, see Configuring User Access to Application Domains.
Insights Advanced Editor
Users have access to the Datadog setup that is part of PubSub+ Insights. Users with the Insights Advanced Editor role can view, edit, create, and clone dashboards and monitors. They can also read trace data if you have a subscription to Distributed Tracing.
When this role is first assigned to a user profile, it triggers an invitation email to a Datadog account that is automatically created on behalf of the user. This Datadog account is separate from the PubSub+ Cloud invitation. This role is assignable only when you are subscribed to PubSub+ Insights. The access provided as part of this role is not included with the Administrator role.
Insights Advanced Viewer
Users have access to view dashboards and monitors inside the Datadog setup that is part of PubSub+ Insights. They do not have permission to edit, create, clone, share, or perform any other actions to the dashboards and monitors. They can also read trace data if you have a subscription to Distributed Tracing.
When this role is first assigned to a user profile, it triggers an invitation email to a Datadog account that is automatically created on behalf of the user. This Datadog account is separate from the PubSub+ Cloud invitation. This role is assignable only when you are subscribed to PubSub+ Insights. The access provided as part of this role is not included with the Administrator role.

Group Management

If you have SSO enabled, you can assign roles to user groups instead of directly to users, and map claims received from your IdP to your user groups to automatically add users to groups. When group management is enabled, users are automatically added to groups based on the claim mapping that you have configured. For example, if your IdP returns a claim value such as service_manager, users with that claim value are automatically assigned to the user group that the claim value is mapped to. If none of the claims returned for a user is mapped to a group when the user authenticates, the user can either be given a default role or denied access.

After you configure group management, you can continue to invite new users manually, or you can enable just-in-time provisioning to add new users to groups based on the existing claim mapping configuration when they successfully authenticate using SSO.
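The following is an added, hypothetical model of the login-time resolution rules described in the User Groups and Group Management sections above; it is not Solace's code and does not call any PubSub+ Cloud API. It assumes the IdP sends group values in a single claim named `groups`, and that the claim values, group names and role assignments shown are constructed for the example. It encodes four rules from the text: roles assigned through groups override roles assigned to the individual user; a user whose claims map to no group gets the configured default role or is denied; with group management off, only invited users with their individual roles get in; and just-in-time provisioning creates a previously unknown user only when a claim maps to a group (an assumption drawn from the wording "add new users to groups based on the existing claim mapping").

```python
from dataclasses import dataclass, field
from typing import Optional

# Name of the IdP claim that carries group values (assumption: real IdPs
# vary, and the claim name is part of your SSO configuration).
CLAIM_NAME = "groups"

# Constructed claim-value -> user-group mapping.
CLAIM_TO_GROUP = {
    "service_manager": "Broker Operators",
    "ep_architect": "Portal Architects",
}

# Constructed user-group -> roles assignment (role names are from the page).
GROUP_ROLES = {
    "Broker Operators": {"Mission Control Manager"},
    "Portal Architects": {"Event Portal Manager", "Mission Control Viewer"},
}


@dataclass
class Account:
    # email -> roles assigned directly to that user; presence means "invited"
    users: dict = field(default_factory=dict)
    group_management: bool = True
    jit_provisioning: bool = False
    # role granted when no claim maps to a group; None means deny access
    default_role: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    reason: str = ""


def map_claims_to_groups(claims: dict) -> frozenset:
    """Translate the values of the group claim into configured user groups."""
    values = claims.get(CLAIM_NAME, [])
    if isinstance(values, str):          # some IdPs send a single string
        values = [values]
    return frozenset(CLAIM_TO_GROUP[v] for v in values if v in CLAIM_TO_GROUP)


def resolve_login(account: Account, email: str, claims: dict) -> Decision:
    """Decide whether a successful SSO login is admitted and with which roles."""
    individual = account.users.get(email)
    known = individual is not None

    if not account.group_management:
        # Without group management, only invited users get in, with the
        # roles assigned to them directly.
        if not known:
            return Decision(False, reason="unknown user; invite required")
        return Decision(True, frozenset(individual), reason="individual roles")

    groups = map_claims_to_groups(claims)

    if not known:
        # JIT provisioning (assumption) only creates users that land in a
        # mapped group; otherwise an invitation is still required.
        if not (account.jit_provisioning and groups):
            return Decision(False, reason="unknown user; not provisioned")
        account.users[email] = set()     # provision the user with no direct roles

    if groups:
        # Group roles replace any individually assigned roles.
        roles = frozenset().union(*(GROUP_ROLES[g] for g in groups))
        return Decision(True, roles, groups,
                        reason="group roles; individual roles ignored")

    if account.default_role:
        return Decision(True, frozenset({account.default_role}),
                        reason="no mapped claim; default role")
    return Decision(False, reason="no mapped claim and no default role")


if __name__ == "__main__":
    acct = Account(users={"alice@example.com": {"Administrator"}},
                   jit_provisioning=True, default_role="Event Portal User")
    # Alice is an Administrator by direct assignment, but her claim puts her
    # in Broker Operators, so only Mission Control Manager applies.
    print(resolve_login(acct, "alice@example.com", {"groups": ["service_manager"]}))
    # Bob was never invited; JIT provisioning admits him via the mapped claim.
    print(resolve_login(acct, "bob@example.com", {"groups": ["ep_architect"]}))
```

The point worth checking in your own configuration is the first case: once group management is on, a direct role assignment such as Administrator is not a fallback but is simply ignored, so the claim mapping and the default role together define who can do what.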

To set up group management for your account, see Configuring Group Management.