Managing Users, Roles, and Permissions
PubSub+ Cloud administrators can manage users and assign roles that set permissions to allow or deny access to different sets of event broker services.
The PubSub+ Cloud user management system has the following components:
- Administrators can add, edit, and delete other users and manage the actions users perform by assigning roles that control user activity through permissions.
- Permissions provide your users with appropriate levels of access to PubSub+ Cloud features based on the work they need to do.
- Roles define groups of permissions that can be assigned to users. Users can have different roles in separate organizational accounts. For example, a user can have the Administrator role in one account, the Cluster & Mesh Manager Viewer role in a second account, and the Event Portal Manager role in a third account.
Your organization may have different accounts for different purposes; for example, production, development, quality assurance, and so on. You can add users to one or more accounts. This mechanism also allows you to segregate your user bases, such as separating contractors, sales engineers, and different professional services groups.
For information about adding and managing users, see Configuring User Access.
User management includes a wide range of functionality, such as adding and deleting users, and controlling user activity through role assignments. Solace recommends following the security best practice of assigning each user the role with the fewest permissions that they require.
The User Management tab on the Account Details page provides administrators with a dashboard to view and manage users, roles, and permissions.
You can assign roles to users in either of the following ways:
- Manually through the user management settings. For more information, see Manually Configuring User Settings.
- If you have single sign-on (SSO) enabled for your account, you can use role management to map claims received from your identity provider to the available roles in PubSub+ Cloud and automatically assign roles to users. For more information, see Dynamically Assigning User Roles.
Roles and Permissions
Roles and permissions provide different levels of access to users based on the tasks they perform. You can assign users one or more roles and have different permissions associated with each role. For example, you can assign a user the Cluster & Mesh Manager Editor role to give them access to create and modify event broker services and event meshes in Cluster Manager and Mesh Manager.
You can assign the following roles in PubSub+ Cloud:
- Administrator
- The user can create, manage, and delete users and event broker services. Administrators can also grant or deny access to Event Portal. This role includes all the other roles listed here with the exception of the Insights Advanced Editor role. As an administrator, you can self-assign the Insights Advanced Editor role.
- Cluster & Mesh Manager Editor
- The user can create, modify, and delete their own event broker service. Users with the Cluster & Mesh Manager Editor role can also create, modify, and delete event meshes.
- Cluster & Mesh Manager Viewer
- The user can view the details of an event broker service, but cannot edit or delete it. Users with the Cluster & Mesh Manager Viewer role can also view, scan, and run Health Checks on event meshes.
- Event Portal Manager
- Users can view, create, and modify any Event Portal architectures. Event Portal Managers can add users with the Event Portal User role to application domains and grant them Viewer-level access to that domain.
- Event Portal User
- Users have limited viewing access in Event Portal. By default, they can only view shared events, shared schemas, and Event API Products. Users can be given greater access to one or more application domains. For more information on Event Portal-specific roles, see Configuring User Access to Application Domains.
- Insights Advanced Editor
- Users have access to the Datadog setup that is part of PubSub+ Insights to enable the PubSub+ Insights Advanced Monitoring option. When this role is first assigned to a user profile, it triggers an invitation email to a Datadog account that is automatically created on behalf of the user. This Datadog account is separate from the PubSub+ Cloud invitation. This role is only assignable when you are subscribed to PubSub+ Insights and the access provided as part of this role is not included with the Administrator role.
If you have enabled SSO for your PubSub+ Cloud account, you can enable role management to map user claims received from your identity provider to the roles available in your PubSub+ Cloud account. When role management is enabled, users are automatically assigned roles based on the role mapping that you have configured. For example, the groups scope may return claim values such as event_viewer, and users with that claim value could be automatically assigned one or more roles, such as the Cluster Manager role, the Event Portal User role, or both. If no claim is mapped to a role when a user authenticates, the user can be assigned a default role or denied access.
After you configure role management, you can continue to invite new users manually, or you can enable just-in-time provisioning to assign roles based on the existing role mapping configuration when a user successfully authenticates using SSO.
To set up role management for your account, see Dynamically Assigning User Roles.
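The claim-to-role decision described above, including the default-role and deny outcomes and just-in-time provisioning, as an added Python illustration that is not Solace's code. The claim values event_viewer and event_admin and the in-memory user store are constructed for the example; the role names are the ones listed on this page.

```python
# Added illustration of SSO role mapping as described on this page; not Solace's code.
from dataclasses import dataclass, field

# Role names are those listed on this page; the claim values are constructed.
ROLE_MAPPING = {
    "event_viewer": {"Cluster & Mesh Manager Viewer", "Event Portal User"},
    "event_admin": {"Administrator"},
}

@dataclass
class Decision:
    allowed: bool
    roles: set = field(default_factory=set)
    reason: str = ""

def resolve_roles(claims, mapping=ROLE_MAPPING, default_role=None):
    """Map the values of the 'groups' claim to PubSub+ Cloud roles.

    Every mapped claim value contributes its roles (union); unmapped values
    grant nothing. If nothing maps, the configured default role is applied,
    otherwise access is denied (fail closed).
    """
    groups = claims.get("groups", [])
    if isinstance(groups, str):  # some identity providers send a single string
        groups = [groups]
    roles = set()
    for value in groups:
        roles |= mapping.get(value, set())
    if roles:
        return Decision(True, roles, "roles mapped from claims")
    if default_role:
        return Decision(True, {default_role}, "no mapped claim; default role applied")
    return Decision(False, set(), "no mapped claim and no default role; denied")

def jit_provision(users, email, claims, jit_enabled=True, default_role=None):
    """Just-in-time provisioning on a successful SSO login.

    'users' is a constructed in-memory store (email -> set of roles). Existing
    users keep their stored roles (an assumption of this example); unknown users
    are created with the mapped roles only when JIT provisioning is enabled.
    """
    if email in users:
        return Decision(True, users[email], "existing user")
    if not jit_enabled:
        return Decision(False, set(), "unknown user and JIT provisioning disabled")
    decision = resolve_roles(claims, default_role=default_role)
    if decision.allowed:
        users[email] = decision.roles
    return decision
```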