Managing Users, Groups, Roles, and Permissions

PubSub+ Cloud administrators can manage the roles assigned to other PubSub+ Cloud users. As an administrator, you can assign roles to users, or if you have single sign-on (SSO) enabled, you can instead create user groups and assign roles to groups. Each role has defined permissions, which allow or deny access to different sets of features in PubSub+ Cloud.

The PubSub+ Cloud user management system has the following components:

Permissions
Permissions provide your users with appropriate levels of access to PubSub+ Cloud features based on the work they need to do.
Roles
Roles are sets of permissions that can be assigned to users. Users can have different roles in separate organizational accounts. For example, a user can have the Administrator role in one account, the Mission Control Viewer role in a second account, and the Event Portal Manager role in a third account.
Users
Users with the Administrator role can add, edit, and delete other users and manage the actions users can perform by assigning one or more roles. If you have SSO enabled, users can also be added to user groups based on IdP claim values mapped to user groups.
User Groups
If you have SSO enabled for your organization, you can create user groups and assign one or more roles to each group. When users are assigned roles through user groups, roles assigned to individual users are ignored. You add users to groups by mapping claims from your identity provider (IdP) to automatically assign users to a group when they log in to PubSub+ Cloud.

For information about adding and managing users, see Configuring User Access.

User Management

User management includes a wide range of functionality, such as adding and deleting users, and controlling user activity through role assignments. Solace recommends following the security best practice of assigning the role with the fewest permissions that a user requires.


The User Management tab on the Account Details page provides administrators with a dashboard to view and manage users, groups, roles, and permissions. You can manage roles and permissions in two ways:

Roles and Permissions

Roles provide sets of permissions to users. You can assign one or more roles to each user. For example, you can assign a user the Mission Control Manager role to give them access to create and modify event broker services and event meshes in Cluster Manager and Mesh Manager. You can assign roles manually or dynamically using group management.

You can assign the following roles in PubSub+ Cloud:

Administrator
Administrators can create, manage, and delete users and event broker services. Administrators can also grant or deny access to Event Portal. The Administrator role gives the user all the other roles listed here, with the exception of the Insights Advanced Editor role. As an administrator, you can assign the Insights Advanced Editor role to yourself.
Mission Control Manager
Users with the Mission Control Manager role can create, modify, and delete event broker services in Cluster Manager. They can also create, modify, and delete event meshes in Mesh Manager.
Mission Control Viewer
Users with the Mission Control Viewer role can view the details of an event broker service in Cluster Manager, but can't edit or delete them. They can also view, scan, and run Health Checks on event meshes in Mesh Manager. If you have enabled SSO and have user groups configured, you can assign extra permissions to Mission Control Viewers for specific event broker services.
Mission Control User
The Mission Control User role is available only if you have enabled SSO and have user groups configured. Mission Control Users have limited viewing access in Cluster Manager. They can't see event broker services they are not assigned permissions to and they have no access to Mesh Manager. Users can be given greater access to event broker services by assigning permissions to them. For more information about Mission Control-specific roles, see Configuring User Access to Event Broker Services.
Event Portal Manager
Users with the Event Portal Manager role can view, create, and modify all application domains and modeled event meshes in Event Portal. Event Portal Managers can also give additional permissions to users with the Event Portal User role to provide greater access to specific application domains and to modeled event meshes within specific environments.
Event Portal User
Event Portal Users have limited viewing and editing access for application domains and modeled event meshes in Event Portal. Event Portal Users can be given greater access to specific application domains and to modeled event meshes within specific environments. For more information about Event Portal-specific roles and user permissions, see Managing User Access to Event Portal.
Insights Advanced Manager (Controlled Availability)
If your organization has this controlled availability feature, you can assign a user the Insights Advanced Manager role. Users with this role have access to the Datadog setup that is part of PubSub+ Insights. Users with the Insights Advanced Manager role can view, edit, create, and clone dashboards and monitors. They can also read trace data if you have a subscription to Distributed Tracing.
Insights Advanced Managers can also manage Datadog API and APP keys, as well as Datadog Integrations. For more information, see Insights Advanced Manager Role.
Access to all Insights Advanced roles requires a PubSub+ Insights subscription. You must agree to the acceptable use policy (AUP) for Insights before assigning any Insights Advanced roles to users. Assigning an Insights Advanced role to a user triggers an invitation email to the Datadog account. This Datadog account is separate from PubSub+ Cloud. Insights Advanced roles provide access beyond the access provided by the Administrator role.
Insights Advanced Editor
Users with the Insights Advanced Editor role have access to the Datadog setup that is part of PubSub+ Insights. Users with the Insights Advanced Editor role can view, edit, create, and clone dashboards and monitors. They can also read trace data if you have a subscription to Distributed Tracing.
Access to all Insights Advanced roles requires a PubSub+ Insights subscription. You must agree to the acceptable use policy (AUP) for Insights before assigning any Insights Advanced roles to users. Assigning an Insights Advanced role to a user triggers an invitation email to the Datadog account. This Datadog account is separate from PubSub+ Cloud. Insights Advanced roles provide access beyond the access provided by the Administrator role.
Insights Advanced Viewer
Users with the Insights Advanced Viewer role have access to view dashboards and monitors inside the Datadog setup that is part of PubSub+ Insights. They do not have permission to edit, create, clone, share, or perform any other actions to the dashboards and monitors. They can also read trace data if you have a subscription to Distributed Tracing.
Access to all Insights Advanced roles requires a PubSub+ Insights subscription. You must agree to the acceptable use policy (AUP) for Insights before assigning any Insights Advanced roles to users. Assigning an Insights Advanced role to a user triggers an invitation email to the Datadog account. This Datadog account is separate from PubSub+ Cloud. Insights Advanced roles provide access beyond the access provided by the Administrator role.

Group Management

If you have SSO enabled, you can assign roles to user groups instead of directly to users, and map claims received from your IdP to your user groups to automatically add users to groups. When group management is enabled, users are automatically added to groups based on the claim mapping that you have configured. For example, if your IdP returns a claim value such as service_manager, users with that claim value are automatically assigned to the user group that the claim value is mapped to. If no claim returned for the user is mapped to a group when a user authenticates, the user can be added to a default role or denied access.

After you configure group management, you can continue to invite new users manually, or you can enable just-in-time provisioning to add new users to groups based on the existing claim mapping configuration when a user successfully authenticates using SSO.
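
The resolution rules described above (claim to group, group to roles, default role or deny) can be modeled offline to review a planned mapping before enabling it. This is an added example, not Solace code or a PubSub+ Cloud API; the function names, group names, and the platform_admin claim are hypothetical, and ignoring individual roles in the unmapped case is an assumption of this model.

```python
# Illustrative model only: names and sample data are constructed for this example.
ADMIN = "Administrator"
ROLES = {
    ADMIN, "Mission Control Manager", "Mission Control Viewer", "Mission Control User",
    "Event Portal Manager", "Event Portal User", "Insights Advanced Manager",
    "Insights Advanced Editor", "Insights Advanced Viewer",
}
# Per the role list: Administrator carries every other role except Insights Advanced Editor.
ADMIN_IMPLIES = ROLES - {ADMIN, "Insights Advanced Editor"}
LIMITED_ROLES = {"Mission Control User", "Event Portal User"}  # described as limited access

# Constructed mapping: IdP claim value -> user group, and user group -> roles.
CLAIM_TO_GROUP = {"service_manager": "broker-operators", "platform_admin": "platform-admins"}
GROUP_ROLES = {"broker-operators": {"Mission Control Manager"}, "platform-admins": {ADMIN}}


def effective_roles(claims, claim_to_group, group_roles, individual_roles=(), default_role=None):
    """Roles a user holds after SSO login; an empty set means access is denied.

    individual_roles is accepted but deliberately unused: with group management,
    roles assigned to the individual user are ignored.
    """
    groups = {claim_to_group[c] for c in claims if c in claim_to_group}
    if groups:
        roles = set().union(*(group_roles.get(g, set()) for g in groups))
    elif default_role is not None:
        roles = {default_role}   # no mapped claim: fall back to the default role
    else:
        return set()             # no mapped claim and no default role: deny
    if ADMIN in roles:
        roles |= ADMIN_IMPLIES
    return roles


def broad_grants(claim_to_group, group_roles, default_role=None):
    """Least-privilege review: claims that reach Administrator, and a default
    role that is broader than the limited roles (this example's heuristic)."""
    findings = []
    for claim, group in sorted(claim_to_group.items()):
        if ADMIN in group_roles.get(group, set()):
            findings.append(f"claim '{claim}' -> group '{group}' grants {ADMIN}")
    if default_role is not None and default_role not in LIMITED_ROLES:
        findings.append(f"default role '{default_role}' applies to every unmapped SSO user")
    return findings
```
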

To set up group management for your account, see Configuring Group Management.