Setting Up Users, Roles, and Permissions

As an administrator for your PubSub+ Cloud account, you can manage users, roles, and permissions from the PubSub+ Cloud Console or by using the PubSub+ Cloud REST API. For the REST API-based instructions, see Managing Users with the PubSub+ Cloud REST API.

In the next few topics, we will show how to:

For overview information, refer to Managing Users, Roles, and Permissions.

Before you begin

To configure user management settings for your PubSub+ Cloud account, you will need the following:

  • Administrator role for your PubSub+ Cloud account.
  • The following additional conditions must be fulfilled to set up role management to assign users to PubSub+ Cloud roles dynamically:

    • Single Sign-on (SSO) enabled for your account.
    • Groups, Role Identifier, or Claim information from your identity provider. For more information, refer to Role Management.
    • Claim Value to add role mapping. For more information about claim values, refer to Role Management.

Manually Configuring User Settings

In this section, we will show you how to manually manage users, roles, and permissions for your PubSub+ Cloud account. Refer to Dynamically Assigning Users to Roles to learn how you can dynamically configure and manage role assignments.

Adding a User

As an account administrator, you can add a user to the account to which you belong. To add a user to an account, perform the following steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet.

  2. On the navigation bar, click User & Accounts and then select Account Details.
  3. On the Account Details page, select the User Management tab, and click Invite.
  4. In the Invite User dialog, fill in the Email Address field.
  5. Optionally, you can change the default User Roles setting. For more information on this, see Changing the Roles and Permissions.
  6. Click Invite.

Shortly after you complete the steps above, the user receives a confirmation email with an account activation link.

Have users check their spam folders or junk mail to ensure that the invitation email has not been filtered.

Resending a PubSub+ Cloud Account Activation Email

Once you've added a new user to an account, the account status remains pending until the user clicks the account activation link in the email. As a reminder, you can resend the account activation email.

To resend a PubSub+ Cloud account activation email, perform these steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet.
  2. On the navigation bar, click User & Accounts and then select Account Details.
  3. On the Account Details page, select the User Management tab.
  4. Identify the user for whom you want to resend the invitation. Optionally, you can type in the Search Emails field to filter the user accounts that are visible.
  5. Beside the user to whom you want to resend an invite, click User Actions, and then select Re-send Invite. Note that the option to resend the invite appears only if the user hasn't accepted their invite to log in to the PubSub+ Cloud Console.

Have users check their spam folders or junk mail to ensure that the invitation email has not been filtered.

If you have PubSub+ Insights, you can re-send the Datadog invite separately. For more information, see Resending an Invitation Email from Datadog.

Changing the Roles and Permissions

As an account administrator, you can:

  • edit the roles and permissions of any existing user
  • edit the default settings when you add a user or edit the roles
  • edit your own roles and permissions; however, since you are an administrator, you cannot remove the administrator role from yourself nor can you delete yourself

To edit the roles and permissions, perform the following steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet.
  2. On the navigation bar, click User & Accounts and then select Account Details.
  3. On the Account Details page, select the User Management tab.
  4. In the list of users, find the user (including yourself if you're an account administrator) whose roles you want to change. Optionally, you can filter the list based on role or use the search to quickly find user accounts that are visible.
  5. Beside the user you want to edit, click User Actions, and then select Edit.
  6. On the Edit User Details dialog that appears, update the roles and permissions as required, and then click Save.

The user is immediately updated with the roles and permissions you specified with the steps above. Note that if the change you make involves adding the Insights Advanced Editor role, the following occurs:

Deleting a User

As an account administrator, you can delete any user from an account except yourself.

If the user you delete has the Insights Advanced Editor role assigned, the corresponding Datadog account is disabled.

If the user owns any event broker services, reassign them to yourself or another user before you delete the user.

To delete a user from an account, perform the following steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet.
  2. On the navigation bar, click User & Accounts and then select Account Details.
  3. On the Account Details page, select the User Management tab.
  4. Identify the user that you want to delete from your PubSub+ Cloud account. Optionally, you can filter the list based on role or use the search to quickly find user accounts that are visible.
  5. Beside the user you want to delete, click User Actions, and then select Delete.
  6. In the Delete User dialog, verify that the email matches the user you want to delete, and then click Confirm; otherwise, click Cancel.

After these steps, the user is permanently deleted. You can always add the user back. For more information, see Adding a User.

Dynamically Assigning Users to Roles

As a PubSub+ Cloud administrator, you can configure and enable role management so that you can align your identity provider's (IdP) claim with roles available in your PubSub+ Cloud account. In that way, when users log in through their IdP, they are automatically assigned a role in PubSub+ Cloud based on the IdP claims that are mapped to the roles in PubSub+ Cloud.

To configure role management for your PubSub+ Cloud account, you will need to perform the following tasks:

  • Add the IdP-provided Group, Role Identifier, or Claim to your PubSub+ Cloud account. For some examples of how to set up claims with your identity provider, see Setting Up Claims With Your Identity Provider.
  • Add role mapping to align claim values with PubSub+ Cloud roles.
  • Enable just-in-time provisioning (Optional).
  • Customize default role (Optional).
  • Test and enable the role management settings.

In the following example, we will set up role management along with the optional configurations.

  1. Log in to the PubSub+ Cloud Console if you have not done so yet.
  2. On the navigation bar, click User & Accounts and then select Account Details.
  3. On the Account Details page, select the User Management tab.
  4. Click Role Management. Note that the Role Management option will only be available if single sign-on (SSO) has been activated on the account.
  5. On the Role Management screen, perform the following steps:
    1. In the Group, Role Identifier or Claim field, add the identity provider's key. Your IdP's identifier key is a key-value set that can be configured in any format. For example, you can create custom claims such as employee role, manager or the department. For more information, see Role Management.
    2. Click Add Role Mapping.
    3. In the Role table, in the fields that appear, add the Claim Value and select Roles to map to the claim value. Claim values are roles configured with your IdP that you can map with the roles available in your PubSub+ Cloud account. Your claim value can be a user email or a group where multiple users can be assigned the same value. You can set multiple PubSub+ Cloud roles for each claim. For example, a claim can be mapped to Cluster Manager, Mesh Manager Editor, and Event Portal User roles.
    4. Click Add.
    5. (Optional) Select the checkbox beside Enable Just-In-Time provisioning. If selected, a user who is successfully authenticated through the IdP is automatically assigned a role based on the existing role mapping.
    6. (Optional) Select the checkbox beside Customize Default Role and click the drop-down arrow under PubSub+ Role(s) to select the default role. When selected, if the user is successfully authenticated through the IdP, but none of the defined role mappings match their claim value, the user will be assigned the default role.
    7. Before activating role management, we recommend that you test to ensure your administrator account will be allowed access with the new settings. To do so, click Test Access > Run Test.

      If you still have administrator privileges on the account, a confirmation message is displayed stating that administrative access will be maintained.

      Otherwise, the message will indicate that administrative access will be lost.

    8. After testing the role management settings, click the Save button. The settings will be applied immediately, and the role management status will change to Enabled.

Once the role management settings are enabled, roles can only be applied using role mappings, which means that the user must be part of the claim value. You will not be able to assign roles manually. To manage roles and permissions manually, you must disable role management.
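The claim-to-role mapping, default role, and Test Access check described above can be modeled offline as a dry run before you save the settings. This is an added example, not PubSub+ Cloud code; the claim key `groups`, the claim values, the sample users, and the rule that roles from several matching claim values are combined are assumptions.

```python
# Illustrative model only, not PubSub+ Cloud code. The claim key "groups", the
# claim values, and the union rule for multiple matching values are assumptions.
ADMIN_ROLE = "Administrator"

def resolve_roles(claims, claim_key, role_mappings, default_role=None):
    """Roles a user would receive at login from the claim sent by the IdP."""
    raw = claims.get(claim_key, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    roles = set()
    for value in values:
        roles.update(role_mappings.get(value, ()))
    if not roles and default_role:
        roles.add(default_role)  # no mapping matched: fall back to the default role
    return roles

def review_mappings(users, claim_key, role_mappings, admin_email, default_role=None):
    """Dry run of a planned configuration before it is saved."""
    report = {"admins": [], "default_only": [], "no_role": []}
    for email, claims in sorted(users.items()):
        matched = resolve_roles(claims, claim_key, role_mappings)
        effective = resolve_roles(claims, claim_key, role_mappings, default_role)
        if ADMIN_ROLE in effective:
            report["admins"].append(email)
        if not matched and effective:
            report["default_only"].append(email)
        if not effective:
            report["no_role"].append(email)
    # Same question the Test Access step answers for the logged-in administrator.
    report["admin_access_maintained"] = admin_email in report["admins"]
    return report

# Constructed sample data: planned role mappings and the claims the IdP would send.
ROLE_MAPPINGS = {
    "pubsub-admins": ["Administrator"],
    "platform-team": ["Cluster Manager", "Mesh Manager Editor", "Event Portal User"],
}
USERS = {
    "alice@example.com": {"groups": ["pubsub-admins", "platform-team"]},
    "bob@example.com": {"groups": ["platform-team"]},
    "carol@example.com": {"groups": ["finance"]},
    "dave@example.com": {},
}

if __name__ == "__main__":
    print(review_mappings(USERS, "groups", ROLE_MAPPINGS, "alice@example.com",
                          default_role="Event Portal User"))
    # A mapping that omits the admin's group fails the lockout check.
    risky = {"platform-team": ["Cluster Manager"]}
    print(review_mappings(USERS, "groups", risky, "alice@example.com"))
```

Review the `default_only` and `no_role` lists as well as the administrator check: they show which users would receive the default role or no role once manual assignment is no longer available.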

Disabling Role Management

To disable role management, do the following:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet.
  2. On the navigation bar, click User & Accounts and then select Account Details.
  3. On the Account Details page, select the User Management tab.
  4. Click Role Management. Note that the Role Management option will only be available if single sign-on (SSO) has been activated on the account.
  5. On the Role Management screen, click Disable.
  6. On the dialog that appears, click the Disable button.

Once role management is disabled, dynamic role assignment will be turned off. All existing users will still keep their current assigned roles.