Configuring User Access to Event Broker Services

The PubSub+ Cloud roles for Mission Control include access and permissions to Cluster Manager and its event broker services.

The level of access you have to Cluster Manager and its event broker services depends on the role you're assigned in PubSub+ Cloud and the permissions granted to that role. If your organization has SSO (single sign-on) enabled for individual event broker services, access to those services is further affected by the role mappings for the service with your identity provider (IdP). For more information, see Mission Control Roles and Permissions.

If your organization has SSO enabled, you can assign roles to user groups. If an event broker service has SSO enabled, you can configure user access for the event broker service. You can then map the roles to users in your IdP.

To configure user access to your event broker services, you must:

  1. Enable single sign-on for PubSub+.

  2. (Optional) If you want to set user access for SSO-enabled event broker services: configure single sign-on for your event broker service.

  3. Manage your users, groups, roles, and permissions.

  4. Set Mission Control User access for event broker services in Cluster Manager.

Mission Control Roles and Permissions

The roles you can be granted in Mission Control, and the actions each can perform, are detailed below. Every role listed provides access to Cluster Manager:

Mission Control User
PubSub+ Cloud users with the Mission Control User role can access Cluster Manager but have limited access and viewing capabilities. They can't see or view event broker services in Cluster Manager unless they are granted access by someone with Manager-level access to the event broker service. The Mission Control User role can only be assigned to user groups, and requires that you have SSO configured. The following event broker service access levels can be granted to user groups with the Mission Control User role:
Viewer
The Mission Control User role with Viewer access to an event broker service allows users to view event broker service details.
Editor
The Mission Control User role with Editor access to an event broker service allows users to view event broker service details, as well as modify event broker service configuration, and add, delete, and modify queues.
Manager
The Mission Control User role with Manager access to an event broker service allows users to perform the same functions as users with Editor access. They can also perform these functions:
  • Delete the event broker service.
  • Add, delete, and modify Dynamic Message Routing (DMR) links, message replay, client profiles, bridge SSL certificates, SEMP over message bus, and client authentication. Modify replication for disaster recovery.
  • Assign access to the event broker service to other users with the Mission Control User role.
Mission Control Viewer
PubSub+ Cloud users with the Mission Control Viewer role can access Cluster Manager and have access to view the details of all event broker services in Cluster Manager but cannot edit or delete them.
Users with the Mission Control Viewer role can also be given Editor or Manager level access to specific event broker services.
Mission Control Manager
PubSub+ Cloud users with the Mission Control Manager role can access Cluster Manager and have full access to all Cluster Manager capabilities. They also have Manager level access to all event broker services.
Administrator
PubSub+ Cloud users with the Administrator role have full access to all PubSub+ Cloud capabilities. Administrators can assign users any role in PubSub+ Cloud. In Cluster Manager, Administrators have the same access as Mission Control Managers.

For more information about assigning user roles for PubSub+ Cloud, see Managing Users, Groups, Roles, and Permissions.
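The role descriptions above can be turned into an access-review check that resolves each user's effective level on each service and lists who holds a sensitive capability such as deleting a service. This is an added example, not PubSub+ Cloud code: the data structures, action names, and sample users are hypothetical, and it assumes that elevated access is granted through groups and that the highest level applies when several groups grant access to the same service.

```python
# Added example: names and data structures are hypothetical, not a PubSub+ API.
LEVELS = ["none", "viewer", "editor", "manager"]  # lowest to highest

# Actions each access level adds on one service, per the descriptions above.
ADDED_ACTIONS = {
    "viewer": {"view_service"},
    "editor": {"modify_config", "manage_queues"},
    "manager": {"delete_service", "manage_links_replay_auth", "assign_access"},
}

# Access a role holds on every service before any group grant.
BASELINE = {
    "Mission Control User": "none",
    "Mission Control Viewer": "viewer",
    "Mission Control Manager": "manager",
    "Administrator": "manager",
}

def effective_level(role, groups, service, grants):
    """grants maps (group, service) -> level; returns the user's level."""
    best = LEVELS.index(BASELINE[role])
    for group in groups:
        # Assumption: the highest level wins when several groups grant access.
        best = max(best, LEVELS.index(grants.get((group, service), "none")))
    return LEVELS[best]

def allowed_actions(level):
    """Each level includes everything the levels below it allow."""
    actions = set()
    for name in LEVELS[1:LEVELS.index(level) + 1]:
        actions |= ADDED_ACTIONS[name]
    return actions

def who_can(action, users, services, grants):
    """List (user, service) pairs able to perform action, for an access review."""
    return sorted((user, svc) for user, (role, groups) in users.items()
                  for svc in services
                  if action in allowed_actions(effective_level(role, groups, svc, grants)))

# Constructed sample data.
USERS = {
    "alice": ("Mission Control User", ["payments-dev"]),
    "bob": ("Mission Control Viewer", ["ops"]),
    "carol": ("Mission Control Manager", []),
    "dave": ("Mission Control User", []),
}
SERVICES = ["audit-broker", "orders-broker"]
GRANTS = {("payments-dev", "orders-broker"): "editor", ("ops", "orders-broker"): "manager"}
```

Calling `who_can("delete_service", USERS, SERVICES, GRANTS)` on the sample data shows that a single Manager grant to the `ops` group gives a Mission Control Viewer delete rights on that one service.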

The following table provides a detailed breakdown of the permissions available to each role in Mission Control.

Roles: Administrator; Mission Control Manager (10.10 and later); Mission Control Manager (earlier than 10.10); Mission Control Viewer; Mission Control User (requires SSO)

Assign access to event broker services

Create event broker services

Modify event broker services

Delete event broker services

View event broker services

Create a message replay log

The following table provides a detailed breakdown of the operations available on an individual event broker service for Mission Control Users and Mission Control Viewers with elevated permissions.

Roles and access levels:
Mission Control Viewer (requires SSO): Manager, Editor, No additional access
Mission Control User (requires SSO): Manager, Editor, Viewer, No additional access

Assign access to the event broker service

Create an event broker service

Modify an event broker service

Delete an event broker service

View an event broker service

Setting Mission Control User Access for Event Broker Services in Cluster Manager

You must have organization-wide single sign-on (SSO) enabled and user groups configured to assign access to event broker services using role-based access controls. If you are setting user access for an SSO-enabled event broker service, saving the access settings pushes the roles and permissions to the event broker service's SSO configuration. You can map the roles to users in your identity provider (IdP).

If you are setting access for an SSO-enabled event broker service, you must ensure the event broker service SSO configuration is up-to-date before assigning user access. See Updating the SSO configuration for an Event Broker Service for more information.

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar. If the event broker service is not listed, make sure you have the right environment selected. For more information, see Selecting Environments.
  3. On the Service page, find the tile for the service you want to set access for, click Actions, and then select Set User Access to open the User Access dialog.
    If the User Access dialog displays a message indicating the broker's SSO configuration is out-of-sync, you must update the SSO configuration before assigning user access. Either update the broker's SSO settings, or contact your PubSub+ Administrator.
  4. In the User Access dialog, click Add User Groups.
  5. Select a group using the Name field and then set the access level using the Access Level field.

  6. Click Save.