Managing Users, Roles, and Permissions

As a PubSub+ Cloud administrator (your user profile is assigned the Administrator role), you can manage accounts, assign roles, and set permissions to allow or deny access to different sets of event broker services.

The PubSub+ Cloud user management system has the following components:

Add, edit, and delete users. Manage the actions users perform by assigning them roles and controlling user activity through permissions.
Users can have different roles in separate accounts. For example, a user can have the Administrator role in one account, Cluster Manager Viewer in the second account, and Event Portal Manager in the third account.
Provide your users with different access and permissions.

Your organization may have different subscriptions for different purposes; for example, production, development, quality assurance, and so on. You can add users to one or more environments. This mechanism also allows you to segregate your user bases, such as separating contractors, sales engineers, and different professional services groups.

Let's first understand the different Roles and Permissions you can use to manage access for other users within your organization. We will then look at some of the setting your can configure through the User Management system in the Cloud Console.

Roles and Permissions

Roles and permissions provide different levels of access to users based on the task they perform. You can assign users one or more roles, and have different permissions associated with each role. For example, you can assign a user with the Cluster Manager Editor role to give them access to create/modify event broker services in Cluster Manager. Likewise, another user can be given the Cluster Manager Viewer role to only allow them to view event broker services. You can manage these roles and permissions manually or dynamically through the role management system, where you can align your identity provider's claim with roles in PubSub+ Cloud.

The following are the roles in PubSub+ Cloud:

Can create, manage and delete users and services, and grant or deny access to Event Portal. This permission gives you the roles for all the other roles listed here with the exception of the Insights Advanced Editor role. As an administrator, you can self-assign the Insights Advanced Editor role to yourself.
Billing Administrator
Can view and configure billing settings.
Cluster Manager Editor
Can create and delete their own services, and view services owned by others. Cluster Manager editors can also be granted access to Event Portal as a Manager or a viewer.
Cluster Manager Viewer
Can view service details, but cannot edit or delete any service. Cluster Manager Viewer can also be granted access to Event Portal as a Manager or a viewer.
Event Portal Manager
Can view, create and modify any Event Portal architectures. They can add users with Event Portal User role to application domains and grant them Viewer level access to that domain.
Event Portal User
Has limited viewing access in Event Portal. By default, they can only view shared events, shared schemas and Event API Products. They can be given access to one or more application domains.
Insights Advanced Editor
Can have access to the Datadog setup that is part of PubSub+ Insights to enable the PubSub+ Insights Advanced Monitoring option. When this role is first assigned to a user profile, it triggers an invitation email to a Datadog account that is automatically created on behalf of the user.  This Datadog account is separate from the PubSub+ Cloud invitation. This role is only assignable when you are subscribed to PubSub+ Insights and the access provided as part of this role is not included with the Administrator role.
Mesh Manager Editor
Can create, modify, and delete event meshes. If you are required to create, modify, or delete an event broker services, you also require the Cluster Manager Editor role.
Mesh Manager Viewer
Can view and run Health Checks on event meshes.

User Management

User management in PubSub+ Cloud enterprise account involves a wide range of functionality, such as adding and deleting users, managing user roles, and controlling user activity through permissions. A best practice is to assign the fewest permissions and roles that a user requires.

The User Management tab on the Account Details page provides account administrators with a dashboard to view and manage users, roles, and permissions. In the PubSub+ Cloud Console, there are two ways you can manage roles and permissions:

Role Management

Role Management enables you to align your Identity Provider (IdP) claims with the roles available in your PubSub+ Cloud account. Users are automatically assigned roles when role management is enabled based on the role mapping that you configure in your PubSub+ Cloud account. Note that single sign-on (SSO) must be activated for your account to use this feature. For multiple accounts, you must set up role management for each account.

Once you have SSO enabled on your PubSub+ Cloud account, you can configure role management to determine roles in PubSub+ Cloud based on claims coming from your IdP. To do so, you will need the following information:

Group, Role Identifier or Claim
Your IdP's identifier key, which is a key-value set. You can configure it in any format; for example, you can create custom claims such as employee role, manager or department.
Claim Value
Claim values are values configured with your IdP that you can map with the roles available in your PubSub+ Cloud account. Your claim value can be a user email or a group where multiple users can be assigned the same value. For example, your claim value can be service_manager or event_viewer, and users associated with this claim value can be assigned Cluster Manager role or Event Portal User or both.

While role management automatically assigns roles to the user authenticated through SSO based on the role mappings, as an administrator, you will still need to invite users manually if they aren't already part of the account. To avoid inviting users manually, you can enable Just-in-Time User Provisioning to assign roles based on the existing mapping configuration if a user is successfully authenticated through the IdP.

Furthermore, there could be some situations where a user may be successfully authenticated through the SSO, but if no defined role mappings match the user's claim, the user will be denied access to the account. To avoid that, you can Customize Default Role, which is assigned when no other defined mappings match the user's claim value. If the user is successfully authenticated and none of the defined role mappings match their claim value, the user will be assigned the default role.

Once the role management is enabled, roles can only be applied using role mappings, which means that the user must be part of the claim value.

To set up role management for your account, refer to Dynamically Assigning Users to Roles .