Introduction
Effective access control begins with role definition. By assigning roles to users and groups, you can manage permissions consistently across all resources.
The platform allows you to create multiple roles to accommodate various access requirements, with the Administrator role providing the highest level of access and full control over all resources.
- Roles define the access permissions assigned to users or user groups within your organization.
- Each role consists of a set of permissions and configurations that control what actions a user can perform and which features they can access on the platform.
You can configure Roles at the Service Provider(SP), Partner, and Client levels respectively.
Prerequisite
- Permission sets have been created and available.
Permissions
Following are the permissions required to View the Roles List:
| Type of user | Permissions |
|---|---|
| SP/MSP | Users_Manage, Roles_View, and Device_View |
| Client | Administration, Users_Manage, Roles_View, and Device_View |
- Following are the permissions required to Add the Roles:
| Type of user | Permissions |
|---|---|
| SP/MSP | Users_Manage, Roles_Manage, and Device_Manage, |
| Client | Administration, Users_Manage, Roles_Manage, and Device_Manage, |
Note
In addition to the above permissions, the user must be added to the All Users Group. To do this, navigate to Setup > Account > Users and Permissions > Users. Click ADD and then select the “All user groups” from the Assigned User Groups section.Create a Role
Follow these steps to create a role:
Click Setup > Account. The Account Details page is displayed.
Click the Users and Permissions tile on the Account Details page. The Permission Sets page is displayed.
Click the Roles card. The ROLES listing screen is displayed.
Click +ADD. The ROLE DETAILS screen is displayed.
Enter the following information:
- Role Name: Unique name of the role.
If you are a partner user, then select the appropriate option from Role for and Access to. - Permission Sets: Select the permission set(s) from the list.
Click Manage all permission sets to create a permission set.
Note: The Client Administrator, Client Dashboard Share Permission Set, and Client User are the default permission sets. - Description: Provide details to describe the role.
- Role Name: Unique name of the role.
From Resources visibility, select one of the following three options to apply visibility of devices to the role you are creating:
- All: Lets a role have the visibility of all resources in the client.
- Specified resources: Lets a role have the visibility of only the selected resources in the client.
- Select resource group(s) from the Resource groups dropdown.
- Select resource(s) from the Resources dropdown. You can also click Advanced Search to build a query to search for the resources.
- None: Prevents a role from having the visibility of the client resources.
From Assigned credentials, select one of the following three options to apply visibility of credentials to the role you are creating:
- All: Lets a role have visibility of all credentials in the client.
- Specified credentials: Lets a role have visibility of only the selected credentials in the client.
- Select credential(s) from the list.
- None: Prevents the role from having visibility of client credentials.
From Authz Tags, select one of the following three options to apply visibility of tags to the role you are creating:
- All: Lets a role have visibility of all tags in the client.
There are no restrictions on logs visibility. - Specified authz tags: Lets a role have visibility of only the selected tags in the client.
Only logs that carry the tags, or have no tags at all, are visible to the user with the assigned role.- Select authz tag(s) from the list.
- None: Prevents the role from having visibility of client tags.
Only logs without any tags are visible to the user.
- All: Lets a role have visibility of all tags in the client.
In the DASHBOARDS section, select one or more dashboards from the Classic Dashboards dropdown.
In the OPTIONS section, select the default landing page from the Home Page dropdown, according to the user’s role.
Click ADD. The role is created and displayed in the ROLES listing screen.
Users can perform the following actions based on the context:
| Type of user | Current context | User action |
|---|---|---|
| Service Provider User | Service Provider |
|
| Partner User | Partner |
|
| Partner User | Client | Manage roles for the current client. |
| Client User | Client | Manage roles for the current client. |
Actions on a role
You can perform the following actions after creating a role:
| Action | Procedure/Description |
|---|---|
| Search | To search for a role:
|
| View | To view a role:
|
| Edit | Note: You cannot edit a default role.
|
| Remove | Note: You cannot remove a default role.
|
Use Case
Let is suppose there are a total of five clients under a Partner.
Role 1 is created at the Partner level (with Partner as Tenant Scope) with two clients are selected and the Permission Set as a Partner Administrator.
Role 2 is created at the Partner level with All Clients selected, and Permission Set as Partner View Only.
These two roles are assigned to a user.
Result: The permission sets may not work as expected, and overlapping roles introduce ambiguity. This is because OpsRamp evaluates permissions cumulatively, and where multiple roles apply, the most permissive access takes precedence.
Recommendation: Create Role 2 at the Partner level and remaining three clients are selected, with Permission Set as Partner View Only.
This ensures that:
- As a Partner Administrator (via Role 1), the user has full access to resources and configurations for the two selected clients.
- With the Partner View Only permission set (via Role 2), the user has read-only access to the other three clients.