Permissions, roles, and entitlements
Connect introduces a new model for roles and permissions. The model touches all the areas of the system.
These concepts are introduced with the new model:
Permissions
Permission is the definition of an action the user can run from the user interface. For example, fetching transactions (Connect → Reports → Transactions) means that the user can fetch data for the Transactions report. The permission is not visible to the end user, but it's used to evaluate whether or not the user can access a particular button, section, or screen.
Roles
Roles are groups of permissions. A user can have several roles, for example 'Tenant Admin' (a backward-compatible role) and 'Transactions Report Viewer'. When multiple roles are assigned, the user can access everything allowed by at least one role. More roles are added continuously. The goal is to have roles that grant access to almost all screens.
Entitlements
Unlike permissions, entitlements define what data a user can access. That is, entitlements grant a user access to one or several selected tenants in a domain, one or several selected site groups, or one or several selected sites. When the user can see only the selected site groups or sites, Connect automatically filters reports to show data only for machines from these site groups or sites.
Entitlements can't be granted to users with access to the Administration, Alert, and OTA tabs. For example, entitlements can't be defined for users with the 'Tenant Admin' or 'Tenant User' roles but can be granted to users with the 'Transaction Reports Viewer' role. The reason is that much of the data visible to the Tenant Admin or Tenant User roles can't be filtered by site group or site because that data is of a different nature.
When you create or edit a user account, you have the option to define roles and entitlements. Go to Administration → Users.
If you try to create a user with a setup that doesn't match the requirements, an error message is shown.
Users that were created before the new model was introduced are migrated and keep their roles and entitlements from the old model. These users have access to all resources because the old model didn't support limited access.
If the Tenant feature is disabled, this takes precedence over any roles that are defined: the entire feature is unavailable to users in this tenant, whatever roles they have.
EXAMPLES OF WHAT SOME ROLES CAN SEE AND DO
GLOBAL ADMIN
A GLOBAL ADMIN is a user with entitlements to all resources.
Global admins can:
See all the tenants
See users in various tenants
Create, edit, and modify users in all tenants (including the carbon.super domain)
Note
When editing a user, the current data for that user is loaded on the screen. That is, if the user has roles and entitlements assigned, then when you edit the user, the data for that user is preselected on the Edit screen.
See all tabs on the left side panel and access all of them
TENANT ADMIN
A TENANT ADMIN is a user with entitlements to all domain resources.
'Tenant Admins' can:
See all the tenants but ONLY from their domain
Create, edit, and modify users in ALL tenants from their domain
Note
When editing a user, the current data for that user is loaded on the screen. That is, if the user has roles and entitlements assigned, then when you edit the user, the data for that user is preselected on the Edit screen.
See all tabs on the left side panel and access all of them
On Administration → Tenants, a 'Tenant Admin' can only see tenants the role is entitled to see.
A 'Tenant Admin' can't create, edit, or delete tenants, except that a 'Tenant Admin' can edit the tenant name and daybreak.
TENANT ADMIN WITH ENTITLEMENT TO ONLY ONE SELECTED TENANT
This example is valid for a domain with at least two tenants.
A TENANT ADMIN with entitlements to only one selected tenant in a domain has entitlements to all resources on the selected tenant.
'Tenant Admins' with entitlement to only one selected tenant can:
See only the tenants they are entitled to
See only the users with access to the same tenants as the 'Tenant Admin'
Create, edit, and modify users only on the tenant they are entitled to
See all tabs on the left side panel and access all of them
On Administration → Tenants, this 'Tenant Admin' can only see tenants the role is entitled to see.
A 'Tenant Admin' with access to only one tenant can't create, edit, or delete tenants, except that this 'Tenant Admin' can edit the tenant name and daybreak.
TENANT USER
A TENANT USER is a user with entitlement to ALL tenants from their domain.
A TENANT USER:
Can't see the Administration sections
Can see other sections
MORE INFORMATION
Users can only see sections they are entitled to.
Users with multiple roles can see everything they are allowed to see by at least one of the roles.
Users with entitlements to a single site group or a single site can only see data related to machines from that site group or site.
It isn't possible to grant access to a user on both site group and site level.
Users with entitlements to multiple site groups or sites can only access data related to machines from all site groups or sites the role is entitled to access.
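The access model described under Permissions, Roles and Entitlements and summarised in the rules above, as an added Python example that is not Connect's own code: a user's permissions are the union of their roles, a user setup is rejected when entitlements are combined with the 'Tenant Admin' or 'Tenant User' roles or granted on both site group and site level, and report data is filtered to the machines the entitlement covers. The permission names, the contents of each role and the machine records are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
# Hypothetical permission names and role contents, constructed for this example.
ROLE_PERMISSIONS = {
    "Tenant Admin": {"admin:users", "reports:transactions", "alerts:view", "ota:view"},
    "Tenant User": {"reports:transactions", "alerts:view", "ota:view"},
    "Transactions Report Viewer": {"reports:transactions"},
}
# Roles reaching the Administration, Alert and OTA tabs: that data can't be filtered by site group or site.
UNFILTERABLE_ROLES = {"Tenant Admin", "Tenant User"}

@dataclass(frozen=True)
class Entitlement:          # which data a user may see; an empty set means no restriction at that level
    tenants: frozenset = frozenset()
    site_groups: frozenset = frozenset()
    sites: frozenset = frozenset()

@dataclass(frozen=True)
class Machine:              # constructed stand-in for a machine record in a report
    machine_id: str
    tenant: str
    site_group: str
    site: str

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    entitlement: "Entitlement | None" = None   # None: access to all resources (e.g. a migrated user)

def permissions(user):
    """Union of the permissions of every assigned role: one role allowing an action is enough."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))

def validate(user):
    """Setup errors the Users screen would reject with an error message."""
    errors = [f"unknown role: {r}" for r in sorted(user.roles - set(ROLE_PERMISSIONS))]
    ent = user.entitlement
    if ent is not None and user.roles & UNFILTERABLE_ROLES:
        errors.append("entitlements can't be granted to Tenant Admin or Tenant User")
    if ent is not None and ent.site_groups and ent.sites:
        errors.append("entitlement can't be on both site group and site level")
    return errors

def visible_machines(user, machines):
    """Report data is filtered to machines inside the user's entitlement."""
    ent = user.entitlement
    if ent is None:
        return list(machines)
    return [m for m in machines
            if (not ent.tenants or m.tenant in ent.tenants)
            and (not ent.site_groups or m.site_group in ent.site_groups)
            and (not ent.sites or m.site in ent.sites)]
```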