Note that in Console ≥ 2.x:
- global roles are managed in SSO/Keycloak; see Configure authentication and roles using Keycloak - v. 2.x.
- resource level roles for user access are managed in Console, see below.
Introduction
Console uses a system of "roles" to manage permissions and access to data. Currently the following roles are available:
Role name | Type | Description |
---|---|---|
admin | Global | This Global level role allows a user or member of a group to administer the entire Console, including:
It can be assigned to a User or Group (if LDAP/Active Directory/SAML user authentication mode is in operation).
|
dashboard_admin | Global | This role is only available in Console ≥ 2.x and is configured directly in SSO/Keycloak. This global level role applies the dashboard "admin" role to a user. See User roles for more information about what this role can do. |
application owner | Global / Resource |
Global level:
Resource level:
|
resource owner | Resource |
|
Users can hold more than one role at a time - in this case the most permissive role takes priority.
Adding a Global level role
Console ≥ 2.x
Global level roles are managed directly in SSO/Keycloak. See Configure authentication and roles using Keycloak - v. 2.x for more information:
Console 1.x
To assign a Global level role to other users, the current user needs to already have the "Admin" role.
Move to the Security option:
A list of users/groups that already have Global level roles will be displayed (your own login or the group your login belongs to should be displayed in the list as an Admin):
Click the Add Roles button to assign the role. Depending on the authentication mode in use (see Configuring User Authentication), you will then be prompted to assign the role:
Authentication mode | GUI | Action required |
---|---|---|
Authentication using local configuration |
| |
LDAP/Active Directory/SAML |
|
The page will update and list the changes you have made:
In the above example, when the user "James" logs in, he will have Application Owner rights at Global level. To remove a role, click the recycle bin next to the user's name:
Adding a Resource level role
To assign a Resource level role to other users, the current user needs to already have the "Admin" role.
Resource level roles (i.e. Application Owner) can be assigned to Domains (and all Applications associated with them) and/or individual Applications. To add a resource level role, move to the Applications option:
Console ≥ 2.x
In Console ≥ 2.x, users who need to interact with existing applications must first be assigned the "application_owner" global role in Keycloak (see Configure authentication and roles using Keycloak - v. 2.x), which will allow them to create new applications of their own. They will then need to be assigned a resource owner role for the specific existing applications they need to interact with. This can be done by assigning the role to the individual application or to a group of applications which belong to a specific domain.
Use the three dots menu on either the Domain or the individual Application to assign the resource owner role via the Manage User Roles option:
In this example we have chosen to assign the resource owner role to the user "James" for a specific application. No roles have previously been assigned for this Application. Click the Add Roles button to assign the role:
Enter the name of the user you would like to assign the role to and click Save:
The page will update and list the changes you have made:
Note that if you are using LDAP/SAML authentication, you can specify groups as well as users (the Scope drop down determines whether this is a user or a group):
Console 1.x
A list of Applications that already exist will be listed by Domain. Choose whether you want to assign the role at Domain or Application level, and then click the appropriate three dots menu and select Manage User Roles:
In this example we have chosen to assign the role at Application level for the Application "MEUDON". No roles have previously been assigned for this Application. Click the Add Roles button to assign the role:
Depending on the authentication mode in use (see Configuring User Authentication), you will then be prompted to assign the role:
Authentication mode | GUI | Action required |
---|---|---|
Authentication using local configuration |
| |
LDAP/Active Directory/SAML |
|
The page will update and list the changes you have made:
To edit the assigned role, click the edit button. To remove a role, click the recycle bin next to the User or Group's name as shown above.