How to set up Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) provides control over the level of access for different users.

Using the RBAC system, different features of the Hyperglance application can be enabled or disabled, users can be given read-only or read-write access, and individual accounts/subscriptions/projects/clusters can be made available to, or hidden from, the Hyperglance UI.


Hyperglance supports two ways to manage or federate your user access:

  • The built-in user database
  • SAML-based SSO

Regardless of how you administer your users, the same set of "role tokens" (described below) governs users' access.

Exactly how or where you set these role tokens depends on whether you have chosen to use the built-in user database or SAML-based SSO. The remainder of this article documents which role tokens are available and what they do.

Understanding Hyperglance Role Tokens

Hyperglance roles are tokens that govern access and capabilities. Some role tokens are more akin to permissions than to traditional roles, but we use the term "role" for all of them.

There are a few kinds of roles in Hyperglance:

  • Base user roles - Specify the type of user; every user has exactly one effective base role.
  • Feature access roles - Govern access to features/behaviours of the product.
  • Account restriction roles - Limit access to all or certain accounts.
  • Group-like roles - Govern access to user-created content such as dashboards.

Base User Roles

Every user requires a base role. If more than one is assigned, the most powerful of them is used.

  • HyperglanceUser - Grants basic access and can be combined with other role tokens to boost the level of access. As a convenience, if absolutely no other role tokens are specified then HyperglanceRole_ViewAllTopo is also assumed.
  • HyperglanceContributor - Grants full feature access as though all feature-access roles were specified. As a convenience, if absolutely no other role tokens are specified then HyperglanceRole_ViewAllTopo is also assumed.
  • HyperglanceAdmin - Grants full access to all accounts and all features, as well as the Settings page and the ability to reset user passwords.

Feature Access Roles

If your base user role is HyperglanceUser then you may grant all, some or none of the following feature-access roles.

Note: A HyperglanceContributor or HyperglanceAdmin already has all of these implied.

  • HyperglanceRole_Actions - Grants access to view and execute Automations.
  • HyperglanceRole_Rules - Grants full create, edit and run access to Rules.
  • HyperglanceRole_Rules_RunOnly - Grants only the ability to refresh/rerun Rules. Users can run existing rules but cannot create new ones or edit existing ones.
  • HyperglanceRole_DashboardWrite - Grants create and edit functionality for all Dashboards accessible to this user. Note: Dashboards may limit who can access them (see Group-Like Roles below).

Account Restriction Roles

We provide a system role that conveniently grants access to all accounts; otherwise you must specify access on a per-account basis.

  • HyperglanceRole_ViewAllTopo - Grants access to view the full set of accounts/subscriptions/projects/clusters in Hyperglance across all pages, including the diagram, dashboards, billing, etc.
    • Note: If this role is not granted then you must set account-restriction roles on a per-account basis instead (see below); otherwise the user will not see anything.
    • Note: This role is always implied for HyperglanceAdmin users.
    • Note: As a convenience, this role is automatically implied for HyperglanceUser and HyperglanceContributor users when NO other role tokens are specified beyond the base user role. Adding any other token (a feature role, a per-account role or a group-like role) removes this implication, so such users then need either HyperglanceRole_ViewAllTopo or per-account roles to see any accounts.

Per account restriction roles

You can assign as many per-account restriction roles to a single user as you need in order to limit access to a chosen set of accounts/subscriptions/projects/clusters in Hyperglance. This applies to accounts visible in the Diagram, the dashboards, billing data, etc.

Admin users never require per-account roles because they can see everything anyway, so per-account roles are only useful when combined with either the HyperglanceUser or the HyperglanceContributor base user role.

The most reliable way to determine the correct role token for an account is to click on the account in the Diagrams page and use the text visible at the top of the description panel on the right:

Then, to grant users access to this 'DevTest' account, you assign a correspondingly-named role token:


DevTest (014556131918)


Or, if you prefer, you can use the fully-qualified syntax {DatasourceName}::{AccountAlias}, which avoids ambiguity when the same alias exists in more than one datasource.

E.g.


Amazon::DevTest (014556131918)

Azure::demo

GCP::my-project

Kubernetes::cluster1

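The following is an added example, not Hyperglance's own code, that resolves a user's effective access from the role-token rules in the Base User Roles, Feature Access Roles and Account Restriction sections above: the most powerful base role wins, HyperglanceContributor/HyperglanceAdmin imply all feature roles, HyperglanceRole_ViewAllTopo is implied only when no tokens beyond the base role are present, and per-account tokens match either the bare alias or the {DatasourceName}::{AccountAlias} form. The function and class names are assumptions for illustration; the sample tokens are constructed. It is useful as a least-privilege check before pushing role assignments to the user database or SAML attributes.

```python
# Added example (not Hyperglance code): resolve effective access from role tokens.
from dataclasses import dataclass, field

BASE_RANK = {"HyperglanceUser": 1, "HyperglanceContributor": 2, "HyperglanceAdmin": 3}
FEATURE_ROLES = {"HyperglanceRole_Actions", "HyperglanceRole_Rules",
                 "HyperglanceRole_Rules_RunOnly", "HyperglanceRole_DashboardWrite"}
VIEW_ALL = "HyperglanceRole_ViewAllTopo"


@dataclass
class EffectiveAccess:          # hypothetical data model for the resolved result
    base: str
    features: set = field(default_factory=set)
    view_all_accounts: bool = False
    # Remaining tokens: per-account roles and group-like tokens (e.g. "Acme Team1").
    # An account is visible when its name matches one of them.
    other_tokens: set = field(default_factory=set)

    def can_see(self, datasource: str, alias: str) -> bool:
        """True if the user may see an account, by bare alias or fully-qualified name."""
        return (self.view_all_accounts
                or alias in self.other_tokens
                or f"{datasource}::{alias}" in self.other_tokens)


def resolve(tokens) -> EffectiveAccess:
    tokens = set(tokens)
    bases = [t for t in tokens if t in BASE_RANK]
    if not bases:
        raise ValueError("every user requires a base role")
    base = max(bases, key=BASE_RANK.__getitem__)   # most powerful base role wins
    others = tokens - set(bases)                    # everything beyond the base role
    acc = EffectiveAccess(base=base)
    if base == "HyperglanceAdmin":
        acc.features = set(FEATURE_ROLES)           # admin implies all features...
        acc.view_all_accounts = True                # ...and ViewAllTopo is always implied
        return acc
    acc.features = set(FEATURE_ROLES) if base == "HyperglanceContributor" else others & FEATURE_ROLES
    # ViewAllTopo applies if granted explicitly, or if NO other token was given at all.
    acc.view_all_accounts = VIEW_ALL in others or not others
    acc.other_tokens = others - FEATURE_ROLES - {VIEW_ALL}
    return acc


if __name__ == "__main__":
    # Constructed sample: a read-only user limited to one AWS account.
    user = resolve(["HyperglanceUser", "HyperglanceRole_Rules_RunOnly",
                    "Amazon::DevTest (014556131918)"])
    print(user.can_see("Amazon", "DevTest (014556131918)"), user.can_see("Azure", "demo"))
```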

Group-Like Roles

These govern access to user-created content.

Note: At the current time this is only available for Dashboards.

Access to a dashboard can be restricted to users holding one or more role tokens. This includes any arbitrary token such as "Acme Team1", which would limit access to just the set of users who have that role token assigned.