How to set up Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) provides control over the level of access for different users. Different parts of the Hyperglance application can be enabled or disabled, users can be given read-only or read-write access and individual accounts & subscriptions can be shown or hidden from display in the Hyperglance diagram.


Hyperglance supports two ways to manage or federate your user access:

  • Hyperglance's own database of users
  • SAML (via Identity Provider)

Regardless of how you administer your users we use the same set of role-based permissions to grant users access to various functions and/or to restrict access to parts of the diagram.


Understanding Hyperglance Roles

There are two kinds of roles in Hyperglance: "system" roles and "fine-grained topology access" roles.

Exactly how you assign roles to users depends on whether you are using the built-in user scripts or SAML based authentication.


The System Roles

  • HyperglanceUser - Grants basic login access with read-only ability. All users need this role (even admins).
  • HyperglanceAdmin - Grants full access (all the below roles combined), admins also have access to the Administration Settings page for managing accounts/subscriptions.
  • HyperglanceRole_ViewAllTopo - Grants read-access to view full set of all accounts & subscriptions in the diagram. If this role is not granted then a fine-grained topology-access role must be granted instead, otherwise the user will not see anything at all when they login to Hyperglance.
  • HyperglanceRole_Actions - Grants write-access, i.e. the ability to view and execute Actions such as Add-Tag or Terminate-Instance.
  • HyperglanceRole_Rules - Grants write-access to Hyperglance's Rules dashboard, users can create, edit and run their own rules.
  • HyperglanceRole_Rules_RunOnly - Grants run-only permission to rules. Users can run existing rules but cannot create new ones or edit existing ones.

Examples of role assignments for different kinds of user:

  • An admin user:
    • HyperglanceUser;HyperglanceAdmin
  • A non-admin user who can only view the diagram & inventory:
    • HyperglanceUser;HyperglanceRole_ViewAllTopo
  • A non-admin user who can view all data, trigger actions (e.g. start/stop VM) and create/edit/delete rules:
    • HyperglanceUser;HyperglanceRole_ViewAllTopo;HyperglanceRole_Actions;HyperglanceRole_Rules

Note: All non-admin users require either the HyperglanceRole_ViewAllTopo role or one of the "fine-grained topology-access roles" (see below). Otherwise they will not see anything when they log in.

Fine-Grained Topology-Access Roles


Fine-Grained Topology-Access roles give users access to different parts of the overall diagram on a per account/subscription basis.

You can assign as many fine-grained topology-access roles to a single user as you need.

Note: Admin users never require topology-access roles as they can see everything anyway.


The fine-grained topology-access roles correspond to the "Account Alias" that is set up when adding accounts/subscriptions for Hyperglance to monitor:


These account aliases can also be found in the top-left of the screen after you click on any entity in the diagram. For example, here is an Amazon resource belonging to the "demo" account:



To grant users access to topology from this 'demo' account you need to assign a correspondingly named role:


demo


If you had multiple 'demo' accounts across datasources, such as a demo account in AWS and a demo subscription in Azure, then you might want to use a more specific version of the role:


Amazon::demo

Azure::demo



The syntax here is simply this: {DatasourceName}::{AccountAlias}
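As an added example (not Hyperglance's own code), the following resolves a user's effective permissions from a semicolon-separated role assignment using the rules described above: HyperglanceUser is mandatory for everyone, HyperglanceAdmin implies every other role, and a user without HyperglanceRole_ViewAllTopo only sees the accounts matched by their fine-grained {DatasourceName}::{AccountAlias} or bare-alias roles. The account inventory is constructed for the example; the role names are the ones on this page.

```python
# Added example, not Hyperglance code: resolve effective access from role names.
SYSTEM_ROLES = {
    "HyperglanceUser", "HyperglanceAdmin", "HyperglanceRole_ViewAllTopo",
    "HyperglanceRole_Actions", "HyperglanceRole_Rules",
    "HyperglanceRole_Rules_RunOnly",
}

# Constructed inventory: (datasource, account alias) pairs Hyperglance monitors.
ACCOUNTS = [("Amazon", "demo"), ("Azure", "demo"), ("Amazon", "prod")]


def parse_roles(role_string):
    """Split an 'A;B ; C' style assignment into a clean set of role names."""
    return {r.strip() for r in role_string.split(";") if r.strip()}


def topology_role_matches(role, datasource, alias):
    """A bare 'demo' matches every datasource; 'Amazon::demo' matches one only."""
    if "::" in role:
        ds, _, acct = role.partition("::")
        return ds == datasource and acct == alias
    return role == alias


def effective_access(role_string, accounts=ACCOUNTS):
    """Return the user's effective permissions, or None if they cannot log in."""
    roles = parse_roles(role_string)
    if "HyperglanceUser" not in roles:   # every user, admins included, needs it
        return None
    admin = "HyperglanceAdmin" in roles
    if admin or "HyperglanceRole_ViewAllTopo" in roles:
        visible = list(accounts)
    else:
        topo_roles = roles - SYSTEM_ROLES   # anything else is a fine-grained role
        visible = [(ds, a) for ds, a in accounts
                   if any(topology_role_matches(r, ds, a) for r in topo_roles)]
    return {
        "admin": admin,
        "visible_accounts": visible,          # empty list => user sees nothing
        "actions": admin or "HyperglanceRole_Actions" in roles,
        "rules_edit": admin or "HyperglanceRole_Rules" in roles,
        "rules_run": admin or bool(roles & {"HyperglanceRole_Rules",
                                            "HyperglanceRole_Rules_RunOnly"}),
    }
```

An empty visible_accounts list is exactly the "sees nothing" case the note above warns about, so checking it before saving an assignment catches the mistake early.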