General Config/Admin
      Back to home
      1. Hyperglance Support
      2. Setup & Configuration
      3. General Config/Admin

      How to set up Role-Based Access Control (RBAC)

      Role-Based Access Control (RBAC) provides control over the level of access for different users. Different parts of the Hyperglance application can be enabled or disabled, users can be given read-only or read-write access and individual accounts & subscriptions can be shown or hidden from display in the Hyperglance diagram.


      Hyperglance supports two ways to manage or federate your user access:

      • Hyperglance's own database of users -- Read more.
      • SAML (via Identity Provider) -- Read more.

      Regardless of how you administer your users we use the same set of role-based permissions to grant users access to various functions and/or to restrict access to parts of the diagram.


      Understanding Hyperglance Roles

      There are two kinds of roles in Hyperglance: "system" roles and "fine-grained topology access" roles.

      Exactly how you assign roles to users depends on whether you are using the built-in user scripts or SAML based authentication.


      The System Roles

      • HyperglanceUser - Grants basic login access with read-only ability. All users need this role (even admins).
      • HyperglanceAdmin - Grants full access (all the below roles combined), admins also have access to the Administration Settings page for managing accounts/subscriptions.
      • HyperglanceRole_ViewAllTopo - Grants read-access to view full set of all accounts & subscriptions in the diagram. If this role is not granted then a fine-grained topology-access role must be granted instead, otherwise the user will not see anything at all when they login to Hyperglance.
      • HyperglanceRole_Actions - Grants write-access. i.e The ability to view and execute Actions such as Add-Tag or Terminate-Instance.
      • HyperglanceRole_Rules - Grants write-access to Hyperglance's Rules dashboard, users can create, edit and run their own rules.
      • HyperglanceRole_Rules_RunOnly - Grants run-only permission to rules. Users can run existing rules but cannot create new ones or edit existing ones.

      Examples of role assignments for different kinds of user:

      • An admin user:
        • HyperglanceUser;HyperglanceAdmin
      • A non-admin user who can only view the diagram & inventory:
        • HyperglanceUser;HyperglanceRole_ViewAllTopo
      • A non-admin user who can view all data, trigger actions (e.g. start/top VM) and create/edit/delete rules:
        • HyperglanceUser;HyperglanceRole_ViewAllTopo;HyperglanceRole_Actions ; HyperglanceRole_Rules

      Note: All non-admin users will require either the HyperglanceRole_ViewAllTopo role, or, one of the "fine-grained topology-access roles" (see below). Otherwise they will not see anything when they login.

      Fine-Grained Topology-Access Roles:


      Fine-Grained Topology-Access roles give users access to different parts of the overall diagram on a per account/subscription basis.

      You can assign as many fine-grained topology-access roles to a single user as you need.

      Note: Admin users never require topology-access roles as they can see everything anyway.


      The fine-grained topology-Access roles correspond with the "Account Alias" which is setup when adding accounts/subscriptions for Hyperglance to monitor:


      These account aliases can also be found in the top-left of the screen after you click on any entity in the diagram, for example here is an Amazon resource belonging to the "demo" account:



      To grant users access to topology from this 'demo' account you need to assign a correspondingly-named role:


      demo


      If you had multiple 'demo' accounts across datasources, such as a demo account in AWS and a demo subscription in Azure then you might want to use a more specific version of the role:


      Amazon::demo

      Azure::demo



      The syntax here is simply this:  {DatasourceName}::{AccountAlias}