Role-Based Access Control (RBAC) provides control over the level of access for different users. Different parts of the Hyperglance application can be enabled or disabled, users can be given read-only or read-write access and individual accounts & subscriptions can be shown or hidden from display in the Hyperglance diagram.


Hyperglance supports several options to manage or federate your user access:

  • Hyperglance's own database of users
  • LDAP / Microsoft Active Directory
  • SAML (via Identity Provider)


Regardless of how you administer your users we use the same set of role-based permissions to grant users access to various functions and/or to restrict access to parts of the diagram.


Understanding Hyperglance Roles

Hyperglance has a small set of system roles that can be assigned to users to grant access to different functions within the product (e.g. the ability to access the admin pages, or the ability to perform actions such as AddTag).

In addition to the system roles, there are fine-grained "topology-access" roles which can control access to view individual accounts / subscriptions in the diagram.


The system roles are:

  • HyperglanceUser - Grants basic login access with read-only ability. All users need this role (even admins).
  • HyperglanceAdmin - Grants full access (all the roles below combined). Admins also have access to the Administration panel for managing accounts/subscriptions.
  • HyperglanceRole_ViewAllTopo - Grants read access to view the full set of accounts & subscriptions in the diagram. If this role is not granted then a fine-grained topology-access role must be granted instead, otherwise the user will not see anything at all when they log in to Hyperglance.
  • HyperglanceRole_Actions - Grants write access, i.e. the ability to view and execute Actions such as Add-Tag or Terminate-Instance.
  • HyperglanceRole_SavedSearches_WriteAccess - Grants write access to Hyperglance's Rules dashboard, so users can create, edit and run their own rules.
    • Note: In future versions of Hyperglance (v6.1+) this role will be renamed to: HyperglanceRole_Rules


Note: All non-admin users require either the HyperglanceRole_ViewAllTopo role or at least one fine-grained topology-access role (see below), otherwise they will not see anything when they log in.



Fine-Grained Topology-Access Roles:


Fine-Grained Topology-Access roles give users access to view different parts of the overall diagram on a per account (AWS) or per subscription (Azure) basis.

You can assign as many fine-grained topology-access roles to a single user as you need.

Note: Admins never require topology-access roles as they can see everything anyway.


The fine-grained topology-access roles correspond with the "Account Alias" which is set up when adding accounts/subscriptions for Hyperglance to monitor:


These account aliases can also be found in the top-left of the screen after you click on any entity in the diagram, for example here is an Amazon resource belonging to the "demo" account:



To grant users access to topology from this 'demo' account you need to assign a correspondingly-named role:


demo


If you had multiple 'demo' accounts across datasources, such as a demo account in AWS and a demo subscription in Azure, then you might want to use a more specific version of the role:


Amazon::demo

Azure::demo



The syntax here is simply this:  {DatasourceName}::{AccountAlias}
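The following is an added example, not Hyperglance's own code: a small Python model of the role semantics described on this page (HyperglanceUser required for any login, admins and HyperglanceRole_ViewAllTopo seeing everything, and otherwise visibility coming only from topology-access roles in the bare-alias or {DatasourceName}::{AccountAlias} form). It is the kind of check an administrator can run over a proposed role assignment before it is pushed into the user database, an LDAP group mapping or a SAML claim rule, so that users who would land on an empty diagram are caught early. The account inventory is constructed for the demonstration; the assumptions that every non-system role is a topology-access role, that a bare alias matches that alias in every datasource, and that multiple topology roles combine as a union are made for this example only.

```python
# Added example (not Hyperglance's own code): a model of the role semantics
# this page describes, used to lint a proposed role assignment.
#
# Assumptions made for this example:
#   * every role that is not one of the named system roles is treated as a
#     fine-grained topology-access role
#   * a bare alias role ("demo") matches that alias in every datasource, while
#     "{DatasourceName}::{AccountAlias}" matches only the named datasource;
#     several topology roles on one user combine as a union
from dataclasses import dataclass

SYSTEM_ROLES = frozenset({
    "HyperglanceUser",
    "HyperglanceAdmin",
    "HyperglanceRole_ViewAllTopo",
    "HyperglanceRole_Actions",
    "HyperglanceRole_SavedSearches_WriteAccess",
})


@dataclass(frozen=True)
class Account:
    datasource: str  # e.g. "Amazon" or "Azure"
    alias: str       # the Account Alias configured when the account was added


def parse_topology_role(role: str):
    """Return (datasource, alias) for a topology-access role.

    datasource is None for the bare-alias form. Malformed qualified roles such
    as "Amazon::" or "::demo" are rejected rather than silently matching.
    """
    if "::" not in role:
        return None, role
    datasource, alias = role.split("::", 1)
    if not datasource or not alias:
        raise ValueError(f"malformed topology-access role: {role!r}")
    return datasource, alias


def can_login(roles) -> bool:
    # HyperglanceUser is required by everyone, including admins.
    return "HyperglanceUser" in roles


def sees_everything(roles) -> bool:
    return "HyperglanceAdmin" in roles or "HyperglanceRole_ViewAllTopo" in roles


def can_see_account(roles, account: Account) -> bool:
    roles = set(roles)
    if not can_login(roles):
        return False
    if sees_everything(roles):
        return True
    for role in roles - SYSTEM_ROLES:
        datasource, alias = parse_topology_role(role)
        if alias == account.alias and datasource in (None, account.datasource):
            return True
    return False


def visible_accounts(roles, accounts):
    return [a for a in accounts if can_see_account(roles, a)]


def can_run_actions(roles) -> bool:
    roles = set(roles)
    return can_login(roles) and (
        "HyperglanceAdmin" in roles or "HyperglanceRole_Actions" in roles)


def lint_roles(roles):
    """Warnings for assignments that will not behave as the admin expects."""
    roles = set(roles)
    warnings = []
    if not can_login(roles):
        warnings.append("missing HyperglanceUser: the user cannot log in at all")
    if not sees_everything(roles) and not (roles - SYSTEM_ROLES):
        warnings.append("no ViewAllTopo and no topology-access role: "
                        "the user will see an empty diagram")
    for role in roles - SYSTEM_ROLES:
        try:
            parse_topology_role(role)
        except ValueError as exc:
            warnings.append(str(exc))
    return warnings


# Constructed sample inventory for the demonstration.
ACCOUNTS = [Account("Amazon", "demo"), Account("Azure", "demo"), Account("Amazon", "prod")]

if __name__ == "__main__":
    for roles in ({"HyperglanceUser", "demo"}, {"HyperglanceUser", "Amazon::demo"},
                  {"HyperglanceUser"}, {"HyperglanceAdmin"}):
        print(sorted(roles), "->", visible_accounts(roles, ACCOUNTS), lint_roles(roles))
```

Running the block shows the two forms side by side: a user holding the bare "demo" role sees both the Amazon account and the Azure subscription, while "Amazon::demo" narrows that to the AWS account only, and a user with nothing but HyperglanceUser (or an admin without HyperglanceUser) is flagged by lint_roles before anyone wonders why their diagram is blank.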