Role-Based Access Control (RBAC) allows Hyperglance administrators to grant users access to different levels of functionality or to view/manage different topologies.


Hyperglance supports several ways to manage users, so you can choose whichever is most suitable for you:

  • Hyperglance's own database of users
  • LDAP / Microsoft Active Directory
  • SAML (via Identity Provider)


Regardless of how you administer your users, we use the same set of role-based permissions to grant users access to various functions and/or to restrict access to parts of the topology map.


Understanding Hyperglance Roles

We have 3 system roles that can be assigned to users to grant access to different functions within the product (e.g. the ability to access the admin pages or the ability to perform actions such as AddTag).

In addition to the system roles, there are "topology-access" roles, which correspond to the Account Alias(es) that are set up when configuring Hyperglance to collect data from Amazon or Azure.


The 3 system roles are:

  • HyperglanceUser - This grants login access with read-only ability. All users need this role (even admins).
  • HyperglanceActionsUser - This additionally grants write-access (i.e. the ability to see available Actions such as AddTag and execute them directly from Hyperglance).
  • HyperglanceAdmin - This grants write-access (much like HyperglanceActionsUser). Admins also have full visibility over all topologies as well as access to the Administration panel.


Note: Any user who is not an admin (i.e. does not have the HyperglanceAdmin role) will require at least one topology-access role for them to see anything!



Topology-Access Roles:


Topology-Access roles give users access to different parts of the overall topology map. 

You can assign as many topology-access roles to a single user as you need.

Admin users do not require topology-access roles, as they can see everything anyway. Non-admin users, however, always require at least one topology-access role; otherwise they will not see anything.


Topology-Access roles correspond to the "Account Alias", which is set up when adding accounts for Hyperglance to collect topology:


These account aliases can also be found in the top-left of the screen after you click on any entity in the 3D view. For example, here is an Amazon resource belonging to the "demo" account:



To grant users access to topology from this 'demo' account, you need to assign a correspondingly-named role:


demo


If you had multiple 'demo' accounts across datasources, such as a demo account in AWS and a demo account in Azure, then you might want to use a more specific version of the role:


Amazon::demo

Azure::demo


The syntax here is simply this: {DatasourceName}::{AccountAlias}
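
The role rules above can be checked mechanically when reviewing role assignments for least privilege. The following is an added example, not Hyperglance code: it assumes role names match exactly, that a bare alias role such as demo matches that alias in every datasource, and it uses a constructed account list and constructed users (the 'prod' alias and the user names are not from this page).

```python
SYSTEM_ROLES = {"HyperglanceUser", "HyperglanceActionsUser", "HyperglanceAdmin"}

def parse_topology_role(role):
    """'Amazon::demo' -> ('Amazon', 'demo'); bare 'demo' -> (None, 'demo')."""
    datasource, sep, alias = role.partition("::")
    return (datasource, alias) if sep else (None, role)

def audit_user(roles, accounts):
    """Return (visible_accounts, can_write, findings) for one user's role list.

    accounts is the set of (datasource, alias) pairs configured for collection.
    """
    roles = set(roles)
    findings = []
    is_admin = "HyperglanceAdmin" in roles
    if "HyperglanceUser" not in roles:
        # The page states every user, admins included, needs this role to log in.
        return set(), False, ["missing HyperglanceUser: cannot log in"]
    can_write = is_admin or "HyperglanceActionsUser" in roles
    visible = set(accounts) if is_admin else set()
    for role in sorted(roles - SYSTEM_ROLES):
        datasource, alias = parse_topology_role(role)
        # Assumption: a bare alias matches that alias in every datasource.
        matched = {(ds, al) for ds, al in accounts
                   if al == alias and datasource in (None, ds)}
        if not matched:
            findings.append(f"role '{role}' matches no configured account")
        elif datasource is None and len(matched) > 1:
            findings.append(f"bare role '{role}' spans {len(matched)} datasources")
        visible |= matched
    if not is_admin and not visible:
        findings.append("non-admin with no usable topology-access role: sees nothing")
    return visible, can_write, findings

# Constructed sample data: 'prod' and the user names are invented for illustration.
ACCOUNTS = {("Amazon", "demo"), ("Azure", "demo"), ("Amazon", "prod")}
USERS = {
    "alice": ["HyperglanceUser", "HyperglanceAdmin"],
    "bob": ["HyperglanceUser", "HyperglanceActionsUser", "demo"],
    "carol": ["HyperglanceUser", "Amazon::demo"],
    "dave": ["HyperglanceUser", "Amazn::demo"],
    "erin": ["HyperglanceActionsUser", "Amazon::prod"],
}

if __name__ == "__main__":
    for name, roles in USERS.items():
        visible, can_write, findings = audit_user(roles, ACCOUNTS)
        print(name, sorted(visible), "write" if can_write else "read-only", findings)
```

The findings for bob and dave are the ones worth acting on: a bare alias that grants more than one datasource, and a misspelled role that silently grants nothing.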