Role-Based Access Control (RBAC) allows Hyperglance administrators to grant users access to different functionality or to different topologies.

To securely and centrally define new users and manage their roles we recommend using an LDAP service like Active Directory (see below).

Alternatively we have a file-based user configuration that you can use to get started (see below).

Either way you need to first understand how roles work in Hyperglance...

Understanding Hyperglance Roles

We have 3 pre-defined system roles that can be assigned to users. In addition, each topology account alias that is set when configuring Hyperglance to collect from a datasource corresponds to a topology-access role that can be assigned.

The 3 system roles are:

  • HyperglanceUser - This grants login access with read-only ability. All users need this role (even admins).
  • HyperglanceActionsUser - This grants write-access (i.e. the ability to see available Actions and execute them directly from Hyperglance).
  • HyperglanceAdmin - This grants write-access and full visibility to all topologies as well as access to the Administration panel.


Account aliases are set by the administrator as the "Account Alias" when adding accounts to collect topology from:

These account aliases can also be found in the top-left of the screen after you click on any entity in the 3D view, for example here is an Amazon node belonging to the "demo" account:

The corresponding topology role that needs to be granted to a user is written as:


Or you can omit the datasource name and simply use the alias alone:


The former will grant access specifically to the "demo" account under "Amazon".

The latter will grant access to all "demo" accounts across all datasources.

Getting Started with File-Based User Configuration

We offer the file-based configuration as an easy means to get started with our RBAC facilities. Be aware that passwords will be stored on the file-system and hashed with SHA-256 (SHA-2). For maximal security or for production use we recommend using our LDAP integration (see below).

1) Stop Wildfly:  sudo service wildfly stop

2) Open this file for editing: /opt/wildfly/standalone/configuration/

3) Add new lines to the file to define new users, using this format: username=passwordHash

Note: The passwords must be SHA-256 hashes that are Base64 encoded.

There are online tools that can do this for you such as: 

To use this tool, set the 'Algorithm' dropdown to 'SHA-256 (SHA-2)' and the 'Output Format' dropdown to 'Base64 Encoding'.

4) Open this file for editing: /opt/wildfly/standalone/configuration/

5) Add new lines to the file to list the roles that you want to grant to your users. Entries take the format of: username=role1,role2,role3

6) Start Wildfly: sudo service wildfly start


Let's create a user called "Fred" with the password "pass123" and we will give him write-access (the "HyperglanceActionsUser" role) to our Amazon "demo" account.
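The two file entries for such a user can also be generated locally, so the password never has to be pasted into an online tool. The script below is an added example, not Hyperglance's own code: the function names are hypothetical, UTF-8 password encoding and the username/role character checks are assumptions of the example, and topology-access roles are passed through as opaque strings.

```python
import base64
import getpass
import hashlib

REQUIRED_ROLE = "HyperglanceUser"  # the page: all users need this role, even admins


def password_hash(password: str) -> str:
    """Base64 of the raw SHA-256 digest (not of its hex text). UTF-8 is an assumption."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def _check_name(kind: str, value: str, forbidden: str) -> None:
    # Conservative rule chosen for this example: reject anything that could
    # split the key, start a comment, or inject an extra line into the file.
    if not value or any(c.isspace() or c in forbidden for c in value):
        raise ValueError(f"unsafe {kind}: {value!r}")


def user_entry(username: str, password: str) -> str:
    """Line for the users file, in the page's format: username=passwordHash"""
    _check_name("username", username, "=:#!\\")
    if not password:
        raise ValueError("empty password")
    return f"{username}={password_hash(password)}"


def roles_entry(username: str, roles: list[str]) -> str:
    """Line for the roles file, in the page's format: username=role1,role2,role3"""
    _check_name("username", username, "=:#!\\")
    for role in roles:
        _check_name("role", role, ",")  # topology roles are treated as opaque strings
    if REQUIRED_ROLE not in roles:
        raise ValueError(f"{username} lacks {REQUIRED_ROLE} and could not log in")
    return f"{username}={','.join(roles)}"


if __name__ == "__main__":
    name = input("Username: ")
    secret = getpass.getpass("Password: ")  # not echoed, not left in shell history
    print(user_entry(name, secret))
    print(roles_entry(name, [REQUIRED_ROLE, "HyperglanceActionsUser"]))
```

Append the topology-access role for the account to the list passed to `roles_entry` before copying the second line into the roles file.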





Using an LDAP Service or Active Directory

Users and roles can be managed through an LDAP service like Active Directory.

1) Stop Wildfly:  sudo service wildfly stop

2) Open this file for editing: /opt/wildfly/standalone/configuration/standalone.xml

3) Locate the LDAP login-module section. It starts with: <login-module code="Ldap"

4) Configure appropriate values for each <module-option> tag within this section. Many of the default values are already suitable for Active Directory, so if you are configuring for Active Directory then the module-options that you will need to set are these:

  • java.naming.provider.url - Please provide the URL to an Active Directory server. 
  • principalDNPrefix - Please provide text that will be automatically prefixed onto the username when authenticating, e.g. MYCOMPANYDOMAIN\ 
  • rolesCtxDN - Please provide the distinguished name to the context to search for user roles, e.g. OU=roles,DC=mycompany,DC=org

5) Start Wildfly:  sudo service wildfly start

More details about configuring the LDAP integration are available online: