Role-Based Access Control
Last updated
This section offers information on understanding role-based access control in the ThousandEyes platform and other organization settings. Below is an overview of the tabs and their contents that are related to role-based access control.
The Account Settings menu item provides a management interface for various aspects of your ThousandEyes account, such as managing information about your organization, its users and account groups, your current and projected usage, and viewing user activity on your account. This section offers information about the contents found on the Account Settings > Users and Roles and Account Settings > Organization Settings screens. For Account Settings > Usage and Billing, see Usage-Based Billing and for Account Settings > Activity Log, see User Activity.
Depending on your permissions, you might not see all the submenu items and their tabs and contents under the Account Settings menu item. For example, users with the Organization Admin role see the Users tab, which displays information about users in each account group within the organization. Users with the Account Admin role also see a Users tab, but are limited to seeing only those users in the account groups they are assigned to.
For information about roles and permissions, see Role-Based Access Control, Explained.
The Profile tab displays information about the user's organization(s), account groups(s) and assigned roles within those account groups. Here, users can modify their own username and email address (used for login to the ThousandEyes platform), change their password, set their login account group, and set their preferred timezone for the web interface.
If you need to update the email address you use for login to the ThousandEyes platform, do the following:
In the Email field, type the new email address.
Click Save Changes.
In both the new and the old email addresses, confirm the change.
The update takes effect only when confirmation is received from both email addresses. Until then, the user must continue to log in with the previous email address.
Note that this dual-confirmation approach applies whether you are interacting with the ThousandEyes user management via the ThousandEyes web UI, via the ThousandEyes API, or via SCIM.
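The dual-confirmation flow described above, modelled as a small state machine. This is an added illustration, not ThousandEyes code: the token format, the data model and the method names are assumptions. It shows the property that matters for account security: a single confirmation (from either mailbox) changes nothing, the old address keeps working until both tokens are presented, and a new request discards any half-confirmed earlier one.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PendingEmailChange:
    """A requested login-email change that is not yet effective.

    Two independent confirmation tokens are issued: one sent to the old
    address, one to the new. The change becomes effective only when both
    have been presented. (Illustrative model; not the platform's own.)
    """
    old_email: str
    new_email: str
    old_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    new_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    old_confirmed: bool = False
    new_confirmed: bool = False


class UserAccount:
    def __init__(self, login_email: str) -> None:
        self.login_email = login_email
        self.pending: Optional[PendingEmailChange] = None

    def request_email_change(self, new_email: str) -> PendingEmailChange:
        """Start a change; returns the pending record whose tokens would be mailed out."""
        if new_email.lower() == self.login_email.lower():
            raise ValueError("new address is the same as the current one")
        # Any earlier, half-confirmed request is discarded so that a stale
        # token cannot be combined with a token from a newer request.
        self.pending = PendingEmailChange(self.login_email, new_email)
        return self.pending

    def confirm(self, token: str) -> bool:
        """Apply one confirmation token. Returns True once the change is effective."""
        p = self.pending
        if p is None:
            return False
        # Constant-time comparison so timing does not reveal which token matched.
        if secrets.compare_digest(token, p.old_token):
            p.old_confirmed = True
        elif secrets.compare_digest(token, p.new_token):
            p.new_confirmed = True
        else:
            return False  # unknown token: no state change at all
        if p.old_confirmed and p.new_confirmed:
            self.login_email = p.new_email  # both sides agreed: switch login address
            self.pending = None
            return True
        return False

    def can_log_in_with(self, email: str) -> bool:
        """Login is checked against the effective address only, never the pending one."""
        return email.lower() == self.login_email.lower()


if __name__ == "__main__":
    acct = UserAccount("alice@example.com")       # constructed sample user
    req = acct.request_email_change("alice.new@example.com")
    print("after new-side confirm:", acct.confirm(req.new_token), acct.login_email)
    print("after old-side confirm:", acct.confirm(req.old_token), acct.login_email)
```

The same rule applies whichever channel initiated the change (web UI, API or SCIM), which is why the state lives on the account rather than in the UI session.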
Each user's password must be at least eight characters in length, and must contain at least three of the following types of characters:
Digits
Symbols
Uppercase letters
Lowercase letters
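A checker for the complexity rule just stated (at least eight characters, at least three of the four character classes), written here as an added example rather than taken from the platform. It returns every violation instead of a bare yes/no, which is what a provisioning script or a pre-submit check wants to report back. One assumption: "symbols" is taken to mean printable ASCII punctuation, and whitespace counts toward length but toward no class.

```python
import string
from typing import List, Set

MIN_LENGTH = 8         # from the page: at least eight characters
REQUIRED_CLASSES = 3   # from the page: at least three of the four classes

# Assumption: "symbols" means printable ASCII punctuation.
CHARACTER_CLASSES = {
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
    "uppercase letters": set(string.ascii_uppercase),
    "lowercase letters": set(string.ascii_lowercase),
}


def character_classes(password: str) -> Set[str]:
    """Names of the character classes that occur at least once in the password."""
    present = set()
    for ch in password:
        for name, members in CHARACTER_CLASSES.items():
            if ch in members:
                present.add(name)
    return present


def check_password(password: str) -> List[str]:
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} of {MIN_LENGTH} required characters")
    present = character_classes(password)
    if len(present) < REQUIRED_CLASSES:
        missing = ", ".join(sorted(set(CHARACTER_CLASSES) - present))
        problems.append(
            f"only {len(present)} of {REQUIRED_CLASSES} required character classes "
            f"(missing: {missing})"
        )
    return problems


if __name__ == "__main__":
    # Constructed samples covering each way the rule can fail.
    for sample in ["Password1", "password", "Ab1!", "abcdefgh1"]:
        print(repr(sample), check_password(sample) or "ok")
```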
If the user is a member of more than one account group (in one or in multiple organizations), they can select their Login Account Group. This determines into which account group the user is placed upon login. Once logged in, users can switch between account groups with the Current Account Group selector in the User menu, as described in Switching Account Groups.
For users with API access enabled (i.e., users with the API access permission), the User API Tokens section is visible, containing the API authentication tokens.
Two types of API authentication token are available: a token for HTTP Basic authentication and a token for OAuth-based authentication.
To issue or regenerate a user API token, you will need to receive and enter a multi-factor authentication (MFA) code sent to the email attached to the current user, to confirm the user permissions.
A user with the View roles permission will be able to see the Roles tab containing a table of all security roles defined within the organization (columns) and permissions associated with each role (rows):
See Role-Based Access Control, Explained for detailed information about the ThousandEyes permission system and Built-in Roles and Permissions for a complete list of roles and permissions.
The Users tab is visible for users having the View all users permission. As the name suggests, this section allows general user management:
Clicking on any entry in the table opens a side panel and presents management options for the user's name, email address, and account group associations, not unlike what each user sees in their Profile tab:
At the top, the + New Users button opens a similar dialog, displayed in the figure below. This dialog has one additional feature: multiple users can be created in one step, with identical account group and role associations. To create multiple users in one step, add multiple email addresses into the Emails field. You can add multiple emails either by pressing the Enter key after each email address is typed in, or by pasting a comma-separated list of email addresses into the field:
As shown in the previous figure (the expanded user entry figure above), each user can be a member of multiple account groups. In each account group, the user can have more than one role assigned. The permission list granted to the user within each account group is a union of permissions across all roles assigned to the user in that account group. For example, if the user has the Account Admin and Regular User roles, they will have the combined permissions of both roles.
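The permission model described above, resolved in code as an added example (not the platform's own implementation). The role definitions below are constructed for illustration; the real permission sets of the built-in roles are in Built-in Roles and Permissions. The point shown is that permissions are computed per account group as the union of the roles held in that group, so a user who is Account Admin in one group gains nothing from that role when working in another group where they hold only Regular User.

```python
from typing import Dict, FrozenSet, Set

# Constructed role definitions for illustration only.
ROLES: Dict[str, FrozenSet[str]] = {
    "Regular User": frozenset({"View tests", "View reports"}),
    "Account Admin": frozenset({"View all users", "Edit users", "View roles"}),
    "API Only": frozenset({"API access"}),   # hypothetical custom role
}

# account group name -> set of role names the user holds in that group
Membership = Dict[str, Set[str]]


def effective_permissions(membership: Membership, account_group: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds in the given account group.

    A group the user is not a member of yields no permissions at all.
    """
    roles = membership.get(account_group)
    if not roles:
        return frozenset()
    granted = set()
    for role in roles:
        if role not in ROLES:
            # Fail closed: an unknown role name is a configuration error, not a no-op.
            raise ValueError(f"unknown role {role!r} in account group {account_group!r}")
        granted |= ROLES[role]
    return frozenset(granted)


def has_permission(membership: Membership, account_group: str, permission: str) -> bool:
    """Authorization check in the context of the currently selected account group."""
    return permission in effective_permissions(membership, account_group)


if __name__ == "__main__":
    # Constructed sample: the same user holds different roles in two groups.
    user = {
        "QA PROD": {"Account Admin", "Regular User"},
        "ThousandEyes Support": {"Regular User"},
    }
    for group in user:
        print(group, sorted(effective_permissions(user, group)))
```

Switching the Current Account Group (see Switching Account Groups) changes only the `account_group` argument; nothing about the user's roles elsewhere carries over.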
For an extensive description of the ThousandEyes role-based permission system, see Role-Based Access Control, Explained and for a complete list of roles and permissions, see Built-in Roles and Permissions.
For users with the View all account groups permission, the Account Groups tab will be visible. This tab displays all account groups defined in the organization, along with the number of users and Enterprise Agents present in each account group. Users with the Edit all account groups permission can add, manage, and delete account groups:
Expanding a row in the Account Groups table displays the account group's details and allows changes to the account group's name. The account group token is also displayed for users to copy when installing Enterprise Agents.
An account group's Enterprise Agents can be displayed in the Enterprise Agents drop-down. Enterprise Agents available to the current account group are displayed with checked boxes. Agents from other account groups can be checked to make them available to this account group or can be unchecked to remove them from the current account group. A checked and greyed out entry indicates an agent for which the current account group is the primary account group (i.e., the agent was created with the current account group's token) and thus cannot be deselected:
See Ways of Separating Account Groups which offers guidance about different ways to set up multiple account groups, and ways to share resources across them.
As explained above, each user can have access to more than one account group. Those account groups can even span across multiple organizations. Additionally, users with the Organization Admin role (or similar) have access to all account groups defined within the organization. This allows the user to view tests, shares, reports, and agents assigned to each of the account groups belonging to the organization.
The following figure on the left shows the currently active context of the "QA PROD" account group (1). The figure on the right shows the expanded drop-down listing all account groups available to the user, from multiple organizations (2). Below the ThousandEyes Support organization (in gray) is the "ThousandEyes Support" (3) account group. Under the ThousandEyes Internal organization there are 4 other account groups. In this example QA PROD is listed in another organization further up in the menu selection:
Security and Authentication, SSO setup and Organization Default Time Zone Settings are found under Account Settings > Organization Settings:
The Security and Authentication tab provides configuration of the following aspects of your ThousandEyes account:
SCIM Settings - To complement the SSO, SCIM-based automatic user provisioning is supported. For further information, see ThousandEyes Support for SCIM.
Single Sign-On (SSO) Settings. For information about how to configure SSO, see How to Configure Single Sign-On (SSO).
Password Expiration - Policy configuration for users who are allowed to use interactive login.
Organizations can optionally enforce a password expiry period within their organization. Users with the Edit security & authentication settings permission can define a password expiration rule forcing password expiry every 3, 10, 30, 60, 90, or 120 days. You must first check the box to Enable password expiration, then set the expiration period. For organizations using SSO, this applies to ThousandEyes passwords, not to passwords managed by your SSO provider.
The Password recycle count sets the number of passwords a user must use before a previously used password can be reused. The count can be set to a value up to ten. Selecting Default means that users cannot reuse their current password as the new password.
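The two policy settings just described, expressed as a checker you could run against your own user records; this is an added example, not ThousandEyes code, and the hashing scheme and record layout are assumptions. Expiration is taken literally from the page (only the listed periods are accepted, and the check applies to platform passwords, not SSO-managed ones). The recycle count is interpreted as "the N most recent passwords, counting the current one, are blocked", with Default blocking only the current password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ALLOWED_EXPIRY_DAYS = (3, 10, 30, 60, 90, 120)   # from the page
MAX_RECYCLE_COUNT = 10                           # from the page


@dataclass(frozen=True)
class PasswordPolicy:
    expiration_days: Optional[int]   # None = "Enable password expiration" unchecked
    recycle_count: Optional[int]     # None = "Default": only the current password is blocked

    def __post_init__(self) -> None:
        if self.expiration_days is not None and self.expiration_days not in ALLOWED_EXPIRY_DAYS:
            raise ValueError(f"expiration period must be one of {ALLOWED_EXPIRY_DAYS}")
        if self.recycle_count is not None and not 1 <= self.recycle_count <= MAX_RECYCLE_COUNT:
            raise ValueError(f"recycle count must be between 1 and {MAX_RECYCLE_COUNT}")


def hash_password(password: str) -> str:
    """Salted PBKDF2 record 'salt_hex$hash_hex' (assumed storage format, constructed here)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """True when the password is older than the configured expiry period."""
    if policy.expiration_days is None:
        return False
    return now - last_changed >= timedelta(days=policy.expiration_days)


def reuse_blocked(policy: PasswordPolicy, candidate: str, history: List[str]) -> bool:
    """history holds password records, most recent (current) first.

    Interpretation assumed here: with recycle count N the N most recent
    passwords are blocked; Default behaves like N = 1.
    """
    blocked = 1 if policy.recycle_count is None else policy.recycle_count
    return any(verify_password(candidate, record) for record in history[:blocked])


if __name__ == "__main__":
    policy = PasswordPolicy(expiration_days=90, recycle_count=3)
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("expired after 90 days:", is_expired(policy, now - timedelta(days=90), now))
    history = [hash_password(p) for p in ["Curr3nt!", "Prev1ous!", "0lder!", "Anc1ent!"]]
    print("can reuse oldest:", not reuse_blocked(policy, "Anc1ent!", history))
```

Keep the expiry check in whatever tooling audits accounts that still use interactive login; SSO users never hit it because their passwords live with the identity provider.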
The extensive list of permissions can be narrowed down by using the search bar at the top. New roles can be defined by either clicking the + New Role button on the right of the screen or by cloning one of the existing roles by clicking the icon under its name.
To change the current account group context, click the icon in the upper right corner of the ThousandEyes platform and expand the Current Account Group drop-down menu. This will allow you to switch into another account group context.