Role-Based Access Control

This section offers information on understanding role-based access control in the ThousandEyes platform and other organization settings. Below is an overview of the tabs and their contents that are related to role-based access control.

Account Settings

In Manage > Account Settings, you can edit various aspects of your ThousandEyes account, such as information about your organization, its users and account groups, your current and projected usage, and viewing user activity on your account. This section offers information about the contents found on the Manage > Account Settings > Users and Roles and Manage > Account Settings > Organization Settings screens. For Manage > Account Settings > Usage and Billing, see Usage-Based Billing and for Manage > Account Settings > Activity Log, see User Activity.

Depending on your permissions, you might not see all the submenu items and their tabs and contents under Manage > Account Settings. For example, users with the Organization Admin role see the Users tab on the Users and Roles screen, which displays information about users in each account group within the organization. Users with the Account Admin role also see a Users tab, but are limited to seeing only those users in the account groups they are assigned to.

For information about roles and permissions, see Role-Based Access Control, Explained.

Users and Roles

Profile Screen

The Manage > Account Settings > Users and Roles > Profile screen displays information about the user's organization(s), account groups(s) and assigned roles within those account groups. Here, users can modify their own username and email address (used for login to the ThousandEyes platform), change their password, set their login account group, and set their preferred timezone for the web interface.

Updating Your Email Address

If you need to update the email address you use for login to the ThousandEyes platform, do the following:

  1. In the Email field, type the new email address.

  2. Click Save Changes.

  3. In both the new and the old email addresses, confirm the change.

    The update takes effect only when confirmation is received from both email addresses. Until then, the user must log in from the previous email address.

Note that this dual-confirmation approach applies whether you are interacting with the ThousandEyes user management via the ThousandEyes web UI, via the ThousandEyes API, or via SCIM.

Password Requirements

Each user's password must be at least eight characters in length, and must contain at least three of the following types of characters:

  • Digits

  • Symbols

  • Uppercase letters

  • Lowercase letters

Login Account Group

If the user is a member of more than one account group (in one or in multiple organizations), they can select their Login Account Group. This determines into which account group the user is placed upon login. Once logged in, users can switch between account groups with the Current Account Group selector under the user icon, as described in Switching Account Groups.

User API Tokens

For users with API access enabled (i.e., users with the API access permission), the User API Tokens section is visible, containing the API authentication tokens.

Two types of API authentication token are available: a token for HTTP Basic authentication and a token for OAuth-based authentication.

To issue or regenerate a user API token, you will need to receive and enter a multi-factor authentication (MFA) code sent to the email attached to the current user, to confirm the user permissions.

MFA token

Roles Screen

A user with the View roles permission will be able to see the Manage > Account Settings > Users and Roles > Roles screen containing a table of all security roles defined within the organization (columns) and permissions associated with each role (rows):

The extensive list of permissions can be narrowed down by using the search bar at the top. New roles can be defined by either clicking the + New Role button on the right of the screen or by cloning one of the existing roles by clicking the icon under its name.

See Role-Based Access Control, Explained for detailed information about the ThousandEyes permission system and Built-in Roles and Permissions for a complete list of roles and permissions.

Users Screen

The Manage > Account Settings > Users and Roles > Users screen is visible for users having the View all users permission. As the name suggests, this section allows general user management.

Clicking on any entry in the table opens a side panel and presents management options for the user's name, email address, and account group associations, not unlike what each user sees in their Profile screen.

At the top, the + New Users button opens a similar dialog, displayed in the figure below. This dialog has one additional feature - multiple users can be created in one step, with identical account group and role associations. To create multiple users in one step, simply add multiple email addresses into the Emails field. You can add multiple emails by either pressing the Enter key after each email address is typed in, or by pasting a comma-separated list of email addresses into the field:

As shown in the previous figure (the expanded user entry figure above), each user can be a member of multiple account groups. In each account group, the user can have more than one role assigned. The permission list granted to the user within each account group is a union of permissions across all roles assigned to the user in that account group. For example, if the user has the Account Admin and Regular User roles, they will have the combined permissions of both roles.

For an extensive description of the ThousandEyes role-based permission system, see Role-Based Access Control, Explained and for a complete list of roles and permissions, see Built-in Roles and Permissions.

Account Groups Screen

For users with the View all account groups permission, the Manage > Account Settings > Users and Roles > Account Groups screen is visible. This screen displays all account groups defined in the organization, along with the number of users and Enterprise Agents present in each account group. Users with the Edit all account groups permission can add, manage, and delete account groups.

Expanding a row in the Account Groups table displays the account group's details and allows changes to the account group's name. The account group token is also displayed for users to copy when installing Enterprise Agents.

An account group's Enterprise Agents can be displayed in the Enterprise Agents drop-down. Enterprise Agents available to the current account group are displayed with checked boxes. Agents from other account groups can be checked to make them available to this account group or can be unchecked to remove them from the current account group. A checked and greyed out entry indicates an agent for which the current account group is the primary account group (i.e., the agent was created with the current account group's token) and thus cannot be deselected:

See Ways of Separating Account Groups which offers guidance about different ways to set up multiple account groups, and ways to share resources across them.

Switching Account Groups

As explained above, each user can have access to more than one account group. Those account groups can even span across multiple organizations. Additionally, users with the Organization Admin role (or similar) have access to all account groups defined within the organization. This allows the user to view tests, snapshots, dashboards, and agents assigned to each of the account groups belonging to the organization.

To change the current account group context, click the user icon in the upper right corner of the ThousandEyes platform and expand the Current Account Group drop-down menu. This will allow you to switch into another account group context.

The following figure on the left shows the currently active context of the "QA PROD" account group (1). The figure on the right shows the expanded drop-down listing all account groups available to the user, from multiple organizations (2). Below the ThousandEyes Support organization (in gray) is the "ThousandEyes Support" (3) account group. Under the ThousandEyes Internal organization there are 4 other account groups. In this example QA PROD is listed in another organization further up in the menu selection.

Organization Settings

Single sign-on setup, user provisioning, organization security profile, credential repository, and organization default timezone settings are found under Manage > Account Settings > Organization Settings.

Security and Authentication Screen

The Manage > Account Settings > Organization Settings > Security and Authentication screen provides configuration of the following aspects of your ThousandEyes account:

  • Single Sign-On (SSO) Settings - For information about how to configure SSO, see How to Configure Single Sign-On (SSO).

  • SCIM Settings - To complement the SSO, SCIM-based automatic user provisioning is supported. For further information, see ThousandEyes Support for SCIM.

  • Organization Security Profile

    • Password Expiration - Policy configuration for users who are allowed to use interactive login.

      • Organizations can optionally enforce a password expiry period within their organization. Users with the Edit security & authentication settings permission can define a password expiration rule forcing password expiry every 3, 10, 30, 60, 90, or 120 days. You must first check the box to Enable password expiration, then set the expiration period. For organizations using SSO, this applies to ThousandEyes passwords, not to passwords managed by your SSO provider.

    • The Password recycle count allows users to set the number of passwords a user must use before a previously used password can be reused. The count options go up to ten. If you select Default, that means users cannot reuse the current password for the new password.

PreviousAuthorizationNextRole-Based Access, Explained

Last updated