Role-Based Access Control, Explained

The ThousandEyes platform provides a Role-Based Access Control (RBAC) model for user and user group management. RBAC provides two principal benefits. First, RBAC eliminates the hierarchical relationships between users, account groups and organizations. Under RBAC, users may belong to more than one account group. Second, RBAC provides the flexibility to configure permissions that were previously fixed within the three predefined roles. With RBAC you can create roles for users which will allow them to do everything which is needed via the UI or API and no more.
For example, an employee who needs to administer their company’s ThousandEyes users in multiple accounts was previously required to have the Organization Admin role, which provided permissions not only to administer all users in every account but also permissions to access billing information for all accounts. Under RBAC, you may assign Roles which have permissions for only user administration tasks in only the Account Groups needed, and not grant permissions for billing or other tasks within those account groups.
For a complete list of all available Permissions, their descriptions and what Permissions are assigned to each of the built-in Roles see the table below.

Terminology in RBAC

Account groups are assigned to users who have roles within each account group. A user can be in one or many account groups, and users can be assigned to one of three built-in roles (Organization Admin, Account Admin and Regular User) which have fixed permissions, or they can be assigned to a custom role. Under RBAC, a customer may create multiple new custom roles and unique permission sets.
With RBAC, users are associated with the organization. The Account Admin role does not have the permissions required to create, edit, or delete users. To provide this capability, the user must have a role that carries the Edit users permission.

Working with RBAC

Managing users is done under Account Settings > Users and Roles, on the Roles, Users, and Account Groups tabs. Users can also modify their own settings under the Profile tab.

Default Built-In Roles

All accounts come preloaded with 3 default roles: Organization Admin, Account Admin, and Regular Users. The permissions assigned to these predefined roles are fixed, but you can duplicate any of these roles and then customize them to suit your requirements. The ThousandEyes platform has almost 100 permissions to choose from. For a full list of permissions assigned to the predefined roles, see the Roles and Permissions Table.
When new permissions are added to the permissions table, for example when a new feature requires a new set of permissions, only the default roles are automatically updated with the new permission settings. If you want to turn on the new permissions for users in custom roles, you will need to turn them on manually.
When you hover over a permission title, a tooltip appears that explains what the permission does. For instructions on how to use the features on the Roles tab, see Managing Roles.
The permissions assigned to a user with an Organization Admin role (or similar) enables them to do the following:
  • access all Account Groups defined within the organization
  • fully manage all Users and Roles
  • view and create tests, shares, dashboards and reports
  • Assign agents to any Account Group belonging to the organization.
  • Edit security settings, view billing information and change payment details.
The permissions assigned to a user with an Account Admin role (or similar) allow the following:
The Account Admin role has permissions to create, edit, or delete users within their assigned account group only.
The permissions assigned to a user with a Regular Users role (or similar) enables them to do the following:
  • access all test results and read-only access to test settings
  • customize their dashboards
  • reset their password
  • create and delete their own shares, snapshots
  • check their own activity log
  • run instant tests but are not able to save/create them

Managing Roles

Roles and permission settings are all contained under the Account Settings > Users & Roles > Roles tab. To create a new role or update an existing role:
  1. 1.
    Click + New Role at the top left to create a new role, or click the pencil icon below each role name to update an existing role.
  2. 2.
    The Role-based Permission Controls dialog opens, with which you can modify role permissions.
  3. 3.
    After editing the role, click Save to save your changes.
To edit a default built-in role, you must first duplicate it, then customize it.
  • Search bar - Search for matching permissions using a string such as "email" or "alert". The number of results is shown in parentheses next to the Show label to the left of the search bar.
  • The dropdown next to the Show label provides additional "shortcut" filters in two categories. The two QUICK FILTER options are:
    • All Permissions - displays the full list of permissions that match the search string
    • Management Permissions - displays only management permissions that match the search string
  • The RELATED COMPONENT filter options are:
    • API
    • Admin
    • Alerts
    • BGP
    • Cloud and Enterprise Agents
    • Dashboard
    • Devices
    • Endpoint Agents
    • Labels
    • Live Shares
    • Saved Events
    • Snapshots
    • Tests
  • Permission names - Permission names which match the current search string are listed in the left column.
  • Roles - All built-in roles and any customer-defined roles are listed in the top row.
  • Management permissions - A user-and-lock icon next to a permission name indicates that the permission is a management permission, and should be treated with caution. With management permissions, a user can:
    • Change their own or another user's permissions or scope of permissions.
    • View and edit billing information.
    • Manage quotas.
    • Delete accounts.
  • Role change icons - The pencil, copy and trash icons below the role names are for editing, copying, and deleting existing roles.

Custom Role Example

The following table is an example of a commonly configured custom role used by ThousandEyes users.
NOC wallboard monitor for displaying dashboards
Enable users to log in, keeps their session alive, view dashboards and any report type widgets used within a dashboard.
  • View reports (if you have report widgets in your dashboard)
  • Login via Single Sign-on/ThousandEyes login page
  • Keep session alive on auto-update

Add a New Account Group

To add a new account group:
  1. 2.
    Click New Account Group.
  2. 3.
    Enter the name of the new account group.
  3. 4.
    Select Enterprise Agents to assign to this account group.
  4. 5.
    Click Add New Account Group to save your new account group.

Switch between Account Groups

To switch between account groups:
  1. 1.
    Click on your account name in the top-right corner.
  2. 2.
    Choose the account group you would like to switch to from the drop-down:

Edit an Account Group

To edit an account group:
  1. 1.
    Click the name of the account group. The Edit Account Group dialog opens.
  2. 2.
    The Account Group Token is used when assigning Enterprise Agents to this account group. Agents can be assigned to multiple account groups.
  3. 3.
    Click Save Changes to save the changes or Cancel to exit without saving.

Deleting an Account Group

To delete an account group:
  1. 1.
    Click the name of the account group.
  2. 2.
    In the Edit Account Group dialog, click the trash can icon to delete the account group.

Managing Users

You can add, edit, or assign users to one or more account groups on the Users tab.
  • Search bar - Search the User, Email or Account Groups columns for a text string or substring.
  • User - An alphabetized list of users in the organization. Click the arrow icon beside User to reverse the sort order. A User entry will be a dash ( -- ) if the user has not yet performed the registration process per the account registration email, after account creation.
  • Email - A list of user email addresses, which are used as logins to the ThousandEyes platform.
  1. 6.
    Account Groups - lists the Account Groups to which the user belongs. "All" indicates membership in the built-in account group whose name is "All account groups".
  • Management Permissions - A user-and-lock icon next to an email address indicates that this user possesses management permissions.
  • Pending Registration - A red triangle icon next to a user indicates that the user has not yet completed the registration process as provided for in the registration email sent from the ThousandEyes platform. If you haven’t received a registration email within 24 hours and you are getting the notification above, please reach out to the Customer Engineering team and request their assistance. Note: One registration email can be sent per 24 hours using the Resend registration email link in the Edit User dialog. If you attempt to send more than one in the 24-hour period, a warning message is displayed: "A registration email has been sent to this user in the past 24 hours."

Adding Users

To add new users:
  1. 1.
    Click New Users. The New Users dialog appears.
  2. 2.
    Enter one or more email addresses that users will use to log into the ThousandEyes platform. Use a comma as a delimiter to add multiple email addresses.
  3. 3.
    Select the user(s) account group(s) using the Account Groups drop-down menu. Multiple account groups are permitted. The selection affects all users listed in the Emails field.
  4. 4.
    Select the user(s) Roles within the scope of the associated account group. Multiple roles are permitted.
  5. 5.
    Click the + icon to add a new account group and associated roles. For a multi-account group assignment, click the - icon to remove an account group and associated roles.
  6. 6.
    In the Login Account Group field, select the initial account group the user will log in with. If a user is a member of multiple account groups, they will be able to switch account groups using the Switch Account Groups link under their username in the upper-right corner of the interface.
  7. 7.
    Click Add New Users to save your changes. An email with instructions to complete registration will be automatically sent to each address.
Note: When creating new users, the name of the user(s) are not entered by the administrator. After the user account is created, the user receives an email from the ThousandEyes platform requesting that the user complete the registration process. This permits the user to provide their name string. If the administrator wishes to provide the name, the Edit User panel under the Users tab allows for manual entry.

Edit a User

To edit an existing user:
  1. 1.
    In the Users tab, click any user entry in the table to open the Edit User dialog.
  2. 2.
    Update the required fields. Note: The name field is blank if the user has not completed registration.
If a user's email address is updated: * The user must validate this change before they can log in or execute API operations. * The user will no longer be associated with any alerts to which their previous email address was associated.
3. Click **Save Changes** to save the changes or **Cancel** to exit without saving.

Deleting a User

To delete a user:
  1. 1.
    In the Users tab, click any user entry in the table to open the Edit User dialog.
  2. 2.
    Click the trash can icon at the bottom left to delete the user.

Roles and Permissions Table

Permission Name
Permission Description
Organization Admin
Account Admin
Regular User
Accept inbound live shares
Be able to accept a live share of a test
x
x
Administer WAN Insights *
Be able to make changes to administer WAN Insights
x
x
API access
Full access to ThousandEyes API
x
x
x
Assign agent to account group
Creating agents in and sharing agents to an account group
x
Assign email address of users to alerts
Add subscriber emails to alerts
x
x
Assign management permissions
Assign management permissions
x
Be able to view my own saved events
Be able to view events saved by me
x
x
x
Can add or modify tests to consume over 100% resources
Ability to create and modify tests that would consume more than the purchased resource amount. This permission would only apply if your account has overage enabled.
x
x
Create live shares for inside the organization
Be able to create live shares to share with other account groups in the organization
x
x
Create live shares for outside the organization
Be able to share data with other organizations
x
x
Create saved events
Be able to save an event within views
x
x
x
Create snapshot shares
Be able to create and share a snapshot within views
x
x
x
Create web transaction tests
Be able to create a web transaction tests that records various transactions during a webpage interaction. The "Edit tests" permission is also required for this permission to work.
x
x
Delete account
Delete Account Group
x
Download Endpoint Agents
Be able to download a custom endpoint agent installer for the organization to use within different account groups
x
x
Edit agent notifications
Be able to edit agent notification rules in agent settings
x
x
Edit agents in account group
Be able to modify enterprise agents and their configurations (e.g. proxy settings) in an account group
x
x
Edit alert rules
Be able to create and edit the alert rules for a test
x
x
Edit alert suppression windows
Be able to configure and edit an alert suppression window
x
x
Edit all account groups
Be able to create and edit all account group settings
x
Edit BGP monitors
Be able to create and edit private BGP monitors
x
x
Edit dashboard templates for all users in account group
Be able to edit dashboard templates for all users within an account group
x
x
Edit dashboards for all users in account group
Be able to edit dashboards for all users in an account group
x
x
Edit default timezone settings
Be able to edit organization-wide timezone settings
x
Edit device notifications
Be able to edit device notifications in device layer view
x
x
Edit endpoint agent monitored domain sets
Be able to edit the monitored domain sets by endpoint agents
x
x
Edit endpoint agent monitored networks
Be able to edit the monitored networks by endpoint agents
x
x
Edit endpoint agent settings
Be able to modify endpoint agents and their configurations in an account group
x
x
Edit endpoint tests
Be able to edit endpoint tests
x
x
Edit Internet Insights - Catalog settings
Be able to modify catalog entries
x
x
Edit labels
Edit labels
x
x
Edit live shares sent by all users in account group
Be able to edit the live shares sent by all users in an account group
x
x
Edit live shares shared by ThousandEyes
Be able to edit the live shares shared by ThousandEyes
x
x
Edit my domains
Be able to write the domains to be monitored
x
x
Edit organization and account group quotas
In order to edit quotas, you must also be able to view usage and billing
x
Edit own dashboard templates
Be able to edit your personal dashboard template
x
Edit own live shares
Be able to edit own live shares
x
Edit own report snapshots
Be able to edit report snapshots created by you
x
Edit own reports
Be able to edit your reports created by you
x
Edit own saved events
Be able to edit your own saved events
x
x
Edit own saved events for all users in account group
Be able to edit all saved events within an account group
x
x
Edit own snapshots
Be able to edit your own snapshots
x
Edit Path Visualization interface groups
Be able to edit interface groups in test views
x
x
Edit payment and contact details
Be able to edit the billing information and credit card information
x
Edit roles
Be able to edit the roles. This is a separate tab that will appear in Account Settings to users with this permission
x
Edit security & authentication settings
Be able to modify security and authentication settings. This is a separate tab that will appear to users with this permission
x
Edit snapshots for all users in account group
Be able to edit all snapshots in an account group
x
Edit snapshots shared by all users in account group
Be able to edit all shared snapshots in an account group
x
x
Edit streaming integrations
Be able to edit streaming integrations
x
Edit tests
Be able to create and edit tests
x
x
Edit user email addresses
Be able to edit email addresses of all users
x
x
Edit users
Be able to create and edit users in an account group
x
x
Edit users in all account groups
Be able to create and edit users in an organization
x
Embed own widgets
Embed your own widgets into other applications
x
Embed widgets for all users in account group
Embed widgets within an account group in other applications
x
x
Internet Insights - Catalog settings
Be able to view Internet Insights - Catalog set
x
x
x
Keep session alive on auto-update
Be able to keep the ThousandEyes session alive during an auto-update
x
x
x
Login via Single Sign-On
Be able to login by using SSO
x
x
x
Login via ThousandEyes login page
Be able to login by typing username and password interactively into ThousandEyes
x
x
x
Set dashboard template as account group default
Be able to set default dashboards for an account group
x
x
Set report template as account group default
Be able to set default reports for an account group
x
x
View activity log for all users in account group
Be able to view an account group's activity log. The activity log will appear in a new tab within Account Settings for users with this permission
x
x
View agent notifications
Be able to receive enterprise agent notifications
x
x
View agents in account group
Be able to view Enterprise Agents settings and their configurations (e.g. proxy settings) in an account group
x
x
x
View alert rules
Be able to view alert rules
x
x
x
View alert suppression windows
Be able to view alert suppression windows
x
x
x
View all account groups settings
Be able to view account group settings
x
View all users
Be able to view all users in an organization
x
x
View BGP monitors
Be able to view all privately created BGP monitors
x
x
x
View billing
Be able to view the billing tab
x
View dashboards
Be able to view dashboards
x
x
x
View device notifications
Be able to receive and view device notifications
x
x
x
View endpoint agent data
Be able to view endpoint agent data
x
x
x
View endpoint agent monitored domain sets
Be able to view endpoint agent monitored domain sets
x
x
x
View endpoint agent monitored networks
Be able to view endpoint agent monitored networks
x
x
x
View endpoint agent settings
Be able to view endpoint agent settings
x
x
x
View endpoint data that identifies users
Be able to view endpoint data that identifies users
x
x
x
View endpoint data that identifies network
Be able to view endpoint data that identifies network
x
x
x
View endpoint data that identifies endpoint agents
Be able to view endpoint data that identifies endpoint agents
x
x
x
View endpoint data that identifies visited pages
Be able to view endpoint data that identifies visited pages
x
x
x
View endpoint tests
Be able to view endpoint tests
x
x
x
View labels
Be able to view labels within an account group
x
x
x
View live shares shared by ThousandEyes
Be able to view live shares created by ThousandEyes
x
x
x
View live sharings from all users in account group
Be able to view live shares in an account group
x
x
View my domains
Be able to view my own domains
x
x
x
View organization usage
Be able to view my organization's units and licenses consumption
x
View own activity log
Be able to view my own activity log
x
View own live shares
Be able to view my own live shares
x
View own snapshots
Be able to view snapshots saved by me
x
View roles
Be able to view the Roles tab within Account Settings
x
View security & authentication settings
Be able to view the security and authentication settings for an organization within Account Settings
x
View sensitive data in web transaction scripts
Be able to view sensitive data in transactions scripts in a transaction test
x
x
View snapshots
Be able to view snapshots shared to me in an account group
x
x
x
View snapshots shared by all users in account group
Be able to view snapshots shared by all users in an account group
x
x
View streaming integrations
Be able to view streaming integrations
x
x
x
View tests
Be able to view the tests created in an account group
x
x
x
View user activity in all account groups
Be able to view the activity log for the organization within Account Settings
x
View WAN Insights *
Be able to view WAN Insights
x
x
x
View WAN Insights anonymously *
Be able to view WAN Insights anonymously
* You will only see WAN Insights permissions on the permissions list on the platform if your organization has activated WAN Insights. For more information, see the WAN Insights documentation.