Users, groups and roles

Authentication & Authorization

Self-Service supports different means of authentication for users.

We support OAuth2, SAML, LDAP and other protocols via Keycloak.

This means the user can log in with their own corporate credentials. Once the user has logged in, authorization is handled by Self Service through a combination of RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control).

Roles & Permissions

In a DevOps culture, applications, topics and environments are maintained by the teams responsible for those entities. That is exactly why ownership of resources in Self Service is based on a group (team).

High Level Permissions

At a high level, AUTHOR permissions are necessary to create a resource and assign an owner. After the resource has been created, the group ownership is used to determine the user’s permissions. Users with ADMIN rights on specific resources can create and modify resources even though they are not the owner. For an overview, see the table below.

Table 1. Permissions for Applications, Topics, Environments and Schemas

                      View  Create  Edit  Delete  Roles
  Authenticated user  X     -       -     -       -
  Author              X     X       -     -       Application Author, Topic Author, Environment Author, Schema Author
  Owner               X     X       X     X       -
  Admin               X     X       X     X       Application Admin, Topic Admin, Environment Admin, Schema Admin, Tenant Admin (see below)

Application Permissions

When a user has Edit permissions on an Application, the user has the following additional permissions:

Topic Permissions

When a user has Edit permissions on a Topic, the user has the following additional permissions:

Viewing Topic Messages

Access to the messages of a topic is granted based on the following permissions:

  • If you are a topic owner: you can see the messages on topics you own

  • If you are a tenant admin: you can see the messages on any topic in any environment

  • If you are an application owner of a connected application: you can see the messages on any topic, in authorized environments
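The following Python model shows how the decisions described in Table 1 and in the topic-message rules above fit together: roles (RBAC) decide who may create, while the owner group of the resource (an attribute, ABAC) decides who may edit or delete it. It is an added illustration, not Axual's code; the class names, function names and the exact role strings ("Topic Author", "Tenant Admin", and so on) are assumptions, and the sample users, topic and application are constructed.

```python
from dataclasses import dataclass

# Constructed model of the Self-Service permission rules (Table 1 and the
# topic-message rules). Added illustration, not Axual's code; the class,
# function and role-string names are assumptions.

RESOURCE_TYPES = ("Application", "Topic", "Environment", "Schema")


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset   # groups (teams) the user belongs to
    roles: frozenset    # e.g. "Topic Author", "Schema Admin", "Tenant Admin"


@dataclass(frozen=True)
class Resource:
    type: str           # one of RESOURCE_TYPES
    name: str
    owner_group: str    # ownership belongs to a group, not to a user


@dataclass(frozen=True)
class Application:
    name: str
    owner_group: str
    # (topic name, environment name) pairs in which the application is authorized
    authorized: frozenset


def effective_role(user: User, resource: Resource) -> str:
    """Classify the user against one resource; the most privileged class wins."""
    if resource.type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type {resource.type!r}")
    if "Tenant Admin" in user.roles or f"{resource.type} Admin" in user.roles:
        return "Admin"
    if resource.owner_group in user.groups:
        return "Owner"
    if f"{resource.type} Author" in user.roles:
        return "Author"
    return "Authenticated"


# Table 1, expressed as the set of actions each class may perform.
ALLOWED_ACTIONS = {
    "Authenticated": frozenset({"view"}),
    "Author": frozenset({"view", "create"}),
    "Owner": frozenset({"view", "create", "edit", "delete"}),
    "Admin": frozenset({"view", "create", "edit", "delete"}),
}


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Decide one action. For 'create', pass the resource as it would exist,
    including the owner group the author wants to assign to it."""
    return action in ALLOWED_ACTIONS[effective_role(user, resource)]


def can_view_messages(user: User, topic: Resource, environment: str, applications) -> bool:
    """Topic-message access: topic owner, Tenant admin, or owner of a connected
    application that is authorized for this topic in this environment."""
    if "Tenant Admin" in user.roles or topic.owner_group in user.groups:
        return True
    return any(
        app.owner_group in user.groups and (topic.name, environment) in app.authorized
        for app in applications
    )


# Roles every user receives on first login (see "Default Roles").
DEFAULT_ROLES = frozenset({"Application Author", "Environment Author", "Topic Author"})

# Constructed sample data.
NEWCOMER = User("dana", frozenset({"team-payments"}), DEFAULT_ROLES)
TENANT_ADMIN = User("sam", frozenset(), frozenset({"Tenant Admin"}))
ORDERS_TOPIC = Resource("Topic", "orders", owner_group="team-orders")
PAYMENTS_APP = Application("payments-consumer", "team-payments",
                           frozenset({("orders", "production")}))

if __name__ == "__main__":
    for action in ("view", "create", "edit", "delete"):
        print(f"{NEWCOMER.name} may {action} {ORDERS_TOPIC.name}: "
              f"{is_allowed(NEWCOMER, action, ORDERS_TOPIC)}")
    print("messages in production:", can_view_messages(NEWCOMER, ORDERS_TOPIC, "production", [PAYMENTS_APP]))
    print("messages in staging:", can_view_messages(NEWCOMER, ORDERS_TOPIC, "staging", [PAYMENTS_APP]))
```

Two points the model makes visible: a user who holds only the default Author roles can view every topic but cannot edit one owned by another team, and the same user can read messages of that foreign topic only in the environments where an application owned by their own team is authorized for it.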

Environment Permissions

When a user has Edit permissions on an Environment, the user has the following additional permissions:

Schema Permissions

When a user has Edit permissions on a Schema, the user has the following additional permissions:

  • Upload a new version of the existing Schema

  • Transfer ownership of an existing Schema to another group

  • Delete the existing Schema or its Schema Version

Default Roles

Whenever a user logs in to the Self-Service for the first time, the user receives the following roles by default:

  • Application Author

  • Environment Author

  • Topic Author

Other Resources

The most frequently modified resources, such as Applications, Topics and Environments, have now been covered. There are additional resources that are not visible to most users but can be administered as well, such as:

  • Instance

  • Cluster

  • Group

Group Permissions

See Groups

Tenant permissions

For administering any resource within a tenant, the role "Tenant admin" has been created. This role is intended for people managing the Self Service installation within a company. Anyone with the role Tenant admin has admin permissions for all resources mentioned above, including some additional resources:

  • Users: assign roles, modify, delete users

  • Groups: create, modify and delete groups

  • Tenant: modify the Tenant Profile, such as Admin contacts, logo

Instance And Cluster Permissions

For modifying the Instance and Cluster resources, the role Super Admin has been added. This user has the following permissions:

  • Cluster: create, update, delete

  • Instance: create, update, delete, synchronize instance, synchronize environment

Users

Editing A User

  1. Visit the Settings page

  2. Click the Users tab

  3. Click on a user to visit the User’s detail page

  4. Click the Edit user button and you see the page below:

Edit user

  5. Fill in or change any information you need and click the Update User button to update the user’s information.

Disable User Notifications

This setting is only available when the Tenant admin has enabled notifications.

  1. Go to the User’s detail page

  2. Click the Edit user button and you see the page below:

Edit user

  3. Toggle Enable notifications for Axual to disabled.

Disable user notifications

  4. Click on the Update User button on the bottom right.

By default, notifications for the user are enabled. If notifications are disabled, the user will stop receiving emails about various events related to the owned applications and topics, even if the notifications are enabled in tenant notification settings.

Deleting a User

  1. Go to the User’s detail page

  2. Click the Edit user button.

  3. Click on the Delete User button at the bottom left of the page and a confirmation modal pops up.

  4. After clicking on Confirm your user is deleted.

Groups

Creating a Group

  1. Go to Settings

  2. Click on Groups on the top right

  3. Then click on the Add Group button. You will see a page as below:

Creating new group

  4. After filling out the form and saving it, you have created your new group.

Editing a Group

  1. Go to Settings

  2. Click on Groups on the top right. You will see the list of existing groups.

  3. Click on the group you want to edit. It will take you on the Group’s detail page.

  4. Click on the Edit Group button on the bottom right. You see the page below:

Edit group

  5. Fill in or change any information you need and click the Save user group button to update the group’s information.

Deleting a Group

A group can only be deleted if it does not own any entities (applications, environments, topics).

  1. Visit the Group Detail page

  2. Click Edit Group

  3. There is a Delete Group button on the bottom left of the page. The button is active if all constraints are met and deletion is possible. Clicking the button opens a confirmation modal, as below:

Delete group confirmation

  4. Clicking on Confirm will delete the group.

  5. If not all constraints are met, the Delete Group button is disabled and, on hover, a tooltip shows how many applications, environments and topics this group owns, as below:

Inform delete group modal

Adding Users To a Group

You can add users to a group from the Add Group page or from the Edit Group page. The forms in these pages have a Members section as below:

Add user to group

You can add a user by clicking on the Add Member button and choosing a user from the dropdown.

Removing Users From a Group

You can remove users from a group from the Edit Group page. The form in that page has a Members section as the one above. You can remove a user by clicking on the button with the bin icon.

Making a Group Member Manager of the group

A Group Manager can edit this group, including adding or removing users and other group managers.

Adding a Group Manager To a Group

You can designate group managers for a group either from the Add Group page or the Edit Group page. To assign a group manager, click the toggle checkbox next to the users you wish to make group managers.

Designate group manager for the group
A Group Manager has the authority to edit the group, including adding or removing users and other group managers. If a group has no group manager, only a tenant admin can add or remove users and group managers.

Viewer Groups

The Viewer Groups define which Groups are authorized to View all Resource Configurations, regardless of ownership and visibility.

Owners can still perform the same activities as before. The Viewer Groups are intended only to provide an additional set of users with VIEW access.

For example, to give view-only access to all configurations defined in a Production Environment, it is enough to set the Viewer Groups of the Production Environment: all members of any of those Viewer Groups will then be able to see all Topic Configurations and Application Authentications defined in the Production Environment.

Environment Viewer Groups

Members of the Environment Viewer Groups can view all Topic Configurations and Application Authentications within the Environment only if the Topics and the Applications do not have Viewer Groups defined.

If a user is in both the Environment’s Viewer Groups and the Topic’s Viewer Groups, they can see the Topic Configuration for that Topic in that Environment.

If a user is in both the Environment’s Viewer Groups and the Application’s Viewer Groups, they can see all Application Authentications for that Application in that Environment.

To add Environment Viewer Groups, select the groups in the Add Environment or Edit Environment view:

Select Environment viewer groups

Application Viewer Groups

If Viewer Groups are defined only for the Application, members can view all Application Authentications for that Application across all Environments.

If Viewer Groups are defined only for the Environment, members can view all Applications' Application Authentications defined in that Environment.

If both the Environment and the Application have Viewer Groups, the user must belong to both Viewer Groups to view the Application Authentications for that Application in that Environment.

To add Application Viewer Groups, select the groups in the Add Application or Edit Application view:

Select Application viewer groups

Topic Viewer Groups

If the Viewer Groups are defined only for the Topic, members can view all Topic Configurations for that Topic across all Environments.

If the Viewer Groups are defined only for the Environment, members can view all Topics' Topic Configurations defined in that Environment.

If both the Environment and the Topic have Viewer Groups, the user must belong to both Viewer Groups to view the Topic Configuration for that Topic in that Environment.
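The rules in the Environment, Application and Topic Viewer Groups sections above are the same for Application Authentications and Topic Configurations, so one decision function covers both. The Python below is an added illustration, not Axual's code; the function names and the sample groups and environments are constructed assumptions. It also derives, for a Topic with given Viewer Groups, the set of Environments in which a user can see its configuration, which is the "across all Environments" behaviour the text describes.

```python
# Constructed model of the Viewer Groups rules for Environments, Applications and
# Topics. Added illustration, not Axual's code; names and sample data are assumptions.


def can_view_configuration(user_groups, owner_group,
                           environment_viewer_groups, resource_viewer_groups) -> bool:
    """
    Decide whether a user may view one Topic Configuration or one Application
    Authentication in a given Environment.

    Rules from the text:
      - the owning group keeps its access;
      - Viewer Groups only on the Topic/Application: membership there suffices,
        in every Environment;
      - Viewer Groups only on the Environment: membership there suffices for
        every Topic/Application in that Environment;
      - Viewer Groups on both: the user must be a member of both sets;
      - no Viewer Groups anywhere: owners only.
    """
    groups = set(user_groups)
    if owner_group in groups:
        return True
    env_vg = set(environment_viewer_groups)
    res_vg = set(resource_viewer_groups)
    in_env = bool(groups & env_vg)
    in_res = bool(groups & res_vg)
    if env_vg and res_vg:
        return in_env and in_res
    # Only one side (or neither) defines Viewer Groups.
    return in_res if res_vg else in_env


def visible_environments(user_groups, owner_group, resource_viewer_groups, environments):
    """Return the names of the Environments in which the user may view the
    configuration. 'environments' maps Environment name -> its Viewer Groups."""
    return {
        env for env, env_vg in environments.items()
        if can_view_configuration(user_groups, owner_group, env_vg, resource_viewer_groups)
    }


# Constructed sample: production has a Viewer Group, staging has none.
ENVIRONMENTS = {"production": {"ops-viewers"}, "staging": set()}
TOPIC_OWNER = "team-orders"
TOPIC_VIEWER_GROUPS = {"topic-auditors"}

if __name__ == "__main__":
    for who, groups in (("ops member", {"ops-viewers"}),
                        ("topic auditor", {"topic-auditors"}),
                        ("both", {"ops-viewers", "topic-auditors"}),
                        ("owner", {TOPIC_OWNER}),
                        ("outsider", {"team-other"})):
        print(who, "->", sorted(visible_environments(groups, TOPIC_OWNER,
                                                     TOPIC_VIEWER_GROUPS, ENVIRONMENTS)))
```

The worked cases show the interaction the text spells out: with Viewer Groups on both the Topic and the production Environment, a member of only one of them sees nothing in production, while in staging (no Environment Viewer Groups) membership of the Topic's Viewer Groups alone is enough.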

To add Topic Viewer Groups, select the groups in the Add Topic or Edit Topic view:

Select Topic viewer groups