Access control
Access control allows you to set up permissions for users and user groups on the platform. On this page you will find:
Users
From the Settings > Users tab you can view, add, edit, and remove users from SquaredUp Cloud.

Go to Settings > Users.
Click Add User.
Email:
Enter the email address of the user that you want to add.
Add to User Group(s):
Select which user group(s) you would like to add the new user to from the dropdown.
New users are automatically included in the Everyone group.
Click Done.

Go to Settings > Users.
Search for the user that you want to edit.
Under Options, click the Edit icon for the user that you want to edit.
Edit User Group(s):
Select which user group(s) you would like to add the user to from the dropdown.
You can remove the user from a user group by selecting X next to the desired group.
Click Done.

Go to Settings > Users.
Under Options, click the Remove icon for the user that you want to remove.
Click Remove.
User groups
You are able to control the access of users by assigning them to specific user groups. There are two default groups:
Everyone includes all users on the platform and is updated when you add or remove a user from the tenant
Administrators are given full access to the platform
You can also create your own groups:
Custom enables you to create your own custom groups of users. These groups have no special privileges - they are just used to manage users for use in Access Control Lists (ACLs).

All tenants have a special Administrators group, managed under Settings > Users. Members of this group have access to extra features, including:
Management of users and groups
Management of API keys
Advanced settings
Administration of all workspaces, regardless of workspace access control
Administration of all plugins, regardless of plugin access control
A member of the administrators group can always delete or modify access control for a workspace or plugin, even if the original creator has left the company and the workspace or plugin is otherwise inaccessible. Administrators do not have access to the content of workspaces (dashboards, etc.) unless they are given access through the workspace Access Control List (ACL). Similarly, administrators cannot read data from a plugin unless they have access to the data through a workspace. More information about the workspace ACL can be found in the Workspace access control section.

Go to Settings > Users.
Click Add User Group.
Name:
Enter the name of the user group.
Group Description:
If required, enter a description of the group.
Users:
Select the users you want to add to the group from the dropdown.
Click Done.

Go to Settings > Users.
Click the Edit icon next to the user group that you want to edit.
You cannot edit the Everyone group.
Name:
Edit the name of the group.
Group Description:
Edit the description of the group.
Users:
Select which user(s) you would like to add to the user group from the dropdown.
You can remove a user from a user group by selecting X next to the desired user.

Go to Settings > Users.
Click on the Remove icon next to the user group that you want to remove.
Click Remove.
Workspace access control
For more information about setting up and editing workspaces, see Workspaces.

You can control access to workspaces by setting up permissions, where you can assign Viewer, Editor or Full Control permissions to users or groups. If you do not set permissions when creating a workspace, then anyone will be able to view, edit and administer it.
Access to workspaces is controlled through an Access Control List (ACL), which is a set of one or more Access Control Entries (ACEs), each of which specifies the permissions for a particular user or group.
By default, Manage Access is set to off. The workspace can be viewed, edited and administered by anyone. If you would like to control who has access to this workspace, switch Manage Access to on.
Use the Manage Access dropdown to control who has access to the workspace:
By default, the user setting the permissions for the workspace will be given Full Control and the Everyone group will be given Viewer permissions.
Tailor access to the workspace, as required, by selecting individual users or user groups from the dropdown and giving them Viewer, Editor or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the workspace by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp Cloud. Once the account has been created, they will gain access to the tenant.
At least one user or group must be given Full Control.
Administrator users are able to modify the ACL and delete the workspace.

Access Level
Viewer |
|
Editor |
|
Full Control |
|

Administrators have special ‘administrative’ access to all workspaces. This means they see all workspaces listed under Settings > Workspaces, and they can modify workspace properties, including the ACL, for any workspace.
Administrators do not see all workspaces in the main dashboarding area of SquaredUp Cloud, and do not have any access to the contents of workspaces unless they add themselves to the workspace ACL.
Plugin access control
Plugin access control works differently to workspace access control. Access control on a plugin restricts which users are allowed to link a plugin to a workspace, rather than which users are allowed to read data from the plugin. This difference is reflected in the Access Control List (ACL) presets and custom ACL options.
When configuring new plugins from Settings > Plugins > Add plugin, there is an option to Restrict access to this plugin?.

The term plugin here really means plugin instance. For example, a user may configure two instances of the AWS plugin, one for their development environment and one for production. In that case, each plugin instance has its own access control settings.
By default, Restrict access to this plugin? is set to off. The plugin can be viewed, edited and administered by anyone. If you would like to control who has access to this plugin, switch Restrict access to this plugin? to on.
Use the Restrict access to this plugin? dropdown to control who has access to the workspace:
By default, the user setting the permissions for the plugin will be given Full Control and the Everyone group will be given Link to workspace permissions.
Tailor access to the plugin, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the plugin by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp Cloud. Once the account has been created, they will gain access to the tenant.
At least one user or group must be given Full Control.
Admin users can edit the configuration, modify the Access Control List (ACL) and delete the plugin, regardless of the ACL chosen.

Access Level:
Link to workspace |
|
Full Control |
|

Like workspaces, administrators have special ‘administrative’ access to all plugins. This means they see all plugins listed under Settings > Plugins, and they can modify plugin properties, including the ACL, for any plugin.
Administrators do not have any special access to data from plugins unless they add themselves to the plugin ACL.
Workspace linking
Each workspace is linked to a set of plugins. These plugins are the only plugins that the workspace can read data from.
Plugin ACLs are mainly used to restrict the users that can link a plugin to workspace - once the plugin is linked it is accessible to anyone with access to the workspace. Control over access to plugin data is mainly controlled through workspace permissions, not permissions on the plugin itself.
This means that all users with access to a workspace are guaranteed to be able to see everything in the workspace, regardless of their permissions on plugins used to populate it. Similarly, any monitoring and alerting is based on this same fixed view of the data. This is particularly important with scopes that match across multiple plugins.
Each workspace can also be linked to a set of other workspaces, for the same reason. The linked workspaces can be accessed to read workspace resources like health or KPIs. Again, this ensures any user viewing health or KPI tiles sees the same data as everyone else with access to the workspace.

Linking is performed automatically where possible. If access control is never enabled for any workspace or plugin, linking is completely automatic.
The scenarios where linking occurs automatically are:
Any new workspace is automatically linked to all workspaces and plugins that are accessible to everyone.
Any new plugin is automatically linked to all existing workspaces that are accessible to everyone, if the plugin is accessible to everyone.
Any new workspace is automatically linked to all existing workspaces that are accessible to everyone, if the new workspace is accessible to everyone.
When a user asks to create a new workspace for a new plugin, the workspace is linked to the plugin.
When a user adds a downstream workspace on the Monitoring page, the downstream workspace is automatically linked.

When users start restricting access to workspaces and/or plugins, manual linking becomes necessary in some cases.
For example, if user 1 adds a new plugin and restricts Link to workspace permissions to only user 2, there will be no automatic linking of the plugin to any workspaces. If user 2 wants to use the plugin in their workspace, they will need to add the link. The link can be added through the workspace configuration, or by clicking on the plugin in the Quick Scope editor.
Useful tips about access control

The highest permission applies. If the ACL on a workspace gives a user the Viewer permission directly and the Editor permission to a group the user belongs to, the user has Editor permissions. Similarly, if a user belongs to two groups, one that has the Editor permission and one that has Full Control, the user will have Full Control of the workspace.

Yes. Administrators always have Full Control over workspace and plugin ACLs, including the ability to add themselves.

In some cases it may take up to one minute for access control changes to take effect, and sometimes a browser refresh may be required to see the changes reflected in SquaredUp Cloud.

You cannot. When you give the Link to workspace permission to someone, you are effectively delegating responsibility for protecting the data to them. The only way to guarantee restricted access to a plugin is to not give anyone the Link to workspace permission, and link the plugin to your own workspace. You can then control access to the data through the workspace ACL.

No. Changing a plugin ACL does not modify any existing workspace links. There are three options to handle this scenario:
In the plugin configuration, click on the Unlink from all workspaces option. Workspace admins who still have access through the new restricted ACL will need to re-add a link to the plugin if they want to use it.
Delete the plugin and reconfigure it. This is very similar to option 1, but requires reconfiguring the plugin from scratch.
Ask a tenant administrator to remove the link to the plugin from any existing workspaces. The administrator would have to check every workspace for the link.

No. Nested groups are not supported.

None. All users can create workspaces or plugins.
Comments
0 comments
Please sign in to leave a comment.