Skip to main content

Access control

Documentation Team
  • Updated

Access control

Access control allows you to set up permissions for users and user groups on the platform. On this page you will find:

User groups

From the Settings > Users tab you can view, add, edit, and remove users from SquaredUp.

For information about adding, editing and removing users see Users

You are able to control the access of users by assigning them to specific user groups.

There are two default groups:

  • Everyone includes all users on the platform and is updated when you add or remove a user from the tenant

  • Administrators are given full access to the platform

You can also create your own groups:

  • Custom enables you to create your own custom groups of users. These groups have no special privileges - they are just used to manage users for use in Access Control Lists (ACLs).

ClosedAdministrators group

All tenants have a special Administrators group, managed under Settings > Users. Members of this group have access to extra features, including:

  • Management of users and groups

  • Management of API keys

  • Advanced settings

  • Administration of all workspaces, regardless of workspace access control

  • Administration of all data sources, regardless of data source access control

A member of the administrators group can always delete or modify access control for a workspace or data source, even if the original creator has left the company and the workspace or data source is otherwise inaccessible. Administrators do not have access to the content of workspaces (dashboards, etc.) unless they are given access through the workspace Access Control List (ACL). Similarly, administrators cannot read data from a data source unless they have access to the data through a workspace. More information about the workspace ACL can be found in the Workspace access control section.

ClosedHow to create a custom user group

  1. Go to Settings > Users.

  2. Click Add User Group.

  3. Name:

    Enter the name of the user group.

  4. Group Description:

    If required, enter a description of the group.

  5. Users:

    Select the users you want to add to the group from the dropdown.

  6. Click Done.

ClosedHow to edit a user group

  1. Go to Settings > Users.

  2. Click the Edit icon next to the user group that you want to edit.

    You cannot edit the Everyone group.

  3. Name:

    Edit the name of the group.

  4. Group Description:

    Edit the description of the group.

  5. Users:

    Select which user(s) you would like to add to the user group from the dropdown.

    You can remove a user from a user group by selecting X next to the desired user.

ClosedHow to remove a custom user group

  1. Go to Settings > Users.

  2. Click on the Remove icon next to the user group that you want to remove.

  3. Click Remove.

Workspace access control

For more information about setting up and editing workspaces, see Workspaces.

ClosedManage Access

You can control access to workspaces by setting up permissions, where you can assign Viewer, Editor or Full Control permissions to users or groups. If you do not set permissions when creating a workspace, then anyone will be able to view, edit and administer it.

Access to workspaces is controlled through an Access Control List (ACL), which is a set of one or more Access Control Entries (ACEs), each of which specifies the permissions for a particular user or group.

By default, Manage Access is set to off. The workspace can be viewed, edited and administered by anyone. If you would like to control who has access to this workspace, switch Manage Access to on.

Use the Manage Access dropdown to control who has access to the workspace:

  • By default, the user setting the permissions for the workspace will be given Full Control and the Everyone group will be given Viewer permissions.

  • Tailor access to the workspace, as required, by selecting individual users or user groups from the dropdown and giving them Viewer, Editor or Full Control permissions.

  • If the user is not available from the dropdown, you are able to invite them to the workspace by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the tenant.

  • At least one user or group must be given Full Control.

  • Administrator users are able to modify the ACL and delete the workspace.

ClosedWorkspace access levels

Access Level

Viewer

  • User can view the workspace contents (dashboards, scopes, KPIs, etc.).

  • User can add the workspace as a downstream workspace for monitoring from other workspaces.

  • User can see the workspace and related objects in their scopes (i.e., to monitor the health of the workspace).

  • User cannot edit or delete anything within the workspace, including dashboards, tiles, scopes and KPIs. User cannot configure the workspace or its contents (e.g., change workspace name, change the ACL, configure notifications).

Editor

  • User can do everything from Viewer level, but additionally can modify the workspace contents (dashboards, scopes, KPIs, notifications, etc.).

  • User can modify workspace properties, such as name.

  • User cannot modify the workspace ACL.

  • User cannot delete the workspace.

Full Control

  • User can do anything with the workspace, including changing its ACL and deleting it.

ClosedSpecial access for administrators

Administrators have special ‘administrative’ access to all workspaces. This means they see all workspaces listed under Settings > Workspaces, and they can modify workspace properties, including the ACL, for any workspace.

Administrators do not see all workspaces in the main dashboarding area of SquaredUp, and do not have any access to the contents of workspaces unless they add themselves to the workspace ACL.

Data source access control

Data source access control works differently to workspace access control.

Access control on a data source restricts which users are allowed to link a data source to a workspace, rather than which users are allowed to read data from the data source. This difference is reflected in the Access Control List (ACL) presets and custom ACL options.

When configuring new data sources from Settings > Data Sources > Add data source, there is an option to Restrict access to this data source?.

ClosedRestrict access to this data source?

The term data source here really means data source instance. For example, a user may configure two instances of the AWS data source, one for their development environment and one for production. In that case, each data source instance has its own access control settings.

By default, Restrict access to this data source? is set to off. The data source can be viewed, edited and administered by anyone. If you would like to control who has access to this data source, switch Restrict access to this data source? to on.

Use the Restrict access to this data source? dropdown to control who has access to the workspace:

  • By default, the user setting the permissions for the data source will be given Full Control and the Everyone group will be given Link to workspace permissions.

  • Tailor access to the data source, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.

  • If the user is not available from the dropdown, you are able to invite them to the data source by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the tenant.

  • At least one user or group must be given Full Control.

  • Admin users can edit the configuration, modify the Access Control List (ACL) and delete the data source, regardless of the ACL chosen.

ClosedData source access levels

Access Level:

Link to workspace

  • User can link the data source to any workspace they have at least Editor permissions for.
  • Data from the data source can then be viewed by anyone with any access to the workspace.

  • User can share the data source data with anyone they want.

  • User cannot configure the data source in any way, or delete it.

Full Control
  • User can change the data source configuration, ACL, and delete the data source.
ClosedSpecial access for administrators

Like workspaces, administrators have special ‘administrative’ access to all data sources. This means they see all data sources listed under Settings > Data Sources, and they can modify data source properties, including the ACL, for any data source.

Administrators do not have any special access to data from data sources unless they add themselves to the data source ACL.

Workspace linking

Each workspace is linked to a set of data sources. These data sources are the only data sources that the workspace can read data from.

Data source ACLs are mainly used to restrict the users that can link a data source to workspace - once the data source is linked it is accessible to anyone with access to the workspace. Control over access to data source data is mainly controlled through workspace permissions, not permissions on the data source itself.

This means that all users with access to a workspace are guaranteed to be able to see everything in the workspace, regardless of their permissions on data sources used to populate it. Similarly, any monitoring and alerting is based on this same fixed view of the data. This is particularly important with scopes that match across multiple data sources.

Each workspace can also be linked to a set of other workspaces, for the same reason. The linked workspaces can be accessed to read workspace resources like health or KPIs. Again, this ensures any user viewing health or KPI tiles sees the same data as everyone else with access to the workspace.

ClosedAutomatic workspace linking

Linking is performed automatically where possible. If access control is never enabled for any workspace or data source, linking is completely automatic.

The scenarios where linking occurs automatically are:

  • Any new workspace is automatically linked to all workspaces and data sources that are accessible to everyone.

  • Any new data source is automatically linked to all existing workspaces that are accessible to everyone, if the data source is accessible to everyone.

  • Any new workspace is automatically linked to all existing workspaces that are accessible to everyone, if the new workspace is accessible to everyone.

  • When a user asks to create a new workspace for a new data source, the workspace is linked to the data source.

  • When a user adds a downstream workspace on the Monitoring page, the downstream workspace is automatically linked.

ClosedManual workspace linking

When users start restricting access to workspaces and/or data sources, manual linking becomes necessary in some cases.

For example, if user 1 adds a new data source and restricts Link to workspace permissions to only user 2, there will be no automatic linking of the data source to any workspaces. If user 2 wants to use the data source in their workspace, they will need to add the link. The link can be added through the workspace configuration, or by clicking on the data source in the Quick Scope editor.

Useful tips about access control

ClosedIf a user has direct permissions that differ from permissions through a group, which takes precedence?

The highest permission applies. If the ACL on a workspace gives a user the Viewer permission directly and the Editor permission to a group the user belongs to, the user has Editor permissions. Similarly, if a user belongs to two groups, one that has the Editor permission and one that has Full Control, the user will have Full Control of the workspace.

ClosedCan an administrator add themselves to the ACL for a workspace, and thereby gain access to its contents (dashboards, etc.)?

Yes. Administrators always have Full Control over workspace and data source ACLs, including the ability to add themselves.

ClosedDo access control changes take effect immediately?

In some cases it may take up to one minute for access control changes to take effect, and sometimes a browser refresh may be required to see the changes reflected in SquaredUp.

ClosedIf I create a data source and give the Link to workspace permission to someone, how can I stop that person sharing the data with everyone via their workspace?

You cannot. When you give the Link to workspace permission to someone, you are effectively delegating responsibility for protecting the data to them. The only way to guarantee restricted access to a data source is to not give anyone the Link to workspace permission, and link the data source to your own workspace. You can then control access to the data through the workspace ACL.

ClosedI accidentally gave everyone the Link to workspace permission on my data source. I have now configured a more restricted ACL. Will that automatically stop existing linked workspaces from accessing the data source?

No. Changing a data source ACL does not modify any existing workspace links. There are three options to handle this scenario:

  1. In the data source configuration, click on the Unlink from all workspaces option. Workspace admins who still have access through the new restricted ACL will need to re-add a link to the data source if they want to use it.

  2. Delete the data source and reconfigure it. This is very similar to option 1, but requires reconfiguring the data source from scratch.

  3. Ask a tenant administrator to remove the link to the data source from any existing workspaces. The administrator would have to check every workspace for the link.

ClosedCan I add a group to a group?

No. Nested groups are not supported.

ClosedWhat permissions does a user need to create workspaces or data sources?

None. All users can create workspaces or data sources.

Related articles

Comments

0 comments

Please sign in to leave a comment.