Skip to main content

Access control

Documentation Team
  • Updated

Access control

Access control allows you to set up permissions for users and user groups on the platform. On this page you will find:

Users

From the Settings > Users tab you can view, add, edit, and remove users from SquaredUp Cloud.

ClosedHow to add a user

  1. Go to Settings > Users.

  2. Click Add User.

  3. Email:

    Enter the email address of the user that you want to add.

  4. Add to User Group(s):

    Select which user group(s) you would like to add the new user to from the dropdown.

    New users are automatically included in the Everyone group.

  5. Click Done.

ClosedHow to edit a user

  1. Go to Settings > Users.

  2. Search for the user that you want to edit.

  3. Under Options, click the Edit icon for the user that you want to edit.

  4. Edit User Group(s):

    Select which user group(s) you would like to add the user to from the dropdown.

    You can remove the user from a user group by selecting X next to the desired group.

  5. Click Done.

ClosedHow to remove a user

  1. Go to Settings > Users.

  2. Under Options, click the Remove icon for the user that you want to remove.

  3. Click Remove.

User groups

You are able to control the access of users by assigning them to specific user groups. There are two default groups:

  • Everyone includes all users on the platform and is updated when you add or remove a user from the tenant

  • Administrators are given full access to the platform

You can also create your own groups:

  • Custom enables you to create your own custom groups of users. These groups have no special privileges - they are just used to manage users for use in Access Control Lists (ACLs).

ClosedAdministrators group

All tenants have a special Administrators group, managed under Settings > Users. Members of this group have access to extra features, including:

  • Management of users and groups

  • Management of API keys

  • Advanced settings

  • Administration of all workspaces, regardless of workspace access control

  • Administration of all plugins, regardless of plugin access control

A member of the administrators group can always delete or modify access control for a workspace or plugin, even if the original creator has left the company and the workspace or plugin is otherwise inaccessible. Administrators do not have access to the content of workspaces (dashboards, etc.) unless they are given access through the workspace Access Control List (ACL). Similarly, administrators cannot read data from a plugin unless they have access to the data through a workspace. More information about the workspace ACL can be found in the Workspace access control section.

ClosedHow to create a custom user group

  1. Go to Settings > Users.

  2. Click Add User Group.

  3. Name:

    Enter the name of the user group.

  4. Group Description:

    If required, enter a description of the group.

  5. Users:

    Select the users you want to add to the group from the dropdown.

  6. Click Done.

ClosedHow to edit a user group

  1. Go to Settings > Users.

  2. Click the Edit icon next to the user group that you want to edit.

    You cannot edit the Everyone group.

  3. Name:

    Edit the name of the group.

  4. Group Description:

    Edit the description of the group.

  5. Users:

    Select which user(s) you would like to add to the user group from the dropdown.

    You can remove a user from a user group by selecting X next to the desired user.

ClosedHow to remove a custom user group

  1. Go to Settings > Users.

  2. Click on the Remove icon next to the user group that you want to remove.

  3. Click Remove.

Workspace access control

For more information about setting up and editing workspaces, see Workspaces.

ClosedManage Access

You can control access to workspaces by setting up permissions, where you can assign Viewer, Editor or Full Control permissions to users or groups. If you do not set permissions when creating a workspace, then anyone will be able to view, edit and administer it.

Access to workspaces is controlled through an Access Control List (ACL), which is a set of one or more Access Control Entries (ACEs), each of which specifies the permissions for a particular user or group.

By default, Manage Access is set to off. The workspace can be viewed, edited and administered by anyone. If you would like to control who has access to this workspace, switch Manage Access to on.

Use the Manage Access dropdown to control who has access to the workspace:

  • By default, the user setting the permissions for the workspace will be given Full Control and the Everyone group will be given Viewer permissions.

  • Tailor access to the workspace, as required, by selecting individual users or user groups from the dropdown and giving them Viewer, Editor or Full Control permissions.

  • If the user is not available from the dropdown, you are able to invite them to the workspace by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp Cloud. Once the account has been created, they will gain access to the tenant.

  • At least one user or group must be given Full Control.

  • Administrator users are able to modify the ACL and delete the workspace.

ClosedWorkspace access levels

Access Level

Viewer

  • User can view the workspace contents (dashboards, scopes, KPIs, etc.).

  • User can add the workspace as a downstream workspace for monitoring from other workspaces.

  • User can see the workspace and related objects in their scopes (i.e., to monitor the health of the workspace).

  • User cannot edit or delete anything within the workspace, including dashboards, tiles, scopes and KPIs. User cannot configure the workspace or its contents (e.g., change workspace name, change the ACL, configure notifications).

Editor

  • User can do everything from Viewer level, but additionally can modify the workspace contents (dashboards, scopes, KPIs, notifications, etc.).

  • User can modify workspace properties, such as name.

  • User cannot modify the workspace ACL.

  • User cannot delete the workspace.

Full Control

  • User can do anything with the workspace, including changing its ACL and deleting it.

ClosedSpecial access for administrators

Administrators have special ‘administrative’ access to all workspaces. This means they see all workspaces listed under Settings > Workspaces, and they can modify workspace properties, including the ACL, for any workspace.

Administrators do not see all workspaces in the main dashboarding area of SquaredUp Cloud, and do not have any access to the contents of workspaces unless they add themselves to the workspace ACL.

Plugin access control

Plugin access control works differently to workspace access control. Access control on a plugin restricts which users are allowed to link a plugin to a workspace, rather than which users are allowed to read data from the plugin. This difference is reflected in the Access Control List (ACL) presets and custom ACL options.

When configuring new plugins from Settings > Plugins > Add plugin, there is an option to Restrict access to this plugin?.

ClosedRestrict access to this plugin?

The term plugin here really means plugin instance. For example, a user may configure two instances of the AWS plugin, one for their development environment and one for production. In that case, each plugin instance has its own access control settings.

By default, Restrict access to this plugin? is set to off. The plugin can be viewed, edited and administered by anyone. If you would like to control who has access to this plugin, switch Restrict access to this plugin? to on.

Use the Restrict access to this plugin? dropdown to control who has access to the workspace:

  • By default, the user setting the permissions for the plugin will be given Full Control and the Everyone group will be given Link to workspace permissions.

  • Tailor access to the plugin, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.

  • If the user is not available from the dropdown, you are able to invite them to the plugin by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp Cloud. Once the account has been created, they will gain access to the tenant.

  • At least one user or group must be given Full Control.

  • Admin users can edit the configuration, modify the Access Control List (ACL) and delete the plugin, regardless of the ACL chosen.

ClosedPlugin access levels

Access Level:

Link to workspace

  • User can link the plugin to any workspace they have at least Editor permissions for.
  • Data from the plugin can then be viewed by anyone with any access to the workspace.

  • User can share the plugin data with anyone they want.

  • User cannot configure the plugin in any way, or delete it.

Full Control
  • User can change the plugin configuration, ACL, and delete the plugin.
ClosedSpecial access for administrators

Like workspaces, administrators have special ‘administrative’ access to all plugins. This means they see all plugins listed under Settings > Plugins, and they can modify plugin properties, including the ACL, for any plugin.

Administrators do not have any special access to data from plugins unless they add themselves to the plugin ACL.

Workspace linking

Each workspace is linked to a set of plugins. These plugins are the only plugins that the workspace can read data from.

Plugin ACLs are mainly used to restrict the users that can link a plugin to workspace - once the plugin is linked it is accessible to anyone with access to the workspace. Control over access to plugin data is mainly controlled through workspace permissions, not permissions on the plugin itself.

This means that all users with access to a workspace are guaranteed to be able to see everything in the workspace, regardless of their permissions on plugins used to populate it. Similarly, any monitoring and alerting is based on this same fixed view of the data. This is particularly important with scopes that match across multiple plugins.

Each workspace can also be linked to a set of other workspaces, for the same reason. The linked workspaces can be accessed to read workspace resources like health or KPIs. Again, this ensures any user viewing health or KPI tiles sees the same data as everyone else with access to the workspace.

ClosedAutomatic workspace linking

Linking is performed automatically where possible. If access control is never enabled for any workspace or plugin, linking is completely automatic.

The scenarios where linking occurs automatically are:

  • Any new workspace is automatically linked to all workspaces and plugins that are accessible to everyone.

  • Any new plugin is automatically linked to all existing workspaces that are accessible to everyone, if the plugin is accessible to everyone.

  • Any new workspace is automatically linked to all existing workspaces that are accessible to everyone, if the new workspace is accessible to everyone.

  • When a user asks to create a new workspace for a new plugin, the workspace is linked to the plugin.

  • When a user adds a downstream workspace on the Monitoring page, the downstream workspace is automatically linked.

ClosedManual workspace linking

When users start restricting access to workspaces and/or plugins, manual linking becomes necessary in some cases.

For example, if user 1 adds a new plugin and restricts Link to workspace permissions to only user 2, there will be no automatic linking of the plugin to any workspaces. If user 2 wants to use the plugin in their workspace, they will need to add the link. The link can be added through the workspace configuration, or by clicking on the plugin in the Quick Scope editor.

Useful tips about access control

ClosedIf a user has direct permissions that differ from permissions through a group, which takes precedence?

The highest permission applies. If the ACL on a workspace gives a user the Viewer permission directly and the Editor permission to a group the user belongs to, the user has Editor permissions. Similarly, if a user belongs to two groups, one that has the Editor permission and one that has Full Control, the user will have Full Control of the workspace.

ClosedCan an administrator add themselves to the ACL for a workspace, and thereby gain access to its contents (dashboards, etc.)?

Yes. Administrators always have Full Control over workspace and plugin ACLs, including the ability to add themselves.

ClosedDo access control changes take effect immediately?

In some cases it may take up to one minute for access control changes to take effect, and sometimes a browser refresh may be required to see the changes reflected in SquaredUp Cloud.

ClosedIf I create a plugin and give the Link to workspace permission to someone, how can I stop that person sharing the data with everyone via their workspace?

You cannot. When you give the Link to workspace permission to someone, you are effectively delegating responsibility for protecting the data to them. The only way to guarantee restricted access to a plugin is to not give anyone the Link to workspace permission, and link the plugin to your own workspace. You can then control access to the data through the workspace ACL.

ClosedI accidentally gave everyone the Link to workspace permission on my plugin. I have now configured a more restricted ACL. Will that automatically stop existing linked workspaces from accessing the plugin?

No. Changing a plugin ACL does not modify any existing workspace links. There are three options to handle this scenario:

  1. In the plugin configuration, click on the Unlink from all workspaces option. Workspace admins who still have access through the new restricted ACL will need to re-add a link to the plugin if they want to use it.

  2. Delete the plugin and reconfigure it. This is very similar to option 1, but requires reconfiguring the plugin from scratch.

  3. Ask a tenant administrator to remove the link to the plugin from any existing workspaces. The administrator would have to check every workspace for the link.

ClosedCan I add a group to a group?

No. Nested groups are not supported.

ClosedWhat permissions does a user need to create workspaces or plugins?

None. All users can create workspaces or plugins.

Related articles

Comments

0 comments

Please sign in to leave a comment.