Configuring Role-based Access Control in the Portal

Note

We will be updating existing customer accounts to use this new role-based access control capability over the next couple of months. If you want to get access sooner, please reach out to Instart support.

Instart Product Management, 14 March 2019

Overview

Role-based access control (RBAC) enables admin users to define and create teams to collect properties into groups and associate users with them, and to define and create custom roles to assign to users.

A role is a collection of permissions or rights: the ability to add, modify, and view various elements of the overall account.

A team is a collection of one or more properties. A property cannot belong to more than one team. Teams can be added, edited, and deleted from the Account > Teams screen. They need to be assigned to properties from the Config > Properties & Domains > Add New Property or Edit Property screens.

Note

If you are an existing customer whose account has now had RBAC turned on, your initial state is a single default team that has all your existing properties associated with it. To use RBAC effectively for your account, you need to create teams that correspond to your actual organizational needs, then edit the existing individual properties to assign each of them to the appropriate team.

Users are the individuals that can access the portal with various roles. Users are set up with associations to the available roles and teams.

  • Users with global association can be assigned roles that apply across all properties of the account. Examples of rights that can be assigned globally are the ability to add, edit, and delete users, the ability to add, edit and delete security rules, and the ability to add, edit, and delete network lists.
  • Users with per-team association can be assigned roles that apply only to specific teams. Examples of rights that can be assigned per team are the ability to purge cache, the ability to add domains, and the ability to add, edit, and delete performance and delivery rules.

A user can either have global or per-team associations, but not both.

An account will always have at least one admin user, an administrator that has unrestricted access to all parts of the account and can create users, roles and teams.
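The association rules above can be modelled as an access check. This is an added example, not Instart's code or API: the permission names, role names, sample users, the `is_admin` flag, and the assumption that every selected role applies to every selected team are constructed for illustration.

```python
from dataclasses import dataclass, field

GLOBAL, PER_TEAM = "global", "per-team"  # the two association types

@dataclass(frozen=True)
class Role:
    name: str
    role_type: str                        # GLOBAL or PER_TEAM
    permissions: frozenset = frozenset()  # constructed permission names

@dataclass
class User:
    email: str
    is_admin: bool = False                # account admin: unrestricted access
    association: str = ""                 # GLOBAL or PER_TEAM, never both
    roles: list = field(default_factory=list)
    teams: set = field(default_factory=set)

    def validate(self):
        """Reject states the model forbids, e.g. a global role on a per-team user."""
        if self.is_admin:
            return
        if self.association not in (GLOBAL, PER_TEAM):
            raise ValueError("non-admin user needs exactly one association type")
        for role in self.roles:
            if role.role_type != self.association:
                raise ValueError(f"{role.name}: {role.role_type} role on {self.association} user")
        if self.association == GLOBAL and self.teams:
            raise ValueError("global user must not be tied to teams")

def is_allowed(user, permission, prop, property_team):
    """property_team maps each property to its single team (one team per property)."""
    user.validate()
    if user.is_admin:
        return True
    if not any(permission in role.permissions for role in user.roles):
        return False
    if user.association == GLOBAL:
        return True                       # global roles apply across all properties
    return property_team.get(prop) in user.teams

# Constructed sample data
PROPERTY_TEAM = {"shop.example.com": "storefront", "blog.example.com": "marketing"}
PURGER = Role("Cache Purger", PER_TEAM, frozenset({"purge_cache"}))
USER_MGR = Role("User Manager", GLOBAL, frozenset({"manage_users"}))
alice = User("alice@example.com", association=PER_TEAM, roles=[PURGER], teams={"storefront"})
bob = User("bob@example.com", association=GLOBAL, roles=[USER_MGR])
```

Reviewing an account against a model like this makes over-broad grants visible: a per-team user can only act on properties whose team they hold, and a global role attached to a per-team user is rejected outright.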

Teams

Admin users can create new teams to group properties together. Users can then be associated with one or more teams.

If you are an existing customer and you want to have RBAC turned on for your account, please contact Instart Support to request this. 

Creating a new team

  1. Click Account > Teams from the navigation menu to open the Teams page:

  2. Click Add New Team to open the Add New Team page:
  3. Provide a Team name and a Team description.

Once your team has been created, you associate it with one or more properties. You can also do this when creating a new property.

Associating a property to a team

  1. Click Config > Properties & Domains to display the list of properties:

  2. Click on the desired property in the list to open its Property Overview screen:

  3. Click Edit to open the property editor screen:

  4. Select the team you want this property associated with from the Team assignment pulldown, then click Update Property.

Roles

Admin users can create new roles to grant specific privileges to groups of users to support your organization's particular workflow needs. Roles can also be edited or deleted.

Creating a new role

  1. Click Account > Roles from the navigation menu to open the Roles page:

  2. Click Add a New Role to open the Add a New Role page:

  3. Provide a Role name and a Description.
  4. Select the Role Type. This can be:
    - Global — the role applies to all properties in the account.
    - Per-team — the role applies on a per-team basis. A team can be used to group properties together, and users adopt these roles if they are associated with this team.
    - Admin — the role grants all permissions on all properties and elements of the account.
    If you select Global, the following permissions can be assigned to the role:

    If you select Per-Team, the following permissions can be assigned to the role:

    If you select Admin, all permissions are assigned to the role, so no checkboxes are displayed.
  5. Select the appropriate permissions for your new role, then click Save.

This role can now be applied to users.

Editing/deleting an existing role

  1. From the role list page, click the role you want to change, and an Edit a Role form appears:

  2. The fields are all the same as those provided in the Add a New Role form. Edit any of the fields as desired, then click Save to update the role; or, click Delete role to remove this role.

If any existing users are assigned to a role, it cannot be deleted.

Users

The Account > Users page shows a list of all current users in your account, their email addresses, statuses, and last-modified dates, and whether or not two-factor authentication is enabled for them.

Click Account > Users from the navigation menu to open the Users page:

Adding a new account administrator user

  1. Click Add New User to open the Add New User form:
  2. Fill in the following fields (all are required except for phone number):
    - Full name
    - Email address
    - Phone number
  3. Click Yes under the question Is this user an account admin with all privileges on all teams?
    (Note that the various choices on the lower part of the form disappear; since an account admin has unrestricted access, there's no need to select specific roles, etc.)
  4. If desired, you can set the Enabled/Disabled toggle to create the user with his account inactive.
  5. Click Save.

Adding a new user with global association

  1. Click Add New User to open the Add New User form.
  2. Fill in the following fields (all are required except for phone number):
    - Full name
    - Email address
    - Phone number
  3. Leave No selected under the question Is this user an account admin with all privileges on all teams? and choose Global for Association Type. In this example the only global assigned roles available to associate to the user are Legacy User (Global) or Global Stats Read:
  4. If desired, you can set the Enabled/Disabled toggle to create the user with his account inactive.
  5. When you have finished entering the information, click the Save button.
  6. The new user, upon receipt of the email message, follows a link to set his password. The chosen password must have at least one uppercase letter, digit, and special character, and must be at least 12 characters in length.

Adding a new user with a per-team association

  1. Click Add New User to open the Add New User form.
  2. Fill in the following fields (all are required except for phone number):
    - Full name
    - Email address
    - Phone number
  3. Leave No selected under the question Is this user an account admin with all privileges on all teams? and choose Per-Team for Association Type.

  4. Select the role(s) you want to assign this user on the left, and the team(s) on the right. If the lists are long, you can scroll, or begin typing the name of the role or team in the field just above them to jump directly to them.
  5. If desired, you can set the Enabled/Disabled toggle to create the user with his account inactive.
  6. When you have finished entering the information, click the Save button.

The new user, upon receipt of the email message, follows a link to set his password. The chosen password must have at least one uppercase letter, digit, and special character, and must be at least 12 characters in length.

Editing or deleting a user

  1. From the list on the Users screen, click the user you want to edit to open the View User screen:
  2. Click Edit User to open the Edit User screen:
  3. Make your desired changes and click Save Changes to update the user information, or click Delete User to delete the user from the account.