Summary: this page describes how to manage User Roles in Console.

Note that in Console ≥ 2.x:

Introduction

Console uses a system of "roles" to manage permissions and access to data. Currently the following roles are available:

Role name | Type | Description
admin | Global

This Global level role allows a user or member of a group to administer the entire Console, including:

It can be assigned to a User or Group (if LDAP/Active Directory/SAML user authentication mode is in operation).

  • In Console 1.x, this role is configured directly in Console.
  • In Console ≥ 2.x, this role is configured directly in SSO/Keycloak.
dashboard_admin | Global

This role is only available in Console ≥ 2.x and is configured directly in SSO/Keycloak.

This global level role applies the dashboard "admin" role to a user. See User roles for more information about what this role can do.

application owner | Global / Resource
  • In Console ≥ 2.x this role is Global only and is configured directly in SSO/Keycloak.
  • In Console 1.x this role can be Global or Resource (or both):
    • A role at Global level grants specific rights over all Applications managed in Console
    • A role at Resource level grants specific rights over the resource in question (i.e. Applications or Domains).

Global level:

  • At Global level this role allows a user to create/edit/delete/deliver code/analyze/snapshot any Application, and view data in the embedded dashboards from any Application, but the ability to assign an Application to domains is not available.
  • When an Application is created by a user/group with the Application Owner Global level role, the user/group can choose an existing domain or create a new one for the Application.
  • When an Application is created by a user with the Application Owner Global level role, the user is also automatically granted Application Owner role at Resource level.

Resource level:

  • At Resource level, an Application Owner can edit, delete, deliver code for, analyze and create snapshots of the Applications they have created (if they also have the Global level role) or that they have been assigned to via a Domain, and can view data in the embedded dashboards from the Applications they have created or have been assigned to.
  • For all Applications on which they have been granted Application Owner at Resource level, they are automatically granted rights to work with the Application or the Applications, i.e.:
    • deliver code
    • analyze
    • create snapshots
resource owner | Resource
  • This role is available in Console 1.x and Console ≥ 2.x.
  • A Resource Owner can edit, delete, deliver code for, analyze and create snapshots of the Applications they have created or that they have been assigned to via a Domain, and can view data in the embedded dashboards from the Applications they have created or have been assigned to.
  • For all Applications on which they have been granted Resource Owner, they are automatically granted rights to work with the Application or the Applications, i.e.:
    • deliver code
    • analyze
    • create snapshots

Users can hold more than one role at a time - in this case the most permissive role takes priority.
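
For an access review, the role rules above can be resolved into one effective role per user and Application. The following is an added example, not part of Console or its documentation; it assumes the Console 1.x behaviour in which a Global level role applies to all Applications, an assumed ranking for "most permissive", and constructed domains, groups and users (only "cast", "James" and "MEUDON" echo the page's examples).

```python
# Added example: resolve effective roles for an access review.
# All sample data below is constructed for illustration.

# Assumed ordering for "most permissive": the higher number wins.
RANK = {"resource owner": 1, "application owner": 2, "admin": 3}

DOMAINS = {"Finance": ["MEUDON", "BILLING"], "HR": ["PAYROLL"]}  # domain -> Applications
GROUPS = {"qa-team": ["alice", "james"]}  # LDAP/AD/SAML group -> members

# (scope, principal, role, target); target is None for a Global level role,
# otherwise ("domain", name) or ("application", name) for a Resource level role.
ASSIGNMENTS = [
    ("user", "cast", "admin", None),
    ("user", "james", "resource owner", ("application", "MEUDON")),
    ("group", "qa-team", "resource owner", ("domain", "HR")),
    ("user", "alice", "application owner", None),
]


def principals(user):
    """The user itself plus every group the user is a member of."""
    return {("user", user)} | {("group", g) for g, m in GROUPS.items() if user in m}


def covers(target, app):
    """True if an assignment target applies to the given Application."""
    if target is None:  # Global level: all Applications
        return True
    kind, name = target
    if kind == "domain":  # Domain: every Application associated with it
        return app in DOMAINS.get(name, [])
    return name == app  # individual Application


def effective_role(user, app):
    """Most permissive role the user holds on one Application, or None."""
    who = principals(user)
    held = [role for scope, name, role, target in ASSIGNMENTS
            if (scope, name) in who and covers(target, app)]
    return max(held, key=RANK.__getitem__, default=None)


def access_report():
    """Application -> {user: effective role} for every user with any access."""
    users = {n for s, n, _, _ in ASSIGNMENTS if s == "user"}
    users |= {m for members in GROUPS.values() for m in members}
    apps = [a for members in DOMAINS.values() for a in members]
    return {a: {u: r for u in sorted(users) if (r := effective_role(u, a))}
            for a in apps}
```

Users who reach an Application only through a group or a Domain show up in `access_report()` alongside direct assignments, which is where unexpected access is usually found.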

Adding a Global level role

Console ≥ 2.x

Global level roles are managed directly in SSO/Keycloak. See Configure authentication and roles using Keycloak - v. 2.x for more information:

Console 1.x

To assign a Global level role to other users, the current user needs to already have the "Admin" role.

Move to the Security option:

A list of users/groups that already have Global level roles will be displayed (your own login or the group your login belongs to should be displayed in the list as an Admin):

Click the Add Roles button to assign the role. Depending on the authentication mode in use (see Configuring User Authentication), you will then be prompted to assign the role:

Authentication mode | GUI | Action required
Authentication using local configuration

  • Enter the name of the User
  • Choose the role
  • Click Save.
LDAP/Active Directory/SAML

  • Select the LDAP/Active Directory/SAML scope (User or Group)
  • Enter the name of the User / Group
  • Choose the role
  • Click Save.

The page will update and list the changes you have made:

In the above example, when the user "James" logs in, he will have Application Owner rights at Global level. To remove a role, click the recycle bin next to the user's name:

Note that it is not possible to remove the Admin role from your own login (in the example above, this is the "cast" login). This is to prevent a situation where there are no users with the Admin role.

Adding a Resource level role

To assign a Resource level role to other users, the current user needs to already have the "Admin" role.

Resource level roles (i.e. Application Owner) can be assigned to Domains (and all Applications associated with them) and/or individual Applications. To add a resource level role, move to the Applications option:

Console ≥ 2.x

In Console ≥ 2.x, users that need to interact with existing applications will first need to be assigned the "application_owner" global role in Keycloak (see Configure authentication and roles using Keycloak - v. 2.x), which will allow them to create new applications of their own. They will then need to be assigned a resource owner role on the specific existing applications they need to interact with. This can be done by assigning the role to the individual application or to a group of applications which belong to a specific domain.

Use the three dots menu on either the Domain or the individual Application to assign the resource owner role via the Manage User Roles option:

In this example we have chosen to assign the resource owner role to the user "James" for a specific application. No roles have previously been assigned for this Application. Click the Add Roles button to assign the role:

Enter the name of the user you would like to assign the role to and click Save:

The page will update and list the changes you have made:

Note that if you are using LDAP/SAML authentication, you can also specify groups as well as users (the Scope drop down determines whether this is a user or a group):

Console 1.x

A list of Applications that already exist will be listed by Domain. Choose whether you want to assign the role at Domain or Application level, and then click the appropriate three dots menu and select Manage User Roles:

In this example we have chosen to assign the role at Application level for the Application "MEUDON". No roles have previously been assigned for this Application. Click the Add Roles button to assign the role:

Depending on the authentication mode in use (see Configuring User Authentication), you will then be prompted to assign the role:

Authentication mode | GUI | Action required
Authentication using local configuration

  • Enter the name of the User
  • Choose the role
  • Click Save.
LDAP/Active Directory/SAML

  • Select the LDAP/Active Directory/SAML scope (User or Group)
  • Enter the name of the User / Group
  • Choose the role
  • Click Save.

The page will update and list the changes you have made:

To edit the assigned role, click the edit button. To remove a role, click the recycle bin next to the User or Group's name as shown above.