Users & Groups
This Document provides instructions on User Onboarding (various roles), The changes introduced to support MSP Functionality & Data Filtering across Various Organizations
User Onboarding
To support MSP functionality we added new roles. Here are the following roles
Workspace Administrator
Description: This is the role given to the default user (admin@cfx.com). This user is super user who can on board all the different user roles and also has permissions to do both administration and configuration of users and organizations.
MSP Administrator
Description: This user has administrator permissions to add, edit, delete, configure, administer multiple organizations and to onboard users across multiple organizations and assign different roles to the users.
MSP User
Description: This user has permissions to see dashboards assigned to them and also, can perform certain actions (please capture what actions???) This user can be associated with one or more organizations. This user will not have any administrator or configuration privileges.
Organization (Tenant) Administrator
Description: This user is assigned to a specific organization by either Workspace Administrator or MSP Administrator. This user has privilege to configure the assigned organization. Also, this user can onboard users with either Organization Admin, Organization User, L1, L3, Organization Read Only Users as well for the assigned organization.
Organization User
Description: This user has permissions to see dashboards assigned and also can perform certain actions. This user can be associated with only one organization. No administrator or configuration privileges.
MSP Read Only User
Description: This user has only read only access to see dashboards assigned and cannot perform any actions. This user can be associated with more than one organization. No administrator or configuration privileges (Difference between MSP user and MSP RO user is that, this user will not have any associated actions).
Organization Read Only User
Description: This user has read only permission to see dashboards assigned and also cannot perform any actions. This user can be associated with only one organization. No administrator or configuration privileges (Difference between Or Organization user and Organization RO user is that, this user will not have any associated actions).
L3 User
Description: This user is the same as the Organization User with different privileges. This user can be associated with only one organization.
L1 User
Description: This user is the same as the Organization User with even less privileges. This user can be associated with only one organization.
User Roles and Permissions
RDA Permissions for Dashboards
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| Enable | Yes | Yes | No | No | No | No | No | No | No |
| Disable | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Dashboards Groups
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Enable | Yes | Yes | No | No | No | No | No | No | No |
| Disable | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Datasets
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Ingest | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
| Manage | Yes | Yes | No | No | No | No | No | No | No |
| Clone | Yes | Yes | No | No | No | No | No | No | No |
| Export | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Schemas
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Pstreams
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Pipelines
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Verify | Yes | Yes | No | No | No | No | No | No | No |
| Run | Yes | Yes | No | No | No | No | No | No | No |
| Publish | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Formatting Templates
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Stacks
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Service Blueprints
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
| Enable | Yes | Yes | No | No | No | No | No | No | No |
| Disable | Yes | Yes | No | No | No | No | No | No | No |
| Deploy | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Alert Rules
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Bundles
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Compare | Yes | Yes | No | No | No | No | No | No | No |
| Deploy | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Credentials
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Verify | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Site Profiles
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Staging Areas
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Log Archives
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No | No | No | No |
| View | Yes | Yes | No | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Fabric Health
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| View | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Users
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | Yes | No | No | No | No | No | No |
| Edit | Yes | Yes | Yes | No | No | No | No | No | No |
| Reset Password | Yes | Yes | Yes | No | No | No | No | No | No |
| Activate | Yes | Yes | Yes | No | No | No | No | No | No |
| Deactivate | Yes | Yes | Yes | No | No | No | No | No | No |
| Manage | Yes | Yes | Yes | No | No | No | No | No | No |
| View | Yes | Yes | Yes | No | No | No | No | No | No |
| Delete | Yes | Yes | Yes | No | No | No | No | No | No |
RDA Permissions for User Groups
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | Yes | No | No | No | No | No | No |
| Edit | Yes | Yes | Yes | No | No | No | No | No | No |
| Delete | Yes | Yes | Yes | No | No | No | No | No | No |
RDA Permissions for Organizations
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | No | No | No | No | No | No | No |
| Edit | Yes | Yes | Yes | No | No | No | No | No | No |
| Configure | Yes | Yes | Yes | No | No | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for MSP Details
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Update | Yes | Yes | No | No | No | No | No | No | No |
RDA Permissions for Authentication Severs
| RDA Permissions | Workspace Admin | MSP Admin | Organization Admin | MSP User | Organization User | MSP RO User | Organization RO User | L1 User | L3 User |
|---|---|---|---|---|---|---|---|---|---|
| Add | Yes | Yes | Yes | No | No | No | No | No | No |
| Edit | Yes | Yes | Yes | No | No | No | No | No | No |
| Delete | Yes | Yes | Yes | No | No | No | No | No | No |
Steps to onboard user
Login as workspace administrator(admin@cfx.com)
After Login on the left side the user can find Menu for Workspace administrator, The user needs to select Administration
Select Organizations section form the the left side Menu Bar to add new Organization
Note
Workspace Administrator can add Multiple Organizations
After selecting Organizations here as shown below the user can Add New Organization
Select Users Section on the left side Menu Bar to on-board users. select the User Groups tab above
Here after selecting User Groups on the right side you will find Add Group click on that and Add a New User Group
In the above Screenshot, when a user is created it has MSP Administrator role and is associated with organizations 'OIA-CloudFabrix' and ‘Test 1’ (two organizations/tenants)
Note
Each User Group is associated with a particular role. Based on the role selected administrators can assign one or more organizations. If the selected role is MSP Administrator, MSP User or MSP Read Only User then this user group can be associated with one or more organizations. Any other role (except for Workspace Administrator) only one organization can be associated.
Select the Users Tab to add New user, New user is on boarded by adding the user details and assigning the user to a User Group. All the users will have the same role that is associated with the User Group and across all the organizations within the User Group.
In the below Screenshot, cfx_admin@cfx.com user is added to MSP Admin Group. Meaning, this cfx_admin@cfx.com user will have an MSP Administrator role across organizations
Here in the below Screenshot the added user can be seen
To view the permissions associated with each role select View Permissions action, users can select this action by selecting three dots which is at the right side of each user as shown in the below screenshot
Once a user is On-boarded, appropriate dashboards need to be assigned to that User Group. Dashboards that are assigned to the User Group will be visible to all the users within that group
Note
Except for Workspace Administrator and MSP Administrator who have access to all the dashboards
Adding a new Dashboard Group
Prerequisites
Before creating a Dashboard Group, ensure that you have completed all the necessary prerequisites.
Step 1: Created a User Group with an assigned Role
Step 2: Created Users and assigned them to the User Group
Note
The role assigned to the User Group in Step 1 determines the dashboard permissions (View/Edit) accessible to its users.
Creating a Dashboard Group
Use these steps to create a Dashboard Group and assign dashboard access to User Groups.
Navigate to Dashboard Groups
Go to Main Menu, navigate to Configuration → RDA Administration → Dashboards → Dashboard Groups
Each Dashboard Group is associated with one or more User Groups and one or more dashboards.
Create a New Dashboard Group
1. On the Dashboard Groups page, click Add Group.
2. In the creation form, enter the following details:
-
Dashboard Group name: A unique identifier for the group
-
Label: A display name for the Dashboard Group
-
User Group: Select the User Group (created in prerequisite Step 1) that should have access to these dashboards
-
Dashboards: Select one or more dashboards that this User Group should be able to access
3. Save the Dashboard Group configuration.
- Added Dashboard group can be seen in the screenshot below
How Dashboard Permissions Work
-
View Permission: Users in the assigned User Group can view the dashboards included in this Dashboard Group.
-
Edit Permission: If the User Group's Role includes edit permissions, users can modify the dashboards.
-
Permission Inheritance: Dashboard permissions are inherited from the Role assigned to the User Group during User Group creation (prerequisite Step 1).
Dashboard Groups act as a link between User Groups and Dashboards, allowing users to:
- Specify which dashboards are accessible to particular User Groups
- Manage dashboard access centrally via group assignments
- Utilize Role-based permissions for detailed access control
Once a Dashboard Group is created and configured, users assigned to the associated User Group will automatically have access to the assigned dashboards based on their Role permissions.
All dashboards assigned through Dashboard Groups are accessible under User Dashboards in the Main Menu.
Login with cfx_admin@cfx.com with default password “changeme” and then will ask for reset password
- Changes to support MSP Functionality
Only Workspace Administrators and MSP Administrators have privileges to administer and configure various organizations. These roles can on board users across different organizations with different roles
Organization Administrators can be associated with only one organization and can configure that organization only. Also, this user can on board users with roles at the same level that is Organization Administrator, Organization Read Only User, L1 User and L3 User for that organization. In addition, this user has access to only dashboards that are assigned and associated to this user group.
- Menu for Organization Administrator
All the RDA related administration have been moved under 'RDA Administration' and 'RDA Integrations' options that are visible only for Workspace Administrator and MSP Administrator
Some of the diagnostic related UI are moved under 'Fabric Health' and can be accessed only by Workspace Administrator and MSP Administrator
Data filtering across various organizations
Users are associated to the organizations based on the user groups they belong to. If they have any 'MSP' related roles then they can have access to the organization(s) that are associated within the user group. The users cannot have access to organizations which they are not associated with.
Example:
A setup has 3 organizations Org1, Org2, Org3 with the following users and the associated roles
| User | Role | Organizations | Dashboards |
|---|---|---|---|
| User1 | MSP Admin | Org1, Org2 | Incidents, Alerts |
| User2 | MSP Admin | Org2, Org3 | Incidents, Alerts |
| User3 | MSP User | Org2, Org3 | Incidents |
| User4 | Organization Admin | Org1 | Incidents, Alerts |
| User5 | Organization User | Org1 | Incidents, Alerts |
| User6 | MSP Read Only User | Org2, Org3 | Incidents, Alerts |
| User7 | Organization Read Only User | Org1 | Incidents, Alerts |
| User8 | L1 User | Org1 | Incidents, Alerts |
| User9 | L3 User | Org1 | Incidents, Alerts |
-
User1 is ‘MSP Admin’ for organizations Org1 and Org2. That user will be able to perform all the actions within the dashboards Incidents and Alerts. User1 shouldn’t be able to see data from Org3.
-
User2 is ‘MSP Admin’ for organizations Org2 and Org3. That user will be able to perform all the actions within the dashboards Incidents and Alerts. User2 shouldn’t be able to see data from Org1.
-
User3 is ‘MSP User’ for Org2 and Org3. User3 can see only the dashboard ‘Incidents’. User3 cannot see Org1 data and also ‘Alerts’ dashboard. The actions that User3 can perform within the ‘Incidents’ dashboard are a subset of the MSP Admin role.
-
User4 is Organization Admin for only Org1. User4 shouldn’t be able to see data from Org2 and Org3. User4 can perform all the actions within Incidents and Alerts dashboards
-
User5 is Organization User for only Org1. User5 shouldn’t be able to see data from Org2 and Org3. User5 can perform only subset of actions within Incidents and Alerts dashboards
-
User6 is ‘MSP Read Only User’ for Org2 and Org3. User6 can see the dashboards ‘Incidents’ and ‘Alerts’. User6 cannot see Org1 data. User6 cannot perform any actions with the dashboards.
-
User7 is ‘Organization Read Only User’ for Org1. User7 can see the dashboards ‘Incidents’ and ‘Alerts’. User7 cannot see Org2 and Org3 data. User7 cannot perform any actions with the dashboards.
-
User8 is L1 User for only Org1. User8 shouldn’t be able to see data from Org2 and Org3. User8 can perform only subset of actions within Incidents and Alerts dashboards
-
User9 is L3 User for only Org1. User9 shouldn’t be able to see data from Org2 and Org3. User9 can perform only subset of actions within Incidents and Alerts dashboards
-
Migration
Current setups on boarded only tenant admin and tenant users. The corresponding roles are renamed as "Organization Admin and "Organization User". Also all screens related to RDA have been moved under "Configuration" and "Fabric Health" menus which can be accessible only to MSP Admin or Workspace Admin roles. If the current tenant admin needs to access those screens that user role has to be changed to msp admin. The following steps need to be performed to migrate those users from tenant admin to msp admin