Introduction
Effective access control begins with role definition. By assigning roles to users and groups, you can manage permissions consistently across all resources.
The platform allows you to create multiple roles to accommodate various access requirements, with the Administrator role providing the highest level of access and full control over all resources.
- Roles define the access permissions assigned to users or user groups within your organization.
- Each role consists of a set of permissions and configurations that control what actions a user can perform and which features they can access on the platform.
You can configure roles at the Service Provider (SP), Partner, and Client levels.
Prerequisite
- Permission sets have been created and are available.
Permissions
The following permissions are required to view the Roles list:
| Type of user | Permissions |
|---|---|
| SP/MSP | Users_Manage, Roles_View, and Device_View |
| Client | Administration, Users_Manage, Roles_View, and Device_View |
The following permissions are required to manage (add, update, delete) roles:
| Type of user | Permissions |
|---|---|
| MSP | Users_Manage, Roles_Manage, and Device_Manage |
| Client | Administration, Users_Manage, Roles_Manage, and Device_Manage |
Note
In addition to the above permissions, you must be added to All User Groups. To do this, navigate to Setup > Account > Users and Permissions > Users. Verify that the All user groups option is selected on the user details page. If it is not, select the All user groups option from the Assigned User Groups section.
If you have access to No user groups or to restricted user groups (that is, if None or Specified user groups is selected from the Assigned User Groups section), you cannot add or remove roles.
Create a Role
Follow these steps to create a role:
Click Setup > Account. The Account Details page is displayed.
Click the Users and Permissions tile on the Account Details page. The Permission Sets page is displayed.
Click the Roles card. The ROLES listing screen is displayed.

Click +ADD. The ROLE DETAILS screen is displayed.

Enter the following information:
- Role Name: Enter a unique name for the role.
  If you are a partner user, select the appropriate option from Role for and Access to.
- Permission Sets: Select the permission set(s) from the list.
  Click Manage all permission sets to create a permission set.
  Note: The Client Administrator, Client Dashboard Share Permission Set, and Client User are the default permission sets.
- Description: Enter details to describe the role.
From Resources visibility, select one of the following three options to control which resources the role can access:
- All: The role has visibility of all resources in the client.
- Specified resources: The role has visibility of only the selected resources in the client.
  - Select resource group(s) from the Resource groups dropdown.
  - Select resource(s) from the Resources dropdown. You can also click Advanced Search to build a query to search for the resources.
- None: The role has no visibility of client resources.
From Assigned credentials, select one of the following three options to control which credentials the role can access:
- All: The role has visibility of all credentials in the client.
- Specified credentials: The role has visibility of only the selected credentials in the client.
  - Select credential(s) from the list.
- None: The role has no visibility of client credentials.
From Authz Tags, select one of the following three options to control which tags the role can access:
- All: The role has visibility of all tags in the client.
  There are no restrictions on log visibility.
- Specified authz tags: The role has visibility of only the selected tags in the client.
  Only logs that carry the tags, or have no tags at all, are visible to users with the assigned role.
  - Select authz tag(s) from the list.
- None: The role has no visibility of client tags.
  Only logs without any tags are visible to users with the assigned role.
In the DASHBOARDS section, select one or more dashboards from the Classic Dashboards dropdown.
In the OPTIONS section, select the default landing page from the Home Page dropdown.
Click ADD. The role is created and displayed in the ROLES listing screen.

Users can perform the following actions based on the context:
| Type of user | Current context | User action |
|---|---|---|
| Service Provider User | Service Provider | |
| Partner User | Partner | |
| Partner User | Client | Manage roles for the current client. |
| Client User | Client | Manage roles for the current client. |
Actions on a role
You can perform the following actions after creating a role:
| Action | Procedure/Description |
|---|---|
| Search | To search for a role: |
| View | To view a role: |
| Edit | Note: You cannot edit a default role. |
| Remove | Note: You cannot remove a default role. |
Use Case
Suppose there are a total of five clients under a Partner.
Role 1 is created at the Partner level (with Partner as Tenant Scope) with two clients selected and the Permission Set set to Partner Administrator.
Role 2 is created at the Partner level with All Clients selected, and Permission Set as Partner View Only.
These two roles are assigned to the same user.
Result: The permission sets may not work as expected because overlapping roles introduce ambiguity. OpsRamp evaluates permissions cumulatively, and when multiple roles apply, the most permissive access takes precedence.
Recommendation: Create Role 2 at the Partner level with the remaining three clients selected and Permission Set set to Partner View Only.
This ensures that:
- As a Partner Administrator (via Role 1), the user has full access to resources and configurations for the two selected clients.
- With the Partner View Only permission set (via Role 2), the user has read-only access to the other three clients.
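The use case above as a small model, added here as an illustration; it is not OpsRamp code and does not call any platform API. It applies the stated rule (permissions are cumulative and the most permissive access wins) and lists the clients where two roles with different permission sets overlap. The `Role` class, the client names, and the numeric ranking of the two permission sets are assumptions.

```python
from dataclasses import dataclass

# Assumed ranking for this model only: a higher number is more permissive.
RANK = {"Partner View Only": 1, "Partner Administrator": 2}

@dataclass(frozen=True)
class Role:  # hypothetical structure, not a platform object
    name: str
    permission_set: str
    clients: frozenset  # clients the role is scoped to

def effective_access(roles):
    """Per client, keep the most permissive permission set across all roles."""
    access = {}
    for role in roles:
        for client in role.clients:
            held = access.get(client)
            if held is None or RANK[role.permission_set] > RANK[held]:
                access[client] = role.permission_set
    return access

def overlapping_clients(roles):
    """Clients reached by several roles whose permission sets differ."""
    seen = {}
    for role in roles:
        for client in role.clients:
            seen.setdefault(client, []).append(role)
    return {
        client: sorted(r.name for r in hits)
        for client, hits in seen.items()
        if len({r.permission_set for r in hits}) > 1
    }

# Constructed sample data: five clients under one partner.
ALL_CLIENTS = frozenset(f"client-{n}" for n in range(1, 6))
ROLE_1 = Role("Role 1", "Partner Administrator", frozenset({"client-1", "client-2"}))
ROLE_2_ALL = Role("Role 2", "Partner View Only", ALL_CLIENTS)
ROLE_2_REST = Role("Role 2", "Partner View Only", ALL_CLIENTS - ROLE_1.clients)

if __name__ == "__main__":
    for label, roles in (("as configured", [ROLE_1, ROLE_2_ALL]),
                         ("recommended", [ROLE_1, ROLE_2_REST])):
        print(label, "overlaps:", overlapping_clients(roles))
        for client, pset in sorted(effective_access(roles).items()):
            print(f"  {client}: {pset}")
```

In the configured case the two overlapping clients resolve to Partner Administrator, so the view-only role never restricts them; with the recommended scoping the overlap list is empty and each client's access comes from exactly one role.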