Users & Access
tCell uses the Insight cloud’s role-based access control framework to manage global user accounts and permissions. Additional per-app controls are included in tCell and require varying levels of user permissions to access.
Types of User Access
tCell provides user access at two levels:
- Global Roles - Global access roles provide user accounts with a minimum level of access to all tCell applications within the tCell customer domain.
- Application Roles - Per-app access roles provide user accounts with increased privileges beyond the global access level for specific tCell apps.
Global Roles
All users have a global role. The global role sets a minimum access level for that user to all tCell apps. Global roles include:
- Read-Only
- Read-Write
- Admin
The global "Read-Only" role permits access to information across all apps. Users in this role can see all app data such as IP groups, custom regexs, events, package version information, and agents installed. Users in this role cannot modify the configuration of any apps such as changing policies or setting up alerts.
Members assigned to the "Read-Write" role can see all data, as in the Read-Only role, and can also make changes to all app configurations. Users in this role can modify collected data and the requests or client IP addresses to block. However, users with a Read-Write role cannot create or delete tCell apps, or modify other users.
The "Admin" role grants all capabilities available to the Read-Write role, but adds these capabilities:
- Modify, add, and remove other user logins
- Add, edit, delete, and view IP groups and custom regexs
- Create and delete tCell apps
Disabling the global role
A user account with a disabled global role and no application roles has no access to tCell applications in the tCell customer domain. If you add one or more application roles, the user account then has access to those applications and no others. Organizations with many applications use this approach to restrict users to a particular subset of applications.
Global role actions
The following actions can only be taken by the roles listed:
Action | Roles |
---|---|
Access information across all apps | Read-Only, Read-Write, Global Admin |
Modify app configurations | Read-Write, Global Admin |
Modify, add, remove user logins | Global Admin |
Create and delete tCell apps | Global Admin |
Create and own apps | Global Admin, Read-Write |
Admins cannot modify their own role
As a special limitation, admins cannot modify their own role. This prevents the last admin from removing their own admin privileges. If you need to remove global Admin access from a user, do so under a different Admin user. If necessary, you may need to create a new Admin user or promote an existing user to Admin.
Read more about global roles in the Insight User Management documentation.
Application Roles
Users can also have roles scoped to a specific tCell application. These roles do not restrict access to the app, only increase it. A user's access to an app is the greater of their global role and the app-specific role.
The three levels of access are:
- Read-Only
- User
- Admin
The "Read-Only" role provides access to review all collected data, while the "User" role permits reviewing the data as well as configuring the app.
As an app-specific role, "Admin" role access allows users to edit app-specific roles for other users. Admins can select users who need additional access to the app beyond their global access. Admins cannot add, edit, or delete IP groups or custom regexs.
Note
Users with an app-specific Admin role cannot create or remove user accounts from the tCell system. Only global admins can bring users into the customer account.
Permissions for apps
The following actions can only be taken by the corresponding roles:
Action | Roles |
---|---|
Create and own apps | Read-Write, Admin |
Review data for the app | Read-Only, User, Admin |
Configure the app | User, Admin |
Change user roles | Admin |
Add users to the app | Admin |
Update a policy and reference existing IP Groups or Custom Regex | Application Admins, Read-Write |
User Management Examples
Global user
Richard has a global role of Read-Write, and is an Admin in the “Cheese Shop” app. Richard can:
- Create apps. He will be the app admin for his apps.
- View all data within the entire customer-specific tCell environment
- Change the configuration of all apps
- Give access at various levels to the “Cheese Shop” app to accounts that already exist in the system. For example, Richard can enable a user with global Read-Write access to be an Admin within the context of the Cheese Shop app
Global admin
Duval has the Admin global role. No per-app roles will have any effect. Duval will have administrative access to all apps, even if his account has an app-specific role declared.
If Duval’s global role is later reduced below his app-specific roles, the app-specific settings permit Duval to keep those levels of access in those apps, even though his new global role offers fewer privileges.
Restricted application user
Darlene's global role is disabled. She has User access to the "Lindstaler College Basketball" fanbase app which she maintains as president of the Lindstaler Alumni Basketball Club. She has Read-Only access to the other Lindstaler Alumni sports apps which are maintained by her colleagues. She has no access to the other alumni apps.
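The three examples above can be checked mechanically when reviewing role assignments. The following is an added example, not tCell code or a tCell API: it models "effective access is the greater of the global role and the app-specific role" and lists app roles that are currently masked by a higher global role, since those remain in force after a global downgrade. The numeric ranking, the treatment of global Read-Write as equal to app User, the shortened app names, and Duval's app role are assumptions made for illustration.

```python
# Added example: a model of the access rules described on this page.
# Assumption: roles are ranked numerically and global Read-Write ranks equal to
# app User. Global Admin and app Admin share a rank here only for per-app
# comparison; their capabilities differ as described above.
NONE, READ, WRITE, ADMIN = 0, 1, 2, 3
GLOBAL_RANK = {None: NONE, "Read-Only": READ, "Read-Write": WRITE, "Admin": ADMIN}
APP_RANK = {"Read-Only": READ, "User": WRITE, "Admin": ADMIN}
LABEL = {NONE: "no access", READ: "read", WRITE: "configure", ADMIN: "admin"}


def effective_access(global_role, app_roles, app):
    """Greater of the global and app-specific role. None = disabled global role."""
    app_rank = APP_RANK[app_roles[app]] if app in app_roles else NONE
    return max(GLOBAL_RANK[global_role], app_rank)


def masked_app_roles(global_role, app_roles):
    """App roles that add nothing today because the global role covers them.

    They stay in force if the global role is later reduced, so review them
    before a downgrade.
    """
    g = GLOBAL_RANK[global_role]
    return sorted(app for app, role in app_roles.items() if APP_RANK[role] <= g)


def access_report(global_role, app_roles, apps):
    """Per-app effective access for one user, as readable labels."""
    return {app: LABEL[effective_access(global_role, app_roles, app)] for app in apps}


# Constructed sample data based on the three examples on this page.
APPS = ["Cheese Shop", "Basketball", "Football", "Chess Club"]
USERS = {
    "Richard": ("Read-Write", {"Cheese Shop": "Admin"}),
    "Duval": ("Admin", {"Cheese Shop": "User"}),  # app role is constructed
    "Darlene": (None, {"Basketball": "User", "Football": "Read-Only"}),
}

if __name__ == "__main__":
    for name, (global_role, roles) in USERS.items():
        print(name, access_report(global_role, roles, APPS),
              "masked:", masked_app_roles(global_role, roles))
    # What Duval keeps if his global role is reduced to Read-Only:
    print("Duval after downgrade:",
          access_report("Read-Only", USERS["Duval"][1], APPS))
```

Running the report with a proposed new global role before making the change shows which apps a user keeps elevated access to.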
Managing User Roles
There are a few places where users and admins can make changes to user access. Global admins can make changes to tCell accounts from Insight User Management. This access includes:
- Adding users to tCell
- Deleting users from tCell
- Granting Insight cloud admin role
- Changing tCell product role
Additionally, access for users with app-specific admin access to tCell includes:
- Adding, editing, and deleting app-specific roles
- Enabling or disabling tCell global role
Creating tCell Accounts
To add a new tCell user account:
- Click the cogwheel icon in the top right menu.
- Select User Management in the menu. The Insight cloud opens in a new tab.
- Click the Add User button.
- In the “User Details” tab, enter the email address, name, and time zone for the user account and click the Next button.
- In the “Role Management” tab, choose Admin, Read Write, or Read Only under “Product Roles.” Note: selecting “Platform Admin” gives that user the ability to add and delete user accounts.
- In the “Product Assignment” tab, choose tCell.
- Click the Submit button.
To remove a user account from tCell:
- Click the cogwheel icon in the top right menu.
- Select User Management in the menu. The Insight cloud opens in a new tab.
- Click the pencil to the right of the user name.
- Click the Product Assignment tab.
- Deselect tCell.
- Click the Submit button.
Giving Access to Apps
To give a user access to specific apps:
- Click tCell Admin in the top right of the screen. The “Admin” screen appears.
- Click the Users tab.
- Click the pencil icon to the right of the user name.
- In the “Edit User” window, click +Add.
- Select the app.
- Select the Admin, User, or Read Only role.
- Click the Save button.
You can also use this process to edit existing user access to apps.