Network Monitoring Across Teams: Account Groups, Roles and Activity Log

Posted by on February 24, 2015

Over the last month, we've taken some major steps to give organizations using ThousandEyes more control and transparency in the area of user management and access control. This week we released several major features that make it easier for large organizations and distributed teams to secure their ThousandEyes environment.

Taken together, Account Groups, Roles and the Activity Log make it possible to define and assign robust role-based access control (RBAC) across an organization, tailoring user permissions to exactly what each user needs, and they provide an audit trail that lets administrative users review individual user activity across the organization.

Organizing Users and Accounts

Within ThousandEyes, the Organization is the top-level object, typically named after the company. Each Organization has one or more Account Groups, used to separate business units or teams. Each Organization also has one or more Users, each identified uniquely by email address and holding individual credentials. Users are associated with Account Groups within the Organization, and their permissions in each Account Group are described by Roles. A User can therefore belong to multiple Account Groups and have distinct permissions in each.

Figure 1: New organization structure with a many-to-many relationship between Users and Account Groups.
Figure 2: New Role structure where Users can be assigned to one or many Roles across one or many Account Groups.

Previously, non-administrative Users were bound to one ‘Account’ in the Organization. In addition, Users were assigned one of three pre-defined Roles, with no scope for customization: in many circumstances, this was an all-or-none approach to permission management. As we began working with larger organizations with users spanning many teams, the model proved to be a limitation for some. The logical evolution was to move to a flexible role-based access control model.

Figure 3: Users and Enterprise Agents associated with each Account Group.

You can also set a user's default Account Group in their user profile, so that when the user logs in they are shown the most relevant dashboards and tests, and can switch to another Account Group with a single click.

Assigning RBAC with Roles

With the new Organization and User structure, an administrator can customize Roles based on individually defined permissions. Examples of permissions include the ability to add users, create or update tests, view billing information or adjust security settings. In the new model, each Organization has three built-in Roles: Org Admin, Account Admin and Regular User.

Selected permissions for the default Roles (Figure 4):

Permission                                        | Org Admin          | Account Admin         | Regular User
View Tests                                        | all Account Groups | current Account Group | own User
Edit shares, saved events, dashboards, reports    | all Account Groups | current Account Group | own User
View Activity Log                                 | all Account Groups | current Account Group | own User
Assign Roles                                      | all Account Groups | current Account Group | -
Edit Agents, Tests, Alert Rules and Notifications | all Account Groups | current Account Group | -
Edit Account Groups, Users and Roles              | all Account Groups | -                     | -
View and edit billing                             | all Account Groups | -                     | -

Figure 4: A simplified view of select permissions across the three default Roles. A dash means the Role does not grant that permission at all.

These Roles are fully extensible: they can be cloned and modified, or new Roles can be created from scratch, to fit specific needs across your teams. For example, you can create a Role for API users, a finance Role limited to billing management, or an information security Role limited to modifying the Organization's security settings.

Figure 5: Roles across columns, including the customized 'Limited Admin 1', with associated Permissions in the rows.

Simplify Your Roles Based on Task

If you have users who wear multiple hats in your organization, you're not alone. The RBAC model allows a user to hold several Roles within one Account Group. The user's effective permissions in that Account Group are the union of the permissions granted by each of those Roles, that is, the highest level of access any one of them grants. Keep the consequence for least privilege in mind: Roles only ever add permissions, so assigning a deliberately narrow Role alongside a broad one does not restrict the user. To reduce someone's access, remove the broader Role.

This allows you to create multiple roles focused on execution of specific tasks, and then assign those roles to users on an individual basis. One user may have User Management, Billing and Test creator/editor privileges, while another only has Test creator/editor privileges, while another has view-only permissions. Even things like login control are based on permissions defined in roles, so as an administrator, you can define who can log in using Single Sign-On, who can log in using the ThousandEyes login page, and who can access the API.
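The Organization, Account Group, User and Role structure described above, together with the union rule for users who hold several Roles, as an added Python example. This is not ThousandEyes code: the permission identifiers, the contents of each Role, and the users and Account Groups are assumptions chosen to mirror Figure 4 and the custom-Role examples in the text. Org-wide Roles (the Org Admin case in Figure 4) are modelled as an assignment with no Account Group, which applies everywhere.

```python
from dataclasses import dataclass, field

# Permission identifiers. Assumed names: the post lists these capabilities
# (add users, edit tests, view billing, choose login method, API access)
# but does not give machine identifiers for them.
VIEW_TESTS = "view_tests"
EDIT_TESTS = "edit_tests"
ASSIGN_ROLES = "assign_roles"
EDIT_USERS = "edit_users"
VIEW_BILLING = "view_billing"
LOGIN_SSO = "login_sso"
LOGIN_PASSWORD = "login_password"
API_ACCESS = "api_access"

ORG_WIDE = None  # assignment scope meaning "applies in every Account Group"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

    def cloned(self, name, add=(), remove=()):
        """Clone-and-modify, the way the post describes building custom Roles."""
        return Role(name, (self.permissions | frozenset(add)) - frozenset(remove))


@dataclass
class Organization:
    name: str
    roles: dict = field(default_factory=dict)        # role name -> Role
    # (user email, account group) -> set of role names: the many-to-many
    # binding. One user may hold several Roles in one Account Group and a
    # different set in another.
    assignments: dict = field(default_factory=dict)

    def add_role(self, role):
        self.roles[role.name] = role
        return role

    def assign(self, email, group, *role_names):
        unknown = set(role_names) - set(self.roles)
        if unknown:
            raise KeyError(f"undefined roles: {sorted(unknown)}")
        self.assignments.setdefault((email, group), set()).update(role_names)

    def effective_permissions(self, email, group):
        """Union of every Role the user holds in `group` plus any org-wide
        Role. This is the 'highest level of access granted' rule: Roles only
        ever add permissions, so a narrower Role cannot take one away."""
        names = (self.assignments.get((email, group), set())
                 | self.assignments.get((email, ORG_WIDE), set()))
        perms = frozenset()
        for n in names:
            perms |= self.roles[n].permissions
        return perms

    def is_allowed(self, email, group, permission):
        return permission in self.effective_permissions(email, group)


def build_demo_org():
    """Constructed sample Organization loosely following Figure 4 and the
    custom-Role examples in the text (hypothetical users and groups)."""
    org = Organization("Example Corp")
    regular = org.add_role(Role("Regular User", frozenset({VIEW_TESTS, LOGIN_PASSWORD})))
    acct_admin = org.add_role(regular.cloned("Account Admin", add={EDIT_TESTS, ASSIGN_ROLES}))
    org.add_role(acct_admin.cloned("Org Admin",
                                   add={EDIT_USERS, VIEW_BILLING, LOGIN_SSO, API_ACCESS}))
    # Task-focused custom Roles from the post: a finance/billing Role and an
    # API-only Role that grants no interactive login at all.
    org.add_role(Role("Billing", frozenset({VIEW_BILLING, LOGIN_PASSWORD})))
    org.add_role(Role("API User", frozenset({API_ACCESS})))
    # A 'Limited Admin 1'-style Role: Account Admin minus the right to assign Roles.
    org.add_role(acct_admin.cloned("Limited Admin 1", remove={ASSIGN_ROLES}))

    org.assign("alice@example.com", "NetOps", "Account Admin")
    org.assign("alice@example.com", "Finance", "Regular User", "Billing")
    org.assign("bob@example.com", ORG_WIDE, "Org Admin")
    org.assign("carol@example.com", "NetOps", "API User")
    org.assign("dave@example.com", "NetOps", "Limited Admin 1")
    return org


if __name__ == "__main__":
    org = build_demo_org()
    for email, group in [("alice@example.com", "NetOps"), ("alice@example.com", "Finance"),
                         ("carol@example.com", "NetOps"), ("bob@example.com", "Finance")]:
        print(email, group, sorted(org.effective_permissions(email, group)))
```

Running it shows the two points that matter when you review access: alice is an administrator in NetOps but can only view tests and billing in Finance, and carol's API-only Role gives her no interactive login at all. Because `effective_permissions` is a union, an access review has to consider every Role a user holds in an Account Group, plus any org-wide Role, rather than the most restrictive one.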

Figure 6: Users can be assigned distinct Roles in each Account Group.

Tracking History with Activity Log

In January, we released the Activity Log feature to help administrators understand user actions across the Organization. Together with the new Role-Based Access Control structure, this gives you a comprehensive way to organize, define and track user activity. The Activity Log covers nearly everything a user can do in the platform, with the exception of viewing data. Items such as user logins (including the login method used) and test and alert configuration changes are tracked, and for each activity we log the time, Account Group, User, IP address and event type.

Figure 7: Activity Log for a user with an 'Account Admin' Role.

Within the Activity Log you’ll be able to quickly search and filter by each of these parameters. The smart search will even guide you through event types, allowing tight filtering of the information shown, or broad wildcard-based searches that cover various fields.
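The two kinds of query described above, an exact Event Type filter and a broad wildcard search across fields, as an added Python example over constructed log entries. This is not ThousandEyes code or output: the entry format and event type names are assumptions, and the only thing taken from the post is the set of logged fields (time, Account Group, User, IP address, event type).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ActivityEntry:
    time: str           # ISO 8601 UTC, e.g. "2015-02-20T09:01:12Z"
    account_group: str
    user: str
    ip: str
    event_type: str


# Constructed sample entries (hypothetical users, addresses and event names).
SAMPLE_LOG = [
    ActivityEntry("2015-02-20T09:01:12Z", "NetOps",  "alice@example.com", "203.0.113.10", "User Login (SSO)"),
    ActivityEntry("2015-02-20T09:05:44Z", "NetOps",  "alice@example.com", "203.0.113.10", "Test Updated"),
    ActivityEntry("2015-02-20T11:30:02Z", "Finance", "alice@example.com", "203.0.113.10", "Report Shared"),
    ActivityEntry("2015-02-21T02:17:55Z", "NetOps",  "carol@example.com", "198.51.100.7", "User Login (API)"),
    ActivityEntry("2015-02-21T02:18:30Z", "NetOps",  "carol@example.com", "198.51.100.7", "Alert Rule Updated"),
    ActivityEntry("2015-02-22T14:00:00Z", "NetOps",  "bob@example.com",   "192.0.2.25",   "User Login (Password)"),
]


def search(entries, event_type=None, pattern=None, since=None, until=None):
    """Combine an exact Event Type filter (the drop-down in Figure 8) with a
    shell-style wildcard pattern tried against every logged field (the broad
    search the post describes) and an optional time window. Times are ISO 8601
    UTC strings of identical shape, so lexical comparison is chronological."""
    out = []
    for e in entries:
        if event_type is not None and e.event_type != event_type:
            continue
        if since is not None and e.time < since:
            continue
        if until is not None and e.time > until:
            continue
        if pattern is not None and not any(
                fnmatchcase(v, pattern)
                for v in (e.time, e.account_group, e.user, e.ip, e.event_type)):
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    # All logins, regardless of method, then everything from one address range.
    for e in search(SAMPLE_LOG, pattern="*Login*"):
        print(e.time, e.user, e.ip, e.event_type)
    for e in search(SAMPLE_LOG, pattern="198.51.*", since="2015-02-21T00:00:00Z"):
        print(e.time, e.user, e.ip, e.event_type)
```

One caveat on the wildcard search: it matches the IP address as text, so "198.51.*" does select 198.51.0.0/16, but a pattern like "198.51.1*" also matches 198.51.100.7. For a real address-range question, parse the field with the standard `ipaddress` module and test membership in a network instead.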

Figure 8: Activity log filter by Event Type.

Monitoring Across Your Organization

All Organizations are now using this new permissions model, with the legacy permission sets mapping closely to the new default Roles. Should you want to customize or adjust Roles and Permissions in your Organization, you’ll find the new controls in the Settings > Account view. More information on the Role-Based Access Control features can be found in this article in our Customer Success Center, and information on using the Activity Log can be found in this article.

Don’t already have an account and want to get started? Create a free account and invite your team today.
