Over the last month, we’ve taken some major steps to allow more control and transparency to organizations using ThousandEyes, in the area of user management and access control. This week we released the several major features that make it easier for large organizations and distributed teams to secure their ThousandEyes environment.
Taken together, Account Groups, Roles and Activity Logs make it possible to define and assign robust role-based access control (RBAC) across an organization, tailoring user permissions to exactly to what each user needs, as well as provide a comprehensive audit framework for administrative users to see individual user activities across their organization.
Organizing Users and Accounts
Within ThousandEyes, the Organization is the top-level object, typically set as the company name. Each Organization has one or more Account Groups, used for multiple business units or teams. Each Organization also has one or more Users, defined uniquely based on the user’s email address, each of whom has individual credentials. Users are associated to Account Groups within the Organization, and their permissions are described by Roles. Therefore, a User can belong to multiple Account Groups and have distinct permissions in each.
Previously, non-administrative Users were bound to one ‘Account’ in the Organization. In addition, Users were assigned one of three pre-defined Roles, with no scope for customization: in many circumstances, this was an all-or-none approach to permission management. As we began working with larger organizations with users spanning many teams, the model proved to be a limitation for some. The logical evolution was to move to a flexible role-based access control model.
You can even define a user’s default Account Group in their user profile, such that when a user logs in, she gets shown the most relevant contextual dashboards and tests, but can switch to another Account group with the click of a button.
Assigning RBAC with Roles
With the new Organization and User structure, an administrator can customize Roles based on individually defined permissions. Examples of permissions include the ability to add users, create or update tests, view billing information or adjust security settings. In the new model, each Organization has three built-in Roles: Org Admin, Account Admin and Regular User.
|Selected Permissions for default Roles||Org Admin||Account Admin||Regular User|
|View Tests||all Account Groups||current Account Group||own User|
|Edit shares, saved events, dashboard, reports||all Account Groups||current Account Group||own User|
|View Activity Log||all Account Groups||current Account Group||own User|
|Assign Roles||all Account Groups||current Account Group|
|Edit Agents, Tests, Alert Rules and Notifications||all Account Groups||current Account Group|
|Edit Account Groups, Users and Roles||all Account Groups|
|View and edit billing||all Account Groups|
The extensibility of these roles is limitless: these Roles can be cloned and modified, and new roles can be created from scratch, to fit specific needs across your teams. For example, you can create Roles for API users, a finance role for billing management, or an information security role for modification of organization security settings.
Simplify Your Roles Based on Task
If you have users who wear multiple hats in your organization, you’re not alone. The flexibility of the RBAC model allows assignment of multiple roles to a user within an account group: the user’s permissions when logged in are determined based on the highest level of access granted to the user, within the context of the User’s account group.
This allows you to create multiple roles focused on execution of specific tasks, and then assign those roles to users on an individual basis. One user may have User Management, Billing and Test creator/editor privileges, while another only has Test creator/editor privileges, while another has view-only permissions. Even things like login control are based on permissions defined in roles, so as an administrator, you can define who can log in using Single Sign-On, who can log in using the ThousandEyes login page, and who can access the API.
Tracking History with Activity Log
In January, we released the Activity Log feature to help administrators understand user actions across the Organization. Together with our new Role-Based Access Control structure, , you have a comprehensive way to organize, define and track user activities. The Activity Log includes nearly everything that a user can do in the platform, with the exception of looking at data. Items such as user login (including the method used for login), test and alert configuration changes are tracked. And for each activity we log the time, Account Group, User, IP address and event type.
Within the Activity Log you’ll be able to quickly search and filter by each of these parameters. The smart search will even guide you through event types, allowing tight filtering of the information shown, or broad wildcard-based searches that cover various fields.
Monitoring Across Your Organization
All Organizations are now using this new permissions model, with the legacy permission sets mapping closely to the new default Roles. Should you want to customize or adjust Roles and Permissions in your Organization, you’ll find the new controls in the Settings > Account view. More information on the Role-Based Access Control features can be found in this article in our Customer Success Center, and information on using the Activity Log can be found in this article.
Don’t already have an account and want to get started? Create a free account and invite your team today.