Access control
Access control allows you to set up permissions for users and user groups on the platform.
User groups
From the Settings > Users tab you can view, add, edit, and remove users from SquaredUp.
For information about adding, editing and removing users, see Users.
You are able to control the access of users by assigning them to specific user groups.
There are two default groups:
- Everyone includes all users on the platform and is updated when you add or remove a user from your organization.
- Administrators are given full access to the platform.
You can also create your own groups:
Custom enables you to create your own custom groups of users. These groups have no special privileges - they are just used to manage users for use in Access Control Lists (ACLs).
Each organization has a special Administrators group, managed under Settings > Users. Members of this group have access to extra features, including:
- Management of users and groups
- Management of API keys
- Advanced settings
- Administration of all workspaces, regardless of workspace access control
- Administration of all data sources, regardless of data source access control
A member of the administrators group can always delete or modify access control for a workspace or data source, even if the original creator has left the company and the workspace or data source is otherwise inaccessible. Administrators do not have access to the content of workspaces (dashboards, etc.) unless they are given access through the workspace Access Control List (ACL). Similarly, administrators cannot read data from a data source unless they have access to the data through a workspace. More information about the workspace ACL can be found in the Workspace access control section.
Go to Settings > Users.
Click Add user group.
Name: Enter the name of the user group.
Description: If required, enter a description of the group.
Users: Select the users you want to add to the group from the dropdown.
Click Done.
Go to Settings > Users.
Click the Edit icon next to the user group that you want to edit.
You cannot edit the Everyone group.
Name: Edit the name of the group.
Description: Edit the description of the group.
Users: Select which user(s) you would like to add to the user group from the dropdown.
You can remove a user from a user group by selecting X next to the desired user.
Go to Settings > Users.
Click on the Delete icon next to the user group that you want to delete.
Click Delete.
Workspace access control
For more information about setting up and editing workspaces, see Workspaces.
You can control access to workspaces by setting up permissions, where you can assign Viewer, Editor or Full Control permissions to users or groups. If you do not set permissions when creating a workspace, then anyone will be able to view, edit and administer it.
Access to workspaces is controlled through an Access Control List (ACL), which is a set of one or more Access Control Entries (ACEs), each of which specifies the permissions for a particular user or group.
By default, Manage Access is set to off. The workspace can be viewed, edited and administered by anyone. If you would like to control who has access to this workspace, switch Manage Access to on.
Use the Manage Access dropdown to control who has access to the workspace:
By default, the user setting the permissions for the workspace will be given Full Control and the Everyone group will be given Viewer permissions.
Tailor access to the workspace, as required, by selecting individual users or user groups from the dropdown and giving them Viewer, Editor or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the workspace by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the organization.
At least one user or group must be given Full Control.
Administrator users are able to modify the ACL and delete the workspace.
Access Level: Viewer, Editor, Full Control
Administrators have special ‘administrative’ access to all workspaces. This means they see all workspaces listed under Settings > Workspaces, and they can modify workspace properties, including the ACL, for any workspace.
Administrators do not see all workspaces in the main dashboarding area of SquaredUp, and do not have any access to the contents of workspaces unless they add themselves to the workspace ACL.
Data source access control
Data source access control works differently to workspace access control.
Access control on a data source restricts which users are allowed to link a data source to a workspace, rather than which users are allowed to read data from the data source. This difference is reflected in the Access Control List (ACL) presets and custom ACL options.
When configuring new data sources from Settings > Data Sources > Add data source, there is an option to Restrict access to this data source.
The term data source here really means data source instance. For example, a user may configure two instances of the AWS data source, one for their development environment and one for production. In that case, each data source instance has its own access control settings.
By default, Restrict access to this data source is set to off. The data source can be viewed, edited and administered by anyone. If you would like to control who has access to this data source, switch Restrict access to this data source to on.
Use the Restrict access to this data source dropdown to control who has access to the data source:
By default, the user setting the permissions for the data source will be given Full Control and the Everyone group will be given Link to workspace permissions.
Tailor access to the data source, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the data source by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the organization.
At least one user or group must be given Full Control.
Admin users can edit the configuration, modify the Access Control List (ACL) and delete the data source, regardless of the ACL chosen.
Access Level: Link to workspace, Full Control
Like workspaces, administrators have special ‘administrative’ access to all data sources. This means they see all data sources listed under Settings > Data Sources, and they can modify data source properties, including the ACL, for any data source.
Administrators do not have any special access to data from data sources unless they add themselves to the data source ACL.
Workspace linking
Each workspace is linked to a set of data sources. These data sources are the only data sources that the workspace can read data from.
Data source ACLs are mainly used to restrict which users can link a data source to a workspace. Once the data source is linked, it is accessible to anyone with access to the workspace. Access to data source data is mainly controlled through workspace permissions, not permissions on the data source itself.
This means that all users with access to a workspace are guaranteed to be able to see everything in the workspace, regardless of their permissions on data sources used to populate it. Similarly, any monitoring and alerting is based on this same fixed view of the data. This is particularly important with scopes that match across multiple data sources.
Each workspace can also be linked to a set of other workspaces, for the same reason. The linked workspaces can be accessed to read workspace resources like state or KPIs. Again, this ensures any user viewing state or KPI tiles sees the same data as everyone else with access to the workspace.
Linking is performed automatically where possible. If access control is never enabled for any workspace or data source, linking is completely automatic.
The scenarios where linking occurs automatically are:
Any new workspace is automatically linked to all workspaces and data sources that are accessible to everyone.
Any new data source is automatically linked to all existing workspaces that are accessible to everyone, if the data source is accessible to everyone.
Any new workspace is automatically linked to all existing workspaces that are accessible to everyone, if the new workspace is accessible to everyone.
When a user asks to create a new workspace for a new data source, the workspace is linked to the data source.
When a user adds a downstream workspace on the Monitoring page, the downstream workspace is automatically linked.
When users start restricting access to workspaces and/or data sources, manual linking becomes necessary in some cases.
For example, if user 1 adds a new data source and restricts Link to workspace permissions to only user 2, there will be no automatic linking of the data source to any workspaces. If user 2 wants to use the data source in their workspace, they will need to add the link. The link can be added through the workspace configuration, or by clicking on the data source in the Quick Scope editor.
Useful tips about access control
The highest permission applies. If the ACL on a workspace gives a user the Viewer permission directly and the Editor permission to a group the user belongs to, the user has Editor permissions. Similarly, if a user belongs to two groups, one that has the Editor permission and one that has Full Control, the user will have Full Control of the workspace.
Yes. Administrators always have Full Control over workspace and data source ACLs, including the ability to add themselves.
In some cases it may take up to one minute for access control changes to take effect, and sometimes a browser refresh may be required to see the changes reflected in SquaredUp.
You cannot. When you give the Link to workspace permission to someone, you are effectively delegating responsibility for protecting the data to them. The only way to guarantee restricted access to a data source is to not give anyone the Link to workspace permission, and link the data source to your own workspace. You can then control access to the data through the workspace ACL.
No. Changing a data source ACL does not modify any existing workspace links. There are three options to handle this scenario:
1. In the data source configuration, click on the Unlink from all workspaces option. Workspace admins who still have access through the new restricted ACL will need to re-add a link to the data source if they want to use it.
2. Delete the data source and reconfigure it. This is very similar to option 1, but requires reconfiguring the data source from scratch.
3. Ask an organization administrator to remove the link to the data source from any existing workspaces. The administrator would have to check every workspace for the link.
No. Nested groups are not supported.
None. All users can create workspaces or data sources.
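The rules above (the highest permission applies, groups are not nested, and a linked data source is readable by everyone with access to the workspace, even after the data source ACL is tightened) can be combined into a review check. The following Python example is added here for illustration and is not SquaredUp code or its API: the in-memory model, the function names and the sample organization are all constructed assumptions. It lists users who read a data source through a linked workspace without holding any entry on that data source's ACL.

```python
# Added example: a constructed in-memory model, not SquaredUp's API or export format.
LEVELS = {"Viewer": 1, "Editor": 2, "Full Control": 3}  # workspace levels, low to high

def principals(user, groups):
    """The user, Everyone, and groups listing the user directly (no nested groups)."""
    return {user, "Everyone"} | {g for g, members in groups.items() if user in members}

def workspace_level(user, acl, groups):
    """Highest level granted directly or through a group, or None without a matching entry.
    acl=None models Manage Access switched off: anyone can view, edit and administer."""
    if acl is None:
        return "Full Control"
    who = principals(user, groups)
    granted = [level for entry, level in acl.items() if entry in who]
    return max(granted, key=LEVELS.get, default=None)

def can_link(user, ds_acl, groups):
    """True with Link to workspace or Full Control on the data source (None = unrestricted)."""
    return ds_acl is None or any(p in ds_acl for p in principals(user, groups))

def readers_without_link(org):
    """(data source, workspace, user) for users who read a data source through a linked
    workspace while holding no entry on that data source's ACL."""
    found = []
    for ws_name, ws in org["workspaces"].items():
        for ds_name in ws["links"]:
            ds_acl = org["data_sources"][ds_name]
            for user in org["users"]:
                reads = workspace_level(user, ws["acl"], org["groups"]) is not None
                if reads and not can_link(user, ds_acl, org["groups"]):
                    found.append((ds_name, ws_name, user))
    return sorted(found)

# Constructed sample organization; every name below is hypothetical.
ORG = {
    "users": ["alice", "bob", "carol"],
    "groups": {"Ops": {"bob"}},
    "data_sources": {"aws-prod": {"alice": "Full Control"}, "aws-dev": None},
    "workspaces": {
        "Platform": {"acl": {"alice": "Full Control", "bob": "Viewer", "Ops": "Editor"},
                     "links": ["aws-prod", "aws-dev"]},
        "Status": {"acl": {"alice": "Full Control", "Everyone": "Viewer"},
                   "links": ["aws-prod"]},
    },
}

if __name__ == "__main__":
    for ds, ws, user in readers_without_link(ORG):
        level = workspace_level(user, ORG["workspaces"][ws]["acl"], ORG["groups"])
        print(f"{user} reads {ds} through workspace {ws} ({level}) without a data source ACL entry")
```

Administrators are deliberately left out of the model: as described above, they can manage any ACL but gain no access to workspace content until they are added to the workspace ACL.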