Managing roles

The permission system in DataForge is based on user roles. DataForge offers default and custom user roles based on ACL rules.

DataForge provides default manager and default user roles with predefined ACL rules. These are available for all companies and cannot be modified or removed. Additionally, users can create custom manager and user roles. Custom roles are associated with a company and are only accessible within the company they were created in. Parent companies can view them, but cannot use them.

Navigate to Administration > Roles > Manager Roles or Administration > Roles > User Roles (depending on the type of role you want to manage) to access the list of existing roles. Here you can review the default roles, create new roles, and make necessary edits.

Manager roles list

Inspecting a role

Clicking on the role card opens the Role configuration page. If the selected role is a default role, it is not possible to change the configuration.

Create a new role

To create a new role, click the blue plus:

Create new role form

  • Name: The name of the user role.
  • Company: Select the company in which the role will be available.
  • Description: Set a description for the user role.

After filling out the form, click Create to complete the process.

Configure a role

To access the configuration, click the role's card button.

Basic settings

At the top of the configuration page the associated company is listed. Right beneath that, the name and description can be changed.

Basic settings

General permissions

The general permission section provides a way to allocate permissions using switches. Enabling a permission category through the switch will always override the settings of specific permissions, offering a more generalized approach.

General permissions

  • Can do anything: Does not grant any specific permission; instead, every permission check succeeds whenever an authorization is checked.
  • Can see anything: Allows the user to view everything by granting the read permission for all items.

Specific permissions

The specific permissions differ depending on the type of role: manager or user.

Manager

Specific permissions: Manager

  • Can assign roles: Allows the user to create roles and assign them to other users.
  • Can impersonate: Grants permission to impersonate other users.
  • Can bypass Support Tokens: Grants the ability to bypass the requirement for a support token* when impersonating other users.
  • Can use Zabbix admin Calls: Grants the ability to perform administrative actions on the Zabbix server using the root user.
  • Can modify quota: Allows the user to manage modules and quotas.
  • Can create reseller companies: Allows the user to create a reseller company, provided the necessary additional permissions are granted (Companies: create).

* Support tokens are necessary for impersonating DataForge Users from other companies and are always required when impersonating other DataForge Managers.

User

Specific permissions: User

ACL rule sets

In addition, the specific permissions are further subdivided into ACL rule sets. The section for which such a set can be configured depends on the role type. Instance administration and Company administration are available for the manager roles. For the user roles, Reporting, Self provisioning and AI are available for configuration.

ACL set: Reporting

These sets are all configured in the same way. A permission is divided into: Create, Delete, Modify, and Read. Each of these permissions can have one of three states:

  • Can Not: If a rule is set to Can Not, the role is prohibited from performing the corresponding action.
  • Can: When a rule is set to Can, the role is allowed to perform the corresponding action.
  • Can Grant: When a rule is set to Can Grant, the role can perform the corresponding action and can also grant other roles the permission to use that action.

To grant permissions to other roles, a role must have the necessary permissions to create or modify roles, found in Manager roles > Company administration > Roles.

User roles: Role overrides

A user can be a member of multiple user groups. With role overrides, the user's role can change depending on the user group the user acts for.

Role overrides

If, for example, a user is a member of the group “dfu_group:master@intellitrend.de” and acts on behalf of that group, the user’s base role will be overridden with the admin role. The override only impacts the create, delete, and modify permissions, but not the read permissions. The read permissions need to be configured in the base role, even if the role is going to be overridden.

To configure role mapping, click the New Role Override button:

Role overrides form

The user group acts as an identifier. If an imported user is a member of that user group, the user’s permissions will be overridden by the assigned role (located in the second input field, Role).
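
The evaluation rules described under General permissions, ACL rule sets and Role overrides, modelled as an added Python example for reviewing what a role combination effectively allows. This is not DataForge code: the class and function names, the item name "Reports", and the treatment of unset rules as Can Not are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class State(IntEnum):          # the three rule states of an ACL rule set
    CAN_NOT = 0
    CAN = 1
    CAN_GRANT = 2              # may act and may grant the action to other roles

@dataclass
class Role:
    name: str
    can_do_anything: bool = False    # general switch: every check succeeds
    can_see_anything: bool = False   # general switch: read on all items
    acl: dict = field(default_factory=dict)  # item -> {action: State}

    def state(self, item, action):
        # Assumption: a rule that is not set behaves like Can Not.
        return self.acl.get(item, {}).get(action, State.CAN_NOT)

    def allows(self, item, action):
        # General switches override the specific rules.
        if self.can_do_anything or (action == "read" and self.can_see_anything):
            return True
        return self.state(item, action) >= State.CAN

def is_allowed(base, overrides, acting_group, item, action):
    """Resolve a check for a user acting on behalf of acting_group (or None)."""
    override = overrides.get(acting_group)
    # Overrides replace create/delete/modify only; read always comes from the base role.
    role = base if action == "read" or override is None else override
    return role.allows(item, action)

def can_grant(role, item, action):
    """Can Grant on the action, plus create or modify on Roles."""
    manages_roles = any(role.allows("Roles", a) for a in ("create", "modify"))
    return role.state(item, action) == State.CAN_GRANT and manages_roles

# Constructed sample data; "Reports" is a hypothetical item name.
GROUP = "dfu_group:master@intellitrend.de"
FULL = {a: State.CAN for a in ("create", "delete", "modify", "read")}
ADMIN = Role("admin", acl={"Reports": FULL})
VIEWER = Role("viewer", acl={"Reports": {"read": State.CAN}})
BLIND = Role("no-read base")           # base role with no read rule configured
OVERRIDES = {GROUP: ADMIN}
RESELLER_MGR = Role("reseller manager", acl={
    "Companies": {"create": State.CAN_GRANT}, "Roles": {"modify": State.CAN}})

if __name__ == "__main__":
    print(is_allowed(VIEWER, OVERRIDES, GROUP, "Reports", "modify"))
    print(is_allowed(BLIND, OVERRIDES, GROUP, "Reports", "read"))
    print(can_grant(RESELLER_MGR, "Companies", "create"))
```

The second call shows the caveat from the override description: a base role without read stays without read even when the override role has it.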

Delete a custom role

To delete a custom role, click the role's context menu button and select Delete.