Managing roles

The permission system in DataForge is based on user roles. DataForge offers default and custom user roles based on ACL rules.

DataForge provides default manager and default user roles with predefined ACL rules. These roles are available for all companies and cannot be modified or removed. Additionally, custom manager and user roles can be created. Custom roles are associated with companies and are only accessible within the company in which they were created. Parent companies can view but not utilize them.

Navigate to Administration > Roles > Manager roles or Administration > Roles > User roles (depending on the type of role to manage) to access the list of existing roles. Here, default roles can be reviewed, new roles created, and existing roles modified.

Manager roles list

Inspecting roles

Clicking a role card opens the Role configuration page. Default roles cannot be modified.

Creating new roles

To create a new role, click the blue plus:

Create new role form
  • Name: Name of the user role.
  • Company: Company in which the role is available.
  • Description: Description of the user role.

Click Create to complete the process.

Configuring roles

To access the configuration, click the role card button.

Basic settings

At the top of the configuration page, the associated company is displayed. Below that, the role name and description can be changed.

Basic settings

General permissions

General permissions are allocated using switches. Enabling a general permission overrides the settings of the specific permissions, so it applies more broadly than the individual settings.

General permissions
  • Can do anything: Grants global authorization, overriding all specific checks.
  • Can see anything: Grants the read permission for all items.

Specific permissions

Specific permissions differ depending on the type of role: manager or user.

Manager

Specific permissions: Manager
  • Can assign roles: Create and assign roles to other users.
  • Can impersonate: Impersonate other users.
  • Can bypass support tokens: Bypass the requirement for a support token* when impersonating other users.
  • Can use Zabbix admin calls: Perform administrative actions on the Zabbix server using the root user.
  • Can modify quota: Manage modules and quotas.
  • Can create reseller companies: Create a reseller company if the necessary permissions are granted (Companies: create).

* Support tokens are required for impersonating DataForge users from other companies and are always required when impersonating DataForge managers.

User

Specific permissions: User

ACL rule sets

Specific permissions are further subdivided into ACL rule sets. The available sets depend on the role type:

  • Manager roles: Instance administration, Company administration.
  • User roles: Reporting, Self Provisioning, AI.

ACL set: Reporting

Permissions are divided into Create, Delete, Modify, and Read. Each permission can have one of three states:

  • Can Not: Prohibited.
  • Can: Allowed.
  • Can Grant: Allowed, and can also grant the permission to others.

To grant permissions to other roles, a role must itself have the necessary permissions to create or modify roles, found in Manager roles > Company administration > Roles.

Role overrides for user roles

A user can be a member of multiple user groups. Role overrides allow a user’s role to change depending on the group they act for.

Role overrides

For example, if a user is part of the group dfu_group:master@intellitrend.de and acts on behalf of that group, the user’s base role can be overridden with the admin role. The override affects create, delete, and modify permissions but not read. Read permissions must therefore be defined in the base role, even when the role is overridden.

To configure role mapping, click New Role Override:

Role overrides form

The user group acts as an identifier. If an imported user is a member of that user group, the user’s permissions are overridden by the assigned role (selected in the Role field).
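The override rule described above can be checked before a mapping is saved. The following is an added example, not DataForge code: it models roles as plain dictionaries (a hypothetical representation with constructed resource names), assumes the general permission switches are off, and reports which create, delete, and modify permissions an override raises and which resources gain write access without a read permission in the base role.

```python
from enum import IntEnum

class State(IntEnum):
    CAN_NOT = 0
    CAN = 1
    CAN_GRANT = 2

WRITE_ACTIONS = ("create", "delete", "modify")

def effective(base, override, resource, action):
    """Permission state for one action; override is None when no group override applies."""
    # Read is always taken from the base role; create/delete/modify come
    # from the override role when the user acts on behalf of the mapped group.
    source = base if action == "read" or override is None else override
    return source.get(resource, {}).get(action, State.CAN_NOT)

def audit_override(base, override):
    """Return (elevated, missing_read) for a base role combined with an override role."""
    elevated, missing_read = [], []
    for resource in sorted(override):
        writable = False
        for action in WRITE_ACTIONS:
            before = effective(base, None, resource, action)
            after = effective(base, override, resource, action)
            writable = writable or after > State.CAN_NOT
            if after > before:
                elevated.append((resource, action, before.name, after.name))
        # Write access without base-role read: the override cannot supply the read.
        if writable and effective(base, override, resource, "read") == State.CAN_NOT:
            missing_read.append(resource)
    return elevated, missing_read

# Constructed roles; resource names are hypothetical.
BASE_ROLE = {"reports": {"read": State.CAN}}
OVERRIDE_ROLE = {
    "reports": {"read": State.CAN_GRANT, "create": State.CAN, "modify": State.CAN_GRANT},
    "schedules": {"read": State.CAN, "delete": State.CAN},
}

if __name__ == "__main__":
    elevated, missing_read = audit_override(BASE_ROLE, OVERRIDE_ROLE)
    for resource, action, before, after in elevated:
        print(f"{resource}.{action}: {before} -> {after}")
    print("override grants writes but base role lacks read:", missing_read)
```

An entry in the second list means the base role needs the read permission added, since the override role's own read setting is not applied.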

Deleting roles

To delete a custom role, open the context menu and click Delete.