Roles and Permissions

Introduction

An organisation can contain any number of employees or external contractors as users of its Turbo360 account to manage and monitor the associated services.

Not all employees or contractors of an organisation can be granted authorization to execute all activities on Turbo360-managed applications. Depending on the features and configurations of the applications, an organisation may require many access restrictions. An account with too many permissions is vulnerable to security breaches.

Turbo360's fine-grained access control is aided by a user access policy with personalised function capability.

The first user who signs up for Turbo360 will be given the role of Account Owner, which grants them full access to the account. That user can add an unlimited number of users to Business Applications (here after referred to as "module") and assign them any system or user-defined roles.

Managing roles

System-defined roles

Business Applications (hereafter referred to as "module") has three system-defined roles, and can contain any number of user-defined roles. The System-defined roles are:

1) Owner
2) Contributor
3) Reader

Owner has complete access to the module, including managing users and roles in that module. No other role other than Account owner and Owner of the module can manage users and roles.

Contributor has access to manage everything at the scope at which it is assigned.

Reader has access to read everything at the scope at which it is assigned.

What is Scope?

The scope of a role determines at which level in the module, a user has permissions that are specified for that role. The scope of a role in Business Applications module can be any of the three levels given below:

1. Entire module
2. Business Application Group
3. Business Application

The below screenshot shows the list of users having access to a Business Application Order details app.

From the Scope column in the screenshot above, it is clear that the first user has got access to this application because that user is an account owner (Having complete access to Turbo360). The second user has got access to this application because that user is an owner (Having complete access to the module). The third user has got access to this application because that user was assigned a role to access the Business Application group that contains this application. The last user has got access to this application because that user was directly assigned a role to access this application.

User-defined roles

• Account owners and owners of the module can add any number of roles to the module. A user-defined role is used to specify permissions in the context of Business Application. In simple terms, it determines who can do what in a Business Application.

• A user-defined role contains three set of permissions: Management permissions, Feature permissions and Resource permissions.

  1. Management permissions comprises of the user management permission that allows users to manage users and their permissions. The role creator can choose if this role can contain either read-only or manage permission on user management.

  2. Feature permissions comprises of a set of Business Application features such as Monitoring, Service Map management, Dashboard management, and Automated tasks management. The role creator can choose if this role can contain either read-only or manage permission on these features.

  3. Resource permissions comprises of all the supported Azure resources. The permission for each resource can be: Read, Manage, Reprocess (applicable to supported resources), Repair & Reprocess (applicable to supported resources), Purge(applicable to supported resources), Upload(applicable to supported resources), and Manage Filter(applicable to supported resources).

• For example, if a group of users needs to manage Service Bus resources for all the applications in the module, and should be restricted from accessing other resources and features, then a role can be created with the access only to Service Bus resources with manage permission, and this role can be assigned to those users.

• A role can be added by selecting Add role option under Roles tab. A role must include a name and an optional description, followed by feature/resource permissions.

• A user-defined role can be removed any time by clicking the Delete role option in the Actions column under Roles tab. Before deleting, a replacement role must be provided to replace the role of all the users who have been assigned the role that is about to be deleted. As a result, users won't lose access in the module at any scope to which the previous role was assigned.

System vs User-defined roles

• As mentioned above, user-defined roles are used to specify permissions in the context of Business Application. Performing operations on top of a Business Application or group, such as editing/deleting the Business Application, adding/removing resources from the application, editing/deleting a group, managing Service principals of the module requires at least a Contributor role on those scopes respectively.

• For example, if a user is a good fit for managing a Business Application group set up for testing but not for managing a Business Application group set up for production, that user can be assigned a Contributor role for the testing group and any other suitable role with limited permissions for the production group.

Export user details with permissions

The list of all users and their permissions in the Business Application module can be exported in a CSV file.

1. Go to User management section in the Business Application module
2. Click the Export icon

The downloaded file displays the list of all users, including their permissions provided at various levels within the account.