Managing permissions and roles in Striim Cloud
Permissions determine which actions each user can perform in Striim. Permissions are assigned to users through roles. This topic describes the roles and federation behavior for Striim Cloud. For general information about accessing roles and permissions within Striim services, see Managing permissions and roles.
Striim Cloud provides the following roles that you can assign to users:
Admin: this role has full access: can create, view, delete, and edit users, tunnels, and services, and view billing information. The Admin role can also perform functions that incur costs in the account, such as upgrading or resizing services, and creating SSO configurations.
Service Admin: this role has full access to create, view, delete, and edit services. The service admin does not have access to billing or budget-related functions, or user-related functions such as creating an SSO configuration.
Developer: this role can view user information, and has limited access to services: can view and launch existing services, and can view tunnels. This role cannot perform functions that incur additional costs in the account, such as creating a service, starting, stopping, or upgrading a service, attaching Kafka to a service, resizing a service, or adding tunnels, or creating a private endpoint for a service.
Viewer: provides access to view user, service and tunnel information. When a user has a Viewer role, the role is not federated, and the user will not be able to launch any service. Viewer access is recommended as the access level for users who only need to view services.
Note
The Service Admin role is a new role that you can assign in Striim Cloud that has full access to create, view, delete, or edit services. If you want a role to manage services, you may consider migrating users with a current Developer role to the Service Admin role.
The Viewer role is not federated, and cannot launch a service. To be federated to a service, you may want to migrate your users with a Viewer role to the Developer, Service Admin, or Admin roles.
Federation of roles as admin or non-admin
The Admin and Service Admin roles are federated as Global.admin or Global.appadmin, respectively (which are admin federations), with the difference that the Service Admin does not have user management privileges in Striim Cloud, such as adding or deleting a user.
Developer roles are federated as Global.appdev (a non-Admin federation) for a particular service. Developers were earlier federated as admin, and existing users with this role will not be changed. If you want to change this manually, select Edit role from the Users page in Striim Cloud. See Managing permissions and roles.
The Viewer role cannot be federated to a service.

Role based access control permissions
The following table describes the permissions available to each role. A user can launch a service only if federated to the service. A Developer's permissions, such as associating and disassociating observability tools, also depend on being federated to the service.
Category | Permission | Admin | Service Admin | Developer | Viewer |
---|---|---|---|---|---|
User management | List all users | ✓ | ✓ | ✓ | ✓ |
User management | View a user's details | ✓ | ✓ | ✓ | ✓ |
User management | Invite a new user | ✓ | | | |
User management | Delete a user | ✓ | | | |
User management | Change a user's role | ✓ | | | |
Service management | Access service listing page | ✓ | ✓ | ✓ | ✓ |
Service management | Access service details page | ✓ | ✓ | ✓ | ✓ |
Service management | Create a service | ✓ | ✓ | | |
Service management | Delete a service | ✓ | ✓ | | |
Service management | Start/stop a service | ✓ | ✓ | | |
Service management | Upgrade a service | ✓ | ✓ | | |
Service management | Attach Kafka to a service | ✓ | ✓ | | |
Service management | Apply/revert patches on services | ✓ | ✓ | | |
Service management | Resize service VM | ✓ | ✓ | | |
Service management | Increase number of Striim nodes for a service | ✓ | ✓ | | |
Billing | View the metering page | ✓ | | | |
Tunnels | List tunnels for a service | ✓ | ✓ | ✓ | ✓ |
Tunnels | Create a tunnel for a service | ✓ | ✓ | | |
Tunnels | Delete a tunnel for a service | ✓ | ✓ | | |
User federation | List users federated to a service | ✓ | ✓ | ✓ | ✓ |
User federation | Federate, defederate, activate, or deactivate a user to a service | ✓ | ✓ | | |
Credit accounts | List credit accounts | ✓ | ✓ | ✓ | ✓ |
Credit accounts | Update credit account information | ✓ | | | |
SSO | View SSO configuration | ✓ | ✓ | ✓ | ✓ |
SSO | Create SSO configuration | ✓ | | | |
SSO | Delete SSO configuration | ✓ | | | |
Schedules | View schedule configurations | ✓ | ✓ | ✓ | ✓ |
Schedules | Create schedule for a service | ✓ | ✓ | | |
Schedules | Delete schedule for a service | ✓ | ✓ | | |
Budgets | View budgets | ✓ | ✓ | ✓ | ✓ |
Budgets | Create a budget | ✓ | | | |
Budgets | Update a budget | ✓ | | | |
Budgets | Delete a budget | ✓ | | | |
Private endpoints | View private endpoint details | ✓ | ✓ | ✓ | ✓ |
Private endpoints | Create a private endpoint for a service | ✓ | ✓ | | |
Private endpoints | Update a private endpoint | ✓ | ✓ | | |
Private endpoints | Delete a private endpoint | ✓ | ✓ | | |
Observability | Add observability tool for an account | ✓ | ✓ | | |
Observability | Update observability tool for an account | ✓ | ✓ | | |
Observability | Delete observability tool for an account | ✓ | ✓ | | |
Observability | View observability tool API token | ✓ | ✓ | | |
Observability | Associate observability tool to a service | ✓ | ✓ | ✓ | |
Observability | Disassociate observability tool from a service | ✓ | ✓ | ✓ | |
Striim AI | View AI Insights tab | ✓ | ✓ | ✓ | ✓ |
Striim AI | Can enable Striim AI for a service | ✓ | ✓ | | |
Striim AI | Can disable Striim AI for a service | ✓ | ✓ | | |
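
The following is an added example, not Striim code or a Striim API. It encodes the role-to-federation mapping and a subset of the permissions described on this page, then audits a user list for two conditions: a federation that does not match the user's role (for example, a Developer still carrying the earlier admin federation) and a role that is higher or lower than the user's stated needs require. The record layout, the short permission labels, and the sample users are assumptions constructed for illustration.

```python
# Added example. The record layout below is an assumption for illustration,
# not a Striim Cloud API or export format.

# Federation each role receives on a service, as stated on this page.
EXPECTED_FEDERATION = {"Admin": "Global.admin", "Service Admin": "Global.appadmin",
                       "Developer": "Global.appdev", "Viewer": None}  # Viewer: never federated

ROLE_ORDER = ["Viewer", "Developer", "Service Admin", "Admin"]  # least to most access

# Lowest role holding each permission (subset of the page's roles and table).
MIN_ROLE_FOR = {
    "view services": "Viewer",
    "launch a service": "Developer",
    "associate observability tool": "Developer",
    "create a service": "Service Admin",
    "create a tunnel": "Service Admin",
    "federate a user": "Service Admin",
    "invite a new user": "Admin",
    "create SSO configuration": "Admin",
    "view the metering page": "Admin",
}

def least_privileged_role(needs):
    """Lowest role that covers every permission in `needs` (Viewer if none)."""
    return ROLE_ORDER[max((ROLE_ORDER.index(MIN_ROLE_FOR[p]) for p in needs), default=0)]

def audit(users):
    """Return (email, finding) pairs for federation drift and role mismatch."""
    findings = []
    for u in users:
        expected = EXPECTED_FEDERATION[u["role"]]
        for service, fed in u["federations"].items():
            if fed != expected:
                findings.append((u["email"], f"{service}: {u['role']} federated as {fed}, expected {expected}"))
        minimal = least_privileged_role(u["needs"])
        have, need = ROLE_ORDER.index(u["role"]), ROLE_ORDER.index(minimal)
        if have > need:
            findings.append((u["email"], f"over-privileged: {minimal} is sufficient"))
        elif have < need:
            findings.append((u["email"], f"insufficient: needs {minimal}"))
    return findings

# Constructed sample records (not real users or services).
USERS = [
    {"email": "alice@example.com", "role": "Admin", "federations": {"svc-a": "Global.admin"}, "needs": ["invite a new user"]},
    {"email": "bob@example.com", "role": "Developer", "federations": {"svc-a": "Global.admin"}, "needs": ["launch a service"]},
    {"email": "carol@example.com", "role": "Admin", "federations": {"svc-a": "Global.admin"}, "needs": ["create a service", "create a tunnel"]},
    {"email": "dave@example.com", "role": "Viewer", "federations": {}, "needs": ["launch a service"]},
]

if __name__ == "__main__":
    for email, finding in audit(USERS):
        print(email, "-", finding)
```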