Roles
The Roles view provides administrators with comprehensive control over user roles and permissions within the DataStream platform. It enables granular permission management, role assignment tracking, and detailed access control for organizational security and operational efficiency.
To access the Roles view
- Go to the Home > Organization pane
- Click Manage Roles
-or-
- Click the hamburger menu on the top left
- Select Organization > Roles
The view contains the following essential components:
- Role table - Displays Role name, Description, Permissions count, and Assigned Users count
- Items per page - Controls pagination settings for role display
- Page navigation - Shows current page and total pages
- Action menu - Three-dot menu for additional role management options
Role Columns
The table lists all available roles in your organization with their key characteristics:
- Role name - Human-readable name of the role
- Description - Details of the role, including the actions the role has permission to carry out
- Permissions - Permissions assigned to the role, given in Unix-style numeric masks.
  Clicking on this value opens a list with two columns, displaying the details of the abilities or the permission set:
  - Permission Title - Internal constant representing the permission
  - Ability - Internal constant assigned to the permission
  Click again to close the table.
- Assigned Users - Number of users the role has been assigned to in your organization.
  Clicking on this value opens a list displaying the e-mails and names of the assignees. Click again to close the list.
Actions Menu
The Action menu (the vertical ellipsis ⋮ on the right) provides additional information on the actions that the role's assigned permissions make possible.
Built-in Role Types
The system provides four fundamental role types with distinct permission levels:
User Role
User has read-only access to all files, with no access to edit/delete actions.
Contributor Role
Contributor has the same abilities as User, plus the ability to edit files and make configurations, but cannot delete them.
Admin Role
Admin has the same abilities as Owner to read, edit, and delete all files and make configurations, but cannot change Owner information.
Owner Role
Owner has the ability to read, edit, and delete all files and make configurations. The permissions mask is 340.
The built-in roles cannot be modified or deleted.
Role Permission Matrix
The following table summarizes the essentials of role permissions:
Area | User | Contributor | Admin | Owner |
---|---|---|---|---|
Fleet Management | 📗 | 🟨 | 📘 | 📘 |
Devices, Targets | 📗 | 🟨 | 📘 | 📘 |
Pipelines | 📗 | 🟨 | 📘 | 📘 |
Routes | 📗 | 🟨 | 📘 | 📘 |
User Management | ⚪️ | 🟨 | 📘 | 📘 |
Audit | ⚪️ | 📘 | 📘 | 📘 |
Transfer Owner | ⚪️ | ⚪️ | ⚪️ | 📘 |
Permission Legend
- ⚪️ None: No access
- 📗 Read: View-only access
- 🟨 Read + Edit: View and modify access
- 📘 Read + Edit + Delete: Full access including deletion
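The following is an added example, not VirtualMetric code: it transcribes the matrix above and checks each cell against the built-in role descriptions on this page. The bit values for Read, Edit and Delete and all function names are assumptions made for the example and do not represent DataStream's numeric masks.

```python
from enum import IntFlag

class Level(IntFlag):
    # Bit values are an assumption for this example, not DataStream's masks.
    NONE = 0
    READ = 1
    EDIT = 2
    DELETE = 4

N, R = Level.NONE, Level.READ
RE = Level.READ | Level.EDIT                    # 🟨 in the legend
RED = Level.READ | Level.EDIT | Level.DELETE    # 📘 in the legend

ROLES = ("User", "Contributor", "Admin", "Owner")  # least to most privileged

# Matrix transcribed from the table above: area -> level per role in ROLES order.
MATRIX = {
    "Fleet Management": (R, RE, RED, RED),
    "Devices, Targets": (R, RE, RED, RED),
    "Pipelines":        (R, RE, RED, RED),
    "Routes":           (R, RE, RED, RED),
    "User Management":  (N, RE, RED, RED),
    "Audit":            (N, RED, RED, RED),
    "Transfer Owner":   (N, N, N, RED),
}

# Ceilings taken from the built-in role descriptions: User is read-only,
# Contributor can edit but cannot delete. Admin and Owner have no ceiling.
CEILING = {"User": R, "Contributor": RE}

def is_allowed(role, area, action, matrix=MATRIX):
    """True if the role's cell for the area includes the action bit."""
    return bool(matrix[area][ROLES.index(role)] & action)

def review(matrix=MATRIX):
    """Return (role, area, issue) for each cell that exceeds the role's
    described ceiling, or that lacks a bit held by the role below it."""
    findings = []
    for area, row in matrix.items():
        for i, (role, level) in enumerate(zip(ROLES, row)):
            if role in CEILING and int(level) & ~int(CEILING[role]):
                findings.append((role, area, "exceeds described ceiling"))
            if i and int(row[i - 1]) & ~int(level):
                findings.append((role, area, "holds less than the role below"))
    return findings

if __name__ == "__main__":
    for finding in review():
        print(finding)
```

Run against the table as printed, `review()` reports one cell: Contributor on Audit carries the Read + Edit + Delete level, while the Contributor description says the role cannot delete.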
Role-Based Access Control
VirtualMetric DataStream role-based access control (RBAC) provides granular permission management for enterprise deployments, enabling organizations to control user access to telemetry processing components based on assigned roles. The system supports both built-in roles with predefined permissions and custom roles with fine-grained access controls across DataStream components including pipelines, devices, targets, routes, and administrative functions.
Custom Role Management
Create custom roles with specific permission sets for organizational requirements.
Create Custom Role
- Access Role Management
  - Click the Create New Role button
- Configure Role Details
  - Role Name: Descriptive identifier for the role
  - Description: Purpose and scope of the role
  - Configuration Method: Select Basic or Advanced
- Permission Assignment
  Basic Configuration:
  - Predefined Permission Sets: Select from common role templates
  - Simplified Interface: Checkbox-based permission selection
  Advanced Configuration (requires Advanced RBAC feature):
  - Granular Permissions: Individual permission selection per component
  - Fine-grained Control: Separate Read, Create, Edit, Delete permissions
Permission Categories
System Components:
- Pipeline: Telemetry processing chain management
- Device: Data input source configuration
- Target: Data output destination management
- Quick Route: Simple route configuration
- Advanced Route: Complex conditional routing
- Director: Service orchestration management
Administrative Functions:
- User: User account management
- Role: Role and permission management
- Audit: System audit log access
- Settings: System configuration management
- Usage: Resource utilization monitoring
Enterprise Features:
- SSO: Single sign-on configuration
- MSSP: Multi-tenant switching capabilities
- Content Hub: Pre-built template access
Permission Levels:
- Read: View component information
- Create: Add new components
- Edit: Modify existing components
- Delete: Remove components
Role Assignment
Assign roles to users during account creation or through user management.
Assign Role to User
- Navigate to User Management
  - Access Organization → Users
  - Select target user or create new user
- Role Selection
  - Role Dropdown: Select from available roles
  - Custom Roles: Organization-specific roles
- Permission Validation
  - System validates role permissions against user requirements
  - Feature Access: Roles filtered by tenant edition capabilities
  - Tenant Scope: Permissions limited to tenant boundaries
Advanced RBAC Features
Edition-Based Permission Filtering
Advanced RBAC Feature (premium editions):
- Custom role creation and modification
- Granular permission assignment per component
- Role management interface access
Feature Dependencies:
- SSO Permissions: Require SSO feature in tenant edition
- MSSP Permissions: Require MSSP feature for multi-tenant operations
- Advanced Configuration: Available only with Advanced RBAC feature
Security and Compliance
Session Management:
- Automatic session invalidation when roles change
- Permission cache clearing for immediate access updates
- Audit trail for all role and permission modifications
Access Protection:
- Owner role protection prevents accidental lockout
- Self-modification restrictions prevent users from elevating their own permissions
- Tenant isolation ensures users cannot access other tenant resources
Role Modification and Deletion
Modify Existing Role
- Access Role Settings
  - Select role to modify
- Update Permissions
  - Add/Remove Permissions: Adjust access levels
  - Change Configuration Method: Switch between Basic/Advanced
  - Update Description: Modify role documentation
- Apply Changes
  - User Session Impact: Existing user sessions invalidated
  - Immediate Effect: Permission changes take effect immediately
  - Audit Logging: All changes recorded in audit trail
Delete Custom Role
- Check Role Usage
  - User Assignment Validation: Ensure no users assigned to role
  - Dependency Check: Verify no system dependencies
- Role Removal
  - Navigate to role settings
  - Click Delete Role (requires confirmation)
  - User Reassignment: Reassign affected users to other roles first
Restrictions:
- Built-in roles cannot be deleted
- Roles with active user assignments must be unassigned first
- Owner role deletion is permanently blocked for tenant security
Troubleshooting
Permission Issues
User Cannot Access Component:
- Verify Role Assignment: Check user's assigned role
- Review Role Permissions: Confirm role includes required permissions
- Check Edition Features: Ensure tenant edition supports required features
- Validate Tenant Scope: Confirm user accessing correct tenant resources
Role Management Not Available:
- Advanced RBAC Feature: Verify tenant edition includes Advanced RBAC
- User Permissions: Ensure current user has Role Read/Create/Edit permissions
- Owner Access: Confirm Owner role for full role management access
Session and Cache Issues
Permission Changes Not Applied:
- Session Refresh: Log out and log back in to refresh permissions
- Cache Invalidation: System automatically clears permission cache
- Browser Refresh: Clear browser cache if interface issues persist