
Roles

The Roles view provides administrators with comprehensive control over user roles and permissions within the DataStream platform. It enables granular permission management, role assignment tracking, and detailed access control for organizational security and operational efficiency.


To access the Roles view

  • Go to the Home > Organization pane
  • Click Manage Roles

-or-

  • Click the hamburger menu on the top left
  • Select Organization > Roles

The view contains the following essential components:

  • Role table - Displays Role name, Description, Permissions count, and Assigned Users count
  • Items per page - Controls pagination settings for role display
  • Page navigation - Shows current page and total pages
  • Action menu - Three-dot menu for additional role management options

Role Columns

The table lists all available roles in your organization with their key characteristics:

  • Role name - Human readable name of the role. Built-in roles display a Built-in tag next to the name. Clicking the name opens the role detail drawer.

  • Description - Details of the role, including the actions the role has permission to carry out

  • Permissions - The number of permissions assigned to the role.

    Clicking on this value opens a breakdown list with two columns:

    • Permission Title - The name of the permission
    • Ability - The action the permission grants

    Click again to close the table.

  • Assigned Users - Number of users the role has been assigned to in your organization.

    Clicking on this value opens a list displaying the e-mails and names of the assignees. Click again to close the list.

Actions Menu

The Action menu—the vertical ellipsis (⋮) on the right—opens a management menu. For custom roles, the available items are Manage role, Clone role, and Delete role (subject to your permissions). For built-in roles, only Clone role is available.

Role Details Drawer

Clicking a role's name opens a side drawer with a Role Details section showing Name, Description, Permissions (N) (expandable permission list), and Assigned Users (N) (expandable user list). The footer offers Manage role (custom roles only) and Clone role.

Built-in Role Types

The system provides four fundamental role types with distinct permission levels:

User Role

User has read-only access to all files, with no access to edit/delete actions.

Contributor Role

Contributor can read, edit, and create all files and make configurations, but cannot delete them.

Admin Role

Admin has the same abilities as Owner to read, edit, and delete all files and make configurations, but cannot change Owner information.

Owner Role

Owner has the ability to read, edit, and delete all files and make configurations.

Warning

The built-in roles cannot be modified or deleted.

Role Permission Matrix

The following table summarizes the essentials of role permissions:

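|                  | User | Contributor | Admin | Owner |
|------------------|------|-------------|-------|-------|
| Fleet Management | 📗   | 🟨          | 📘    | 📘    |
| Devices, Targets | 📗   | 🟨          | 📘    | 📘    |
| Pipelines        | 📗   | 🟨          | 📘    | 📘    |
| Routes           | 📗   | 🟨          | 📘    | 📘    |
| User Management  | ⚪️   | 🟨          | 📘    | 📘    |
| Audit            | ⚪️   | 📘          | 📘    | 📘    |
| Transfer Owner   | ⚪️   | ⚪️          | ⚪️    | 📘    |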

Permission Legend

  • ⚪️ None: No access
  • 📗 Read: View-only access
  • 🟨 Read + Edit: View and modify access
  • 📘 Read + Edit + Delete: Full access including deletion

Role-Based Access Control

VirtualMetric DataStream role-based access control (RBAC) provides granular permission management for enterprise deployments, enabling organizations to control user access to telemetry processing components based on assigned roles. The system supports both built-in roles with predefined permissions and custom roles with fine-grained access controls across pipelines, devices, targets, routes, and administrative functions.

Custom Role Management

Create custom roles with specific permission sets for organizational requirements.

Create Custom Role

  1. Access Role Management

    • Click the Create new role button. The page heading reads Create a custom role.
  2. Configure Role Details

    • Role Name: Descriptive identifier for the role
    • Description: Purpose and scope of the role
    • Scope: Dropdown (Select scope) restricting where the role applies; defaults to All
    • Configuration Method: Select Basic or Advanced
  3. Permission Assignment

    Basic Configuration:

    • Predefined Permission Sets: Select from common role templates
    • Simplified Interface: Checkbox-based permission selection

    Advanced Configuration (requires Advanced RBAC feature):

    • Granular Permissions: Individual permission selection per component
    • Fine-grained Control: Separate Read, Create, Edit, Delete permissions
    • View the actions for: Dropdown that filters the permission list by component group
  4. Review and Submit

    • A Summary panel on the right side reflects the selections
    • Click Create Role to submit, or Cancel to discard

Permission Categories

System Components:

  • Pipeline: Telemetry processing chain management
  • Device: Data input source configuration
  • Target: Data output destination management
  • Quick Route: Simple route configuration
  • Advanced Route: Complex conditional routing
  • Director: Service orchestration management

Administrative Functions:

  • User: User account management
  • Role: Role and permission management
  • Audit: System audit log access
  • Settings: System configuration management
  • Usage: Resource utilization monitoring

Enterprise Features:

  • SSO: Single sign-on configuration
  • MSSP: Multi-tenant switching capabilities
  • Content Hub: Pre-built template access

Permission Levels:

  • Read: View component information
  • Create: Add new components
  • Edit: Modify existing components
  • Delete: Remove components
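
The following is an added example, not part of the DataStream product or its documentation: a least-privilege review over custom role definitions written with the component and permission-level names listed above. The record layout (`name`, `assigned_users`, `permissions`), the sample roles, and the choice of which grants count as sensitive are assumptions made for illustration; this page does not describe an export format.

```python
# Added example: least-privilege review of custom roles.
# Component and level names come from the lists above; the record layout
# and the SENSITIVE policy are assumptions, not DataStream behaviour.
LEVELS = {"Read", "Create", "Edit", "Delete"}
COMPONENTS = {
    "Pipeline", "Device", "Target", "Quick Route", "Advanced Route", "Director",
    "User", "Role", "Audit", "Settings", "Usage", "SSO", "MSSP", "Content Hub",
}
# Grants a reviewer would want justified (assumed policy, adjust to your own).
SENSITIVE = {
    ("Role", "Create"), ("Role", "Edit"),    # can define or widen roles
    ("User", "Create"), ("User", "Edit"),    # can create or change accounts
    ("Audit", "Edit"), ("Audit", "Delete"),  # can alter the audit trail
    ("SSO", "Edit"),                         # can change the sign-on path
}

def review_role(role):
    """Return a sorted list of findings for one custom role record."""
    findings, grants = [], set()
    for component, levels in role["permissions"].items():
        if component not in COMPONENTS:
            findings.append(f"unknown component: {component}")
            continue
        for level in levels:
            if level not in LEVELS:
                findings.append(f"unknown level: {component}/{level}")
            else:
                grants.add((component, level))
    for component, level in sorted(grants & SENSITIVE):
        findings.append(f"sensitive grant: {component}/{level}")
    # Create/Edit/Delete without Read on the same component deserves a second look.
    for component in sorted({c for c, _ in grants}):
        if (component, "Read") not in grants:
            findings.append(f"write without read: {component}")
    if role["assigned_users"] == 0:
        findings.append("unused role: no assigned users")
    return sorted(findings)

# Constructed sample records (not real DataStream data).
ROLES = [
    {"name": "pipeline-editor", "assigned_users": 4,
     "permissions": {"Pipeline": ["Read", "Edit"], "Device": ["Read"]}},
    {"name": "helpdesk", "assigned_users": 0,
     "permissions": {"User": ["Read", "Edit"], "Audit": ["Delete"]}},
]

def review_all(roles):
    """Map role name -> findings, omitting roles with nothing to report."""
    return {r["name"]: f for r in roles if (f := review_role(r))}

if __name__ == "__main__":
    for name, findings in review_all(ROLES).items():
        print(name, findings)
```

Roles with no findings are omitted from the result, so the output is the list of custom roles that need a reviewer's attention.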

Role Assignment

Assign roles to users during account creation or through user management.

Assign Role to User

  1. Navigate to User Management

    • Access Organization > Users
    • Select target user or create new user
  2. Role Selection

    • Role Dropdown: Select from available roles
    • Custom Roles: Organization-specific roles
  3. Permission Validation

    • System validates role permissions against user requirements
    • Feature Access: Roles filtered by tenant edition capabilities
    • Tenant Scope: Permissions limited to tenant boundaries

Advanced RBAC Features

Edition-Based Permission Filtering

Advanced RBAC Feature (premium editions):

  • Custom role creation and modification
  • Granular permission assignment per component
  • Role management interface access

Feature Dependencies:

  • SSO Permissions: Require SSO feature in tenant edition
  • MSSP Permissions: Require MSSP feature for multi-tenant operations
  • Advanced Configuration: Available only with Advanced RBAC feature

Security and Compliance

Session Management:

  • Automatic session invalidation when roles change
  • Permission cache clearing for immediate access updates
  • Audit trail for all role and permission modifications

Access Protection:

  • Owner role protection prevents accidental lockout
  • Self-modification restrictions prevent users from elevating their own permissions
  • Tenant isolation ensures users cannot access other tenant resources

Role Modification and Deletion

Modify Existing Role

  1. Access Role Settings

    • Select role to modify
  2. Update Permissions

    • Add/Remove Permissions: Adjust access levels
    • Change Configuration Method: Switch between Basic/Advanced
    • Update Description: Modify role documentation
  3. Apply Changes

    • User Session Impact: Existing user sessions invalidated
    • Immediate Effect: Permission changes take effect immediately
    • Audit Logging: All changes recorded in audit trail

Delete Custom Role

  1. Open the role's Action menu (⋮) and select Delete role
  2. Confirm the deletion in the modal
  3. If the role has assigned users, the confirmation modal lets you select a replacement role to automatically reassign all affected users before deletion

Restrictions:

  • Built-in roles cannot be deleted
  • Owner role deletion is permanently blocked for tenant security