Roles User Guide
This user guide provides an overview of the purpose of user roles in Tehama and describes the four predefined roles.
Overview
Tehama uses roles to restrict what actions a user is permitted to perform within their organizations and Enclaves.
The Tehama platform currently defines four predefined base roles: Org Admin, Org Manager, Enclave Manager and Staff.
This user guide provides information on these four roles. It provides general information on the capabilities that users with each of these roles has and how these capabilities are dependent on the function/role that the user's organization has in a Tehama Enclave.
Tehama also provides organizations with the ability to define custom roles, composed of one or more permission sets. For information on how to construct your own 'custom roles' from 'permission sets', see the Custom Roles and Permissions User Guide.
Predefined Roles
This section explains what the predefined base roles can do with respect to their own organization.
The following table provides a brief overview of the four base roles in Tehama:
| Org Admin | Org Managers | Enclave Managers | Staff |
|---|---|---|---|
| Has full access | Have full access with some exceptions, including visibility of organization usage and webhook administration | Have access only to Enclaves of which they are a member | Can access Enclaves they've been added to and approved to access |
| Has full management capabilities | Are able to manage their own organization and add, edit, remove teams, team members and policies but cannot delete the organization | Are able to manage Enclaves of which they are a member | Can edit their own profile, and can access Enclaves they've been added to and approved to access |
| Receives all approval notifications for Enclaves and Enclave membership | Receive all approval notifications for Enclaves and Enclave membership | Receive approval notifications for Enclave membership only for Enclaves of which they are a member | |
Note that there is only one Org Admin per organization, but the Org Admin can transfer their role to another member of their organization by selecting another member and making them an Org Admin.
Here is a more detailed breakdown of the permissions for each of these roles.
Org Admin
The 'Org Admin' role has full access to the organization. A user with this role:
- Manages the organization's profile information.
- Manages the organization's authentication method.
- Manages the organization and Enclave membership.
- Can create/archive/delete Enclaves.
- Can add/edit/delete/assign policies.
- Can manage data access (e.g.: via the configuration and management of Multi-path connections) in Enclaves connected-to by their organization.
- Can create/edit/delete/assign-users-to Desktop templates in Enclaves owned by their organization.
- Can be assigned to Desktop templates and connect to the instances for them.
- Receives all Enclave approval notifications/invitations.
- Has full auditing abilities. This includes:
  - Activity Stream: Can view all events in the organization.
  - Recordings: Can access live and recorded sessions in the organization.
- Has visibility into organization TCU Usage. This includes:
  - TCU Usage Configuration: Can access TCU Usage options and data for the assigned organization.
  - TCU Usage Notification: Can enable TCU Usage notifications for the assigned organization.
  - Metering Report: Can access a granular breakdown of the usage metering report for the organization.
- Sees all reports, including TCU Usage/Metering reports.
- Can request that the organization be deactivated.
- Has the ability to reactivate the organization once it is deactivated, before it is deleted.
There is only one Org Admin user in each organization - and there must be one. This role is given to the user who first creates the organization, by default. The role can be assigned to any other organization member, automatically demoting the existing Org Admin to the role of Org Manager.
Org Manager
The 'Org Manager' role has full access to the organization, except for TCU Usage and the ability to deactivate the organization. A user with this role:
- Manages the organization and Enclave membership.
- Can create/archive/delete Enclaves.
- Can add/edit/delete/assign policies.
- Can manage data access (e.g.: via the configuration and management of Multi-path connections) in Enclaves connected-to by their organization.
- Can create/edit/delete/assign-users-to Desktop templates in Enclaves owned by their organization.
- Can be assigned to Desktop templates and connect to the instances for them.
- Receives all Enclave approval notifications/invitations.
- Has full auditing abilities. This includes:
  - Activity Stream: Can view all events in the organization.
  - Recordings: Can access live and recorded sessions in the organization.
- Sees all reports, except the Webhook Event Types report.
- Can request that the organization be deactivated.
There can be any number of Org Managers in each organization.
Enclave Manager
The 'Enclave Manager' role has access only to those Enclaves in the organization of which they are a member. A user with this role:
- Manages the organization and Enclave membership for Enclaves of which they are a member.
- Can assign policies in Enclaves of which they are a member.
- Can manage data access (e.g.: via the configuration and management of Multi-path connections) in Enclaves connected-to by their organization of which they are a member.
- Can create/edit/delete/assign-users-to Desktop templates in Enclaves owned by their organization of which they are a member.
- Can be assigned to Desktop templates and connect to the instances for them for Enclaves of which they are a member.
- Receives all approval notifications for Enclave memberships in Enclaves of which they are a member.
- Has full auditing abilities for Enclaves of which they are a member. This includes:
  - Activity Stream: Can view all events in the Enclave.
  - Recordings: Can access live and recorded sessions in the Enclave.
- Sees all report information for Enclaves of which they are a member.
There can be any number of Enclave Managers in each organization.
Staff
The 'Staff' role has partial access only to those Enclaves in the organization of which they are a member. A user with this role:
- Can be assigned to Desktop templates and connect to the instances for them in Enclaves of which they are a member.
There can be any number of Staff in each organization.
User Management Roles vis-a-vis Org Functions/Roles in an Enclave
This section is a bit more complicated. While each user has a role (Org Admin, Org Manager, Enclave Manager, Staff, or Custom), each organization also plays a 'role' or 'function' in an Enclave. This Enclave role/function affects what permissions a user role has in that Enclave.
Organization Enclave roles/functions are described in the section Org Roles and responsibilities in an Enclave in the Enclaves User Guide.
Here is a brief overview:
- Owner+Connected: Their organization created the Enclave (i.e.: they are paying for it) and connected it (i.e.: they configured the network access for the Enclave). (Their organization will have both the owner icon and the connected icon under its name in the Enclave's MEMBERS tab.)
- User-only: Their organization has been added to an Enclave that another organization is paying for and has connected.
- User+Owner: They've created and are paying for an Enclave, but it's connected to another organization. (Their organization will have the owner icon under its name in the Enclave's MEMBERS tab.)
- Connected-only: They've connected an Enclave that another organization is paying for. (Their organization will have the connected icon under its name in the Enclave's MEMBERS tab.)
The management permissions/responsibilities in an Enclave that are available to users with one of the manager roles (Org Admin, Org Manager and Enclave Manager) differ, depending on which of the above 'Enclave roles' their organization plays in that Enclave.
Note that people with the Staff role have no permissions with respect to Enclave management.
The following table outlines the management permissions for a user with a manager role vis-a-vis their organization's role in an Enclave:
Note that Enclave Managers only have those permissions in the table below that relate to Enclaves of which they are a member.
| OWNER+CONNECTED | USER-ONLY | USER+OWNER | CONNECTED-ONLY |
|---|---|---|---|
| Full control/approval of membership and policies | Can propose team members for membership to Enclave | Can propose team members for membership to Enclave | Full control/approval of membership and policies |
| Full control/approval of tools/tool configurations | Can add new tools/tool configurations | Do not control tool configurations but set policies | |
| Full control of audit of work | No audit | Access to audit | Full control of audit of work |
| Full control of connections: can add/edit/remove connections | | | Can add/edit/remove connections |
| Org Admin (not Org/Enclave Manager) can delete audit information | | | Org Admin (not Org/Enclave Manager) can delete audit information |
Note that when referring to the 'connected organization' in an Enclave, this means either an 'owner+connected' organization or a 'connected-only' organization. Similarly, when referring to the 'owner organization' in an Enclave, this means either an 'owner+connected' organization or a 'user+owner' organization.
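The two-dimensional rule set above (the user's role crossed with the organization's function in the Enclave, with Enclave Managers further scoped to their own memberships and audit deletion reserved to the Org Admin) is easiest to reason about as a deny-by-default policy check. The following is an added, illustrative model written for this guide; it is not Tehama's implementation, and the action names (`approve_membership`, `audit_delete`, and so on), the `User` record and the Enclave identifiers are assumptions chosen to encode the table.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Set, Tuple


class Role(Enum):
    ORG_ADMIN = "Org Admin"
    ORG_MANAGER = "Org Manager"
    ENCLAVE_MANAGER = "Enclave Manager"
    STAFF = "Staff"


class OrgFunction(Enum):
    OWNER_CONNECTED = "owner+connected"
    USER_ONLY = "user-only"
    USER_OWNER = "user+owner"
    CONNECTED_ONLY = "connected-only"


# Only manager roles hold any Enclave management permission at all.
MANAGER_ROLES = {Role.ORG_ADMIN, Role.ORG_MANAGER, Role.ENCLAVE_MANAGER}

# Hypothetical action names encoding each row of the permissions table.
# The set granted to an organization depends solely on its function in the Enclave.
FULL_CONTROL: Set[str] = {
    "propose_membership", "approve_membership", "manage_policies",
    "manage_tools", "audit_view", "audit_delete", "manage_connections",
}
FUNCTION_ACTIONS: Dict[OrgFunction, Set[str]] = {
    OrgFunction.OWNER_CONNECTED: set(FULL_CONTROL),
    OrgFunction.USER_ONLY: {"propose_membership", "add_tools"},
    OrgFunction.USER_OWNER: {"propose_membership", "manage_policies", "audit_view"},
    OrgFunction.CONNECTED_ONLY: set(FULL_CONTROL),
}

# Actions that the table reserves to the Org Admin even where the org has full control.
ORG_ADMIN_ONLY = {"audit_delete"}


@dataclass(frozen=True)
class User:
    role: Role
    org_function: OrgFunction          # the user's organization's function in the Enclave
    enclave_memberships: FrozenSet[str]  # Enclave ids this user is a member of (assumed ids)


def is_permitted(user: User, enclave_id: str, action: str) -> Tuple[bool, str]:
    """Deny-by-default check: every gate must pass for the action to be allowed."""
    # Gate 1: Staff (and any non-manager role) has no Enclave management permissions.
    if user.role not in MANAGER_ROLES:
        return False, "role has no Enclave management permissions"
    # Gate 2: Enclave Managers are scoped to Enclaves of which they are a member.
    if user.role is Role.ENCLAVE_MANAGER and enclave_id not in user.enclave_memberships:
        return False, "Enclave Manager is not a member of this Enclave"
    # Gate 3: the organization's function in the Enclave bounds what any of its users may do.
    if action not in FUNCTION_ACTIONS[user.org_function]:
        return False, f"organization function {user.org_function.value!r} does not grant {action!r}"
    # Gate 4: destructive audit operations are reserved to the single Org Admin.
    if action in ORG_ADMIN_ONLY and user.role is not Role.ORG_ADMIN:
        return False, "only the Org Admin can delete audit information"
    return True, "allowed"


def effective_actions(user: User, enclave_id: str) -> Set[str]:
    """All actions the user can actually perform in the given Enclave."""
    candidates = FULL_CONTROL | {"add_tools"}
    return {a for a in candidates if is_permitted(user, enclave_id, a)[0]}


if __name__ == "__main__":
    # Constructed sample users for a quick demonstration run.
    admin = User(Role.ORG_ADMIN, OrgFunction.OWNER_CONNECTED, frozenset({"enc-1"}))
    mgr = User(Role.ORG_MANAGER, OrgFunction.OWNER_CONNECTED, frozenset())
    em = User(Role.ENCLAVE_MANAGER, OrgFunction.CONNECTED_ONLY, frozenset({"enc-1"}))
    for who, u in [("Org Admin", admin), ("Org Manager", mgr), ("Enclave Manager", em)]:
        print(who, "in enc-1:", sorted(effective_actions(u, "enc-1")))
        print(who, "in enc-2:", sorted(effective_actions(u, "enc-2")))
```

The point of the four ordered gates is that the effective permission is the intersection of the user's role and the organization's Enclave function: an Org Admin whose organization is user-only can still only propose members, and an Org Manager whose organization owns and connects the Enclave gets everything except audit deletion. Each denial carries its reason, which is what an authorization layer should log so that an unexpected deny can be traced to the gate that produced it.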
View Roles
The Org Admin user and the Org Managers can view the Roles available in the organization.
View the roles, both predefined and custom, in your organization as follows:
- Log in to the Tehama Web UI.
- Click on the ORGANIZATION tab.
- Click on the ROLES sidebar item. You will see the ROLES table.
Assign a Role
You can assign a role, custom or predefined, when inviting a new member to your organization. Follow the instructions in the Add members to an organization section in the Organization User Guide.
You can also assign a role by editing the role of an existing member in your organization. Follow the instructions in the Edit a member's role section in the Organization User Guide.