Roles User Guide
This user guide provides an overview of the purpose of user roles in Tehama and describes the four predefined roles.
Overview
Tehama uses roles to restrict what actions a user is permitted to perform within their organizations and Rooms.
The Tehama platform currently defines four predefined base roles: Org Admin, Org Manager, Room Manager and Staff.
This user guide provides information on these four roles: the capabilities that users with each role have, and how those capabilities depend on the function (role) that the user's organization has in a Tehama Room.
Tehama also provides organizations with the ability to define custom roles, composed of one or more permission sets. For information on how to construct your own 'custom roles' from 'permission sets', see the Custom Roles and Permissions User Guide.
Predefined Roles
This section explains what the predefined base roles can do with respect to their own organization.
The following table provides a brief overview of the four base roles in Tehama:
| Org Admin | Org Manager | Room Manager | Staff |
|---|---|---|---|
| Has full access | Has full access with some exceptions, including visibility of organization usage and webhook administration | Has access only to Rooms of which they are a member | Can access Rooms they've been added to and approved to access |
| Has full management capabilities | Can manage their own organization and add, edit and remove teams, team members and policies, but cannot delete the organization | Can manage Rooms of which they are a member | Can edit their own profile, and can access Rooms they've been added to and approved to access |
| Receives all approval notifications for Rooms and Room membership | Receives all approval notifications for Rooms and Room membership | Receives all approval notifications for Rooms and Room membership, for Rooms of which they are a member | |
Note that there is only one Org Admin per organization, but the Org Admin can transfer the role to another member of their organization by selecting that member and making them the Org Admin.
Here is a more detailed breakdown of the permissions for each of these roles.
Org Admin
The 'Org Admin' role has full access to the organization. A user with this role:
- Manages the organization's profile information.
- Manages the organization's authentication method.
- Manages the organization and Room membership.
- Can create/archive/delete Rooms.
- Can add/edit/delete/assign policies.
- Can manage data access (e.g. via the configuration and management of Tehama Gateways, or of VPN IPsec connections, depending on the Room's network access type) in Rooms connected by their organization.
- Can create/edit/delete/assign-users-to Desktop templates in Rooms owned by their organization.
- Can be assigned to Desktop templates and connect to the instances for them.
- Receives all Room approval notifications/invitations.
- Has full auditing abilities. This includes:
- Activity Stream: Can view all events in the organization.
- Recordings: Can access live and recorded sessions in the organization.
- Has visibility into organization TCU Usage.
- TCU Usage Configuration: Can access TCU Usage options and data for the assigned organization.
- TCU Usage Notification: Can enable TCU Usage notifications for the assigned organization.
- Metering Report: Can access granular breakdown of usage metering report related to the organization.
- Sees all reports, including TCU Usage/Metering reports.
- Can request that the organization be deactivated.
- Has the ability to reactivate the organization once it is deactivated, before it is deleted.
There is exactly one Org Admin user in each organization. By default, this role is given to the user who first creates the organization. The role can be assigned to any other organization member, which automatically demotes the existing Org Admin to the role of Org Manager.
Org Manager
The 'Org Manager' role has full access to the organization, except for TCU Usage and the ability to deactivate the organization. A user with this role:
- Manages the organization and Room membership.
- Can create/archive/delete Rooms.
- Can add/edit/delete/assign policies.
- Can manage data access (e.g. via the configuration and management of Tehama Gateways, or of VPN IPsec connections, depending on the Room's network access type) in Rooms connected by their organization.
- Can create/edit/delete/assign-users-to Desktop templates in Rooms owned by their organization.
- Can be assigned to Desktop templates and connect to the instances for them.
- Receives all Room approval notifications/invitations.
- Has full auditing abilities. This includes:
- Activity Stream: Can view all events in the organization.
- Recordings: Can access live and recorded sessions in the organization.
- Sees all reports, except the Webhook Event Types report.
- Can request that the organization be deactivated.
There can be any number of Org Managers in each organization.
Room Manager
The 'Room Manager' role has access only to those Rooms in the organization of which they are a member. A user with this role:
- Manages the organization and Room membership for Rooms of which they are a member.
- Can assign policies in Rooms of which they are a member.
- Can manage data access (e.g. via the configuration and management of Tehama Gateways, or of VPN IPsec connections, depending on the Room's network access type) in Rooms connected by their organization, for Rooms of which they are a member.
- Can create/edit/delete/assign-users-to Desktop templates in Rooms owned by their organization, for Rooms of which they are a member.
- Can be assigned to Desktop templates and connect to the instances for them for Rooms of which they are a member.
- Receives all approval notifications for Room memberships in Rooms of which they are a member.
- Has full auditing abilities for Rooms of which they are a member. This includes:
- Activity Stream: Can view all events in the Room.
- Recordings: Can access live and recorded sessions in the Room.
- Sees all report information for Rooms of which they are a member.
There can be any number of Room Managers in each organization.
Staff
The 'Staff' role has partial access only to those Rooms in the organization of which they are a member. A user with this role:
- Can be assigned to Desktop templates and connect to the instances for them in Rooms of which they are a member.
There can be any number of Staff in each organization.
User Management Roles vis-a-vis Org Functions/Roles in a Room
This section is a bit more complicated. While each user has a role (Org Admin, Org Manager, Room Manager, Staff, or Custom), each organization also plays a 'role' or 'function' in a Room. This Room role/function affects which permissions a user role has in that Room.
Organization Room roles/functions are described in the section Org Roles and responsibilities in a Room in the Rooms User Guide.
Here is a brief overview:
- Owner+Connected: Their organization created the Room (i.e. they are paying for it) and connected it (i.e. they configured the network access for the Room). (Their organization will have both the owner icon and the connected icon under its name in the Room's MEMBERS tab.)
- User-only: Their organization has been added to a Room that another organization is paying for and has connected.
- User+Owner: They've created and are paying for a Room, but it's connected by another organization. (Their organization will have the owner icon under its name in the Room's MEMBERS tab.)
- Connected-only: They've connected a Room that another organization is paying for. (Their organization will have the connected icon under its name in the Room's MEMBERS tab.)
The management permissions/responsibilities in a Room that are available to users with one of the manager roles (Org Admin, Org Manager and Room Manager) differ, depending on which of the above 'Room roles' their organization plays in a Room.
Note that people with the Staff role have no permissions with respect to Room management.
The following table outlines the management permissions for a user with a manager role vis-a-vis their organization's role in a Room:
Note that Room Managers only have those permissions in the table below that relate to Rooms of which they are a member.
| OWNER+CONNECTED | USER-ONLY | USER+OWNER | CONNECTED-ONLY |
|---|---|---|---|
| Full control/approval of membership and policies | Can propose team members for membership to the Room | Can propose team members for membership to the Room | Full control/approval of membership and policies |
| Full control/approval of tools/tool configurations | Can add new tools/tool configurations | Do not control tool configurations, but set policies | |
| Full control of audit of work | No audit | Access to audit | Full control of audit of work |
| Full control of connections. For Tehama Gateway Rooms: can enable/disable the Multiple Gateways (Multi-GWs) connection option; can configure/change the network access type from Gateway to Internet-only or to Multi-Path when the Multiple Gateways option is disabled; can manage updating of installed Gateways. For Internet-Only Rooms: can configure/change the network access type from Internet-only to Gateway or to Multi-Path. For Multi-Path Rooms: can add/edit/remove connections. | For Tehama Gateway Rooms: can enable/disable the Multiple Gateways (Multi-GWs) connection option | For Tehama Gateway Rooms: cannot enable/disable the Multiple Gateways (Multi-GWs) connection option; can configure/change the network access type from Gateway to Internet-only or to Multi-Path when the Multiple Gateways option is disabled; can manage updating of installed Gateways. For Internet-Only Rooms: can configure/change the network access type from Internet-only to Gateway or to Multi-Path. For Multi-Path Rooms: can add/edit/remove connections. | |

Only the Org Admin (not an Org Manager or Room Manager) can delete audit information.
Note that the 'connected organization' in a Room means either an 'owner+connected' organization or a 'connected-only' organization. Similarly, the 'owner organization' in a Room means either an 'owner+connected' organization or a 'user+owner' organization.
View Roles
The Org Admin user and the Org Managers can view the Roles available in the organization.
View the roles, both predefined and custom, in your organization as follows:
- Log in to the Tehama Web UI.
- Click on the ORGANIZATION tab.
- Click on the ROLES sidebar item. You will see the ROLES table.
Assign a Role
You can assign a role, custom or predefined, when inviting a new member to your organization. Follow the instructions in the Add members to an organization section in the Organization User Guide.
You can also assign a role by editing the role of an existing member in your organization. Follow the instructions in the Edit a member's role section in the Organization User Guide.