Rooms User Guide
A Tehama Room provides an isolated set of tools and services so you can collaborate securely. Organizations work together using a shared Room with access governed by policies. A Room is connected to a network, either a private or a public network (e.g. resources in the cloud) in which remote people work. All work performed in the connected network through the Room is audited.
What is a Room?
A Room is a container with a set of tools and services running within it.
Tools and services in a Tehama Room:
- Firewall Rules, a set of rules that constrain access to the 'connected network'. (See the description of the 'connected network' below.)
- Secrets Vault, secure storage of access credentials for assets in the connected network.
- File Vault, a secure transfer mechanism for files between the user's local environment and the connected network.
- App Vault, a way to securely transfer application installation files to the Room's desktops.
- Desktops, both Windows and Linux Virtual Machines (VMs), used by Room members to interact with the connected network. Rooms contain Desktop templates from which Desktop instances are generated. A Desktop template contains the description of the Desktop configuration and the users assigned to it - those Room members who can connect to the template's generated Desktop instances. Each Desktop (instance) runs a 'Tehama Desktop Agent' application (AKA Workspace Agent) which provides access to tools/services in the Room. (Note that support for enabling the Linux Desktop feature is currently suspended.)
- Audit, a set of audit tools including live Desktop session viewing, Desktop session recording, an activity stream of events occurring in the Room and reports.
The firewall rules, secrets vault, file vault and audit capabilities are managed through the Tehama Web UI and are accessible from the Tehama Desktop Agent in the Desktops. The app vault is managed through the Tehama Web UI, and the files it contains are accessible from mapped drives in the Desktops.
Each Room is owned by a Tehama organization, the 'owner organization', and is connected to the network of a Tehama organization, the 'connected organization'. (These can be the same organization.) Other organizations can be invited to use the Room as well. These are known as 'user organizations'.
A Room has members. Members are users from the Tehama organizations in the Room. Members must comply with the access policy set for their organization in the Room. Only members in a Room can be assigned to Desktop templates in the Room. Members access the instances of their assigned Desktop templates through the Tehama Web UI.
A Room is connected to a network, either a private network or a public network (e.g. resources in the cloud) that is controlled by the Room's 'connected organization'. This is referred to as the 'connected network'. The only way the tools and services in the Room can reach the connected network is through the connection the Room provides, so access to the connected network is restricted to Room members.
The character of the 'connected network' depends on the 'Network Access' setting chosen by the Room's 'connected to' organization. It can be set to either 'Internet Only' or 'Tehama Gateway'.
- When set to 'Internet Only', the 'connected network' is the set of applications and services in the cloud that the Room's firewall settings allow access to.
- When set to 'Tehama Gateway', the 'connected network' is the organization's private network where a Tehama Gateway must be installed (as well as desired resources in the cloud), constrained by the Room's firewall settings. (See the Tehama Gateway User Guide for more information on Tehama Gateways.)
The following image shows how the architecture achieves the isolation that Rooms provide. It shows the scenario where a service consumer (customer) has two Rooms in Tehama connected to their network where:
- Whiteroom X is a Tehama Room with 'Network Access' set to 'Tehama Gateway' and with the 'Multiple Gateways' option disabled.
- Whiteroom Y is a Tehama Room with 'Network Access' set to 'Internet Only'.
More information on the Room concept is available in the 'Room' section of the Introduction.
Roles and responsibilities in a Room
Each organization in a Room has one of the following roles:
- owner+connected: The organization created the Room (i.e.: they are paying for it) and connected it (i.e.: they configured the network access for the Room to connect to their private (or public) network).
- user-only: The organization has been added (invited to join) to a Room and has no particular responsibilities in the Room.
- user+owner: The organization created and is paying for the Room but the Room is connected to by another organization.
- connected-only: The organization connected to the Room that another organization is paying for.
Room management responsibilities are divided as follows:
⦿ In your role as the Admin user or an Org Manager or a Room Manager (who is a member of the Room) of the Room's connected organization (owner+connected or connected-only), it is your responsibility to:
- configure and monitor the connection to the connected network.
- keep the Tehama Gateway in the Room up-to-date (if applicable).
- set up firewall rules.
- add/remove secrets.
- grant membership to the Room to users from your own and other organizations.
- monitor and audit the actions users perform when accessing and using resources on the connected network. (See note below.) Actions you can audit include user sessions, users' use of access credentials, the transfer of files in and out of your systems, and much more.
⦿ In your role as the Admin user or an Org Manager or a Room Manager (who is a member of the Room) of the Room's owner organization (owner+connected or user+owner), it is your responsibility to:
- add and approve requests for Desktop templates for Room members.
- enable/disable the Multiple Gateways option for the Room (if applicable).
- monitor and audit Room activity.
In addition ...
⦿ In your role as the Admin or an Org Manager or a Room Manager (who is a member of the Room) of an organization in the Room that DOES NOT own the Room (connected-only or user-only), you can:
- request Desktop templates for Room members.
⦿ In your role as the Admin or an Org Manager or a Room Manager (who is a member of the Room) of an organization in the Room that IS NOT the organization that is connected to the Room (user+owner or user-only), you can:
- request/propose users from your organization for membership in the Room.
⦿ In your role as a Staff member of an organization in the Room that has been approved as a member of the Room, you can:
- request Desktop templates for Room members.
- be assigned to Desktop templates in the Room.
- connect to and work in Desktops in the Room - Desktops generated from the Desktop templates that you have been assigned to.
All of the above responsibilities are handled through the Tehama Web UI.
The Roles User Guide provides an overview of the roles and responsibilities that organizations can have in a Room. See the section 'Roles and their permissions vis-a-vis Room management' in the guide.
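The four organization roles above are really the product of two independent facts about an organization: whether it owns the Room and whether it is connected to it. Each responsibility in the lists keys off exactly one of those two facts, and Room Managers and Staff act only in Rooms they are members of. The following Python model, added here as an illustration and not Tehama's own code or API, encodes the matrix that way, with every action denied unless a rule grants it; the action names are assumptions chosen for this example.

```python
"""Illustrative model of the Room responsibility matrix (not Tehama's code)."""
from enum import Enum


class OrgRole(Enum):
    OWNER_CONNECTED = "owner+connected"
    USER_ONLY = "user-only"
    USER_OWNER = "user+owner"
    CONNECTED_ONLY = "connected-only"


class UserRole(Enum):
    ADMIN = "Admin"
    ORG_MANAGER = "Org Manager"
    ROOM_MANAGER = "Room Manager"
    STAFF = "Staff"


# The four composite roles decompose into two independent flags.
def is_owner(org: OrgRole) -> bool:
    return org in (OrgRole.OWNER_CONNECTED, OrgRole.USER_OWNER)


def is_connected(org: OrgRole) -> bool:
    return org in (OrgRole.OWNER_CONNECTED, OrgRole.CONNECTED_ONLY)


MANAGEMENT_ROLES = {UserRole.ADMIN, UserRole.ORG_MANAGER, UserRole.ROOM_MANAGER}

# Action names are assumptions for this example; each set mirrors one list in the guide.
CONNECTED_ORG_ACTIONS = {
    "configure_connection", "update_gateway", "set_firewall_rules",
    "manage_secrets", "grant_membership", "audit_connected_network",
}
OWNER_ORG_ACTIONS = {
    "approve_desktop_templates", "toggle_multiple_gateways",
    "audit_room_activity", "delete_or_archive_room", "rename_room",
}
NON_OWNER_ACTIONS = {"request_desktop_templates"}
NON_CONNECTED_ACTIONS = {"propose_members"}
STAFF_ACTIONS = {"request_desktop_templates", "use_assigned_desktops"}


def allowed(org: OrgRole, user: UserRole, action: str, room_member: bool) -> bool:
    """Deny by default; grant only what one of the guide's lists states."""
    # Room Managers act only in Rooms of which they are members.
    if user == UserRole.ROOM_MANAGER and not room_member:
        return False
    if user in MANAGEMENT_ROLES:
        if action in CONNECTED_ORG_ACTIONS:
            return is_connected(org)
        if action in OWNER_ORG_ACTIONS:
            return is_owner(org)
        if action in NON_OWNER_ACTIONS:
            return not is_owner(org)
        if action in NON_CONNECTED_ACTIONS:
            return not is_connected(org)
        return False
    if user == UserRole.STAFF:
        # Staff must have been approved as a member of the Room.
        return room_member and action in STAFF_ACTIONS
    return False


def responsibilities(org: OrgRole) -> set:
    """All actions a management-role user of this organization may perform."""
    candidates = (CONNECTED_ORG_ACTIONS | OWNER_ORG_ACTIONS
                  | NON_OWNER_ACTIONS | NON_CONNECTED_ACTIONS)
    return {a for a in candidates if allowed(org, UserRole.ADMIN, a, True)}


if __name__ == "__main__":
    for org in OrgRole:
        print(org.value, sorted(responsibilities(org)))
```

The useful check this model makes explicit is that an owner-only organization (user+owner) never gains connected-network controls such as firewall rules or secrets, and a connected-only organization never gains Room-lifecycle controls such as deletion, however many management users it has; the split is by organization role, not user seniority.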
Typical Room workflow
First a Room has to be created.
Once a Room has been created, it must be set up properly. Between them, the Admin users and Org Managers and Room Managers (who are members of the Room) of a Room's connected organization and its owner organization will:
- set and monitor the connection to the connected network. (Once the Room is connected, it needs to be monitored - see the Room Connection Status Monitoring/Management User Guide. For additional information on Room connections, see the Tehama Gateway User Guide.)
- set up firewall rules to constrain the Room's access to the connected network. (See the Firewall Rules User Guide.)
- set up secrets to generate credentials for assets in the connected network. (See the Secrets Vault User Guide.)
- add members to work in the Room's Desktops. (See the Room Membership User Guide.)
- configure Desktop templates for those members. (See the Desktops User Guide.)
After that, as a member of a Room, you can start to work as follows:
- Log in to one of your Desktops. (See the 'Connect to a Desktop' section in the Desktops User Guide.)
- for Windows Desktops, either launch the Desktop directly from the Tehama Web UI, logging in with temporary access credentials automatically passed along for you by the UI, or launch the Desktop from an AWS app, logging in with temporary access credentials that you can obtain from the Tehama Web UI.
- for Linux Desktops, launch the Desktop directly from the Tehama Web UI. It will launch in a new browser tab.
Through the Desktop, you have access to the Room's connected network. This is where you perform your tasks on the connected network.
To help you in your work, you can:
- transfer files between your local environment and the connected network using the Room's file vault. (See the File Vault User Guide.)
- use the Tehama Web UI to upload files from and download files to your local environment.
- use the Tehama Desktop Agent (Workspace Agent) to upload files from and download files to your Desktop (and from there to the connected network).
- use the secrets from the Room's secrets vault to access assets in the connected network. (See the Secrets Vault User Guide.)
- access the secrets in the secrets vault (from either the Tehama Web UI or the Tehama Desktop/Workspace Agent) to generate temporary credentials that you can use to gain access to password-protected assets/resources in the Room's connected network.
View list of Rooms
All roles in all organizations can access the list of Rooms. The Admin user and Org Managers in an organization will see all Rooms the organization has a stake in. Room Managers and Staff members will only see those Rooms of which they are a member.
View the list of Rooms you have access to as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
An organization's Admin user and its Org Managers will see all the Rooms the organization has a stake in - that is all the Rooms they own, are connected to or otherwise use.
An organization's Room Managers and Staff members will see all the Rooms that they are a member of.
The list displays the following information for each Room:
- Room: the name of the Room
- In use: the number of Desktops in the Room that are currently in use (maximum allowed is 50)
- Policy: the policy that members of your organization in the Room must comply with
- Status: the status of the Room (Connected, Disconnected, Pending, Deactivated or Archived)
The graph at the top right of the list shows the TCU usage for the Rooms. (See the TCU Usage reports under REPORTS for more information on TCU Usage.)
Note that the Rooms list can be sorted on all columns.
Note that an entry whose text overruns the column can be expanded by clicking within the text field in the entry. (Avoid clicking on the text itself if it is a link.)
Create and connect to a Room
Only the Admin user and Org/Room Managers of an organization can create a Room and connect to it.
In this creation scenario, your organization will be both the Room's owner organization and the Room's connected organization. (i.e.: Your organization will be the Room's owner+connected organization.)
All of the ways to create/connect/join a Room are covered in the Tehama Installation section of Tehama's Getting Started Guide.
If you want to create a Room and connect to it, see Room Creation Scenario 1 in the installation guide.
Once your Room is created, it will appear in the list of Rooms in the Tehama Web UI.
Create a Room and invite another organization to connect to it
Only the Admin user and Org/Room Managers of an organization can create a Room and invite another organization to connect to it.
In this creation scenario, your organization will be the Room's owner organization and the other organization will be its connected organization. (i.e.: Your organization will be the Room's user+owner organization and the other organization will be the Room's connected-only organization.)
All of the ways to create/connect/join a Room are covered in the Tehama Installation section of Tehama's Getting Started Guide.
If you want to create a Room and get another organization to connect to it, see Room Creation Scenario 2 in the installation guide.
Once your Room is created, it will appear in the list of Rooms in the Tehama Web UI.
Connect to a Room via invitation
Only the Admin user and Org Managers of an organization can connect their organization to a Room, having received an invitation to do so from the Room's owner organization.
In this configuration scenario, your organization will be the Room's connected organization and the other organization will be its owner. (i.e.: Your organization will be the Room's connected-only organization and the organization that invited you will be the Room's user+owner organization.)
All of the ways to create/connect/join a Room are covered in the Tehama Installation section of Tehama's Getting Started Guide.
If you want to respond to an invitation to connect your network to a Room created by another organization, see Room Configuration Scenario 1 in the installation guide.
Join a Room via invitation
Only the Admin user and Org Managers of an organization can join their organization to a Room, having received an invitation to do so from the Room's connected organization.
In this configuration scenario, your organization will not have any particular management responsibilities in the Room. (i.e.: Your organization will be (one of) the Room's user-only organization(s).)
All of the ways to create/connect/join a Room are covered in the Tehama Installation section of Tehama's Getting Started Guide.
Once a Room has been created and connected, the connected organization for a Room can invite other organizations to join the Room.
If you want to respond to an invitation to join a Room, see Room Configuration Scenario 2 in the installation guide.
Delete or archive a Room
Only the Admin user, Org Managers and Room Managers (who are members of the Room) of a Room's owner organization (owner+connected or user+owner) can delete or archive the Room.
WARNING: A Room, once deleted, cannot be recovered. Connections associated to the Room are also deleted and cannot be recovered. Archiving the Room will preserve recordings.
Delete or archive a Room as follows:
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Select the Room you wish to delete or archive by clicking in the checkbox to the left of the Room's name.
- At the bottom of the page, click the Trash Can icon. You will see the DELETE ROOM dialog.
- Acknowledge the warning and type the name of the Room into the dialog.
- If you want to delete the Room: Click DELETE.
- If you want to archive the Room: Click ARCHIVE.
View a Room's interface
The Admin user and Org Managers in an organization can access the interface of all Rooms the organization has a stake in. Room Managers and Staff members of an organization will only be able to access the interface of those Rooms of which they are a member.
Essentially, if you can see a Room in the list of Rooms under the ROOMS tab, you can access its interface.
Access the interface for a Room in the Tehama Web UI as follows: (Choose A or B.)
A: find the Room in the list of Rooms that you have access to
- Log in to the Tehama Web UI.
- Click on the ROOMS tab. You will see a list of all the Rooms that you have access to.
- Click on the name of the Room you want to access. You will see the page for the Room.
Here is the Room interface with the WORK tab selected for a member of a Room's user organization who is not currently assigned to a Desktop template in the Room:
B: find the Room in the list of all your Desktops in the organization
- Log in to the Tehama Web UI.
- Click on the DESKTOPS tab. You will see a list of all the Desktop templates you are assigned to. Each entry contains the name of the Room to which the Desktop template belongs. Note, this will not contain Rooms in which you are not assigned to a Desktop template.
- Click on the name of the Room you want to access. You will see the page for the Room.
Note that Admin users, Org Managers and Room Managers also have the option of seeing either a list of all Desktop templates in the organization or a list of in-use Desktop templates in the organization from the DESKTOPS tab. If the first option is chosen, all Rooms in the organization that have at least one Desktop template will be in the list. (For Room Managers, the listed Desktop templates are restricted to those belonging to Rooms of which they are members.)
Here is the Room interface with the WORK tab selected for a member of a Room's owner organization who is assigned to a couple of Desktop templates in the Room:
Change a Room's name
Only the Admin user and Org Managers and Room Managers (who are members of the Room) of a Room's owner organization (owner+connected or user+owner) can edit the Room's name.
Change a Room's name as follows:
- Access the Room's interface.
- Click on the Room name in the breadcrumbs at the top of the page in order to make it editable.
- Type in the editable field.
- Save your change by selecting the checkmark or discard it by selecting the cross.
Note that a Room's name can only be modified if the Room has not been archived.
Note that a Room's name can be modified by a 'Tehama Super Admin' user (a super user belonging to the Tehama Support team) if necessary.
Note that the ability to change a Room's name is available from any tab in the Room's interface.
Room Desktop Settings
Only the Admin user and Org Managers and Room Managers (who are members of the Room) of a Room's owner organization (owner+connected or user+owner) and the Admin user and Room Managers (who are members of the Room) of the Room's connected organization (owner+connected or connected-only) can configure the Room's Desktop settings.
A Room has a collection of Desktop settings that are applied to all the Desktops that belong to the room. These settings can be set from your Room's CONFIGURE -> SETTINGS page.
• Set Idle Session Timeout
The idle session timeout setting is the length of time a desktop session will idle before disconnecting (and no longer using TCU).
Change a Room's idle session timeout setting as follows:
- Access the Room's interface.
- Click the Room's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the DESKTOP SETTINGS section.
- Locate the dropdown field to the right of the "Idle Session Timeout" desktop-setting.
- Click on the dropdown field to display the preconfigured idle timeout options.
- Select the idle timeout option you wish for your Room's desktop sessions.
- Click SAVE.
Room Feature Settings
Only the Admin user and managers of a Room's owner organization (owner+connected or user+owner) and the Admin user and managers of the Room's connected organization (owner+connected or connected-only) can configure the Room's Feature settings.
A Room has a collection of features that can be enabled or disabled for the room. These features can be enabled or disabled from your Room's CONFIGURE -> SETTINGS page. Note that only one feature can be enabled/disabled at a time, to allow the Room's infrastructure to update before the next change is made.
• Enable/Disable File Vault
The File Vault Room feature secures the transfer of files between your local environment and the Room's Tehama Desktops. See the File Vault User Guide for more details.
When it is enabled, all users with access to the Room will be able to see the FILE VAULT page under the Room's WORK tab.
When it is disabled, the FILE VAULT page under the Room's WORK tab will not be available.
Enable or disable the File Vault Room feature as follows:
- Access the Room's interface.
- Click the Room's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ROOM SETTINGS section.
- Locate the toggle to the right of the "File Vault" feature.
- Enable or disable the feature as follows:
- Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
- Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
• Enable/Disable Multi-Gateway
The Multi-Gateway Room feature allows you to connect multiple Tehama Gateways (to a maximum of 2) to your Room to provide redundancy for your network access.
When the Multi-Gateway Room feature is enabled, the Room's owner organization will be able to see the feature and to turn it on or off in the Room's CONNECTION -> STATUS page. The Room's connected organization will be able to see the feature. See both the "View the 'Multiple Gateways' option for a Room" section and the "Enable/Disable the 'Multiple Gateways' option for a Room" section in the Room Connection Status Monitoring/Management User Guide for more details.
Note, ensure that the 'Multiple Gateways' option in the Room's CONNECTION -> STATUS page is turned off before attempting to disable the Multi-Gateway Room feature.
Note that enabling the 'Multi-Gateway' feature here in the Room Settings does not incur any cost for your Room. However, subsequently turning the 'Multiple Gateways' option on under the Room's CONNECTION -> STATUS page does incur an added expense for your Room.
Enable or disable the Multi-Gateway Room feature as follows:
- Access the Room's interface.
- Click the Room's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ROOM SETTINGS section.
- Locate the toggle to the right of the "Multi-Gateway" feature.
- Enable or disable the feature as follows:
- Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
- Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
• Enable/Disable Linux Desktops
The Linux Desktop Room feature provides virtual Desktop environments connected via PCoIP to Linux-based servers. These are known as Tehama Linux Desktops. The feature is offered with a range of hardware and software options similar to those of a Windows Desktop. The currently available operating system is Ubuntu Server 18.04.
(Note that Tehama also offers a 'Linux Legacy Desktops' feature based on older technology that is being phased out of use.)
The Linux Desktop Room feature, when enabled, allows the creation of Tehama Linux Desktops in the Room.
When enabled, Tehama Linux Desktops can be created in the room, and the LINUX DESKTOPS page found under the Room's CONFIGURE tab in the Tehama Web UI will be present.
When disabled, Tehama Linux Desktops cannot be created in the room, and the LINUX DESKTOPS page found under the Room's CONFIGURE tab in the Tehama Web UI will be absent.
Note that the LINUX DESKTOPS page may still be present while the Linux Desktop feature is disabled if the 'Linux Legacy Desktops' feature is enabled. The legacy feature cannot be enabled/disabled by organization Admins and managers.
Note that any Tehama Linux Desktops that have already been created for the Room will continue to exist after the feature has been disabled and will remain accessible through the Tehama Web UI, although the ability to request or add new Tehama Linux Desktops will be unavailable.
Enable or disable the Linux Desktop Room feature as follows:
- Access the Room's interface.
- Click the Room's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ROOM SETTINGS section.
- Locate the toggle to the right of the "Linux Desktop" feature.
- Enable or disable the feature as follows:
- Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
- Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
• Enable/Disable Recordings
The Recordings Room feature provides recordings of the Room's Desktop sessions.
From the time it is enabled, any subsequent desktop sessions in the room will be recorded.
From the time it is disabled, any subsequent desktop sessions in the room will not be recorded.
Recordings are available in the Room's SESSIONS page under the AUDIT tab. See the Desktop Session Auditing User Guide for more details.
Note, any recordings that are already present will continue to be available once the feature is disabled.
Enable or disable the Recordings Room feature as follows:
- Access the Room's interface.
- Click the Room's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ROOM SETTINGS section.
- Locate the toggle to the right of the "Recordings" feature.
- Enable or disable the feature as follows:
- Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
- Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)