Manage global permissions with roles

Administrators use roles to fine-tune authorization in the Wavefront environment:

  1. Create one or more roles and assign one or more permissions to each role.
  2. Create one or more groups and add one or more accounts to each group. Accounts can be user accounts or service accounts.
  3. Assign one or more roles to each group. It’s also possible to assign a role to individual users.

In addition to the global roles and permissions model, Wavefront also supports access control for individual objects, for example, administrators can limit access to a sensitive dashboard.

Manage Roles and Permissions

The Wavefront roles and permissions model allows you to make sure nobody can perform tasks without the corresponding permission – and this doc set lists the required permissions for most tasks.

Creating roles and assigning them to groups of users is most efficient and least error prone. It’s possible to grant permissions or assign a role to an individual account – that might make sense during a POC.

Create a Role

All users with Accounts, Groups & Roles permission can create roles.

To create a role:
  1. Log in to your Wavefront instance.
  2. From the gear menu, select Account Management.
  3. Click the Roles tab and select Create Role.
  4. Specify a name, description, and one or more permissions for that role.
  5. (Optional) Enter groups (or accounts) to assign the role to.
  6. Click Create.
create a role

Create a Group

All users with Accounts, Groups & Roles permission can create groups and add members and roles to the group. You can’t assign permissions to groups.

To create a group:
  1. Log in to your Wavefront instance.
  2. From the gear menu, select Account Management.
  3. Click the Groups tab and select Create Group.
  4. Specify a name and (optional) description.
  5. (Optional) Add one or more accounts to the group. You cannot add a group as a member.
  6. (Optional) Add one or more roles to the group now or later.
create a group

Assign a Role to a Group

Users with Accounts, Groups & Roles permission can assign roles when they create a group, or can add and remove roles later.

To assign a role to a group:
  1. Log in to your Wavefront instance.
  2. From the gear menu, select Account Management.
  3. Click the Groups tab and change role assignment in one of these ways:
    • Click the group name, click +Role or -Role, and select a role to change role assignment.
    • Select the check box for the group and click the group name. In the Edit Group dialog, make the desired changes and click Update
add role to group

Grant or Revoke Account Permissions Explicitly

Assigning a role to a group of users is more efficient and leaves less room for error than granting or revoking account permission or assigning a role to an account. We support those two ways of managing permissions in part for compatibility.

The process of granting permissions is the same for users and for service accounts

You can grant a service account permissions when you create it or add permissions later from the Service Accounts / Users page or from the Edit Service Account / Edit User page.

The following example shows this for service accounts.

To grant or revoke permissions from the Service Accounts page:
  1. Select one or more service accounts.
  2. Click +Permissions or -Permissions and select the permission to add or remove.
globally add or remove service account permissions
To grant or revoke permissions from the Edit Service Account page:
  1. Click the service account name to open the Edit Service Account page.
  2. Select the permission(s) that you want to grant or revoke in the Permissions field.
add or remove service account permissions