User roles & management
Users
When you create a new account on qbee.io, the first user is automatically given a default role. This role has full access to all areas of the platform. You can create new roles and assign them to any user. A user who is assigned multiple roles gets the combined permissions of all of those roles, so they can access and use everything allowed by any of their roles.
Users management
To see a list of all users, go to the Users section (top-right menu). From here you can see and search all users in your company, add new users, and edit, disable and delete existing users.
Creating a new user
- In the Users section, click on the + Add user button.
- Enter the first and last name, and email address of the new user.
- Select the role(s) for the new user.
- Click on the Create button.
Once the user is created, they will receive an email with a link to set their password. New users need to accept the Service Agreement before they can log in.
Editing a user
- In the Users section, find the user you want to edit.
- Open the actions context menu (⋮) and select Edit.
- Change user details and/or roles.
- Click on the Save button.
Disabling a user
- In the Users section, find the user you want to disable.
- Open the actions context menu (⋮) and select Disable.
Disabled users cannot log in anymore and are not counted towards the number of users in your subscription.
Deleting a user
- In the Users section, find the user you want to delete.
- Open the actions context menu (⋮) and select Delete.
- Confirm the deletion.
Deleting a user
Deleting a user has immediate effect and cannot be undone.
Profile management
In the Profile section (top-right menu) you can change your personal details and password.
Roles management
To see a list of all roles, go to the Roles section (top-right menu). From here you can see and search all roles in your company, add new roles, and edit and delete existing roles.
Creating a new role
- In the Roles section, click on the + Add role button.
- Enter the name and optional description of the new role.
- Select the permissions for the new role.
- Click on the Create button.
Editing a role
- In the Roles section, find the role you want to edit.
- Open the actions context menu (⋮) and select Edit.
- Change role details and/or permissions.
- Click on the Save button.
Deleting a role
- In the Roles section, find the role you want to delete.
- Open the actions context menu (⋮) and select Delete.
- Confirm the deletion.
Deleting a role assigned to users
You cannot delete a role that is assigned to one or more users. You need to reassign the users to a different role first.
Permissions
Each role consists of a set of permissions. The following permissions are available:
Permission | Allowed API calls |
---|---|
alerts:read | GET /alert/{uuid}, GET /alerts, GET /alert-logs, GET /alert-devices, GET /group-recipients/{uuid}, GET /groups-recipients, GET /notification-template/{uuid}, GET /notification-templates, GET /notification-logs, GET /changes-logs, GET /criteria-template/{uuid}, GET /criteria-templates |
alerts:acknowledge | GET /alert-reset/{uuid}, GET /alert-set-resolved/{uuid}, POST /alert-devices/clear |
alerts:manage | POST /alert, POST /group-recipients, POST /notification-template, POST /criteria-template, PATCH /alert/{uuid}, PATCH /group-recipients/{uuid}, PATCH /notification-template/{uuid}, PATCH /criteria-template/{uuid}, DELETE /alert/{uuid}, DELETE /group-recipients/{uuid}, DELETE /notification-template/{uuid}, DELETE /criteria-template/{uuid} |
analysis:read | GET /analysis, POST /analysis, GET /analysis/orgstats |
audit:read | GET /commitlist |
billing:read | GET /stripe/subscriptions |
billing:manage | POST /stripe/create-customer-portal, POST /stripe/create-checkout-session, DELETE /stripe/cancel-subscription/{uuid} |
bootstrap-keys:read | GET /bootstrapkey/{bootstrapkey_id}, GET /bootstrapkeylist |
bootstrap-keys:manage | PUT /bootstrapkey/{bootstrap_key}, POST /bootstrapkey, DELETE /bootstrapkey/{bootstrap_key} |
company:read | GET /company/{company_id} |
company:manage | PUT /company/{company_id}, PATCH /company/{company_id} |
configuration:read | GET /change/{sha}, GET /changelist, GET /commit/{sha}, GET /config/{type}/{item_id}, GET /configpreview/{type}/{item_id}, GET /config/{device_id}, GET /configpreview/{node_id} |
configuration:manage | DELETE /changes, DELETE /change/{sha}, POST /change, POST /commit |
cve:read | GET /cve/{cve_id}, GET /cvelist, GET /cvescorestats, GET /cve_hosts_max_count |
cve:manage | PATCH /cve/{cve_id}, GET /cve/status/cves, DELETE /cve/{cve_id} |
device:read | GET /grouptree, GET /grouptree/{node_id}, GET /node/{node_id}, GET /groupreportssummary/{group_id}, GET /deviceattribute/{device_id}, GET /tagslist |
device:manage | PUT /grouptree, PATCH /deviceattribute/{device_id}, DELETE /inventory/{device_id}, PATCH /grouptree/{node_id} |
device:approve | POST /pendinghost, GET /pendinghost, DELETE /removeapprovedhost/{node_id}, DELETE /pendinghost/{node_id} |
files:read | GET /file, GET /files, GET /file/stats |
files:manage | POST /file, POST /file/createdir, PATCH /file, DELETE /file |
inventory:read | GET /inventory/{device_id}, GET /inventorylist, GET /inventory, GET /inventoryreport/{device_id}, GET /inventoryreport/docker/{device_id}, GET /inventorysummarybytype/{node_id}, GET /inventoryonlinestats |
metrics:read | GET /metric/last, GET /metric/{node_id}/conn/overview, GET /metric/{device_id}/filesystem, GET /metric/{node_id}/conn/last, GET /metric/{node_id}/conn/outage, GET /metric/{node_id}, GET /metric/{node_id}/conn/summary, GET /metric/{node_id}/conn/series, GET /metric/{node_id}/top, GET /metric/{node_id}/topdetailed, GET /metric/{node_id}/traffic |
remote-access:connect | GET /remoteconsoletoken/{device_id}, GET /remoteconsoletokenv2/{node_id}, GET /qbee-connect/{device_id}/portmaplist/auto, GET /qbee-connect/numconnection, GET /qbee-connect/{device_id}/portmap/{remote_port}, GET /qbee-connect/portmaplist/autoall, GET /qbee-connect/{device_id}/portmaplist |
remote-access:manage | POST /qbee-connect/portmap, PATCH /qbee-connect/portmap |
reports:acknowledge | PATCH /reportmarkread |
reports:read | GET /reportlist, GET /reportsummary/{device_id} |
roles:read | GET /role/{role_id}, GET /roleslist, GET /permissionslist |
roles:manage | POST /role, PUT /role/{role_id}, DELETE /role/{role_id} |
users:read | GET /user/{user_id}, GET /userlist |
users:manage | POST /user, PUT /user/{user_id}, PATCH /user/{user_id}, DELETE /user/{user_id} |
Permissions used in the UI
Certain parts of the UI are only visible when the user has the corresponding permissions assigned through a role. The following table lists the UI elements and their corresponding permissions:
UI Element | Permission |
---|---|
Dashboard | analysis:read, device:read, inventory:read, metrics:read, reports:read |
Devices | cve:read, device:read, inventory:read, metrics:read, reports:read |
Devices → Pending hosts | device:approve |
Devices → Update attributes & Delete | device:manage |
Devices → Show configuration | configuration:read |
Device → Connect to console | remote-access:connect |
Configure | configuration:read, device:read |
Configure → Modify | configuration:manage |
Configure → File selector | files:read |
Configure → User & Ports Popups | inventory:read |
Files manager | files:read |
Files manager → Write access | files:manage |
Logs | reports:read |
Logs → Mark as read | reports:acknowledge |
Alerts | alerts:read |
Alerts → Manage | alerts:manage, device:read |
Alerts → Acknowledge | alerts:acknowledge |
Map | inventory:read |
Audit | audit:read |
Audit → Show reports | reports:read |
CVE | cve:read |
CVE → Manage | cve:manage |
Remote console | device:read, inventory:read, remote-access:connect |
Remote console → Manage | remote-access:manage |
Analysis | analysis:read, device:read |
Bootstrap Keys | bootstrap-keys:read, device:read |
Bootstrap Keys → Manage | bootstrap-keys:manage |
Company | company:read |
Company → Manage | company:manage |
Users | users:read |
Users → Manage | roles:read, users:manage |
Roles | roles:read |
Roles → Manage | roles:manage |
Order subscription | billing:read |
Order subscription → Manage | billing:manage |
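One way to review role assignments against the two tables above, as an added example (not qbee.io code): it computes the union of permissions for a user's roles, checks a request against the documented routes, and lists UI elements that appear only once roles are combined. The role names are hypothetical, the table rows are a subset, and it assumes a UI element needs every permission listed in its row.

```python
import re

# Rows copied from the two tables above (a subset, to keep the example short).
PERMISSION_ROUTES = {
    "device:read": ["GET /grouptree", "GET /node/{node_id}"],
    "inventory:read": ["GET /inventory/{device_id}", "GET /inventorylist"],
    "remote-access:connect": ["GET /remoteconsoletoken/{device_id}"],
    "users:read": ["GET /user/{user_id}", "GET /userlist"],
    "users:manage": ["POST /user", "DELETE /user/{user_id}"],
}
UI_REQUIRES = {
    "Map": {"inventory:read"},
    "Remote console": {"device:read", "inventory:read", "remote-access:connect"},
    "Users": {"users:read"},
    "Users → Manage": {"roles:read", "users:manage"},
}
ROLES = {  # hypothetical role names, constructed for this example
    "viewer": {"device:read", "inventory:read"},
    "connector": {"remote-access:connect"},
    "helpdesk": {"users:read"},
}

def effective_permissions(role_names):
    """A user with several roles holds the union of their permissions."""
    return set().union(*(ROLES[r] for r in role_names))

def route_matches(template, method, path):
    """Match a table row such as 'GET /node/{node_id}'; {x} is one path segment."""
    t_method, t_path = template.split(" ", 1)
    parts = re.split(r"\{[^}]+\}", t_path)
    pattern = "[^/]+".join(re.escape(p) for p in parts)
    return t_method == method.upper() and re.fullmatch(pattern, path) is not None

def is_allowed(role_names, method, path):
    """True if any held permission lists a route matching the request."""
    perms = effective_permissions(role_names)
    return any(route_matches(t, method, path)
               for p in perms for t in PERMISSION_ROUTES.get(p, []))

def visible_ui(role_names):
    """Assumption: an element shows only when every listed permission is held."""
    perms = effective_permissions(role_names)
    return {ui for ui, need in UI_REQUIRES.items() if need <= perms}

def unlocked_by_combination(role_names):
    """UI elements that no single assigned role shows, but the union does."""
    alone = set().union(*(visible_ui([r]) for r in role_names))
    return visible_ui(role_names) - alone
```

Running `unlocked_by_combination` over each user's role list during an access review shows where two narrow roles together expose more than either was meant to.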
Remote Access
Allowing remote access for users
To give a user remote access to devices, the user must be assigned a role with the remote-access:connect permission set.
All access attempts appear in the audit log with a detailed entry showing which device was accessed.