User Groups ⭐
This page describes how to use the User Groups Feature, which is part of the User Management Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).
User Groups can only be accessed by users with an admin role.
User Groups Overview
As part of User Management, the User Groups feature allows for finer-grained user grouping, separation, and access management. Assign users to groups that grant specified permissions for specified connections and do not permit access to any other connection. This lets you limit users to only the functionality they need, which ensures a higher level of security: users will not be able to see or touch anything they are not supposed to.
Enable User Groups Plugin
The User Groups feature is part of the User Management Plugin, so to enable it, make sure you are using the Pro Edition of Mosquitto and that the User Management feature is enabled in your license. Also, ensure that your config file (specified with the CEDALO_MC_PROXY_CONFIG environment variable or, by default, saved in management-center/config/config.json) contains the following entry inside of the
On start-up, the Management Center will print a message to the console that the user-management plugin is enabled and loaded:
Loaded plugin: "cedalo_user_management" (Cedalo User Management)
User Groups Functionality
User groups allow their members to access only the connections specified in those groups and no other connections. Moreover, groups override user roles for the specified connections. For example, suppose you add a user with a viewer role to an admin user group that contains connection A. This user will only have access to connection A, and the role with which they access this connection will be admin, not viewer.
Members of a user group will only be able to see the connections that are specified in this group and no others.
If you create a user group and add members to it but no connections, no restrictions are applied to those users until you add the first connection to the group. Until then, while the group has no connections, group members can access all the connections inside the MMC.
A user can be added to more than one group. In this case, if some of the connections in two or more groups are the same, the user gets the highest permissions among the groups for those overlapping connections.
User Groups Roles
If you assign a viewer role to the user group, this role will be applied only to the connections specified in the group. This means that group members will only have viewer permissions: they will only be able to access the systopic and the topic tree. The same holds for monitoringViewer and connectionManager.
The editor role has the same access as the viewer role, plus access to dynamic security for the specified connections.
The admin role has access to the same functionality as viewer and editor, plus the streams, and can edit and connect/disconnect the specified connections.
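The rules from the two sections above, worked through as an added example (a model written for this page, not Management Center code or its API). The group object shape, the viewer < editor < admin ordering, and the treatment of a group without connections as neither restricting nor granting are assumptions; monitoringViewer and connectionManager are left out because the page does not rank them.

```javascript
// Model of the access rules described above (illustration, not MMC code).
// Assumed ordering, taken from the role descriptions: viewer < editor < admin.
const RANK = { viewer: 1, editor: 2, admin: 3 };

// Groups that list the user and have at least one connection.
// Assumption: a group without connections neither restricts nor grants.
function restrictingGroups(username, groups) {
  return groups.filter(
    (g) => g.users.includes(username) && g.connections.length > 0
  );
}

// Role the user holds on `connection`, or null if the connection is hidden.
function effectiveRole(user, connection, groups) {
  const active = restrictingGroups(user.username, groups);
  // No restricting group: the user's own role applies to every connection.
  if (active.length === 0) return user.role;
  const roles = active
    .filter((g) => g.connections.includes(connection))
    .map((g) => g.role);
  // In restricting groups, but none of them lists this connection.
  if (roles.length === 0) return null;
  // Overlapping groups: the highest role wins and overrides the user role.
  return roles.reduce((best, r) => (RANK[r] > RANK[best] ? r : best));
}

// Audit helper: groups with members but no connections yet, i.e. groups
// that look restrictive but currently restrict nothing.
function groupsWithoutConnections(groups) {
  return groups
    .filter((g) => g.users.length > 0 && g.connections.length === 0)
    .map((g) => g.name);
}

// Constructed sample data (names and connections are made up).
const groups = [
  { name: "ops-admins", role: "admin", users: ["alice"], connections: ["A"] },
  { name: "readers", role: "viewer", users: ["alice", "bob"], connections: ["A", "B"] },
  { name: "staging", role: "editor", users: ["carol"], connections: [] },
];
const alice = { username: "alice", role: "viewer" };
const bob = { username: "bob", role: "admin" };
const carol = { username: "carol", role: "viewer" };

console.log(effectiveRole(alice, "A", groups)); // admin
console.log(effectiveRole(bob, "C", groups)); // null
console.log(effectiveRole(carol, "C", groups)); // viewer
console.log(groupsWithoutConnections(groups)); // [ 'staging' ]
```

Running the audit helper after creating or editing groups surfaces any group whose members still see every connection because no connection has been added yet.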
User Groups View
The User Groups feature has a designated view (or page, also called user groups overview) in the MMC GUI. You can access the view by clicking on the "User Groups" menu item:
The User Groups view features a table that contains information about all the existing user groups:
The table has the following fields:
- Name - name of the user group. Must be unique
- Role - role that the group grants to its members
- Group's Description - description of the group
- Users - list of all members of the group
- Connections - list of the connections available to the members of the groups. An empty list does not enforce any restrictions
Create a User Group
To create a new user group, navigate to the User Groups view using the right menu bar and click on the "New User Group" button in the top left.
After that, you will be redirected to the user group creation page:
There you can specify the parameters required for the user group creation, namely, Group Name (at most 30 characters long), Role, and an optional Group's Description. After entering all the required parameters and clicking "Save", the group will be created, and you will be redirected to the user groups overview page.
Here you can locate the user group you have just created and add users and/or connections to it by using the dropdown menu in the respective fields.
Update a User Group
To change the list of user group members or the connections that those members can access, locate the group of interest on the User Groups Overview page and click on the cross icon next to the members or connections you want to delete. If you want to add any, click on the dropdown menus for the Connections fields and find the ones you want to add.
If you want to change the role of the group or the group's description, click on the user group entry in the overview table and then click "Edit":
The name of the user group cannot be changed. To change it, you will need to completely delete this user group and create a new one with a new name.
Delete a User Group
To delete a user group, click on the trash bin icon on the right of the user group entry on the overview page. After that, click on "Ok" to confirm the removal of the specified group.
User groups in user profile
You can navigate to the user profile page to see all the user groups for the currently logged-in user: