Help Docs

Custom Role for MSP

At the MSP level, you can use custom roles to restrict access to customer management, audit logs, user management, Third-Party Integration, and device keys. Instead of creating customer roles in each customer level, you can also create customer level custom roles from the admin portal.

At the portal level, MSP admins can assign custom roles for users to manage the overall monitoring solutions for multiple clients. For instance, a technical support role can be configured with read-only access to all customer monitors, restricting permissions for critical settings like reports or dashboards.

At the customer level, custom roles can be specifically designed for individual client accounts, ensuring each has precise permissions for unique requirements. For example, network engineers or application developers can manage only the relevant monitors associated with them. 

Understanding user roles

When a new user is configured, a role is assigned to them. Select user roles from the Site24x7 User Role drop-down field, which includes System Roles or Custom Roles. System Roles comprise of traditional roles such as: 

  • MSP Admin
  • MSP Operator

If you want to assign a unique role apart from the provided roles, use Custom Roles

To access custom roles, follow the steps below:

  1. Click Create Custom Roles near the Site24x7 User Role field. Otherwise, if there are other customized roles already available from the list, you can select from any of them. 
  2. You can:
    • Create new custom role for MSP 
    • Edit custom roles 

Add new custom role for MSP accounts

From the Custom Roles page, a new custom role can be created only by an MSP admin. You can add new custom roles by following the sequence of steps:

  1. Click Add Custom Roles in the top right corner.
  2. From the drop-down menu, select Add Custom Role to create a custom role at the portal level or select Add Custom Role for Customer to create a custom role at the customer level.

Add Custom Role

When you assign a custom role at the portal level, this role can be mapped for all the customers using the portal.

  1. At the portal level, you can assign access for MSP Admin Management, Dashboards, Configuration Profiles, MSP Monitor Types, and Device Key. For all modules, grant the required access for each module. The four types of permission settings are: 
    1. All: Grant all permissions to all resources and configuration.
    2. Allowed: Grant all permissions to all monitors that a user has access to, as specified in the user’s form. 
    3. Created: This is the same as the Allowed/All permission, but it is applicable only to resources and configurations created by the user.
    4. No Access: Deny permission to access resources and configurations. 
      Note

      When the No Access check box is selected for a module, all permissions, including view, write, and delete, are disabled.

  2. We have four operations for each module: 
    • No Access: Check to prevent all access to modules and operations.
    • View: Gives read access.
    • Write: Gives access to make modifications to modules and operations.
    • Delete: Gives access to delete the modules and operations.
  3. After filling in the details and permissions, click Save in the top right corner.
Note
  • Some fields are disabled to restrict specific permissions for the modules and configurations.
  • When you choose Created permission for View, Write permission will also be automatically changed to Created. However, when you assign View permission as All, you can set Write permission to All, Created, or No Access.
  • When View permission is restricted, you cannot grant Write or Delete permission for a module. 

Permission Settings (portal-level)

Customize new roles for different Modules by assigning specific permissions to manage access. Prevent unauthorized access and maintain granular access control by assigning View, Write, and Delete access for the required monitors, dashboards, and other such features and configurations. 

MSP Admin Management: You can assign permissions to control access to User Management, Audit Logs, Manage Customers, and Customer Groups. 

For example, when you grant Allowed access for View, Write, and Delete in Manage Customers to a user, they can add customers, update account information, and delete a customer account. 

Note

You can only grant View access for User Management, Audit Logs, and Customer Groups.

Dashboards: Grant All, Created, or No Access permissions to View, Write, and Delete actions in Manage Dashboards. When assigning permissions to manage dashboards, make sure that the user has the necessary permissions for the resources included in the dashboard.

Configuration Profiles: Assign required permissions to various configuration profiles like Location Profile, Notification Profile, Threshold Profile, Business Hours, and Email Template. 

If you grant All permissions for View in the Location Profile, you might then assign All, Created, or No Access for Write and Delete. However, granting Created permissions for any configuration profiles automatically assigns the same permission level for Write, and you can only assign Created or No Access for Delete.

For example, if there are five location profiles and the user has created three of them, assigning Created permission for View prevents you from assigning All for Delete. A user cannot delete a location profile for which they do not have view access.

MSP Monitors Type: Assign varied levels of permissions for On-Premise Pollers and Device Templates.

Device Key: You can only grant View access for Device Key. 

Add a Custom Role for MSP Customer 

Add Custom Role for customer allows you to customize roles for the MSP customers individually. 

  1. Log in to Site24x7.
  2. Navigate to Admin > Custom Roles.
  3. Select Add Custom Role for Customer
  4. Fill up the following details in the Add Custom Role form that appears:
    • Role Name: Give a suitable role name.
    • Description: Provide a brief description of the role name, explaining its purpose.
    • Permission Settings: Grant the required access for each module. The four types of permission settings are: 
      • All: Grant all permissions to all resources and configuration.
      • Allowed: Grant all permissions to all monitors that a user has access to, as specified in the user’s form.
      • Created: This is the same as the Allowed/All permission, but it is applicable only to resources and configurations created by the user.
      • No Access: Deny permission to access resources and configurations.
        Note

        When the No Access check box is selected for a module, all permissions, including View, Write, and Delete, are disabled.

  5. We have four operations for each module: 
    • No Access: Check to prevent all access to modules and operations.
    • View: Gives read access.
    • Write: Gives access to make modifications to modules and operations.
    • Delete: Gives access to delete the modules and operations.
  6. Configuration: Select one or more options listed in the drop-down to add or update the configuration for the relevant modules. For instance, you need to select Modify Threshold Profile for Server monitors if you wish to make changes to the threshold profile settings of the desired Server monitor. 
  7. Navigate to the Permission Settings section to explore how you can define and restrict user access to various modules according to their roles and limitations.
  8. After filling in the details and permissions, click Save in the top right corner.

Permission Settings (customer-level)

Customize new roles for different Modules by assigning specific permissions to manage access. Prevent unauthorized access and maintain granular access control by assigning View, Write, and Delete access for the required monitors, dashboards, and other such features and configurations. 

Monitor Configurations: You can assign permissions to control access to resources grouped as modules. You can also select different configuration settings that they can modify.

For example, a system administrator might require different levels of access for various types of monitors. They might need View and Write permissions for a server monitor, enabling them to modify configurations and troubleshoot issues efficiently. For a network monitor, they could have View-only access, allowing them to monitor network performance without making changes. Additionally, they might hold View access for a cloud monitor, enabling them to review its status and performance metrics while restricting any modifications.

For each resource, configuration settings—such as Modify User Alert Groups, Modify On-Call Schedule, Modify Notification Profile, Upgrade, Modify Tags, Modify Third-Party Integrations, Modify IT Automations, and Services—should be selected to allow the user to add or update their settings.

For example, to create a custom role responsible for notifications and alerts for all Internet Services Monitors, you can select Modify User Alert Groups, Modify On-Call Schedule, and Modify Notification Profile in the Configurations. The custom role user will have permissions to make changes to or delete the User Alert Groups, On-Call Schedule, and Notification Profile settings associated with all Internet Service Monitors.

Dashboard and Reports: Assign various permissions to the dashboard and reports, based on the user role. When assigning permissions to manage dashboards, make sure that custom role has the necessary permissions for the resources included in the dashboard.

Monitor Groups: A custom role can have only Created or No Access permission for Monitor Groups.

User and Alert Management: A custom user role can be granted a varied level of access to User Management, User Alert Groups, and On-Call Schedule based on the organization's policy.

Note

You can only grant View access for User Management.

Configurations: Assign required permissions to various configurations profiles like Location Profile, Notification Profile, Threshold Profile, Business Hours, Email Template, Global Parameters, OAuth Providers, Web Tokens, APM Agent Configuration, and APM Key Transaction Configuration

Consider a scenario where a DevOps Engineer requires all permissions for APM Agent Configuration to manage application monitoring, along with View-only access to Global Parameters. A network administrator will need only View and Write permissions for the Notification Profile and Threshold Profile to configure alerts while having View access to Business Hours for scheduling alignment. A Compliance Officer should then receive View-only access to Email Templates, OAuth Providers, and Web Tokens to ensure compliance without making changes. 

Tags: You can grant All, Created, or No Access to manage tags. You cannot check No Access for tags management if Modify Tags has been selected in the configuration of any module.

Third-Party Integration: To manage Third-Party Integration channels, you can have All or Created access. You cannot check No Access for tags management if Modify Third-Party Integrations has been selected in the configuration of any module.

Operations: To assign restricted access to users for sensitive actions like IT Automations, Scheduled Maintenance, Account Settings, and Audit Logs, select varied permissions for each of the above actions. To assign IT automation permissions, ensure that you have configured IT automation for the associated resources. All actions except audit logs have All, Created, or No Access. And for audit logs, you can assign Allowed or No Access permissions.

Device Key: Grant restricted access to Device Key Access, which is a unique authentication mechanism for Site24x7 agents and On-Premise Pollers. By controlling access to the device key, you can ensure that only authorized users can interact with and push performance metrics to the Site24x7 platform, keeping sensitive data secure and maintaining proper role-based access.

Use cases

  • While assigning roles for MSP Admin Management, you can grant Allowed access to View and Write to allow the user to add user account and update account information. You can grant No Access to Delete to prevent them from terminating the account information. 
  • To allow dashboard management for all dashboards or only user-created dashboards, grant All or Created access, respectively, for View, Write, and Delete under Manage Dashboard.

Editing custom roles

The list of custom roles of the existing users and their related details can be accessed by following the steps below: 

The Custom Roles List page shows the following details:

  • Role Name: To identify the purpose and responsibility of the role.
  • Description: To understand the role's scope and the purpose for its creation.
  • Created By: To know who created the specific role.
  • Type: To understand whether the role was created at the portal level or the customer level.
  • Last Updated Time: To know when the role was last updated.
    Note

    You can hover over the data in the Last Updated Time column to know the exact date and time.

More actions on the custom roles

On the Custom Roles page, you can edit, clone, view the associated users, or delete a user role. To perform any of the actions, follow the sequence of steps below:

  1. Click the hamburger icon to the right of the custom roles. 
  2. The pop-up allows you to perform the following actions on the particular custom role:
    • Edit
      1. Select Edit to modify Role Name, Description, and access permissions allocated for the specific user role.
      2. On the Edit Role page, the MSP Admin Management, Dashboards, Configuration Profiles, MSP Monitor Types, and Device Key access permissions can be customized.
      3. Click Save to apply the changes made, or select Cancel to discard the changes.
    • Clone: Select Clone to duplicate the same set of customized access permissions to multiple user roles. By default, the role name is set to the current user role - clone. You can modify it to a more suitable user role.
    • Associated Users: Displays a list of all users with the current user role. If no associated users are found, you can select them from the Users List page and click Add User.
    • Delete: Select Delete to remove the current custom role along with their configuration settings permanently. 

Assigning custom role to users

Once a new custom role is created, you can assign it to any user. Follow the steps below to assign a custom role to any user:

  1. For a new user:
    1. Navigate to Admin > Users & Alerts > Add User.
    2. On the displayed form, fill in all the details.
    3. In the Site24x7 User Role drop-down, the newly created custom role is listed below the Custom Roles.
    4. Select it to assign the custom role to a new user.
    5. Click Save.
  2. For an existing user:
    1. Navigate to Admin > Users & Alerts.
    2. Click the icon near any user details.
    3. On the displayed form, in the Site24x7 User Role drop-down, the newly created custom role is listed below the Custom Roles.
    4. Select it to assign the custom role to the user.
    5. Click Save.

Dependent cases in Custom Role form

Some settings in the custom role form are interdependent; changing one might affect others. 

Case 1: Any settings configured in Monitor Configuration cannot be subsequently set to No Access. For example, if Modify Location Profile is selected for Internet Services Monitors, the Location Profile setting cannot be disabled.

Case 2: The View and Write permissions for Schedule & Export Dashboards and Reports are linked; setting one automatically sets the other to the same value. 

Case 3: If No Access is checked for IT Automation, then Schedule IT automation is automatically disabled.

Case 4: If you grant Modify Location Profiles, Modify Tags, Modify Third-Party Integrations, and other configuration permissions under Monitor Configurations, you cannot give No Access permission for the respective modules.

Was this document helpful?

Would you like to help us improve our documents? Tell us what you think we could do better.


We're sorry to hear that you're not satisfied with the document. We'd love to learn what we could do to improve the experience.


Thanks for taking the time to share your feedback. We'll use your feedback to improve our online help resources.

Shortlink has been copied!