Managing administrator roles
Administrator roles control the actions that administrators can perform in the web-based Administrator interface or management API after they have been authenticated. You can map different administrator roles to different sets of users, based on their group membership within your chosen authentication provider, giving you greater control over the actions that individual administrators can perform. For example, you can configure a role that allows an administrator to only view (and not modify) specific items of configuration data or status information via the Administrator interface.
For information on using administrator roles in conjunction with your authentication provider, see Managing administrator access via LDAP, Managing administrator access via OIDC, or Managing API access via OAuth2 as appropriate.
Roles are not relevant to the local admin account, which will always have full read-write access.
When an administrator has restricted permissions, all navigation menu options are still displayed, but the administrator is shown an Access denied message on selecting a menu option that they are not authorized to use. For read-only restrictions, the relevant options are not displayed.
Two roles are present by default:
- Read-only: allows read-only access to all configuration settings and status information when accessing the system via the web-based Administrator interface or the management API. An administrator with this role can also take diagnostic snapshots and backups, view logs, and make packet captures. Note that this role has full read access to sensitive information — you can create more restricted roles if necessary.
- Read-write: allows full administrative access when accessing the system via the web-based Administrator interface or the management API.
To add, edit or delete administrator roles, go to . When configuring roles, the options are:
Option | Description |
---|---|
Name | A descriptive name of the role, e.g. "auditor" or "management system". |
Permissions | Select from the list of Available permissions the set of permitted actions for the role and then use the right arrow to move the selected actions into the Chosen permissions list. For more information on each permission, see Descriptions of all available administrator permissions. All roles must include the Is an administrator permission for access to the system. In addition, the May use web interface and May use API permissions must be included for access via the web-based Administrator interface and management API respectively. You must then also add all of the other permissions, such as May modify system configuration and so on, that you want to apply to the role — if a role has, for example, only the Is an administrator and May use web interface permissions, an administrator with that role will be able to log in via the web-based Administrator interface but will not be able to perform any actions. When creating an OAuth2 client for management API access, the permissions Is an administrator and May use API are assumed and do not need to be set explicitly. The permissions that are applied to the default Read-only role are shown below: |
Descriptions of all available administrator permissions
The table below describes each of the permissions that can be applied to an administrator role:
Permission | Description |
---|---|
Is an administrator | Required for any of the other permissions listed below |
May use API | Required to access the Pexip Infinity management API (via api/admin) |
May use web interface | Required to access the Management Node Administrator interface |
May add/remove themes | May add, change, delete and view themes |
May view gateway configuration | May view Call Routing Rules |
May modify gateway configuration | May change and view Call Routing Rules |
May add/remove gateways | May add or delete Call Routing Rules (does not include view permission) |
May modify VMR configuration | May change and view: |
May view VMR configuration | May view: |
May add/remove VMRs | May add or delete (does not include view permission): |
May view system configuration | May view: |
May modify system configuration | May add, change, delete and view: May change: |
May restore system backup | May change (does not include view permission): |
May create/delete system backup | May add or delete: May change and view: |
May download system backup | May view: |
May modify conference status | May view and perform available actions on: |
May view conference status | May view: |
May view logs | May view: |
May configure logs | May add, change, or delete: |
May download TLS private key | May download TLS private key |
May create/delete packet capture | May add or delete (does not include view permission): |
May download packet capture | May view: |
May view authentication configuration | May view: |
May modify authentication configuration | May add, change, delete and view: |
May generate system snapshot | May view: |
May view system status | May view: |
May upload software bundle | May upload (does not include view permission): |
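The following added example (not Pexip code) lints role definitions against the rules stated on this page: the mandatory Is an administrator permission, the web/API access permissions, the OAuth2 client defaults, and add/remove permissions that do not include view. Permission names come from the table above; the sample roles are constructed, and the `SENSITIVE` set and the finding labels are assumptions of this example.

```python
BASE, WEB, API = "Is an administrator", "May use web interface", "May use API"

# Assumption: permissions flagged for extra review because they release key
# material or bulk data; the page itself does not rank permissions by risk.
SENSITIVE = {"May download TLS private key", "May download system backup",
             "May download packet capture"}

# Add/delete permissions the page says do not include view, mapped to the
# permissions whose descriptions include view of the same objects.
NEEDS_VIEW = {
    "May add/remove gateways": {"May view gateway configuration",
                                "May modify gateway configuration"},
    "May add/remove VMRs": {"May view VMR configuration",
                            "May modify VMR configuration"},
}

def audit_role(perms, oauth2_client=False):
    """Return a list of finding strings for one role's chosen permissions."""
    perms = set(perms)
    if oauth2_client:
        # For OAuth2 clients these two permissions are assumed by the system.
        perms |= {BASE, API}
    if BASE not in perms:
        return ["no-access: missing '%s'" % BASE]
    findings = []
    if not perms & {WEB, API}:
        findings.append("no-channel: neither web interface nor API permitted")
    if not perms - {BASE, WEB, API}:
        findings.append("login-only: can authenticate but perform no actions")
    for perm, viewers in NEEDS_VIEW.items():
        if perm in perms and not perms & viewers:
            findings.append("blind-write: '%s' without a matching view permission" % perm)
    findings += ["sensitive: '%s'" % p for p in sorted(perms & SENSITIVE)]
    return findings

# Constructed sample roles: name -> (chosen permissions, is OAuth2 client)
ROLES = {
    "auditor": ({BASE, WEB, "May view logs", "May download TLS private key"}, False),
    "management system": ({"May add/remove VMRs"}, True),
    "helpdesk": ({BASE, WEB}, False),
    "broken": ({WEB, "May view logs"}, False),
}

def audit_all(roles=ROLES):
    return {name: audit_role(p, oauth) for name, (p, oauth) in roles.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or ["ok"])
```

An empty findings list means the role passes these checks; it does not mean the role is least-privilege for your deployment.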