Nobl9 supports Role-Based Access Control (RBAC) to enable granular user permissions and access to resources in the Nobl9 platform.
There are two levels of permissions, the organization level and the project level:
Organization roles enable access across the Nobl9 platform. Depending on the desired access rights, users can be assigned the Organization Admin, User, or Viewer role.
Project roles enable users to access a project and its underlying resources, such as services or SLOs. Project-level roles include Project Owner, Editor, Viewer, and Integrations User.
Projects in the Nobl9 Platform
Projects are the primary logical grouping of resources in the Nobl9 platform. They are intended for use in organizations where many users are spread across multiple teams and/or departments. Projects group and organize all resources available to users in the Nobl9 platform, enabling users across teams or departments to access those resources safely.
The resources that can be grouped under a project include:
Projects cannot be nested inside one another, but data sources and alert methods can be shared across many projects.
Resources cannot be moved between projects. If you create a resource (such as a service or SLO) in the wrong project, you must delete it first, then go to the correct project and add the resource there. For more details, see the Managing Shared Resources section below.
If you are using a sloctl version older than 0.0.56, you will not be able to use the
Adding a Project
To add a project in Nobl9, follow these steps:
Go to Catalog > Projects.
Click the button.
In the Project Creation wizard, enter the following information:
Display name (optional)
Click the Create Project button at the bottom-right corner.
When you create a project, you are automatically assigned the role of Project Owner.
Roles in the Nobl9 Platform
In this section, we’ll walk through the different organization- and project-level roles in more detail. For details on how to manage roles in sloctl, refer to the RoleBinding section of the documentation.
Organization Admins have full read and write access to all areas in the Nobl9 platform. They are responsible for setting up single sign-on (SSO) and user management. Organization Admins can:
Add, delete, and suspend users.
Assign organization- and project-level roles to other users.
Promote other users to an Admin role.
Grant other users view access to all projects. (For example, this type of access can be granted to executives who require read-only access to all services for dashboards.)
Access all projects.
Create new projects.
Create, edit, delete, and view annotations (see the SLO Annotations section of the documentation).
By default, anyone who signs in to the Nobl9 platform is an Organization User. Organization Users can be granted access to one or more projects by being assigned the role of Project Owner, Editor, Viewer, or Integrations User. Organization Users can:
Create projects (and automatically become the Owner of these projects).
Manage resources (provided they are assigned the Owner or Editor role for the project in question).
View SLOs and other resources for projects in which they are assigned the Viewer role.
Organization Users can only see the resources in a project if they have been granted access to this project by the Organization Admin or the Project Owner.
An Organization Viewer has read-only access to all resources in the Nobl9 platform. Organization Viewers can:
View alert methods.
View other users.
Organization Viewers cannot edit any resources in the Nobl9 platform.
Project Owners have read and write access to the project(s) they own. A Project Owner can:
Add existing Nobl9 users to the project.
Manage existing users’ levels of access to the project.
Remove users from the project.
Delete the project.
Create, edit, delete, and view annotations in the project.
The Project Editor is the primary user of the Nobl9 platform. Project Editors can:
Create, edit, and delete resources in the projects they are assigned to.
Manage SLOs, integrations, and alert policies.
Pull reports and charts.
Create, edit, delete, and view annotations in the projects they can edit.
The Project Viewer is the primary consumer of data in the Nobl9 platform. Project Viewers can:
Generate reports for the projects to which they are assigned.
View dashboards in the projects to which they are assigned.
View the SLO grid in the projects to which they are assigned.
Project Viewers cannot create, edit, or delete resources.
Project Integrations User
A Project Integrations User can use a data source or an alert method in a given project, but cannot create, edit, or delete project resources. Project Integrations Users can:
Use a data source from one project to set up SLOs in another project.
Use an alert method from one project to configure an alert policy in another project.
For example, if a user is a Project Editor for Project A and a Project Integrations User for Project B, they can use data sources and alert methods from Project B in Project A. However, they cannot edit any resources in Project B.
Here’s a summary of the capabilities available to users assigned the different organization-level roles:
| Capability | Organization Admin | Organization User | Organization Viewer |
|---|---|---|---|
| View all Resources | Yes | Depends on project access granted to this user | Yes |
| Add, remove, and suspend users | Yes | No | No |
| Assign and remove user roles (on an organization and project level) | Yes | No | No |
| Create Projects and Resources | Yes | Projects only | No |
| View Resource Usage Summary Report | Yes | No | Yes |
| Create Access Keys | Yes | Yes | Yes |
And here’s a summary of the capabilities available to the different project-level roles:
| Capability | Project Owner | Project Editor | Project Viewer | Project Integrations User |
|---|---|---|---|---|
| Add existing users to the project | Yes | No | No | No |
| Create/edit Alert Policies | Yes | Yes | No | No |
| Add/use Integrations | Yes | Yes | No | Can use but cannot create integrations |
| View SLO Details | Yes | Yes | Yes | Yes |
| Create Access Keys | Yes | Yes | Yes | Yes |
Managing Users and User Roles
Roles in the Nobl9 platform can be managed on the organization and project levels. To access the user management UI, navigate to Settings > Users.
Organization roles can only be assigned and changed by Organization Admins. Organization Admins can also invite new users to their organization, delete users, or suspend users' accounts.
Project roles can be assigned either by Organization Admins or by the Project Owner.
Project Owners cannot invite new users or delete or suspend user accounts.
Adding a User
Go to Settings > Users.
Click the button.
In the Create User wizard, enter the following information:
Click the Create User button in the bottom-right corner.
An invitation to join Nobl9 will automatically be sent to the user, and their role will be applied once they log in. The status of the invited user is automatically set to Pending. It will be changed to Active after the user accepts the invitation. Organization Admins can issue reminders to users with the Pending status by resending the invitations.
Deleting a User
Go to Settings > Users.
In the user list, hover over the user you want to remove.
Click the trash can icon on the right: .
Click the Delete button in the pop-up window to confirm.
Deleted users will be permanently removed from the organization, along with their Access Keys. They will no longer be able to log in to the Nobl9 platform via the UI or access Nobl9 with
Suspending a User
Go to Settings > Users.
Find the user whose account you want to suspend in the user list.
In the Status column, click the down-pointing arrow to display the drop-down menu.
Click the Deactivate button in the pop-up window.
Suspended users will not be removed from the database, but they will not be able to access the Nobl9 platform via the UI or with sloctl. Access keys belonging to a suspended user will be temporarily deactivated. An Organization Admin can reactivate a suspended user by navigating to Settings > Users and changing the user’s status to Active.
Changing a User’s Organization Role
Go to Settings > Users.
In the user list, find the user whose role you wish to update.
In the Organization Role column, click the to display the drop-down menu.
Select the organization role you wish to assign to the user.
Assigning a User to a Project
Go to Settings > Users.
In the user list, find the user you wish to add to the project.
Hover over the user’s name, and click the icon on the right-hand side of the user list. If the user has access to multiple projects, click the next to the user’s name to display the list.
In the dialog box, in the Projects column, select or enter the name of the project that you want to assign the user to.
In the Access Permissions column, click the and select the access permission that you want to assign to the user.
Organization Admins can manage project-level permissions for all projects, and Project Owners can manage permissions for the projects they own.
A user cannot be assigned to a project without a role. If an Organization Admin or a Project Owner attempts to add a user to a project without assigning the user a specific role in the project, the change will not be saved.
Changing a User’s Project Role
To remove a project role from a user, you must remove the user from the project (i.e., delete the user). You can then reassign them to the project with a different role if desired. Follow the steps in the preceding sections to complete these actions.
Managing Projects and Project Resources
Users can review and manage their projects in the Catalog section in the UI. The Catalog view allows users with the appropriate role to edit and delete resources that belong to a given project directly from the Project Details tab.
To manage a project’s resources in this way:
Click Catalog in the left navigation pane.
Select the project from the list in the Projects tab.
The Project Details tab allows users (depending on their roles) to review and manage services, SLOs, data sources, alert policies, alert methods, and users that belong to a specific project. From here, users with the appropriate role can directly access all of the project’s resources, edit them through the UI wizards, or delete them.
User Roles and the Visibility of Resources
Project permissions affect what data is visible and what actions are available to a user in the Catalog and on the Project Details tab:
Organization Admins can view, edit, or delete all projects, services, SLOs, and other resources within their organization.
Organization Users can see only the project(s) they have been assigned to. Their permissions will vary depending on the role they have in a project.
Project Owners can edit or delete their projects and can add, edit, and delete resources belonging to these projects. They can also assign existing users to the projects they own.
Project Editors can edit a project and add, edit, and delete resources within the project. They can’t delete the project (the icon will be grayed out). They also can’t add users to the project.
Project Viewers can only view a project and its resources. They can’t edit or delete the project or add, edit, or delete project resources. The and icons will be greyed out.
User Roles and the Settings Tab
Project permissions also restrict the content that is visible to users on the Settings > Users tab:
Only Organization Admins can view the organization’s roles and assign organization roles to other users in their organization. They can also invite new users and assign them organizational roles in the invitation.
Organization Users and Organization Viewers cannot see the organizational roles of other users within their organization.
On the project level, Organization Users and Organization Viewers can only see the roles of those users assigned to the projects that they own or can edit or view. They can only assign and edit project roles in the project(s) that they own.
User Roles and Access to Resources
Project permissions affect what resources users can access. For example:
Users can pull reports (in the Reports section) and view services and SLOs (in the SLO grid view) only from projects in which they are assigned the Project Viewer, Editor, or Owner role.
In the Service Health Dashboard, users can only see services that belong to projects they have access to (i.e., where they have the role of Project Viewer, Editor, or Owner).
The same limitations apply to sloctl. The role bindings that are visible depend on the role that is assigned to the user.
Managing Shared Resources
Data sources and alert methods are global resources in Nobl9. They can be used across projects by users with the following roles assigned:
Project Owner or Project Editor in the project where SLOs and alert policies will be configured.
Project Integrations User in the project to which the data source or alert method belongs.
Project Integrations Users can only use data sources and alert methods; they cannot edit or delete these integrations. They also cannot add, edit, or delete any other resources in projects they are assigned to with this role.
Project Owners have control over the use of their data sources and alert methods. Project Owners must explicitly agree that users who do not belong to their projects can use their integrations by assigning them the Integrations User role.
If you want to share specific data sources and/or alert methods across the entire organization, it may be preferable to create a project specifically for this purpose. To do this:
Create a new project, and add the data sources and/or alert methods to it.
Grant any users in the organization that you want to be able to access these resources the Editor or Integrations User role in this project.
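The cross-project rule above can be checked mechanically when reviewing who is able to reach a shared data source or alert method. The following is an added example, not Nobl9 code: it models only the rules and tables stated on this page, and the role identifiers, user names, and project names are hypothetical, constructed values.

```python
# Added example: a model of the sharing rules described on this page.
# Role identifiers below are hypothetical labels, not Nobl9 API values.
ORG_ADMIN, ORG_USER, ORG_VIEWER = "org-admin", "org-user", "org-viewer"
OWNER, EDITOR, VIEWER, INTEGRATIONS = "owner", "editor", "viewer", "integrations-user"

WRITE_ROLES = {OWNER, EDITOR}               # may configure SLOs and alert policies
USE_ROLES = {OWNER, EDITOR, INTEGRATIONS}   # "Add/use Integrations" table row


def can_edit(org_roles, bindings, user, project):
    """True if the user may create or change resources in `project`."""
    if org_roles.get(user) == ORG_ADMIN:    # full read and write access everywhere
        return True
    return bindings.get((user, project)) in WRITE_ROLES


def can_use_integration(org_roles, bindings, user, slo_project, source_project):
    """True if the user may use a data source or alert method that belongs to
    `source_project` in an SLO or alert policy configured in `slo_project`."""
    if org_roles.get(user) == ORG_ADMIN:
        return True
    # Both conditions must hold: write access where the SLO or alert policy
    # lives, and a role that can use integrations where the integration lives.
    if not can_edit(org_roles, bindings, user, slo_project):
        return False
    return bindings.get((user, source_project)) in USE_ROLES


def org_wide_readers(org_roles):
    """Users who can see every project regardless of project assignments."""
    return sorted(u for u, r in org_roles.items() if r in {ORG_ADMIN, ORG_VIEWER})


# Constructed sample data: user -> organization role, (user, project) -> project role.
ORG_ROLES = {"alice": ORG_ADMIN, "bob": ORG_USER, "carol": ORG_USER, "dave": ORG_VIEWER}
BINDINGS = {
    ("bob", "project-a"): EDITOR,
    ("bob", "project-b"): INTEGRATIONS,
    ("carol", "project-a"): EDITOR,
    ("carol", "project-b"): VIEWER,
}

if __name__ == "__main__":
    for user in sorted(ORG_ROLES):
        ok = can_use_integration(ORG_ROLES, BINDINGS, user, "project-a", "project-b")
        print(f"{user}: use project-b integrations in project-a -> {ok}")
    print("see all projects:", org_wide_readers(ORG_ROLES))
```

Here bob matches the Project A / Project B case described earlier, while carol's Viewer role in project-b is not enough to use its integrations.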
Default Security Status of Projects in Nobl9
The default role for all new users in Nobl9 is Organization User (unless a different default role has been set for your organization). This means that if you create a new Project as an Organization Admin, users who reside in your organization will not see the Project in their Project list (Catalog > Projects) or any SLOs related to this Project.
There are two ways to give your users access to the Project and all resources related to it:
From the Organization level: change the organization roles of the users to Organization Viewer. This way, they will be able to see all Projects (and their related resources) within your organization. Keep in mind that Organization Viewers can’t create new Projects.
From the Project level: when you create a Project, assign users to it from Settings > Users. In the Settings pane, add the Project to the relevant users and assign them appropriate project roles.
Any Project role will be sufficient for the assigned users to view all resources related to the Project.