What Is Role-Based Access Control?
Role-Based Access Control (or RBAC) is an organizational structure and methodology that gives you more fine-tuned, granular control over your teams' work and what they can work with. With RBAC you can make custom rules for your organization within Kobiton that define which devices and/or actions your users have access to.
How Does It Work?
Each user is defined by a role and assigned to a team; together, the role and the team determine which permissions are available to the user (which actions they can take) and which devices they can access.
A team is simply a collection of multiple users identified by RBAC as a single group unit. An admin can add users to or remove them from a team, modify settings for that team (including the default cleanup policy and SSO policies), and set which device bundles that team is permitted to view and interact with.
A role is a defined set of permissions that can be granted to a user. Users assigned a certain role are considered "members" of that role. Members of a role are granted the permissions assigned to that role.
As an example, let's say Kevin is a high-level admin of his organization. He is made a member of the Custom Admin Role, which grants him a number of powerful action permissions (decided on by him and his IT colleagues), including the ability to view all uploaded applications for the company, terminate any other user's sessions, and modify SSO settings. At the same time, Kevin is part of the Custom Admin Team, which is given access to view all devices for the organization.
Meanwhile, Fred is a tester who works primarily with Android devices. He doesn't need the same high-level abilities Kevin does, nor does he need to be able to interact with devices that aren't Android models. Kevin and his fellow admins decide to assign Fred to a more limited role and a team that only views Android devices. They assign him the Custom Tester Role, which only has permissions to log in and out of the Kobiton portal, install and uninstall applications to devices, and nothing else--none of the power and scope to touch other users' sessions or devices like the Custom Admin Role has. Fred is also added to the Android Devices Team, which has access to Android devices but none of the iOS devices or XiaoMi devices in the company's device lab.
Finally, Angela is also an admin like Kevin, but she only manages Android devices like Fred. Angela is made a member of the Custom Admin Role so that she shares the same permissions as Kevin, but she is also added to the Android Devices Team like Fred so that she is limited to a view of Android-only devices and does not have to sort through all the devices in the device lab.
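The Kevin, Fred, and Angela example above amounts to two independent checks: a role must grant the action, and a team must grant the device. The sketch below is an added illustration of that model, not Kobiton code or its API; the device names and every permission name other than 'system.login' and 'system.logout' are hypothetical placeholders. It also models the disabled-team behavior described in the Teams section.

```python
from dataclasses import dataclass, replace

# Granted to every role by default, per the page; all other permission
# names below are hypothetical placeholders, not Kobiton identifiers.
BASE_PERMISSIONS = frozenset({"system.login", "system.logout"})

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

@dataclass(frozen=True)
class Team:
    name: str
    devices: frozenset
    active: bool = True  # a disabled team stops granting device access

@dataclass(frozen=True)
class User:
    name: str
    roles: tuple
    teams: tuple

def permissions_of(user):
    """Union of the permissions of every role the user is a member of."""
    perms = set()
    for role in user.roles:
        perms |= role.permissions | BASE_PERMISSIONS
    return perms

def devices_of(user):
    """Union of the devices of every active team the user belongs to."""
    devices = set()
    for team in user.teams:
        if team.active:
            devices |= team.devices
    return devices

def is_allowed(user, permission, device=None):
    """Role axis and team axis must both pass; device=None means the
    action does not target a device (e.g. modifying SSO settings)."""
    if permission not in permissions_of(user):
        return False
    return device is None or device in devices_of(user)

# Constructed sample lab and organization mirroring the example above.
ANDROID = frozenset({"pixel-7", "galaxy-s23"})
ALL_DEVICES = ANDROID | {"iphone-14"}

ADMIN_ROLE = Role("Custom Admin Role", frozenset({
    "example.apps.view_all", "example.sessions.terminate_any", "example.sso.modify"}))
TESTER_ROLE = Role("Custom Tester Role", frozenset({
    "example.apps.install", "example.apps.uninstall"}))
ADMIN_TEAM = Team("Custom Admin Team", ALL_DEVICES)
ANDROID_TEAM = Team("Android Devices Team", ANDROID)

KEVIN = User("Kevin", (ADMIN_ROLE,), (ADMIN_TEAM,))
FRED = User("Fred", (TESTER_ROLE,), (ANDROID_TEAM,))
ANGELA = User("Angela", (ADMIN_ROLE,), (ANDROID_TEAM,))

if __name__ == "__main__":
    for user in (KEVIN, FRED, ANGELA):
        print(user.name, sorted(permissions_of(user)), sorted(devices_of(user)))
    # Disabling the Android team removes Fred's device access, not his role.
    fred_disabled = replace(FRED, teams=(replace(ANDROID_TEAM, active=False),))
    print(is_allowed(fred_disabled, "example.apps.install", "pixel-7"))
```

Angela's case is the one worth checking in an access review: she holds the same role as Kevin, yet any device-targeted action outside the Android Devices Team is still denied.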
To view, define, and create teams, roles, users, and device bundles, go to the Org Management side-tab in the Kobiton portal. To assist you in navigating the RBAC system and managing your users, roles and teams, a detailed guide is below.
Navigating RBAC
Overview
1. Once you've signed in to the Kobiton portal, click on the Org Management tab in the left sidebar of your screen. This will take you to the Org Management page, which by default displays the Teams tab. You will see the name of your organization at the top of the page, as well as tabs for Teams, Roles, Users, and Device Bundles.
2. If you wish to change the name of your organization (for example, if your company has multiple branches or departments working with Kobiton, you may want to have different org information to differentiate between groups) or its description, click on the pencil icon to the right of the organization name. The Edit Organization pop-out window will appear. Click "Update" when you have completed your changes to apply them and close the window.
Teams tab
1. The first tab in the RBAC/Org Management page is the Teams tab. We'll walk through how to create a team first, then look at what a team looks like once it's been created. To start the process of creating a new team, click the "Create" button to the right of the search bar.
2. You are now viewing the Add New Team > Details page. To complete the creation of the new team you will need to enter data on the Details, Settings, Users, and Devices tabs, as seen in the right corner of the Add New Team page. Enter your team name and a brief description of the team. You can also select the "Mark as Default" button; by clicking this button you enable RBAC to add any new users added to your organization to this team. Any team you choose can be the Default team.
3. Next is the Team Settings tab. Here you can choose whether or not you wish this team to work in Private Test Mode, as well as select the cleanup policy you want to employ for any devices used by a user within this team. Private Test Mode is an optional security measure that will pause all recording test activities for all private/local devices, ensuring that all commands, screenshots, and videos will not be captured. Toggle the button to the right of the Private Test Mode option to enable or disable Private Test Mode.
For device cleanup, you can select no cleanup, which leaves the device in whatever state it is in when the session is closed; the default Kobiton cleanup policy ("Thorough"); or you can create your own cleanup policy by clicking the "New" button in the lower-right corner of the Settings box.
Clicking "New" will bring up the Configure clean-up policy pop-out box. Here you can choose which models of devices to target (Android or iOS), provide details describing this cleanup policy, and choose which action(s) Kobiton will take on the device once the cleanup policy is activated. Please be sure to click "Save" at the bottom of the box when your changes are completed to save the policy as an option in the Teams Settings page. Below are a couple images portraying a sample of the Configure cleanup policy window's options, but more options are available to you than those displayed here.
4. Next is the Team Users tab. Here you will assign which users you would like to be a part of this team by clicking the Add User dropdown, which will display a comprehensive list of all users in your organization. A user can be part of more than one team, so all users will be displayed in this dropdown list.
To add a user, click on the add users dropdown to display the list of organization users. To search for a particular user, click in the "Search Users" search bar. Once you have identified the user you wish to add, click the purple plus (+) sign beside their name to add them to the team roster. Once they have been added they will appear in the Team User list in the main section of the Team Users page. To remove a user, click the red minus (-) sign beside their name in the main section. You can also search for members within the team roster by clicking in the "Filter by name/email" search bar.
5. The final step in the creation of a new team is the Devices tab. Here you can search for which devices you want this team to have access to. The "Assigned Devices" box will display devices that have been added to this team's access; the "Unassigned Devices" will list the pool of organization devices from which you can add devices for the team.
Clicking the "Assign All" button will add all devices in the organization to the team's Assigned Devices list. Otherwise, you can search for a device within the Public, Private, or Public and Private spheres. When you find the device you wish to add, click the purple plus (+) sign beside its name. Information about the device such as OS version, public/private status, and UDID will be displayed in both boxes.
6. Once you have made all the changes you wish to your new team, click the "Save" button in the bottom-right area of the page. You can save changes from any tab at any time.
A view of the Teams tab, once it is populated with your created teams, will look something like the image in Step 1. If you wish to view the details for a team or the manager of that team, click on the associated purple hyperlink. Clicking on a team name will take you to the team's Details tab (the information for viewing or creating a team is laid out in the same UI.) Clicking on a team manager's name will take you to that user's User Details page (more below.) Once you have configured a team, the team's Details tab will look like this:
Should you wish to, you now have the ability to clone this team, disable the team, mark the team as your Default Team for new users, or delete the team entirely. Clone is useful if you wish to make a very similar team configuration for a new team with only minor changes and do not wish to go through the entire new team creation process again. Deleting the team will purge the team data from the RBAC system and cannot be undone. Disabling the team will change the team's status to inactive; the team details stay in the RBAC data system but the users will effectively no longer receive device access or be grouped according to this team's details. The team can be reenabled by searching for the team name on the Teams page and clicking Enable, as seen below:
Roles tab
1. Clicking the Roles tab will bring you to the Roles page. Here you will find the list of roles created for your organization. There are two preconfigured roles provided by Kobiton that cannot be altered: preconfigured ADMIN, and preconfigured MEMBER. You can search for roles by name in the search bar and view general details about each role, such as number of permissions, number of users, and whether the status is active or inactive. You can create a new role by clicking the "Create" button in the upper-right corner.
2. As with the Teams section of RBAC, there is a similar configuration process for roles once you click "Create". You will be directed to the Add New Role > Details page. To complete the creation of the new role you will need to enter data on the Details, Members, and Permissions tabs, as seen in the right corner of the Add New Role page. In the Details tab, you can enter the name for this role as well as a brief description of the role.
3. Next is the Members tab. As described earlier in this article, a user must be assigned as a "member" of a role in order to receive the permissions granted to that role. The process of adding a user as a member of a role is similar to adding them to a team.
On the Members tab page, click the dropdown arrow in the "Add Members" box; the list of users for your organization will be displayed. As with teams, you can search for the user you wish to add by name, then click the purple plus (+) sign next to their name to add them. Once a user is a member of a role, they will appear in the Assigned Members box on the Members page.
4. Finally you must assign permissions to the role. In the Permissions tab you will see an Assigned Permissions List and an Unassigned Permissions List; assigned permissions are those already granted to the role in question, and unassigned permissions are a list of possible permissions from which you can choose to add to the role. These actions range from the ability to install applications on devices to modifying organization settings, and many more.
Every role is assigned the 'system.login' and 'system.logout' permissions by default in order to allow access to the Kobiton portal. These cannot be removed. The remaining optional permissions are listed according to category. The categories are depicted in the image below. You can expand or minimize the full list of permissions within each category by clicking the expansion arrow at the side of each category header. To add a permission, click the purple plus (+) sign beside the selected permission and it will be added to the Assigned Permissions List.
5. As with the teams configuration, please be sure to click "Save" at the bottom of the Add New Role page to confirm and apply your configuration changes for your new role. Once you have an active role available for RBAC to display in your Roles page, you can click the purple hyperlinked name of the role to view that role's Details page.
As with teams, you can see the name and description of the role. You also have the ability to clone, disable, or delete your chosen role; these options function identically to those described in Step 6 of the Teams guide above. Please note you do not have the ability to change or assign a Default Role. The Default Role within Kobiton is the pre-configured role provided by Kobiton called MEMBER; any user can be assigned to multiple custom roles, so the MEMBER default need not be changed.
You can also view the Members tab to see a list of members assigned to the selected role. The list provides names and emails to identify the members. If you wish to remove any members from this role, you can click the red minus (-) sign beside their name. You can search for a particular member in the "Search Members" search bar. Please note that as with teams, users can be members of more than one role; however, if there is a permissions conflict, the most recent role to be assigned to that user will be negated and an error message will be displayed.
Users tab
1. The Users tab is the next tab in the Org Management page. From here you can view the list of users in your Kobiton organization, as well as invite new users to your organization. You can also search for users by name or email in the "Search Users" search bar. To invite new users to join your org, click the "Invite" button.
2. When you click the "Invite" button, you are taken to the Invite Users page. Here you can enter an email address you wish to attach to the user as an identifier, and you can also assign that user to a role and a team during the invitation process (instead of allowing them to be added to the default team and role). Once you have completed the invitation information, click "Send Invitation". An invitation email should arrive in the inbox of the address you entered, with further steps for the user to take to complete the joining process.
3. Once your user list is generated, you have the option to disable or remove the user from the Users tab. Click on the item in the list you wish to interact with so that it is highlighted (do not click on any of the hyperlinked text or you will be redirected to another page.) Once the user data you select is highlighted, the options to Disable or Remove will appear at the top of the Users page; clicking the user data again will toggle the buttons to disappear. The "Disable" and "Remove" buttons will only be available for Active status users; "Disable" functions as the disable action described in previous sections, and "Remove" works the same way as the previously discussed "Delete" option.
For users whose invitation has not yet been accepted, a 'Pending' status will be shown next to their user data. When you highlight a user with a pending status, the "Disable" button will appear but will be greyed out; instead of "Remove", you will see "Remove Invitation", as shown below. This will revoke the invitation made to that user. If they attempt to join Kobiton from their invitation email the attempt will be considered invalid. Should you wish for that user to be added to the organization you will need to send a new invitation to that email address.
4. Displayed in the Users tab is a series of general information about each user in the list, including their team, role, whether or not they are using SSO login settings, and the status of their invitation. Clicking on the purple hyperlinked text under the user's Teams column will take you to the Team Details page for that team; likewise, clicking on the hyperlinked text under the user's Roles column will take you to the Role Details page for that role. Clicking the user's name (also hyperlinked in purple) will take you to the User Details page.
5. The User Details page, much like the details for teams and roles, will display general info about the user. You will see the user's name, email, organization, and the option to enable SSO. You can also access the Disable and Remove options directly from this User Details page.
6. In the User Roles tab, you will still see the information from the Details tab. In addition you will see any roles the user is a member of; clicking the "Derived Permissions" hyperlink in the upper-right area of the Assigned Roles box will display the permissions associated with that role. You can remove a user from a specified role from this page as well. The Teams tab functions very similarly, displaying the user's associated teams and providing the option to remove the user from any listed teams on that page.
7. In the User History tab, you will see the activity of a user listed in chronological order. The default view will display all activity types for the last seven days, but the dropdown menus at the top of the page will allow you to sort the content according to activity type (user account activities, device retainment, or device enablement), and/or according to time (all time, today, last 30 days, or a custom timeframe you can set as seen in the image below.) The activity types are broken down for you here:
- Activities
  - User Login: when the user logs in to the Kobiton portal
  - User Logout: when the user logs out of the Kobiton portal
  - Removed User: ‘User_Name’: when the user removed another user
  - Disabled User: ‘User_Name’: when the user disabled another user
  - User Created: when the user first logs in to Kobiton (from an invitation), or is added again (after having been removed) and accepts the invitation again
- Device Retainment
  - Device Retained: soft-booking (retain), utilizing the device
  - Device Released: when the user finishes using the device (session ended: Manual, Auto,…)
- Device Enablement (linked to the user that hosted this device)
  - Device Registered: when the device was hosted successfully
  - Device Unregistered: when the device was unplugged (disconnected)
  - Device Restarted: when the user clicks to restart the device
From the User History view, a user can click on the hyperlink of a device or session to navigate to the associated Session Details page or to the associated device's modal view.
Transfer Organization Owner role to another user
Every organization must have an Organization Owner (colloquially Org Owner); while this is not a role that is obviously listed in RBAC, it is important to understand its function. The Org Owner is essentially the master Admin role, with all of the permissions associated with an Admin as well as abilities specific to the Org Owner (such as viewing and editing detailed subscription information). If at any time you need to transfer the Org Owner role to another Admin user, you can do this from the Users Details tab of the user who is to receive the role.
Please be aware that the role cannot be automatically transferred at this time, nor can it be transferred by another Admin after an Org Owner's account is disabled or deleted, so before an Org Owner's account is disabled/deleted, the present Org Owner must transfer their role to another Admin user. The Org Owner account itself is the only account with this ability. Should an attempt be made to remove the Org Owner's user account in any way, a prompt will appear suggesting the transfer be performed:
Org Owners can also edit their own information (e.g., team and role) in Users Details.
Device Bundles tab
1. The final tab in the Org Management page is the Device Bundles tab. Devices can be grouped together into bundles that allow easier separation and identification for use by different teams; for example, you may want one bundle that is all of your Android devices, or another bundle that is all devices hosted in Data Center X. Listed here you will see all custom device bundles that you have created, as well as three default bundles created by Kobiton: your top 5, 10, and 20 devices used globally for your testing. By viewing these bundles you can always know which of your devices are seeing the most testing traffic.
You can toggle your bundle view to display bundles according to OS: if the bundle contains an iOS device, clicking the iOS toggle will trigger RBAC to display those bundles, and the same applies for Android devices. You can create a new bundle by clicking the "New Bundle" button in the upper-right corner of the Your Bundles box.
2. You will be redirected to the Manage Configuration Bundle page. You can type in the name of your bundle in the upper-left corner of the page. In the search bar to the upper-right of the page, you can search for specific devices by device name. Once you have found the devices you wish to add to your bundle, click the "Apply" circle to the far right of the device's listing. The circle will fill in purple with a white checkmark to confirm the device has been selected.
You can also click the "Device Reference" button for any other preexisting bundles shown on the left (circled in the image below) and Kobiton will retrieve and automatically select/apply the devices contained within that bundle. This can be very useful if you wish to copy a bundle and make only minor changes, or build off of a bundle that has already been created. Once your bundle is finished, click the "Save Bundle" button in the upper-right corner of the page.
3. From the Device Bundles page, you can view how many devices of which kind (iOS or Android) are included in the bundle. You can also edit the bundle by clicking the pencil icon to the right side of the bundle listing, or delete the bundle by clicking the trash can icon. Choosing to edit the bundle will take you to the Manage Configuration Bundle page, this time with the selected bundle displayed: all devices in that bundle will be relocated to the top of the device list, and in addition to the "Save Bundle" button you will also see a "Reset Bundle" button, which allows you to reset the bundle to its last saved state.
If you have any questions or issues regarding using RBAC, please submit a support ticket at support.kobiton.com.