Account and Users Management

Terminology

To start working with flexiManage, a user (identified by an e-mail address) creates an account and one or more organizations. The system supports multi-tenancy and defines Accounts and Organizations as described further on this page. The e-mail address used to create the Account becomes the owner (you may add more users as owners) and the billing e-mail of the account. Consider using an e-mail alias when opening the Account.

Account

An entity that allows managing multiple separate networks. A network that includes flexiEdge devices, tunnels and other configurations is associated with an Organization. A User in an Account can create multiple Organizations that belong to that Account. An example of an Account is a Managed Service Provider (MSP) or a System Integrator (SI) that manages multiple networks for different customers.

The Account is the billing entity. All Organizations of the Account are billed at the Account level and through the payment method of the Account.

Group

A group of multiple networks / organizations, used to assign management permissions as a group. Every organization is associated with one group.

Organization

An entity that includes all the network inventory and configuration, usually a single enterprise with a single network. Tunnels can be connected between Devices of the same Organization, but different Organizations (even under the same Account) are not connected; hence, it is not possible to create a Tunnel between a Device in Organization A and a Device in Organization B. All network management is done in the scope of an Organization, so an Organization must be created in order to manage a network.

The relationship between Account, Group, and Organization is shown in the following chart:

@startuml

node Account as A
node "Group 1" as G1
node "Group 2" as G2
node "Organization 1.1" as O11
node "Organization 1.2" as O12
node "Organization 1.3" as O13
node "Organization 2.1" as O21
node "Organization 2.2" as O22
A -- G1
A -- G2
G1 -- O11
G1 -- O12
G1 -- O13
G2 -- O21
G2 -- O22

@enduml

Roles and Permissions

A user in the system is granted access to a resource (Account, Group, or Organization) with permissions according to the user's role. The permissions are derived from three parameters:

  • Permission To: Defines which type of resource is permitted: Account, Organization, or Group
  • Entity: The name of the account, organization or group
  • Role: Defines the permissions allowed for every operation on the resource: Owner, Manager, or Viewer

Based on the permission level, a user is allowed to perform various operations on the resource. The user that creates an account becomes the account owner and can invite other users to access resources on his account with different permission levels.

When permitting access to an account, an Owner, Manager, or Viewer role can be set. Each role grants a different permission level, as follows:

Account Roles:

Owner:

  • Update the account
  • Handle billing aspects
  • Create/Update Organizations
  • Add/Update/Delete users to the account or organizations
  • Change user permissions
  • Manage all organizations

Manager:

  • Create/update organizations
  • Add/Update/Delete users to the account (only to permissions below the Manager) or organizations
  • Change user permissions
  • Manage all organizations

Viewer:

  • View all organizations

Organization or Group Roles:

Manager:

  • Manage organization
  • Add/Update/Delete users to the organization
  • Change user permissions

Viewer:

  • See devices and network status
  • See network reports

The following figure shows an example of multiple users with various roles.

@startuml

rectangle SP1 #Lime [
<b>type: Account
--
Provider1
]
rectangle ENT1 #SkyBlue [
<b>type: organization
--
Enterprise1
]
rectangle ENT2 [
<b>type: organization
--
Enterprise2
]
actor "User1" <<Account1>> as U1
actor "User2" <<Account1>> as U2
actor "User3" <<Organization2>> as U3
actor "User4" <<Organization2>> as U4
actor "User5" <<Organization2>> as U5
actor "User6" <<Organization1>> as U6
SP1 -- U1 : Owner
SP1 -- U2 : Manager
ENT1 --- U2 : Manager
ENT1 -- U6 : Viewer
ENT2 -- U3 : Manager
ENT2 -- U4 : Viewer
ENT2 -- U5 : Viewer
ENT2 -- U2 : Manager
note bottom of U1 : Account\nOwner
note bottom of U2 : Account Manager\ncan administrate\nmultiple organizations

@enduml
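
An access review over the permission triples (Permission To, Entity, Role) described above, as an added example that is not flexiManage code. It uses the users from the figure and assumes that roles rank Owner > Manager > Viewer, that a Group grant applies to every organization in that group, and that the highest matching grant wins; the group names and User7 are constructed.

```python
from dataclasses import dataclass

RANK = {"Viewer": 1, "Manager": 2, "Owner": 3}  # assumed ordering of the page's roles

@dataclass(frozen=True)
class Grant:
    user: str
    permission_to: str  # "Account", "Group" or "Organization"
    entity: str
    role: str

# Constructed inventory: organization -> (account, group); group names are made up.
ORGS = {"Enterprise1": ("Provider1", "GroupA"), "Enterprise2": ("Provider1", "GroupB")}

# Grants from the figure on this page, plus one constructed Group grant (User7).
GRANTS = [
    Grant("User1", "Account", "Provider1", "Owner"),
    Grant("User2", "Account", "Provider1", "Manager"),
    Grant("User2", "Organization", "Enterprise1", "Manager"),
    Grant("User2", "Organization", "Enterprise2", "Manager"),
    Grant("User3", "Organization", "Enterprise2", "Manager"),
    Grant("User4", "Organization", "Enterprise2", "Viewer"),
    Grant("User5", "Organization", "Enterprise2", "Viewer"),
    Grant("User6", "Organization", "Enterprise1", "Viewer"),
    Grant("User7", "Group", "GroupB", "Viewer"),
]

def effective_role(user, org, grants=GRANTS, orgs=ORGS):
    """Highest role the user holds on org via Account, Group or Organization grants."""
    account, group = orgs[org]
    scope = {"Account": account, "Group": group, "Organization": org}
    roles = [g.role for g in grants
             if g.user == user and scope.get(g.permission_to) == g.entity]
    return max(roles, key=RANK.__getitem__, default=None)

def access_review(org, grants=GRANTS, orgs=ORGS):
    """Every user that can reach org, with the effective role, for a periodic review."""
    roles = {u: effective_role(u, org, grants, orgs) for u in sorted({g.user for g in grants})}
    return {u: r for u, r in roles.items() if r}

def redundant_grants(grants=GRANTS, orgs=ORGS):
    """Organization grants already implied by an equal or higher Account grant."""
    def covered(g):
        return any(a.user == g.user and a.permission_to == "Account"
                   and a.entity == orgs[g.entity][0] and RANK[a.role] >= RANK[g.role]
                   for a in grants)
    return [g for g in grants if g.permission_to == "Organization" and covered(g)]
```

Under these assumptions, the review of Enterprise1 includes User1 even though the figure draws no line between them, because Account roles reach every organization, and User2's two organization grants are reported as redundant with the Account Manager role.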