Custom Roles and Permissions User Guide (COMING SOON)

This user guide provides an overview of custom roles and permissions in Tehama and describes how to create and assign a custom role.

For a simple overview of the predefined roles in Tehama, see the Roles User Guide. It provides general information on the capabilities that users with each of these roles have and how these capabilities depend on the role that the user's organization has in a Tehama Room.

Note: The Custom Roles and Permissions capability is not available by default. If you want it enabled for your organization, contact Tehama Support.

Note: Be aware that enabling the Custom Roles and Permissions capability has implications for role setting in Tehama's SSO User Provisioning. Read the section Custom Roles & Permissions and SSO User Provisioning in the Authentication User Guide for more information.


What are Custom Roles and Permissions

Roles are groups of permissions that are assigned to members.

Permission sets are collections of authorizations to perform actions.

The actions in a permission set are related to one another. They are the actions required to complete a specific task, or set of tasks.

Tehama currently predefines four base roles:

  • Org Admin
  • Org Manager
  • Room Manager
  • Staff

For most users of Tehama, one of these four roles is sufficient for their needs. Other users may need permissions beyond those in these base roles. For these users, Tehama provides the ability to create custom roles made up of a base role plus additional permissions, grouped in related 'sets' that are relevant to a particular user's job requirements.

There are three permission sets available:

  • Org Auditor
  • Business Analyst
  • TCU Usage Auditor

Any number of these permission sets can be combined with one of the 'Org Manager', 'Room Manager' or 'Staff' base roles to form a custom role. (Note that the 'Org Admin' base role already has all the capabilities defined in these three permission sets.)

For example, an organization could create a custom role that has the permissions in the base 'Staff' role plus the permissions in the permission set 'TCU Usage Auditor'. That would allow members with that role to have the usual Staff permissions and also monitor the TCU Usage data for the Room.

Be aware that the capabilities in a role will differ depending on the function/role the member's organization has in a Tehama Room. See the Roles and their permissions vis-a-vis Room management section in the Roles User Guide for a chart explaining the division of responsibilities for the roles, depending on the organization role/function in the Room.


Base roles

Here is an overview of the available base roles.

 • Org Admin

The 'Org Admin' role has full access to the organization. A user with this role:

  • Manages the organization's profile information.
  • Manages the organization's authentication method.
  • Manages the organization and Room membership.
  • Can create/archive/delete Rooms.
  • Can add/edit/delete/assign policies.
  • Can manage data access (e.g.: via the configuration and management of Tehama Gateways) in Rooms connected-to by their organization.
  • Can create/edit/delete/assign-users-to Desktop templates in Rooms owned by their organization.
  • Can be assigned to Desktop templates and connect to the instances for them.
  • Receives all Room approval notifications/invitations.
  • Has full auditing abilities. This includes:
    • Activity Stream: Can view all events in the organization.
    • Recordings: Can access live and recorded sessions in the organization.
  • Has visibility into organization TCU Usage.
    • TCU Usage Configuration: Can access TCU Usage options and data for the assigned organization.
    • TCU Usage Notification: Can enable TCU Usage notifications for the assigned organization.
    • Metering Report: Can access granular breakdown of usage metering report related to the organization.
  • Sees all reports, including TCU Usage/Metering reports.
  • Can request that the organization be deactivated.
  • Has the ability to reactivate the organization once it is deactivated, before it is deleted.

There is only one Org Admin user in each organization - and there must be one. This role is given to the user who first creates the organization, by default. The role can be assigned to any other organization member, automatically demoting the existing Org Admin to the role of Org Manager.

 • Org Manager

The 'Org Manager' role has full access to the organization, except for TCU Usage and the ability to deactivate the organization. A user with this role:

  • Manages the organization and Room membership.
  • Can create/archive/delete Rooms.
  • Can add/edit/delete/assign policies.
  • Can manage data access (e.g.: via the configuration and management of Tehama Gateways) in Rooms connected-to by their organization.
  • Can create/edit/delete/assign-users-to Desktop templates in Rooms owned by their organization.
  • Can be assigned to Desktop templates and connect to the instances for them.
  • Receives all Room approval notifications/invitations.
  • Has full auditing abilities. This includes:
    • Activity Stream: Can view all events in the organization.
    • Recordings: Can access live and recorded sessions in the organization.
  • Sees all reports, except the Webhook Event Types report.
  • Can request that the organization be deactivated.

There can be any number of Org Managers in each organization.

 • Room Manager

The 'Room Manager' role has access only to those Rooms in the organization of which they are a member. A user with this role:

  • Manages the organization and Room membership for Rooms of which they are a member.
  • Can assign policies in Rooms of which they are a member.
  • Can manage data access (e.g.: via the configuration and management of Tehama Gateways) in Rooms connected-to by their organization of which they are a member.
  • Can create/edit/delete/assign-users-to Desktop templates in Rooms owned by their organization of which they are a member.
  • Can be assigned to Desktop templates and connect to the instances for them for Rooms of which they are a member.
  • Receives all approval notifications for Room memberships in Rooms of which they are a member.
  • Has full auditing abilities for Rooms of which they are a member. This includes:
    • Activity Stream: Can view all events in the Room.
    • Recordings: Can access live and recorded sessions in the Room.
  • Sees all report information for Rooms of which they are a member.

There can be any number of Room Managers in each organization.

 • Staff

The 'Staff' role has partial access only to those Rooms in the organization of which they are a member. A user with this role:

  • Can be assigned to Desktop templates and connect to the instances for them in Rooms of which they are a member.

There can be any number of Staff in each organization.


Permission Sets

Here is an overview of the available permission sets.

 • Org Auditor

Ensures user compliance with the organization's policies and diagnoses issues when necessary.

  • Activity Stream: Can view all events in the assigned organization.
  • Recordings: Can access live and recorded sessions in the assigned organization.

 • Business Analyst

Access reporting tools to understand how the platform is being leveraged and identify potential optimizations.

  • Reports: Has full access to reporting capabilities in the assigned organization.

 • TCU Usage Auditor

Understands how platform usage contributes to costs and identifies areas for optimization.

  • TCU Usage Configuration: Can access TCU Usage options and data for the assigned organization.
  • Metering Report: Can access granular breakdown of usage metering report related to the organization.
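
The composition rule in this guide (one base role plus any number of permission sets, with 'Org Admin' excluded as a base) can be modelled to review what a custom role actually grants. The following Python is an added example, not Tehama code or a Tehama API; the permission labels, the custom role names and the member roster are constructed shorthand for the guide's bullets.

```python
# Added illustration: a constructed model of this guide's role composition.
# Permission labels are shorthand for the guide's bullets, not Tehama identifiers.
PERMISSION_SETS = {
    "Org Auditor": {"activity_stream:org", "recordings:org"},
    "Business Analyst": {"reports:org"},
    "TCU Usage Auditor": {"tcu_usage_config:org", "metering_report:org"},
}

# Base roles that may anchor a custom role. Only capabilities that overlap
# with the permission sets are modelled here.
BASE_ROLES = {
    "Org Manager": {"activity_stream:org", "recordings:org",
                    "reports:org:except-webhook-event-types"},
    "Room Manager": {"activity_stream:room", "recordings:room", "reports:room"},
    "Staff": set(),
}

def compose(base, sets):
    """Return the effective permissions of a base role plus permission sets."""
    if base not in BASE_ROLES:
        # 'Org Admin' lands here: it already holds every permission set.
        raise ValueError(f"{base!r} cannot be the base of a custom role")
    unknown = [s for s in sets if s not in PERMISSION_SETS]
    if unknown:
        raise ValueError(f"unknown permission set(s): {unknown}")
    effective = set(BASE_ROLES[base])
    for name in sets:
        effective |= PERMISSION_SETS[name]
    return effective

def added_by_set(base, sets):
    """Map each permission set to what it grants beyond the base role."""
    compose(base, sets)  # validates the base role and the set names
    return {name: PERMISSION_SETS[name] - BASE_ROLES[base] for name in sets}

def holders(members, custom_roles, permission):
    """List members whose custom role grants `permission` (access review)."""
    return sorted(m for m, role in members.items()
                  if permission in compose(*custom_roles[role]))

# Constructed sample data: custom role name -> (base role, permission sets).
CUSTOM_ROLES = {
    "Staff + TCU": ("Staff", ["TCU Usage Auditor"]),
    "Room Lead Auditor": ("Room Manager", ["Org Auditor"]),
    "Manager Auditor": ("Org Manager", ["Org Auditor"]),
}
MEMBERS = {"alice": "Staff + TCU", "bob": "Room Lead Auditor", "carol": "Manager Auditor"}
```

In this model, `added_by_set("Org Manager", ["Org Auditor"])` reports nothing added, because the Org Manager bullets above already include organization-wide Activity Stream and Recordings access; the same set added to Room Manager widens auditing from the member's Rooms to the whole organization.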

View Permissions and Roles

The Org Admin user and the Org Managers can view the Permissions and Roles available in the organization.

View the permissions and roles in your organization as follows:

  1. Log in to the Tehama Web UI.
  2. Click on the ORGANIZATION tab.
  3. Click on the PERMISSIONS sidebar item. You will see the Roles and Permissions table.

    Note: You may see the Create Role page instead of the Roles and Permissions table. You will see this page if you navigated away from the PERMISSIONS sidebar item while you, an Org Admin, were in the midst of creating or editing a role. Click the CANCEL button at the bottom of the page to stop creating a role, in order to return to the page with the Roles and Permissions table.

Create a Custom Role

Only the Org Admin user can create a custom role for the organization.

Create a custom role as follows:

  1. Log in to the Tehama Web UI.
  2. Click on the ORGANIZATION tab.
  3. Click on the PERMISSIONS sidebar item. You will see the Roles and Permissions table.

    Note: You may see the Create Role page instead of the Roles and Permissions table. You will see this page if you navigated away from the PERMISSIONS sidebar item while you were in the midst of creating or editing a role. You can begin your role creation from here, skipping the next step, or click CANCEL at the bottom of the page to return to the page with the Roles and Permissions table, in order to begin afresh.

  4. Click on the CREATE ROLE button. You will see the Create Role page.

    Note: Be careful not to navigate away from the PERMISSIONS sidebar item while creating your role. When you return to the PERMISSIONS sidebar, you will see the Create Role page again, but your changes will be lost.

  5. Enter the name you want to give your custom role in the "Role Name" field.
  6. Enter the description of your custom role in the "Role Description" field.
  7. Select the base permission set you want for your custom role.
  8. Select the custom permission set(s) that you want to be part of your custom role.
  9. Click on the CREATE ROLE button. You will be returned to the Roles and Permissions table. Your new custom role will be a new entry in the table.

Assign a Role

The Org Admin user and the Org/Room Managers can assign a role to an organization member.

You can assign a role, custom or predefined, when inviting a new member to your organization. Follow the instructions in the Add members to an organization section in the Organization User Guide.

You can also assign a role by editing the role of an existing member in your organization. Follow the instructions in the Edit a member's role section in the Organization User Guide.


Edit a Custom Role

Only the Org Admin user can edit a custom role.

Edit a custom role as follows:

  1. Log in to the Tehama Web UI.
  2. Click on the ORGANIZATION tab.
  3. Click on the PERMISSIONS sidebar item. You will see the Roles and Permissions table. (Note: if you are navigating back to this sidebar item after having navigated elsewhere while you were in the midst of creating a role, you will be returned to the Create Role page in the state in which you left it. Click CANCEL at the bottom of the page to return to the Roles and Permissions table.)

    Note: You may see the Create Role page instead of the Roles and Permissions table. You will see this page if you navigated away from the PERMISSIONS sidebar item while you were in the midst of creating or editing a role. Click CANCEL at the bottom of the page to return to the page with the Roles and Permissions table.

  4. Place a checkmark beside the entry for the role you want to edit.
  5. Click on the EDIT button at the top of the table. You will see the Edit Role page.

    Note: Be careful not to navigate away from the PERMISSIONS sidebar item while editing your role. When you return to the PERMISSIONS sidebar, you will see the Create Role page instead of the Edit Role page, and any changes you may have made will be lost. If you have done this accidentally, click CANCEL at the bottom of the page to return to the page with the Roles and Permissions table and begin again at step 4.

  6. Edit any of the fields on the page.
  7. Click on the SAVE ROLE button. You will be returned to the Roles and Permissions table. You will see your edited custom role in the table.

Delete a Custom Role

Only the Org Admin user can delete a custom role.

Delete a custom role as follows:

  1. Log in to the Tehama Web UI.
  2. Click on the ORGANIZATION tab.
  3. Click on the PERMISSIONS sidebar item. You will see the Roles and Permissions table. (Note: if you are navigating back to this sidebar item after having navigated elsewhere while you were in the midst of creating a role, you will be returned to the Create Role page in the state in which you left it. Click CANCEL at the bottom of the page to return to the Roles and Permissions table.)
  4. Place a checkmark beside the entry for the role you want to delete.
  5. Click on the DELETE button at the top of the table. You will see the DELETE ROLE dialog.
  6. If any members of the organization are currently assigned to the role, the dialog will advise you to reassign these users to another role before deleting the role. If this is the case, click on the BACK button in the dialog and go to the organization's MEMBERS tab. From that tab you can identify the members with this role. (Filter on the role in the Roles column.) Then click on their names to see their profile and edit their role to be something else. Return to the PERMISSIONS sidebar menu and try again.
  7. Click on the DELETE button in the dialog. You will be returned to the Roles and Permissions table. Your role will no longer be in the table.