# Admin Users/Groups

Cloudbrink provides role-based access control for the administrators who manage a Cloudbrink environment, using built-in administrator roles. Customers assign administrator users to these roles so that access to the configuration is granular within the administration team. The built-in admin roles on Cloudbrink are:

a. Super-admin: Admin user with permission to do everything on the tenant.

b. Delegated-admin: Admin user with permission to make configuration changes (CRUD operations) as well as visibility. Delegated admins do not have permission to change subscription status or add more user licenses.

c. Read-only: Read-only users can only view the configuration and other traffic data. No CRUD operations are allowed for read-only users.

When the customer registers for the Cloudbrink service, the primary point of contact (user and email-ID) is given the super-admin role by default. This super-admin user is expected to log in to the Cloudbrink tenant portal for the first time and add other delegated-admins as required. The super-admin is also expected to complete the first-time onboarding process.

Delegated-admin users are mainly responsible for configuring and monitoring Cloudbrink as part of their regular IT operations/systems. Delegated-admins have permission to perform CRUD (create, read, update, delete) operations on the configuration entities. Delegated-admin users can also create other delegated-admins, but not super-admins. Delegated-admin users do not have permission to change the subscription (e.g. adding more named-user licenses).

**Admin Groups**

Cloudbrink provides a built-in admin group named SuperAdmins, with the super-admin role. Customers can configure a security group with the same name (SuperAdmins) on their IDP and add the IT admins who will manage the Cloudbrink service to this security group. When admins attempt to log in to the Cloudbrink management portal, they are authenticated by the IDP, and Cloudbrink decides from their group membership information whether they have access to the Cloudbrink portal.

Customers can create more admin groups and assign each group either the SuperAdmin or the DelegatedAdmin role. The same admin groups can be configured on the IDP, with admin users added to those groups based on the role that must be assigned to each user. Cloudbrink can extract the group information and provide the correct level of access to the admins.

<figure><img src="/files/EnM4SFhhb8oXzNdndJN4" alt=""><figcaption></figcaption></figure>

**Admin Users**

If customers don’t want to change their IDP due to security team dependencies, local admin users can be created and assigned to the admin groups. In this case, admin users are not redirected to an IDP (because there is no IDP here). Admin users can log in to the portal with just the locally created username and password.

<figure><img src="/files/FCoP5GWm42bzj9tqXj3X" alt=""><figcaption></figcaption></figure>

**Read-only Admin Role**

Cloudbrink now supports a “read-only” admin role. Admin users in this role cannot “add”, “update” or “delete” any configuration from the Cloudbrink management portal. Read-only admin users can only “view” the information on the management portal.

a) Customers can use this capability to provide access to admins who are responsible only for “monitoring” the service and reviewing service usage.

b) It also helps in cases where customers have admins from several business units but the maintenance of the Cloudbrink service is done by one central admin team. All the business unit admins can be given read-only access so that they can monitor service usage.

Configure → Admin Groups/Users → Admin Groups → New
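
The role rules and the group-based access decision described on this page can be modelled for an access review of an IDP group export. This is an added example, not Cloudbrink code: the group names other than SuperAdmins, the action names, the worst-case handling of users in several admin groups, and assigning the read-only role through an admin group are all assumptions.

```python
from enum import IntEnum

class Role(IntEnum):  # ordered from least to most privileged
    READ_ONLY = 1
    DELEGATED_ADMIN = 2
    SUPER_ADMIN = 3

# Admin group -> role. "SuperAdmins" is the built-in group named on this page;
# the other two group names (and a read-only group) are hypothetical.
ADMIN_GROUPS = {
    "SuperAdmins": Role.SUPER_ADMIN,
    "NetOps-Admins": Role.DELEGATED_ADMIN,
    "BU-Viewers": Role.READ_ONLY,
}
CRUD = {"create", "update", "delete"}

def effective_role(idp_groups):
    """Role for a user's IDP groups, or None when no admin group matches (no portal access)."""
    roles = [ADMIN_GROUPS[g] for g in idp_groups if g in ADMIN_GROUPS]
    # Assumption: review for the worst case, so the most privileged match is reported.
    return max(roles) if roles else None

def is_allowed(role, action, target_role=None):
    """Apply the role rules stated on this page to one action (action names are assumed)."""
    if role is None:
        return False
    if role is Role.SUPER_ADMIN or action == "view":
        return True
    if role is Role.READ_ONLY or action == "change_subscription":
        return False
    if action == "create_admin":  # delegated-admins cannot create super-admins
        return target_role is not None and target_role is not Role.SUPER_ADMIN
    return action in CRUD

def audit(memberships):
    """Findings for an IDP export {user: [groups]}: super-admins and mixed-role users."""
    findings = []
    for user, groups in sorted(memberships.items()):
        matched = {ADMIN_GROUPS[g] for g in groups if g in ADMIN_GROUPS}
        if Role.SUPER_ADMIN in matched:
            findings.append((user, "super-admin"))
        if len(matched) > 1:
            findings.append((user, "multiple-roles"))
    return findings

# Constructed sample export, not real data.
SAMPLE = {"alice": ["SuperAdmins", "Staff"],
          "bob": ["NetOps-Admins", "BU-Viewers"], "carol": ["Staff"]}
```

Running `audit(SAMPLE)` lists the accounts to review first: every member of a super-admin group, and anyone whose group memberships map to more than one role.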


