Roles & Permissions
SecureLink uses a role-based access control (RBAC) system to govern what each user can see and do within the platform. Permissions are enforced on both the frontend (UI visibility) and backend (API authorization).
Navigate to Administration > Roles & Permissions in the sidebar.
Roles Page
Stat Cards
| Card | Description |
|---|---|
| Total Roles | Number of defined roles |
| System Roles | Built-in roles that cannot be modified |
| Custom Roles | User-created roles |
Roles Table
| Column | Description |
|---|---|
| Role Name | Role name with a "System" badge for built-in roles |
| Type | Admin, Editor, Viewer, or Custom (color-coded) |
| Description | Role description |
| Permissions | Number of permissions assigned |
| Actions | View, Edit (custom only), Delete (custom only) |
Click on any role to open its detail page.
Built-in Roles
SecureLink includes system roles that cannot be modified or deleted:
SuperAdmin
Full platform access with all permissions. SuperAdmins can:
- Manage all tenants and their resources
- Create and manage users of any type
- Configure system-wide settings
- Access Global VSA for multi-orchestrator management
- Approve devices across all tenants
TenantAdmin
Full access within their assigned tenant. TenantAdmins can:
- Manage edges, connectors, and shared gateways for their tenant
- Create and manage VPN users within their tenant
- Configure network settings (peering, routing, WireGuard) for their tenant's devices
- View monitoring dashboards and logs scoped to their tenant
VPN User
VPN client access only. VPN users can:
- Connect to their tenant's VPN network via client applications
- View their own connection status and profile
VPN users have no access to the management UI.
Creating a Custom Role
- Click Add Role.
- Fill in the role form:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Role name |
| Description | No | Role description |
| Type | Yes | Admin, Editor, Viewer, or Custom |
- Permission assignment:
  - For Admin, Editor, or Viewer types, permissions are automatically assigned based on the type template
  - For Custom type, manually select individual permissions (Create, Read, Update, Delete)
- Click Create to save.
Permission Areas
Permissions are organized into functional areas with four actions each:
| Area | Create | Read | Update | Delete |
|---|---|---|---|---|
| Equipment | Add edges, connectors, MTGEs | View device lists and details | Edit device configuration | Remove devices |
| Network | Create peering groups, policies | View peering, routing | Edit peering, routing config | Remove groups, policies |
| Monitoring | — | View dashboards, logs, metrics | — | — |
| Users | Invite users | View user lists | Edit user roles, status | Disable/delete users |
| Settings | — | View settings | Edit system/tenant settings | — |
How Permissions Are Enforced
Permissions are embedded in the VSN+ session token, which is issued during the authentication flow:
- The user authenticates via Keycloak (username and password).
- The Keycloak JWT is exchanged for a VSN+ session token via the `/auth/exchange` endpoint.
- The VSN+ session token contains the user's `userType`, `tenantId`, `roles`, and `permissions`.
- The frontend uses the token to control UI visibility (hiding menu items, disabling buttons).
- The backend validates the token on every API request and enforces authorization at the route and service level.
This means that even if a user manipulates the frontend, the backend will reject any unauthorized API calls.
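The following is an added illustration, not SecureLink's own code: a backend authorization check shaped by the Permission Areas grid and the session token claims described above. It assumes permissions are encoded as `Area:Action` strings and that the claim names match the page (`userType`, `tenantId`, `roles`, `permissions`); the sample tokens are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Permission grid from the Permission Areas table: the actions each area defines
# (a dash in the table means the action does not exist for that area).
PERMISSION_GRID = {
    "Equipment":  ("Create", "Read", "Update", "Delete"),
    "Network":    ("Create", "Read", "Update", "Delete"),
    "Monitoring": ("Read",),
    "Users":      ("Create", "Read", "Update", "Delete"),
    "Settings":   ("Read", "Update"),
}

@dataclass(frozen=True)
class SessionClaims:
    """Subset of VSN+ session token claims used by the check (assumed names)."""
    user_type: str                      # "SuperAdmin", "TenantAdmin" or "VPNUser"
    tenant_id: Optional[str]
    roles: Tuple[str, ...] = ()
    permissions: FrozenSet[str] = frozenset()   # "Area:Action" strings (assumed encoding)

def permission_key(area: str, action: str) -> str:
    """Validate against the grid so a typo never silently becomes an always-deny."""
    if action not in PERMISSION_GRID.get(area, ()):
        raise ValueError(f"no such permission: {area}:{action}")
    return f"{area}:{action}"

def authorize(claims: SessionClaims, area: str, action: str,
              resource_tenant: Optional[str]) -> bool:
    """Backend decision for one API request. It reads only the token, never
    UI state, so un-hiding a button in the frontend changes nothing here."""
    required = permission_key(area, action)
    if claims.user_type == "SuperAdmin":
        return True                     # SuperAdmin bypasses permission checks
    if claims.user_type == "VPNUser":
        return False                    # VPN users have no management API access
    if resource_tenant is not None and claims.tenant_id != resource_tenant:
        return False                    # tenant scoping before the permission lookup
    return required in claims.permissions

def handle_delete_edge(claims: SessionClaims, edge_tenant: str) -> int:
    """Route-level enforcement: HTTP status a DELETE on an edge would return."""
    return 204 if authorize(claims, "Equipment", "Delete", edge_tenant) else 403

# Constructed sample tokens (not real data).
SUPERADMIN = SessionClaims("SuperAdmin", None, ("SuperAdmin",))
TENANT_A_ADMIN = SessionClaims("TenantAdmin", "tenant-a", ("TenantAdmin",),
    frozenset(f"{a}:{x}" for a, xs in PERMISSION_GRID.items() for x in xs))
TENANT_A_VIEWER = SessionClaims("TenantAdmin", "tenant-a", ("Viewer",),
    frozenset({"Equipment:Read", "Network:Read", "Monitoring:Read"}))
VPN_USER = SessionClaims("VPNUser", "tenant-a", ("VPN User",))
```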
Role Detail
Click View on any role row to open the Role Detail page. It has four tabs:
Overview
- Role Information — Name, type (with badge), description, whether it's a system role
- Timestamps — Created date, last updated, created by
Users
A table of all users assigned to this role:
| Column | Description |
|---|---|
| Name | User's display name (links to user detail page) |
| Email | User's email address |
| Status | Active or Disabled |
| Assigned Date | When the user was assigned this role |
Permissions
A visual breakdown of the role's permissions:
- Role type summary — Description of the role's permission level
- Permission grid — Create, Read, Update, and Delete shown as green (granted) or gray (not granted) cards
SuperAdmin users bypass all permission checks. The Permissions tab shows a simplified "full access" explanation for SuperAdmin roles.
Activity
An audit log of changes made to this role:
| Column | Description |
|---|---|
| Timestamp | When the change occurred |
| Action | Action type (Created, Updated, etc.) with color-coded badge |
| User | Who made the change |
| Details | What was changed |
| Status | Success or failure |
Role Assignment
- Roles are assigned during user invitation (see Admin Users)
- A user's role can be changed by clicking Edit Info on the user detail page
- Changing a user's role takes effect on their next login or token refresh
Changing a user's role from SuperAdmin to TenantAdmin restricts their access to a single tenant. Ensure the correct tenant is selected before saving the change.