Beta v0.2.0🚀 CollectorCtrl Beta v0.2.0 for Windows & Linux is Live⊞ Windows🐧 LinuxDownload on GitHub →
Get Started

Users & Custom Roles (RBAC)

CollectorCtrl incorporates a granular Role-Based Access Control (RBAC) architecture to secure management operations. This ensures that network operators, compliance officers, and application teams only access features corresponding to their operational scope.

1. User Account Administration

The Users administration page allows you to provision, edit, and audit user access accounts.

User Management Panel

User Types & Authentication Mechanisms

CollectorCtrl supports hybrid authentication sources, managed in the database (users table):

  • Local Accounts: User credentials managed directly by the platform. Passwords are encrypted on the server using industry-standard Bcrypt hashing. A local administrator can force password resets or lock accounts.
  • SSO Provisioned Accounts (OIDC): Provisioned automatically upon successful authentication via OpenID Connect. OIDC accounts do not contain a local password field, and authentication is delegated to the enterprise identity provider.

2. Standard System Roles

Out of the box, CollectorCtrl includes three built-in system roles that fit most default deployment profiles:

Role NameScope of PermissionsKey Operations Allowed
AdminSystem-wide AdministratorAccess to all fleet actions, security configurations, SSO group mapping, SMTP parameters, custom RBAC definition, API key creation, and database pruning hooks.
EditorInfrastructure OperatorFull fleet operation, including YAML policy editing, canary rollout releases, custom binary builds, remote agent control (restarts/log fetches), and semantic mapping. Blocked from system configs and audit settings.
ViewerAuditor / DeveloperRead-only access to view the agent inventory list, effective YAML configuration trees, and log streams. Prevented from triggering command executes or modifying policies.

3. Custom Roles & Feature Permissions

For larger enterprise installations requiring precise team segregation, CollectorCtrl supports the creation of custom roles.

Custom Roles Definition

Custom Role Schema

Custom roles map specific features to fine-grained action lists. This is stored in the database schema under a JSON array structure:

{
  "name": "Datacentre Operator",
  "permissions": {
    "fleet": ["view", "control"],
    "packages": ["view", "upload"],
    "registry": ["view"],
    "discovery": ["view", "tag"],
    "system": []
  }
}

Granular Feature Reference

When designing a custom role, permissions are defined across these feature domains:

  • fleet (Fleet Management):
    • view: Access to view agent grids and configs.
    • configure: Ability to write YAML overrides and policies.
    • control: Ability to execute remote commands (Start/Stop/Restart OTel and Supervisor, fetch log streams).
  • packages (Binary Repository):
    • view: View available packages.
    • upload: Upload new binary files or trigger dynamic upgrades.
    • delete: Remove older binaries from disk.
  • registry (Semantic Translation):
    • view: View translation mappings.
    • update: Write semantic overrides or import bulk CSVs.
  • discovery (Template Auditing):
    • view: View structural configuration groups.
    • tag: Assign friendly metadata names to templates.
  • system (System Configurations):
    • view / update: Manage database settings, SSO providers, SMTP configuration, and licensing.
  • audit (Compliance Auditing):
    • view / export: View SIEM logs and export full REST API interaction logs.