How to use policies and tags for secure access in TagoRun [Tip #29 Carolina from Support]

Hi y’all, Carolina from support here!!

Today’s tip is about Access Management! With Access Management you can give TagoRun users powerful permissions without giving them access to your entire TagoRun application! So, let’s go through a few useful points:

Instead of “all-or-nothing” admin roles, Access Management uses Policies. A policy combines two things:

  • Target:

    • Who or what (User or Analysis) the policy’s permission applies to, selected by tags, tag_match, or ID.
  • Permission:

    • What action can be taken (e.g., view, edit, delete).

    • Which resources (dashboards, devices, etc.) the permission applies to.

This means you can safely grant a user the permission to edit dashboards, but scope it to only the “Project Alpha” dashboards. Powerful, yet controlled.

The real power comes from using Tags for dynamic scoping. Here’s how it works:

  1. You attach a tag like project: "x" to a user.

  2. You attach the same project: "x" tag to relevant dashboards, devices, and buckets.

  3. Select Tag Match.

And that is it! The user automatically gets access to all "x" resources. Need to add a new device to the project? Just tag it with project: "x". No policy update needed!! This makes scaling your access rules effortless.

Remember, these two modules work hand-in-hand:

  1. User Management: Defines who the user is (their profile, login, tags).

  2. Access Management: Defines what they can do and where (via policies).

Other important tips:

  • Avoid “Any” for Targets or Permissions unless you truly want global access. “Any” removes restrictions and exposes all resources.

  • Keep tags consistent and standardized (same keys/values on users and resources) to make tag matching predictable.

Have you built a nice policy using tags? Or do you have questions about setting up a specific rule? Share your thoughts or use cases below. Let’s learn from each other’s configurations!

Cheers,
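
The tag-match scoping and the two tips above, as an added example that is not part of the original post and is not TagoIO code. It is a simplified model: the policy fields, the sample user and dashboards, and the assumption that tag keys and values are compared exactly are all constructed for illustration.

```python
# Simplified model of tag-match scoping. NOT TagoIO's implementation or API;
# every field name and sample record here is constructed for illustration.

def tags_of(entity):
    return {(t["key"], t["value"]) for t in entity["tags"]}

def allowed(policy, user, resource, action):
    """Target must select the user; permission must cover action and resource."""
    target, perm = policy["target"], policy["permission"]
    if target != "any" and not set(target["tags"]) <= tags_of(user):
        return False
    if action not in perm["actions"] or resource["type"] not in perm["types"]:
        return False
    if perm["scope"] == "any":          # no restriction: every resource of that type
        return True
    key = perm["scope"]["tag_match"]    # user and resource must share a value for key
    user_vals = {v for k, v in tags_of(user) if k == key}
    return any(k == key and v in user_vals for k, v in tags_of(resource))

def audit(policies, entities):
    """Flag "any" policies and tags that differ only by case or whitespace."""
    findings = []
    for p in policies:
        if p["target"] == "any" or p["permission"]["scope"] == "any":
            findings.append(f'{p["name"]}: "any" grants unscoped access')
    spellings = {}
    for e in entities:
        for k, v in tags_of(e):
            spellings.setdefault((k.strip().lower(), v.strip().lower()), set()).add((k, v))
    for variants in spellings.values():
        if len(variants) > 1:
            findings.append(f"inconsistent tag spellings: {sorted(variants)}")
    return findings

def tag(k, v):
    return {"key": k, "value": v}

# Constructed sample data
USER = {"name": "alice", "tags": [tag("project", "x")]}
D_X = {"type": "dashboard", "name": "alpha-main", "tags": [tag("project", "x")]}
D_Y = {"type": "dashboard", "name": "beta-main", "tags": [tag("project", "y")]}
D_TYPO = {"type": "dashboard", "name": "alpha-ops", "tags": [tag("Project", "X")]}
SCOPED = {"name": "edit-own-project", "target": {"tags": [("project", "x")]},
          "permission": {"actions": {"view", "edit"}, "types": {"dashboard", "device"},
                         "scope": {"tag_match": "project"}}}
WIDE = {"name": "edit-everything", "target": "any",
        "permission": {"actions": {"edit"}, "types": {"dashboard"}, "scope": "any"}}
```

In this model the mis-tagged dashboard `D_TYPO` is silently out of scope for the user, which is why `audit` reports near-duplicate tag spellings alongside the "any" policy.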