# IAM
Tessell’s Identity and Access Management (IAM) application under the Governance app family helps you securely control access to Tessell applications. It lets you define user personas that enable the privileges and accesses to an user under that persona. You can create your own custom personas and add the access to applications as per your need. Identity providers like Microsoft Entra ID and Okta can be configured to manage user life cycle.
***
### Prerequisites
Ensure that you have registered your cloud subscription and added your network details in the Subscriptions application under the Governance app family.
For more information on cloud subscriptions, see [Subscriptions](https://docs.tessell.com/tessell/governance/subscriptions).
***
### Users
On the left navigation pane of Tessell portal, select IAM under Governance to view the IAM dashboard. It consists of three tabs, Users, Personas, and Identity Providers.
The Users tab displays a comprehensive list of users, describing their assigned personas, authentication modes, associated subscriptions, and current status.
The Users tab includes the following filters:
* **Search** - Specify a name of the user to search for a specific user in the search bar. As you type, the list automatically filters and displays user names that match the characters you specify.
* **Subscription** - You can choose a cloud subscription from the dropdown list. By default, all the subscriptions are displayed. The possible values are ‘All’ or any specific subscription.
* **Personas** - You can choose a user persona from the dropdown list. By default, all the personas are displayed. The possible values are All, Account Owner, Administrator, Data Owner, Infra Admin, or any custom persona.
* **Status** - You can choose a status from the dropdown list. By default, all the statuses are displayed. The possible statuses are All, Active, Invited, or Inactive.
* **Clear** - Select this to clear the selected filters and revert back to default settings.
#### Invite User
To reduce the administrative efforts to create a new user each time with user’s information, Tessell provides an **Invite User** feature where an administrator with IAM app access can invite users using their email id, and select persona and subscriptions. Invited users can then use email received from the administrator to specify their details and login to the Tessell portal using their preferred authentication mode.
To invite a user:
1. On the top-right corner of the window, click **+ Invite User**.
The ‘Invite a new user’ dialog box opens.
2. Specify the email address of the user in the **Email** field.
3. From the **Persona** dropdown list, choose a persona.
Notice the change in number of applications assigned for a persona when you change a persona.
4. To view the associated applications, click **View all N apps**, where N is the number of applications assigned.
5. Search for a specific subscription to assign in the **List of subscriptions** field.
6. All the subscriptions are listed below the search field, select from the list to assign.
7. To select all subscriptions, select the check box **Select all**.
8. Click **Invite** to send an invite mail to the user.
After the required fields are filled, use the code as an alternative method to invite a user.
1. Use the **Code** button from the bottom left corner of the dialog box to view the code in different languages like Shell, Python, Go, Java, Javascript, and PowerShell.
2. You can copy or download the code using the respective buttons in the top-right corner.
3. Use the **Close** button at the bottom right corner to return back to the main window.
The fields in the Users table provide following information:
* **Name** - Displays the name of the user provided during their initial login to the Tessell portal. It also displays the email ID of the user below the name.
* **Persona** - Displays the user's assigned persona, which is set by the administrator either during the initial invitation or after the user joins the portal.
* **Authentication Mode** - Displays the authentication mode used by the user during their initial login. It can be Email, Google, Microsoft Entra ID, or Okta.
* **Subscriptions** - Displays the subscriptions assigned to the user. Account owners are assigned all subscriptions. Administrators assign subscriptions to other personas during the initial invitation, and these are displayed under this column.
* **Status** - Displays the user’s current status. Statuses can be Active, Invited, or Inactive.
* **Ellipsis icon** - Click the ellipsis icon to perform following actions:
* **Disable** - This option is available when the user’s status is active. To disable, click this option and confirm your choice in the confirmation pop-up. After the user is disabled, they cannot access the Tessell portal.
* **Enable** - This option is available when the user's status is inactive. To enable, click this option and confirm your choice in the confirmation pop-up. After the user is enabled, they can access the Tessell portal.
**Note**:
* You cannot enable or disable your own status.
* If you have used Microsoft Entra ID or Okta for authentication, enabling and disabling is managed in the respective identity provider’s portal.
* **Change Persona** - This option allows you to change the user’s persona to any other available persona’s.
* To change a persona, click this option and select a persona from the list.
The ‘Change Persona’ dialog box opens.
* When downgrading to a persona with fewer privileges, users lose access to some privileges associated with their previous higher-privileged persona.
* To downgrade, you have to transfer the ownership of the servers if they were available in a higher-privileged persona. Also, remove the user from the co-owner roles of the servers that were in higher-privileged persona.
* Click **Submit** to change persona.
* **Grant/Revoke admin access to database services** - Account owners can grant or revoke administrative access to database services. This functionality applies to all personas except the account owner themselves.
Figure 1: IAM application Users tab
***
### Personas
The Personas tab in the IAM application provides a comprehensive overview of both default and custom personas. It allows you to view the applications assigned to each persona. You can also create custom personas as per your need.
#### Default Persona
Tessell provides four default personas Account Owner, Data Owner, Administrator, and Infra Admin. Default personas have a set of pre-defined applications in them, you cannot add applications in default personas.
* **Account Owner** - This persona has access to all the applications in all the app families.
* **Data Owner** - This persona has access to the applications in the DB Services app family.
* **Administrator** - This persona has access to the applications in the DB Services app family and the following applications.
* Infrastructure Management app family
* Servers
* Monitoring Perf Insights Infra
* Governance app family
* Compute
* Networks
* DB Governance
* Support app family
* Tickets
* **Infra Admin** - This persona has access to the applications in the DB Services app family and the following applications.
* Infrastructure Management app family
* Servers
* Monitoring Perf Insights Infra
* Governance app family
* Compute
* DB Governance
* Support app family
* Tickets
#### Custom Persona
If the default personas do not meet your requirements, you can create a custom persona, allowing you to select the specific applications you need.
**Create a Custom Persona**
To create a custom persona,
1. Click the **+** plus icon (Create a Custom Persona) at the end of the personas list.
The ‘Add persona’ dialog box opens.
2. Specify the name of the custom persona in the **Name** field.
3. Optionally, specify a description for your custom persona.
4. Select the apps from their respective app family.
When you select an app, the color of the app turns to blue from grey.
5. Click **Add** to create a new custom persona.
Click the ellipsis icon on any custom persona to access the options Update and Delete.
* **Update** - Use this option to add or remove the apps from a custom persona. Also, you can update the description of the persona. To update, select the apps and update the description and then click **Update**.
* **Delete** - Use this option to delete a custom persona. To delete, select this option and a confirmation dialog box is displayed to confirm your choice, and then click **Delete**.
As an alternative method, use the code to create a custom persona.
1. Use the **Code** button from the bottom left corner of the dialog box to view the code in different languages like Shell, Python, Go, Java, Javascript, and PowerShell.
2. You can copy or download the code using the respective buttons in the top-right corner.
3. Use the **Close** button at the bottom right corner to return back to the main window.
Figure 2 - IAM application Personas tab
***
### Identity Providers
Tessell offers configuring identity providers like Microsoft Entra ID and Okta to manage users. This is useful when you already have Microsoft Entra ID or Okta as identity providers and would like to import them to Tessell. In this case, authentication of the users is done with your identity provider.
To enhance the security of user accounts, Tessell supports multi-factor authentication via Email. This feature is not enabled on the portal by default; to use it, please contact Tessell support.
#### Microsoft Entra ID
**Microsoft Entra ID (IDP) Configuration**
1. On the Azure portal, under **Enterprise Applications**, create a new application for Tessell.
2. Add Entra users to the newly created app. These are the users that should have access to Tessell.
3. To set up single sign on, select **Set up single sign on** section to configure the IDP side of SSO configuration in the app.
3. Tessell requires the admin to configure three Tessell related fields in the new app’s SSO configuration. Fetch the values for these fields from Tessell portal. They are located in the IAM app under **Identity Providers**.
4. Configure below fields in the Azure app under **Basic SAML** Configuration.
* Identifier (Entity ID)
* Reply URL (Assertion Consumer Service URL)
* Sign on URL
5. Leave the **Attributes & Claims** as the preset defaults.
**Tessell (SP) Configuration**
Perform the following configuration steps in the Tessell UI.
1. For each app, Microsoft generates a unique login URL, identifier, and certificate to access the app. These must be copied from the Azure app to Tessell.
2. The above fields must be configured in Tessell under the IAM app. In Tessell UI, go to **Governance** > **IAM** > **Identity Providers** > **Microsoft Entra ID**.
3. After Tessell is configured with the IDP details, the last step is to invite the Entra users to Tessell. You can invite users to Tessell in Tessell’s IAM app (as shown below). Please ensure users invited to Tessell are also added to the Tessell enterprise application in Azure.
***
#### Okta
**Okta configuration**
1. Navigate to the Okta admin console and create an app.
2. Use the SAML 2.0 protocol while creating an app. This is the only protocol supported by Tessell.
3. Add an optional icon and add a mandatory name as Tessell in the app.
1. Download and use below logo:
4. Now log in to Tessell as Account Owner and go to Identity Providers.
1. Click **Okta** > **Configure**.
2. Note down the Entity ID, SSO URL, and SCIM Base URL.
5. Add the Entity ID and SSO URL noted in step 4.
6. Add firstName, lastName, and email attributes mapping.
7. Use the options and complete the app creation in Okta.
8. On the Sign On tab, change the **Application username** **format** to Email.
9. Go to the General tab of the app and enable SCIM provisioning.
10. The provisioning tab starts showing up now.
11. Go to Tessell API key as an Account Owner and create an API key that never expires.
12. Edit the SCIM provisioning in Okta and add the details.
1. Select Authentication type as Bearer and add the API key generated in Tessell.
2. Add the SCIM endpoint noted in step 4.
13. Verify the connection. Only **Create Users** and **Update User Attributes** should be green.
14. Go to provisioning and enable the fields for SCIM.
15. Go to SAML configuration on the same page and note the details. This needs to be feeded to Tessell.
16. Go to Tessell IDP and add the details noted in the previous page of Okta.
17. At this stage, the connection setup and linking between Tessell and Okta are complete. Now create a user in AD configured with Okta, add the user to a group.
18. Manually importing the users as Okta agents takes an hour to sync.
19. Assign the newly imported user the Tessell app.
20. Log in to Okta as the user (newly created). Tessell app shows up in the list of apps.
1. After the user clicks on the app, the user automatically lands on the my services page of Tessell. The user is assigned a Data Owner role and included in the default subscription.
21. Disable the user in the AD and check if the user cannot log in/access Tessell after this.
