Users and Roles
vBox uses a workspace-based RBAC (Role-Based Access Control) system where permissions are determined dynamically per workspace or customer organization. This means a user’s effective role can vary depending on which resource they are accessing.
User Roles
vBox defines three primary roles. Roles are derived from permission strings assigned at the workspace or customer level:
| Role | Internal Permission | Description |
|---|---|---|
| Organization Reader | (default — no elevated permission) | Read-only access to assigned organization dashboards and recommendations |
| Organization Contributor (MSP) | Temp.OrganizationContributor | Full operational access — assessments, customer management, workspace navigation |
| Organization Owner (Account Manager) | Temp.OrganizationOwner | Customer relationship management — organization settings, user management, reports |
Organization Reader
Organization Readers have the most restricted access level, designed for end customers who need to view their organization’s data.
Capabilities:
- View dashboards for assigned organizations
- Access recommendations (Security, Operations, Cost)
- View cost details and historical data
- Create and manage tasks
- View reports and summaries
Restrictions:
- Cannot access workspace management
- Cannot modify organization settings
- Cannot manage users
- Cannot create or manage assessments
- Can only access organizations they are explicitly assigned to
Organization Contributor (MSP)
Organization Contributors are MSP (Managed Service Provider) users with comprehensive access to manage multiple customer organizations.
Capabilities:
- All Organization Reader capabilities
- Create and manage assessments (Cost, Security, Operations)
- View and navigate workspaces
- Create and manage customer organizations
- Configure organization settings through the customer wizard
- Access all customer dashboards and reports
- Manage organization users (Readers, Contributors, Owners)
- Configure feature toggles and subscription plans
- Set up notifications and ITSM integration
- Import recommendations and questionnaires
- Edit recommendation properties
- Access Advanced optimizations tab
Organization Owner (Account Manager)
Organization Owners focus on customer relationship management and have elevated access to customer-facing features.
Capabilities:
- View customer organizations and profiles
- Manage customer information and settings
- View customer dashboards and reports
- Manage users within customer organizations
- Access customer summaries and recommendations
- Access Advanced optimizations tab
Restrictions:
- Cannot access workspace management
- Cannot create or manage assessments
- Cannot modify technical settings (subscriptions, scheduling)
Inventory Permissions
In addition to role-based access, vBox has granular inventory view permissions that control access to resource-level data:
| Permission | Constant | Controls |
|---|---|---|
| Cost Inventory View | OptimizationInventory.View | Access to cost recommendation resource inventory and export |
| Security Inventory View | SecurityInventory.View | Access to security recommendation resource tabs and export |
| Operations Inventory View | OperationsInventory.View | Access to operations recommendation resource inventory and export |
Route Guards and Access Control
vBox implements route guards that enforce access control throughout the application. Guards wait for permissions to load before evaluating access, ensuring accurate authorization.
| Route Guard | Protected Routes | Required Role |
|---|---|---|
| canActivateMsp | MSP-specific features (assessments, imports, workspace creation/editing) | Organization Contributor |
| canActivateCustomerRoute | Customer organization routes | Contributor or Owner (plus assignment check) |
| canActivateWorkspaceRoute | Workspace management routes | User must have access to the specific workspace |
| canActivateChildFeatureFlag | Feature-specific routes | User with access + feature flag enabled for the organization |
How Route Guards Work
canActivateMsp
- Allows: Organization Contributors
- Blocks: Organization Readers, Organization Owners (unless the route also permits Owners)
- On denial: Redirects to home with snackbar message
canActivateCustomerRoute
- Allows: Contributors, Owners
- Also checks: User assignment to the specific organization
- For Contributors: Checks all accessible customers
- For Readers: Only checks their explicitly assigned clientsIds
- On denial: Redirects to home with snackbar message
canActivateWorkspaceRoute
- Validates: The workspaceId exists in the user’s accessible workspaces
- On denial: Redirects to home with snackbar message
canActivateChildFeatureFlag
- Checks: Feature flag is enabled for the route’s organization
- On denial: Redirects to home
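The guard rules above, written out as a pure decision model so they can be tested offline. This is an added example, not vBox’s own guard code: the guard names and the Temp.* permission strings come from this page, while the UserContext shape, the "wait" result for not-yet-loaded permissions, and the flag lookup are assumptions made for the illustration (Owners are assumed to be checked against accessible customers, like Contributors).

```typescript
// Added example (not vBox's own code): a pure model of the route guards above.
type Role = "Reader" | "Contributor" | "Owner";
type Decision = "allow" | "deny" | "wait";

interface UserContext {
  permissions: string[];          // e.g. ["Temp.OrganizationContributor"]
  clientsIds: string[];           // organizations explicitly assigned to a Reader
  accessibleCustomers: string[];  // every customer a Contributor/Owner can reach
  workspaceIds: string[];         // workspaces the user may access
  permissionsLoaded: boolean;     // guards must not decide before this is true
}

// Role is derived from the permission strings assigned per workspace/customer;
// no elevated permission means the default Reader role.
function roleOf(user: UserContext): Role {
  if (user.permissions.includes("Temp.OrganizationContributor")) return "Contributor";
  if (user.permissions.includes("Temp.OrganizationOwner")) return "Owner";
  return "Reader";
}

// canActivateMsp: Contributors only; Owners only when the route opts in.
function canActivateMsp(user: UserContext, routeAllowsOwners = false): Decision {
  if (!user.permissionsLoaded) return "wait"; // never deny on unloaded permissions
  const role = roleOf(user);
  if (role === "Contributor") return "allow";
  if (role === "Owner" && routeAllowsOwners) return "allow";
  return "deny"; // caller redirects home and shows the snackbar
}

// canActivateCustomerRoute: role check plus assignment to the specific organization.
function canActivateCustomerRoute(user: UserContext, customerId: string): Decision {
  if (!user.permissionsLoaded) return "wait";
  const assigned = roleOf(user) === "Reader"
    ? user.clientsIds.includes(customerId)           // Readers: explicit assignment only
    : user.accessibleCustomers.includes(customerId); // Contributors/Owners: accessible customers
  return assigned ? "allow" : "deny";
}

// canActivateWorkspaceRoute: the workspaceId must be in the user's accessible workspaces.
function canActivateWorkspaceRoute(user: UserContext, workspaceId: string): Decision {
  if (!user.permissionsLoaded) return "wait";
  return user.workspaceIds.includes(workspaceId) ? "allow" : "deny";
}

// canActivateChildFeatureFlag: customer access first, then the org's feature flag.
// `flags` maps customerId -> enabled feature names (assumed lookup shape).
function canActivateChildFeatureFlag(user: UserContext, customerId: string,
                                     feature: string, flags: Record<string, string[]>): Decision {
  const base = canActivateCustomerRoute(user, customerId);
  if (base !== "allow") return base;
  return (flags[customerId] ?? []).includes(feature) ? "allow" : "deny";
}
```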
Unauthorized Page
If you navigate to a resource you do not have permission to access, vBox displays a dedicated Unauthorized (403) page with:
- A clear error message explaining the access denial
- A link to contact support at help@vboxcloud.com (pre-filled with your error details)
- A Log out button to switch accounts if needed
OBO Authentication (On-Behalf-Of)
vBox uses Microsoft Entra ID On-Behalf-Of (OBO) authentication for actions that require direct access to your Azure resources.
When OBO Authentication Appears
The OBO authorization modal appears automatically before:
- Running a manual assessment
- Deploying an assessment environment
- Starting an assessment
Authorization Flow
- A modal appears titled “vBox Authorization” explaining that Microsoft Entra ID consent is required
- Click the Authorize button to open a Microsoft authentication popup
- Sign in and grant consent in the popup window
- The popup closes and you are returned to vBox with authorization complete
Authorization Errors
If authorization fails, a snackbar notification will display an error message. Common causes:
- The Microsoft popup was blocked by your browser — allow popups for the vBox domain
- Your Azure AD account does not have sufficient permissions
- Network connectivity issues during the authentication flow
Azure Authorization Status
You can check your OBO authorization status in the Global Settings dialog (accessible from the application header for Contributors). The Azure Authorization section shows:
- A checkmark icon if vBox is authorized to access Azure resources on your behalf
- A warning icon if authorization is needed or has expired
User Management
Organization-Level User Assignment
Within each customer organization, users are assigned to specific roles through the Customer Configuration Wizard (Step 3):
| Role | Assignment | Description |
|---|---|---|
| Organization Readers | Add/remove with Email, First Name, Last Name | Users with read-only access to organization data |
| Organization Contributors | Add/remove with Email, First Name, Last Name | MSP users assigned to manage this organization |
| Organization Owner | Select from Organization Contributors | Primary account manager for the customer |
| Scheduled Data Collection User | Select from Organization Contributors | User account used for scheduled data collection runs |
User Assignment Best Practices
- Principle of Least Privilege — Assign users only the minimum access level required
- Regular Audits — Periodically review user assignments to ensure they are still appropriate
- Clear Responsibilities — Document which Contributors are responsible for which organizations
- Owner Assignment — Ensure each customer has a designated Organization Owner
- Data Collection User — Verify the Scheduled Data Collection User has appropriate Azure permissions
Role-Based Feature Access
Feature visibility depends on three factors: user role, feature flags, and organization assignment.
1. User Role
| Feature | Organization Reader | Organization Owner | Organization Contributor |
|---|---|---|---|
| Dashboards | Assigned orgs only | Assigned orgs only | All orgs |
| Recommendations | Assigned orgs only | Assigned orgs only | All orgs |
| Tasks | Assigned orgs only | Assigned orgs only | All orgs |
| Customer Management | No | Yes | Yes |
| Assessments | No | No | Yes |
| Workspace Management | No | No | Yes |
| Global Settings | No | No | Yes |
2. Feature Flags
Features enabled for the customer organization control access to specific areas:
| Feature Flag | Routes Affected | Description |
|---|---|---|
| Security | /organization/:customerId/security | Security features and Secure Score |
| Operations | /organization/:customerId/operations | Operations features and Observability Score |
| Cost Details | /organization/:customerId/cost | Detailed cost analysis |
| BI Analytics | Summary pages | Embedded Metabase dashboards |
| Tasks | /organization/:customerId/tasks | Task management features |
3. Organization Assignment
Organization Readers can only access organizations to which they are explicitly assigned. Organization Contributors have access to all organizations within their accessible workspaces.
Global Settings
Organization Contributors can access the Global Settings dialog from the application header. It includes:
Azure Authorization
- Displays the current OBO authorization status (authorized or needs authorization)
- See OBO Authentication above for details
Workspaces and Organizations Visibility
- Tree-based selector for choosing which workspaces and organizations appear in your navigation
- Search field with clear button to filter the tree
- Toggle Collapse button to expand/collapse all nodes
- Select All option at the top of the tree
- At least one workspace or organization must be selected
Security Considerations
- Role Assignment — Regularly audit user role assignments to ensure they match current responsibilities
- Organization Access — Verify that users only have access to organizations they should manage
- Feature Flags — Ensure feature flags match subscription plans to prevent unauthorized access
- Scheduled Data Collection User — Ensure the data collection user has appropriate Azure permissions and is kept up to date
- OBO Authorization — Review OBO authorization status periodically in Global Settings
Troubleshooting Access Issues
If you are experiencing access issues:
- Verify Role — Confirm your user role has the required permissions for the resource you are trying to access
- Check Assignment — Ensure you are assigned to the organization (for Organization Readers)
- Feature Flags — Verify the feature is enabled for the organization
- OBO Authorization — If running assessments, check that OBO authorization is complete in Global Settings
- Unauthorized Page — If you see the 403 page, use the support email link to request access
- Contact Administrator — Reach out to your vBox administrator if issues persist