Skillable role-based access control
- Updated on 13 Sep 2024
When migrating to Skillable, one of the most important things to understand is role-based access control (RBAC) and how it affects your users and operations. With Skillable, RBAC applies in 3 areas: Microsoft Azure, Skillable Studio, and Skillable TMS (or your delivery platform of choice). Permissions in each of these platforms are configured and function differently. This article explains these differences and when to best apply each role to a user.
Azure role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. These controls can be applied at a very broad scope, a very narrow scope, or a combination thereof. For example, the scope can be an individual resource, a resource group, or the whole subscription. For more information, check out What is Azure role-based access control (Azure RBAC)?
Skillable Studio and Skillable TMS support organization-based RBAC. This means that the default scope is a bit broader, covering all of a particular organization (similar to a subscription in Azure). While the scope is broad, the specific permissions vary between the roles in each system.
In this article, all roles are logically grouped into three role types, based on their scope of influence:
Administrator roles: Roles that are responsible for the highest level of configuration & security.
Lab management roles: Roles that are responsible for building & managing lab profiles.
Lab delivery roles: Roles that are responsible for facilitating classes or taking labs.
All Built-in Roles
The list below spans all systems and summarizes which roles different individuals may need in each system.
Role type | Built-in role | Platform | Description |
---|---|---|---|
Administrator | Global Administrator | Microsoft Entra | Grant full control to implement Skillable integration in Azure & create users in Entra ID. Learn more about the Global Administrator role. |
Administrator | Owner | Microsoft Azure | Grant full control to create/manage resource groups & compute galleries, and grant permissions to other users. Learn more about the Owner role. |
Administrator | Contributor | Microsoft Azure | Grant full control to create/manage resource groups & compute galleries, except for assigning roles to other users. Learn more about the Contributor role. |
Administrator | Azure Lab Administrator | Skillable Studio | Grant full control to create/manage Subscription Pools, Templates, Themes, and grant permissions to other users. |
Lab Management | Azure Lab Developer | Skillable Studio | Grant full control to create/manage Lab Profile, VM Profiles, Cloud Resource Templates, and Access Control Policies. |
Lab Management | Organization Instruction Editor | Skillable Studio | Grant full control of lab instructions presented to the learner. |
Lab Management | Organization Activity Editor | Skillable Studio | Grant permission to create or modify questions and performance tasks. |
Lab Delivery | Organization Lab Series Publisher | Skillable Studio | Grant permissions to make labs accessible over API/LTI. |
Lab Management | Organization Lab Report Viewer | Skillable Studio | Grant permission to view, launch, and monitor labs for support purposes. |
Administrator | Azure Labs Operations Manager | Skillable TMS | Grant full control to create/manage Courses, Classes, Self-Paced course catalogs, and grant permissions to other users. |
Administrator | Create Course - Full | Skillable TMS | Grant full control to create/manage Courses and related objects. |
Lab Delivery | Instructor | Skillable TMS | Grant full control to deliver and add student enrollments to classes. Can also monitor live student environments. |
Lab Delivery | Basic User (Student) | Skillable TMS | Grant permissions to view & complete courses & classes. |
Azure Role-Based Access Control
Role type | Built-in role | Description |
---|---|---|
Administrator | Global Administrator | Grant full control to implement Skillable integration in Azure & create users in Entra ID. Learn more about the Global Administrator role. |
Administrator | Owner | Grant full control to create/manage resource groups & compute galleries, and grant permissions to other users. Learn more about the Owner role. |
Administrator | Contributor | Grant full control to create/manage resource groups & compute galleries, except for assigning roles to other users. Learn more about the Contributor role. |
Global Administrator Role
Global Administrator is one of the most powerful roles within Azure/Entra and is not a role that should be given freely. For Skillable, only a single one-time action requires this role. In most cases you can have an existing user with this role perform that task, so that users with this access do not proliferate. The only action a Global Administrator needs to perform is:
Configure the Skillable Integration in the tenant.
Owner Role
Assign the Owner role to give a user full control to create or manage resources directly in Azure, and grant permissions to other users in Azure. When a user has the Owner role on a subscription or resource group, they can perform the following actions across all resources within their scope:
Assign roles to administrators, so they can manage lab-related resources.
Assign roles to lab managers, so they can create and update VM images.
Create Azure Compute Galleries & VM images.
View, delete, and change settings for compute galleries.
View all deployed resources supporting running labs (if scoped at subscription level).
Caution
When you assign the Owner or Contributor role on the subscription, then these permissions also apply to non-lab related resources that exist in the subscription.
Contributor Role
Assign the Contributor role to give a user full control to create or manage resources directly in Azure. The Contributor role has the same permissions as the Owner role, except for:
Performing role assignments
Caution
When you assign the Owner or Contributor role on the subscription, then these permissions also apply to non-lab related resources that exist in the subscription.
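The Caution above, turned into a check (an added example, not Skillable or Microsoft code): this Python sketch takes role assignments in the JSON shape printed by `az role assignment list --all -o json` and reports Owner or Contributor assignments whose scope is the subscription or broader. The sample data, principal names, subscription ID, and resource names are constructed placeholders.

```python
# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription ID, principals, and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-labs"
SAMPLE = [
    {"principalName": "admin@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "labmgr@example.com", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "builder@example.com", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "support@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "imager@example.com", "roleDefinitionName": "Owner",
     "scope": RG + "/providers/Microsoft.Compute/galleries/labgallery"},
]

BROAD_ROLES = {"Owner", "Contributor"}            # the two roles named in the Caution
BROAD_LEVELS = {"subscription", "above subscription"}


def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if parts[:1] != ["subscriptions"]:
        return "above subscription"               # root "/" or a management group
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"                             # anything narrower


def audit(assignments):
    """Return (principal, role, level) for broad roles granted at broad scope."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in BROAD_ROLES and level in BROAD_LEVELS:
            findings.append((a["principalName"], role, level))
    return sorted(findings)


if __name__ == "__main__":
    for name, role, level in audit(SAMPLE):
        print(f"{name}: {role} at {level} scope also covers non-lab resources")
```

Each finding is a candidate for re-scoping to the resource group or compute gallery that actually holds the lab resources.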
Skillable Studio Role-Based Access Control
Role type | Built-in role | Description |
---|---|---|
Administrator | Azure Lab Administrator | Grant full control to create/manage Subscription Pools, Templates, Themes, and grant permissions to other users. |
Lab Management | Azure Lab Developer | Grant full control to create/manage Lab Profile, VM Profiles, Cloud Resource Templates, and Access Control Policies. |
Lab Management | Organization Instruction Editor | Grant full control of lab instructions presented to the learner. |
Lab Management | Organization Activity Editor | Grant permission to create or modify questions and performance tasks. |
Lab Delivery | Organization Lab Series Publisher | Grant permissions to make labs accessible over API/LTI. |
Lab Management | Organization Lab Report Viewer | Grant permission to view, launch, and monitor labs for support purposes. |
Azure Lab Administrator Role
Every organization will have at least one user with this role. Assign the Azure Lab Administrator Role to give a user full control over Skillable Studio components that need to be shared across a large number of labs, where accidental changes could have catastrophic effects. When a user has the Azure Lab Administrator role in Skillable Studio, they can do the following activities:
Specify subscriptions & authentication information for labs to deploy in Azure.
View, create and edit Lab Templates, to provide lab developers with a reliable configuration & quick starting point.
View, create and edit Script Templates, for lab developers to have access to a shared library of scoring or automation scripts.
View, create and edit Themes that tailor the look and feel of the Lab Client for learners.
View, create and edit Lab Tags that allow for managed key:value pairs to add metadata values on labs.
View, create and edit Lab Evaluations, to receive valuable feedback about the lab experience from learners.
Assign roles to users that allow for more individuals to manage, build, or support labs.
Azure Lab Developer Role
Assign the Azure Lab Developer role to give a user access to create or modify labs and the various Skillable Studio components, such as VM profiles and resource templates, that make up a lab definition. When a user has the Azure Lab Developer role in Skillable Studio, they can do the following activities:
View, create and edit lab profiles from lab templates or from scratch.
View, create and edit VM profiles that align to an Azure Marketplace or Compute Gallery image.
View, create and edit ARM templates that deploy additional lab resources beyond VMs.
View, create and edit Access Control Policies that control costs and what the user is able to deploy.
View, create and edit lab instructions.
View and assign cloud subscriptions to labs
View and assign evaluations to labs
Import lab definitions exported from Azure.
Publish Lab Series to the API.
Organization Instruction Editor Role
Assign the Organization Instruction Editor role to give a user access to modify lab instructions that are presented to the learner. When a user has the Organization Instruction Editor role in Skillable Studio, they can do the following activities:
View lab profiles & series.
Modify lab instructions.
Included in Lab Developer
Users with the Azure Lab Developer role already have these permissions. Only use this role to create users with a more limited scope of access.
Organization Activity Editor Role
Assign the Organization Activity Editor role to give a user access to create or modify questions or performance tasks that are presented to the learner. When a user has the Organization Activity Editor role in Skillable Studio, they can do the following activities:
View lab profiles & series.
View, create and edit multiple choice questions.
View, create and edit short answer questions.
View, create and edit Automated Activities.
Organization Lab Series Publisher Role
Assign the Organization Lab Series Publisher role to give a user access to edit Lab Series so they can make labs available over API or LTI. When a user has the Organization Lab Series Publisher role in Skillable Studio, they can do the following activities:
View and edit lab series
Add API Consumers to labs
Included in Lab Developer
Users with the Azure Lab Developer role already have these permissions. Only use this role to create users with a more limited scope of access.
Organization Lab Report Viewer Role
Assign the Organization Lab Report Viewer role to give a user access to either support or QA test labs prior to them being available for other users. When a user has the Organization Lab Report Viewer role in Skillable Studio, they can do the following activities:
View and launch any lab profiles.
View any student user accounts and their launch history
View detailed information about user lab instances, including any errors.
Access over-the-shoulder monitoring of student environments for live troubleshooting.
Skillable TMS Role-Based Access Control
Role type | Built-in role | Description |
---|---|---|
Administrator | Azure Labs Operations Manager | Grant full control to create/manage Courses, Classes, Self-Paced course catalogs, and grant permissions to other users. |
Administrator | Create Course - Full | Grant full control to create/manage Courses and related objects. |
Lab Delivery | Instructor | Grant full control to deliver and add student enrollments to classes. Can also monitor live student environments. |
Lab Delivery | Basic User (Student) | Grant permissions to view & complete courses & classes. |
Azure Labs Operations Manager Role
Every organization will have at least one user with this role. Assign the Operations Manager role to give a user full control over your Skillable Training Management System (TMS) organization to manage users, content, and training. When a user has the Operations Manager role in the Skillable TMS, they can do the following activities:
View and edit courses.
View and launch labs outside of scheduled classes.
Monitor and take control of student labs.
View and edit organization preferences.
View, create, edit, and assign roles to users.
View, create, and edit classes for instructor-led learning/training.
View, create, and edit course assignments and subscriptions for self-paced learning/training.
View, create, and edit surveys and assessments.
Create and manage badges.
Create Course - Full Role
Assign the Create Course - Full role to give a user access to create and manage content for your Skillable Training Management System (TMS) organization. Create courses and supplemental materials to enhance learning. When a user has the Create Course - Full role in the Skillable TMS, they can do the following activities:
View, create, and edit courses.
View, create, and edit SCORM modules.
View, create, and edit course tags.
View, create, and edit custom fields.
View, create, and edit surveys and assessments.
View, create, and edit publishing groups.
View, create, and edit course completion certificates.
Included in Operations Manager
Users with the Azure Labs Operations Manager role already have these permissions. Only use this role to create users with a more limited scope of access.
Instructor Role
Assign the Instructor role to give a user access to manage and conduct classes. Instructors manage the rosters, control access to activities, and monitor and assist students with labs via over-the-shoulder lab monitoring. When a user has the Instructor role in the Skillable TMS, they can do the following activities:
View courses and course activities.
View and launch labs outside of scheduled classes.
Monitor and take control of student labs.
Share files directly to student lab VMs.
View and edit classes.
Basic User (Student)
All users in the Skillable Training Management System (TMS) are assigned the Basic User role at the time of user creation. This allows for the self-management of their account and access to assigned training. When a user has the Basic User role in the Skillable TMS, they can do the following activities:
View and edit their own user account.
View current training and transcript pages.
View courses.
View and complete assigned training and classes.