meshStack

Guide: Emergency Users

meshStack manages access to cloud platforms, projects and resources. In case urgent intervention is required by someone without regular access permissions, there must be a defined process to securely access meshProjects and associated meshTenants. This page outlines step-by-step procedures that Platform Operators can use as the basis for their own emergency procedures. Depending on your organization's requirements, these procedures can be augmented with additional organisational or technical procedures.

Example use cases for emergency users and emergency intervention include:

  • An important application has stopped functioning and operating users need access to debug and fix the problem
  • Project access for a specific user must be immediately revoked (e.g. due to an account compromise)

In all cases, access permissions can be modified through the meshPartner account, which is managed by an operations team. If available, a user with workspace manager access is also sufficient for some cases.

Emergency Access with Workspace Manager

If a user with workspace manager access is available, meshProject users and roles can be managed the normal way, even if the workspace manager is not assigned to the meshProject.

First, the user requiring emergency access must be invited to the meshWorkspace:

  • Ensure that the correct meshWorkspace is selected
  • Open the Workspace Access tab in the workspace control plane and navigate to the Current Access subtab
  • At the bottom of the screen, type in the name or e-mail of the new user and invite them with the desired role

You can also grant workspace manager rights to the newly invited user, e.g. if the emergency user needs to modify other user permissions. In this case, the new user can perform the following steps themselves.

Adding emergency user as Workspace Manager

The user can then be assigned to meshProjects belonging to the meshWorkspace:

  • In the project overview in the workspace control plane, open the designated project by clicking on its name.
  • Navigate to the Project Access tab and open the Current Access subtab.
  • Add the user with the desired project role.

Since emergency access should only be temporary, it is strongly advised to assign the user a role with a set expiration date, which ensures that the user is automatically removed from the meshProject after the specified date.

Approving emergency user requests

User project role assignments can be configured to require consent from multiple workspace managers (four-eyes principle). To avoid situations where not enough workspace managers are available to confirm an urgent user role request, the meshPartner can confirm project role requests directly:

  • Ensure that the partner is selected from the meshWorkspace drop down
  • Open "Administration" from the settings menu in the top right
  • Navigate to "Workspaces" and select "User Pending Role Requests" from the actions column for the meshWorkspace to which the project is assigned
  • Approve the user role request

Removing emergency user via meshWorkspace

When emergency access is no longer required, the following steps revert the changes that were made:

  • Remove the user from the meshProject by opening the project again and navigating to Project Access > Current Access (performed automatically if an expiration date was set)
  • Remove the user from the meshWorkspace via the workspace control plane: go to Workspace Access > Current Access

Access with meshPartner

Even when no workspace manager is available, users with partner admin/employee access can manage permissions for their managed meshWorkspaces.

Adding emergency user as meshPartner

Note: this only works when Workspace Manager role assignment is enabled via the panel. This depends on the restrictCustomerAdminRoleAssignment configuration value (read more here).

In order to manage users for a specific meshProject, the partner user must add their own account to the respective meshWorkspace as a workspace manager:

  • Ensure that the meshPartner is selected from the meshWorkspace dropdown
  • Open "Administration" from the settings menu in the top right
  • Navigate to "Workspaces" and select "Workspace User" from the actions column for the target workspace
  • Activate the “Add Myself” button in the top right

Afterwards they may proceed to manage users for this meshWorkspace as a workspace manager (see previous section).

Removing emergency user as meshPartner

Since the meshPartner user is now a workspace manager, the procedure is the same as outlined in the previous section. However, to revert the temporary workspace manager role assignment, another workspace manager must remove the partner user from the workspace via Workspace Access > Current Access.

Auditing Emergency Access

Since meshWorkspace/meshProject access permissions should not be granted lightly, all changes to them are logged and can be audited by partner admin/employee users.

Workspace History

  • Ensure that the meshPartner is selected from the meshWorkspace drop down
  • Open "Administration" from the settings menu in the top right
  • Navigate to "Workspaces" and select "Workspace History"

The list contains all meshWorkspace events (e.g. sent invitations, added/removed users, role changes), when they occurred and who initiated the action. Event-specific information (e.g. who the recipient of an invite was) is available via the “Details” button.

Project History

  • Ensure that the meshPartner is selected from the meshWorkspace drop down
  • Open "Administration" from the settings menu in the top right
  • Navigate to "Workspaces" and select "Workspace Projects"
  • Find the project and select "Project History"

The general information per project event is the same as for workspace events. Event types include user assignments and project role changes. Event-specific information is again available via the “Details” button.
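
A follow-up check for the audit step, as an added example that is not meshStack code: given workspace and project history events copied into a list of records, it reports emergency grants that are still in effect and flags those without an expiration date or that a user assigned to themselves (as with "Add Myself"). The record fields, event type names, role names other than Workspace Manager, and all sample values are assumptions constructed for this example; they are not meshStack's history format.

```python
from datetime import datetime

# Constructed sample records. The field names are assumptions for this
# example; they are NOT meshStack's history or export format.
EVENTS = [
    {"ts": "2024-02-01T09:00", "scope": "workspace", "target": "ws-payments",
     "type": "USER_ADDED", "user": "partner.ops", "initiator": "partner.ops",
     "role": "Workspace Manager", "expires": None},
    {"ts": "2024-02-01T09:05", "scope": "workspace", "target": "ws-payments",
     "type": "USER_ADDED", "user": "oncall.dev", "initiator": "partner.ops",
     "role": "Workspace Member", "expires": None},
    {"ts": "2024-02-01T09:10", "scope": "project", "target": "payments-prod",
     "type": "USER_ADDED", "user": "oncall.dev", "initiator": "partner.ops",
     "role": "Project Admin", "expires": "2024-02-02T09:10"},
    {"ts": "2024-02-03T10:00", "scope": "workspace", "target": "ws-payments",
     "type": "USER_REMOVED", "user": "oncall.dev", "initiator": "ws.manager",
     "role": None, "expires": None},
]

def open_grants(events, now):
    """Return grants still in effect at `now`, each with review flags."""
    active = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if datetime.fromisoformat(ev["ts"]) > now:
            continue  # ignore events after the audit cut-off
        key = (ev["scope"], ev["target"], ev["user"])
        if ev["type"] == "USER_ADDED":
            active[key] = ev
        elif ev["type"] == "USER_REMOVED":
            active.pop(key, None)
    findings = []
    for (scope, target, user), ev in active.items():
        expires = ev["expires"] and datetime.fromisoformat(ev["expires"])
        if expires and expires <= now:
            continue  # the expiration date already ended this assignment
        flags = []
        if not expires:
            flags.append("no-expiration")  # must be removed by hand
        if ev["initiator"] == user:
            flags.append("self-added")  # e.g. partner used "Add Myself"
        findings.append({"scope": scope, "target": target, "user": user,
                         "role": ev["role"], "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in open_grants(EVENTS, datetime(2024, 2, 4)):
        print(finding)
```

In the sample data the on-call user's access has been cleaned up, while the partner's temporary workspace manager assignment is still open and needs another workspace manager to remove it.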

Last updated on 2/21/2024
Copyright © 2025 meshcloud GmbH