A meshCustomer usually represents a product team or department in your organization. Self-service within a meshCustomer allows you to invite and manage team members, create meshProjects and maintain organizational metadata like payment methods.
Organizations implementing meshStack can choose to offer self-service customer registration via meshPanel or externalize the process to some existing ITSM or process automation system. Operators can read more about these options here.
In any case, the meshCustomer creation process always involves collecting basic customer information like name, identifier and any additional metadata specific to your organization.
Managing your meshCustomer
Every aspect of your meshCustomer can be managed in the so-called customer control plane. The customer control plane is the highest control plane. From that level, you can navigate to various control planes like the project control plane or the tenant control plane. Each control plane has a similar scheme. Depending on your permissions within the customer and the meshStack configuration, you will have access to different tabs like Settings or Financials. The customer control plane below shows the control plane from the perspective of a Customer Admin.
General information of a meshCustomer (like its name) and Customer Tags can be edited under the Settings tab. The customer identifier is also shown here, but it can never be changed, as it is used as an immutable identifier of the meshCustomer for its representation in the different cloud platforms. You are however able to change the display name of the meshCustomer.
If configured by your Cloud Foundation team, you may also be able to edit additional customer metadata tags in the Settings tab.
Invite users to a meshCustomer team
If you would like to give others access to your meshCustomer and the related meshProjects, go to your Access Control tab. You can access it by pressing the settings icon on the top right of the meshPanel. From here, navigate to Access Control. Here you can invite users or groups to the meshCustomer. You can search for users via first & last name, email and username. The users that can be found via this search depend on the configured IAM system in your meshInstallation. It is, for example, possible to search for users in an Active Directory or a Google Cloud Directory. Additionally, all users already known to meshStack can be found via this user search. Besides users, you can also search for groups via their name and identifier.
If you want to invite a user who is not known to the connected IAM system or to meshStack, you can invite them by providing their first and last name as well as an email address. The invited user will be matched via the email address when they log in to meshStack for the first time. The "invite user" link is available when the search did not return any results.
You can initially set the meshCustomer role in the dropdown, which describes the access level of the invited user or group. Press "+" to add the user or group to the meshCustomer. All users and members of the group will receive an email informing them that they have been granted access to your meshCustomer.
Assigning a meshCustomer role is necessary in order to give access to meshProjects inside the meshCustomer. If the 4-eyes principle is active, the user or group will not be assigned directly to your meshCustomer. Another Customer Admin has to approve this role assignment first. Until then, the user or group will appear in the "Pending Requests" section.
To avoid assigning multiple users individually to your projects, you can also group them in a user group. The user group is only available inside your meshCustomer. User groups can be assigned roles on a meshCustomer and a meshProject in the same way as individual users.
You can view user groups within your customer account by going to the Groups section in the Access Control tab. Currently, creating a group is only supported via the meshObject API.
Assign meshCustomer Roles
You can change the role assigned to each user or group on the current meshCustomer. To change the assigned role choose a new role from the dropdown.
A user or a group can be assigned multiple roles simultaneously. All users and members will receive the combined rights of all their assigned roles.
The following roles are available:
- Customer Owner: Has full access to the meshCustomer and its projects and can manage access to the meshCustomer account. A user that has this role will be the contact person for any matters related to the meshCustomer. There can be at most two Customer Owners in a meshCustomer. If a Customer Owner already exists, that Customer Owner can assign the Customer Owner role to another user. If a Customer Owner doesn't exist, the Customer Admins can assign a Customer Owner.
- Customer Admin: Has full access to the meshCustomer and its projects and can manage access to the meshCustomer account.
- Customer Employee: Has full access to project resources, but cannot manage access, create projects, etc. of the meshCustomer account.
The following table provides details about the functionality available to the different roles.
| Functionality | Customer Owner | Customer Admin | Customer Employee |
|---|---|---|---|
| Project Control Plane | ✓ | ✓ | ✓ |
| Tenant Control Plane | ✓ | ✓ | ✓ |
| Assign Customer Owner | ✓ | | |
| Customer User Groups | ✓ | ✓ | |
| Publish Service Broker | ✓ | ✓ | |
The roles that are available for Partner and Admin customers are described in the Administration section.
meshCustomer roles grant rights in meshStack only. In order to access cloud resources users need to be granted a role on a meshProject.
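The role rules above (combined rights, the two-owner limit, who may assign a Customer Owner, and 4-eyes approval) can be expressed as a small model. This is an added illustration, not meshStack code or the meshObject API: the `Customer` class and its method names are hypothetical, and it assumes that a Customer Owner may also approve requests.

```python
from dataclasses import dataclass, field

# Rights per role, transcribed from the table on this page.
BASE = {"Project Control Plane", "Tenant Control Plane"}
MANAGE = BASE | {"Customer User Groups", "Publish Service Broker"}
ROLE_RIGHTS = {
    "Customer Owner": MANAGE | {"Assign Customer Owner"},
    "Customer Admin": MANAGE,
    "Customer Employee": BASE,
}
MANAGERS = {"Customer Owner", "Customer Admin"}  # roles that can manage access

@dataclass
class Customer:  # hypothetical model, not a meshStack API object
    four_eyes: bool = True
    bindings: dict = field(default_factory=dict)  # principal -> set of roles
    pending: list = field(default_factory=list)   # (requester, principal, role)

    def holders(self, role):
        return {p for p, roles in self.bindings.items() if role in roles}

    def rights(self, principal):
        # Multiple roles combine: the effective rights are the union.
        return set().union(*(ROLE_RIGHTS[r] for r in self.bindings.get(principal, ())))

    def _may_assign(self, actor, role):
        roles = self.bindings.get(actor, set())
        if role == "Customer Owner" and self.holders(role):
            return "Customer Owner" in roles  # an existing owner hands out ownership
        return bool(roles & MANAGERS)         # otherwise any owner or admin

    def request(self, requester, principal, role):
        if not self._may_assign(requester, role):
            raise PermissionError(f"{requester} may not assign {role}")
        if role == "Customer Owner" and len(self.holders(role) | {principal}) > 2:
            raise ValueError("a meshCustomer has at most two Customer Owners")
        if self.four_eyes:
            self.pending.append((requester, principal, role))  # "Pending Requests"
        else:
            self.bindings.setdefault(principal, set()).add(role)

    def approve(self, approver, principal, role):
        req = next(r for r in self.pending if r[1:] == (principal, role))
        # Assumption: owners may approve too; the requester never approves their own request.
        if approver == req[0] or not self.bindings.get(approver, set()) & MANAGERS:
            raise PermissionError("approval needs a different Customer Admin")
        self.pending.remove(req)
        self.bindings.setdefault(principal, set()).add(role)
```
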
Remove assigned meshCustomer Roles
If you would like to remove a user or group from your meshCustomer, go to the Access Control tab and select Current Access. You can click the "trash" icon in the Current Access section to remove the user or group from your meshCustomer. If 4-AP is active in your meshInstallation and the role request has not been approved by another Customer Admin yet, click the "trash" icon in the "Access Requests" section. When removing someone from the meshCustomer, the user or group is automatically removed from all projects it has access to. The affected users will no longer be able to access cloud resources of your projects unless they are still assigned via another role binding. The users or members of the group will be informed via email that their access to the meshCustomer was revoked.
Before a meshCustomer may be deleted, a check is performed to verify the following:
- all meshProjects in the meshCustomer have been deleted. This means that they are not only marked for deletion, but that they have actually been deleted in the platforms.
- all published Service Brokers in the meshCustomer have been deactivated
The deletion can be performed only by the Customer Owners! You can delete the customer under Settings > Danger Zone in the customer control plane. You will be asked for confirmation and a deletion reason when you click the button.
Note: The deletion of a customer cannot be reversed!
The following steps will be done during deletion:
- all assigned users & groups as well as pending binding requests will be removed from the meshCustomer
- all payment methods on the meshCustomer will be soft-deleted, so meshPartners can still get details like info on usage of these payment methods
- all policy violations related to the deleted meshCustomer will be removed
- a "deleted" event is written to the customer events, including a reason that was provided during deletion
meshCustomers are soft-deleted, so meshPartners can still see deleted meshCustomers and their events in the Admin Area. Deleted meshCustomers and meshPaymentMethods will be highlighted by a "Deleted" label.