meshWorkspace
A meshWorkspace usually represents a product team or department in your organization. Self-service within a meshWorkspace allows you to invite and manage team members, create meshProjects and maintain organizational metadata like payment methods.
Workspace Creation
Organizations implementing meshStack can choose to offer self-service workspace registration via meshPanel or externalize the process to some existing ITSM or process automation system. Partners can read more about these options here.
In any case, the meshWorkspace creation process always involves collecting basic workspace information like name, identifier and any additional metadata specific to your organization.
Managing your meshWorkspace
Every aspect of your meshWorkspace can be managed in the so-called workspace control plane. The workspace control plane is the highest control plane. From that level, you can navigate down to the project control plane & tenant control plane. Each control plane has a similar layout. Depending on your permissions within the workspace and the meshStack configuration, you will have access to different tabs like Settings or Financials. The workspace control plane below shows the control plane from the perspective of a Workspace Manager.
General information of a meshWorkspace (like its name) and Workspace Tags can be edited under the Settings tab. The workspace identifier is also shown here, but it can never be changed, as it is used as an immutable identifier of the meshWorkspace for its representation in the different cloud platforms. You are however able to change the display name of the meshWorkspace.
If configured by your Cloud Foundation team, you may also be able to edit additional workspace metadata tags in the Settings Tab.
Invite users to a meshWorkspace team
If you would like to give others access to your meshWorkspace and the related meshProjects, go to the Workspace Access tab. You can reach it by pressing the settings icon in the top right of the meshPanel. From there, navigate to Current Access, where you can invite users or groups to the meshWorkspace. You can search for users via first & last name, email and username. Which users can be found via this search depends on the IAM system configured in your meshInstallation; it is, for example, possible to search for users in an Active Directory or a Google Cloud Directory. Additionally, all users already known to meshStack can be found via this user search. Groups can be searched for as well, via their name and identifier.
If you want to invite a user who is not known to the connected IAM system or to meshStack, you can invite them by providing their first and last name as well as an email address. The invited user is matched via the email address when they log in to meshStack for the first time. The "invite user" link is available when the search did not return any results.
You initially set up the meshWorkspace role in the dropdown, which describes the access level of the invited user or group. Press "+" to add them to the meshWorkspace. All users and members of the group will receive an email informing them that they have been granted access to your meshWorkspace.
Assigning a meshWorkspace role is necessary in order to give access to meshProjects inside the meshWorkspace. If the 4-eyes principle is active, the user or group will not be assigned directly to your meshWorkspace. Another Workspace Manager has to approve this role assignment first, so until then the user or group will appear in the "Pending Requests" section.
User Groups
To avoid having to assign multiple users individually to your projects, you can also group them in a user group. The user group is only available inside your meshWorkspace. User groups can be assigned roles on a meshWorkspace and a meshProject in the same way as individual users.
You can view user groups within your workspace by going to the User Groups section in the Access Control tab. Currently, creating a group is only supported via the meshStack API and to create one you will need a Workspace identifier, which you can find on the Workspace overview.
Assign meshWorkspace Roles
You can change the role assigned to each user or group on the current meshWorkspace. To change the assigned role choose a new role from the dropdown.
A user or a group can be assigned multiple roles simultaneously. All users and members will receive the combined rights of all their assigned roles.
The following roles are available:
- Workspace Owner: Has full access to the meshWorkspace and its projects and can manage access to the meshWorkspace. A user that has this role will be the contact person for any matters related to the meshWorkspace. There can be at most two Workspace Owners in a meshWorkspace. If a Workspace Owner already exists, that Workspace Owner can assign the Workspace Owner role to another user. If no Workspace Owner exists, the Workspace Managers can assign a Workspace Owner.
- Workspace Manager: Has full access to the meshWorkspace and its projects and can manage access to the meshWorkspace.
- Workspace Member: Has full access to project resources, but cannot manage access, create projects, etc. of the meshWorkspace.
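The assignment rules described above (only access managers may bind roles, the two-Owner limit, Owner assignment by an existing Owner or otherwise by a Manager, and the 4-eyes approval by a second Workspace Manager) can be expressed as a small authorization model. This is an added illustration, not meshStack's own code; the `Workspace` class, its method names and the role strings are assumptions made for the example.

```python
from dataclasses import dataclass, field

OWNER, MANAGER, MEMBER = "Workspace Owner", "Workspace Manager", "Workspace Member"
ACCESS_MANAGERS = {OWNER, MANAGER}   # roles that may manage access (see role table)
MAX_OWNERS = 2                       # at most two Workspace Owners per meshWorkspace


@dataclass
class Workspace:
    # Hypothetical in-memory model of one meshWorkspace's role bindings.
    four_eyes: bool                                  # 4-eyes principle active?
    bindings: dict = field(default_factory=dict)     # subject -> set of roles
    pending: list = field(default_factory=list)      # (subject, role, requester)

    def roles_of(self, subject):
        return self.bindings.get(subject, set())

    def _check(self, actor, subject, role, approving=False):
        """Raise unless `actor` may bind `role` to `subject` at this moment."""
        if not self.roles_of(actor) & ACCESS_MANAGERS:
            raise PermissionError(f"{actor} may not manage access")
        if role == OWNER:
            owners = {s for s, r in self.bindings.items() if OWNER in r}
            # An existing Owner assigns further Owners; a Manager only the first one.
            if owners and not approving and OWNER not in self.roles_of(actor):
                raise PermissionError("only a Workspace Owner may assign Workspace Owner")
            if subject not in owners and len(owners) >= MAX_OWNERS:
                raise ValueError("maximum of two Workspace Owners reached")

    def request_role(self, requester, subject, role):
        """Bind directly, or queue the request when the 4-eyes principle applies."""
        self._check(requester, subject, role)
        if self.four_eyes:
            self.pending.append((subject, role, requester))
            return "pending"
        self.bindings.setdefault(subject, set()).add(role)
        return "assigned"

    def approve(self, approver, subject, role):
        """A second access manager (never the requester) approves a pending request."""
        for entry in self.pending:
            if entry[:2] == (subject, role):
                if approver == entry[2]:
                    raise PermissionError("a request cannot be approved by its requester")
                self._check(approver, subject, role, approving=True)  # re-validate now
                self.pending.remove(entry)
                self.bindings.setdefault(subject, set()).add(role)
                return "assigned"
        raise LookupError("no such pending request")
```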
meshWorkspace Roles
The following table provides details about the functionality available to the different roles.
Function | Workspace Owner | Workspace Manager | Workspace Member
---|---|---|---
View Projects | ✓ | ✓ | ✓ (if assigned)
Workspace Projects | ✓ | ✓ |
Create Project | ✓ | ✓ |
Edit Project | ✓ | ✓ |
Add meshTenants | ✓ | ✓ |
Delete meshTenants | ✓ | ✓ |
Payment Information | ✓ | ✓ |
Access Control | ✓ | ✓ |
Expired Access | ✓ | ✓ |
Project Statements | ✓ | ✓ |
Delete Project | ✓ | ✓ |
Workspace Users | ✓ | ✓ |
Give Access | ✓ | ✓ |
Edit Access | ✓ | ✓ |
Remove Access | ✓ | ✓ |
Assign Workspace Owner | ✓ | |
Workspace User Groups | ✓ | ✓ |
Workspace Settings | ✓ | ✓ |
Payment Methods | ✓ | ✓ |
Service Broker Development | ✓ | ✓ |
The roles that are available to meshStack Administrators are described in the Administration section.
meshWorkspace roles grant rights in meshStack only. In order to access cloud resources users need to be granted a role on a meshProject.
Remove assigned meshWorkspace Roles
If you would like to remove a user or group from your meshWorkspace, go to the Workspace Access tab and select Current Access. Click the "trash" icon in the Current Access section to remove the user or group from your meshWorkspace. If the 4-eyes principle (4-AP) is active in your meshInstallation and the role request has not yet been approved by another Workspace Manager, click the "trash" icon in the "Access Requests" section instead. When someone is removed from the meshWorkspace, the user or group is automatically removed from all projects it has access to. The affected users will no longer be able to access the cloud resources of your projects unless they are still assigned via another role binding. The users or members of the group will be informed via email that their access to the meshWorkspace was revoked.
Roles Recertification
If you do not have a central Identity and Access Management (IAM) system for recertifying roles, you can still recertify roles locally in meshStack by controlling the duration of access for a Workspace. To do this, navigate to the Settings page and select the Compliance tab. From there, you can choose a specific time frame for a particular Workspace role, such as a 6-month limit for the Workspace Owner role. This means that users cannot be assigned to the Workspace Owner role for longer than 6 months. By choosing a specific time frame, you also make it mandatory to set an expiration date for Workspace roles. This means that an expiration date for a Workspace role will be required during Workspace creation or when assigning users afterward. After the expiration date, users will be automatically unassigned from the Workspace.
Role recertification is also available for assigning users to the role via API. When you enable Workspace Role Recertification in the Settings, the system will automatically set an expiration date when you create a WorkspaceUserBinding or WorkspaceGroupBinding using the meshObject API. For instance, if you've configured on the Settings page to limit a Workspace Owner's access to 6 months, any Workspace Owner created via the API will automatically have an expiration date of 6 months from the date they were created.
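The recertification behaviour described in the two paragraphs above (a per-role duration limit, an expiry that defaults to that limit when a binding is created via API, rejection of longer expiries, and automatic unassignment once the date has passed) is shown here as an added example. It is not meshStack's or the meshObject API's code; `RecertPolicy`, `Binding` and `sweep_expired` are names assumed for the illustration, and the limit is modelled in calendar months.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day (e.g. Aug 31 + 6 months -> Feb 28)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Binding:
    # Hypothetical stand-in for a WorkspaceUserBinding / WorkspaceGroupBinding.
    subject: str
    role: str
    created: date
    expires: Optional[date]


@dataclass
class RecertPolicy:
    limits: dict   # role -> maximum binding duration in months (Compliance tab setting)

    def create_binding(self, subject, role, created, expires=None):
        """Expiry defaults to the configured limit and may not exceed it;
        roles without a configured limit stay unbounded."""
        limit = self.limits.get(role)
        if limit is None:
            return Binding(subject, role, created, expires)
        latest = add_months(created, limit)
        if expires is None:
            expires = latest
        elif expires > latest:
            raise ValueError(f"{role} bindings may not exceed {limit} months")
        return Binding(subject, role, created, expires)


def sweep_expired(bindings, today):
    """Split bindings into those still active and those to unassign (expired)."""
    active = [b for b in bindings if b.expires is None or b.expires >= today]
    expired = [b for b in bindings if b.expires is not None and b.expires < today]
    return active, expired
```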
Workspace Deletion
Before a meshWorkspace may be deleted, a check is performed to verify the following:
- all meshProjects in the meshWorkspace have been deleted
- all published Service Brokers in the meshWorkspace have been deactivated
The deletion can be performed only by the Workspace Owners! You can delete the workspace under Deletion in the workspace control plane. You will be asked for confirmation and a deletion reason.
Note: The deletion of a workspace cannot be reversed!
The following steps will be done during deletion:
- all assigned users & groups as well as pending binding requests will be removed from the meshWorkspace
- all payment methods on the meshWorkspace will be soft-deleted, so meshPartners can still get details like info on usage of these payment methods
- all policy violations related to the deleted meshWorkspace will be removed
- a "deleted" event is written to the workspace events, including a reason that was provided during deletion
meshWorkspaces are soft-deleted, so meshPartners can still see deleted meshWorkspaces and their events in the Admin Area. Deleted meshWorkspaces and meshPaymentMethods will be highlighted by a "Deleted" label.