WebIAMRBAC

Identity & Access Management

The IAM module provides multi-tenant role-based access control (RBAC) for the Quper platform. It manages users, groups, roles, environments, and fine-grained permissions across all modules.

Route prefix: /identity-and-access-management

Module Structure

Route Tree
/identity-and-access-management
├── /user-management           → User CRUD & profile management
├── /groups                    → Group creation & membership
├── /roles                     → Role hierarchy & definitions
├── /environments              → Environment/tenant management
└── /permissions
    ├── /general               → Global permission settings
    └── /user-permissions      → Per-user permission overrides

User Management

Provides full CRUD operations for platform users within the active tenant:

  • Create users — Invite by email with role assignment at creation time
  • Edit profiles — Update display name, contact info, and role assignments
  • Deactivate users — Soft-delete preserves audit trail while revoking access
  • Bulk operations — Select multiple users for role assignment or deactivation

Groups

Groups allow permission sets to be applied to multiple users collectively. Group management supports:

  • Creating named groups with descriptions
  • Adding/removing users from groups via member management UI
  • Assigning roles to groups (roles cascade to all group members)
  • Group-level permission overrides

Roles

Roles define a collection of permissions. The platform ships with built-in roles and supports custom role creation:

Role             Access Level
Admin            Full platform access including IAM management
Editor           Read/write to all analytics modules, no IAM access
Viewer           Read-only access to all analytics modules
FinOps Analyst   Full access to Cost & Usage module only
DBA              Full access to Redshift Health module only
On-Call          Read access to Monitoring module, can acknowledge alerts

Environments

Environments represent logical tenants or workspace boundaries. Each environment has its own:

  • Redshift cluster connection credentials
  • Cost and usage data scope
  • User membership (users can belong to multiple environments)
  • Alert rule configurations

Multi-tenancy

Quper uses environment-level isolation. All API requests include the active environment ID, and the backend enforces data separation at the query level.

Permissions

General Permissions

Global permission settings apply to every user not covered by a more specific group, role, or user-level override. Resolution follows a hierarchical override pattern:

Permission Resolution Order
1. User-level override (highest priority)
2. Group-level permission
3. Role-level permission
4. General (global) permission (lowest priority)

User Permissions

Fine-grained per-user permission overrides that take precedence over role and group assignments. Use cases include:

  • Granting temporary elevated access to a specific user
  • Restricting a user's access to specific modules even if their role allows it
  • Compliance-driven access restrictions
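As an added example (not part of the Quper module's own code), the following Python resolver implements the four-layer precedence from the Permission Resolution Order above together with the user-level overrides described here, checking environment membership first as the tenant boundary. It assumes that within one layer an explicit deny beats an allow from another subject, that nothing configured anywhere means deny, and that the store layout and names (PermissionStore, resolve, sample_store, the role and permission strings) are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Principal:
    user_id: str
    environments: set[str]                  # tenant membership (a user may belong to several)
    roles: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)

@dataclass
class PermissionStore:
    # Layer tables map (subject, permission) -> allow/deny; the layout and names are hypothetical.
    user_overrides: dict[tuple[str, str], bool] = field(default_factory=dict)
    group_perms: dict[tuple[str, str], bool] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)  # roles cascade to members
    role_perms: dict[tuple[str, str], bool] = field(default_factory=dict)
    general: dict[str, bool] = field(default_factory=dict)

def _layer(table: dict, subjects, perm: str) -> Optional[bool]:
    """One layer's answer: True allow, False deny, None not set. Any explicit deny wins (assumption)."""
    found = [table[(s, perm)] for s in subjects if (s, perm) in table]
    return all(found) if found else None

def resolve(store: PermissionStore, p: Principal, env: str, perm: str) -> bool:
    """Walk the four layers in priority order; the first layer that is set decides."""
    if env not in p.environments:           # tenant boundary before any permission lookup
        return False
    effective_roles = set(p.roles)
    for g in p.groups:                      # roles assigned to a group apply to its members
        effective_roles |= store.group_roles.get(g, set())
    for decision in (
        _layer(store.user_overrides, [p.user_id], perm),  # 1. user-level override
        _layer(store.group_perms, p.groups, perm),         # 2. group-level permission
        _layer(store.role_perms, effective_roles, perm),   # 3. role-level permission
        store.general.get(perm),                           # 4. general (global) permission
    ):
        if decision is not None:
            return decision
    return False                            # nothing configured anywhere: default deny (assumption)

def sample_store() -> PermissionStore:
    """Constructed sample data: Viewer reads cost, a group cascades FinOps Analyst, one user is restricted."""
    s = PermissionStore()
    s.general["cost.read"] = False                        # global default: no cost access
    s.role_perms[("viewer", "cost.read")] = True
    s.group_roles["finops-team"] = {"finops-analyst"}
    s.role_perms[("finops-analyst", "cost.write")] = True
    s.user_overrides[("carol", "cost.write")] = False     # compliance-driven user override
    return s
```

Because the environment check runs before any layer is consulted, a user-level allow can never leak data from an environment the user is not a member of.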