Using Teams
The Teams feature of Tines allows for logical separation of users, credentials, resources, and stories. Team members will only be able to access the configuration items of teams that they are a part of unless they are a tenant owner.
Team members can be added using the "Invite" button on the "Members" page of the team. If an account does not exist yet in the tenant when added to a team, an invitation email will be sent to the user to join the tenant. Members can be removed from a team at any point by any team administrator or a tenant owner, unless they are the last member of the Team.
Roles
All members of a team or group must be assigned a role in Tines, e.g., Team Admin, Editor or Viewer. Each role has a set of permissions assigned to it, which give read and/or write access to objects in the team or group.
1. Team Admin
This role gives the user unrestricted read and write permissions to all objects in the team. This is useful for admins or team managers responsible for adding/removing users from a team. This will also give them permission to perform destructive actions on a team such as deleting stories, resources or credentials.
A team admin can change the role of a user or assign a role to a new user on the team members list.
2. Editor
This role gives the user read and write permissions to most objects on the team, but unlike the team admin role, they cannot perform destructive actions on the team such as deleting stories, resources or credentials. For stories with change management enabled, this role will also restrict pushing test changes to the live story (this action is reserved for team admins only).
This role is useful for most users who simply want to create, edit and run stories in Tines.
3. Viewer
This role gives the user read-only permission to most objects on the team.
This role is useful for situations where a colleague or auditor needs oversight or understanding of an automated workflow, without the ability to alter it – or even accidentally break it.
4. Case manager
This role is only available to customers with cases enabled.
This role gives the user read-write permissions to cases, while restricting access to other objects on the team (stories, resources, credentials, events, etc.).
This role is useful for users who work with cases and do not need access to many other aspects of the system.
Note that while Case managers are not able to access most objects in their team, they are still able to author stories in their drafts and access objects (resources, credentials, stories for "send to story") shared globally with all users.
Permissions table
*Sensitive components of a credential that could increase risk of malicious credential exposure have further restrictions:
Access (control where the credential can be used): changes are restricted to Team Admin.
Domains (Specify allowed domains, URL paths, or server hosts to use restricted credentials in outbound requests): changes are restricted to Team Admin or the credential creator.
Sharing across teams
By default, objects (credentials, resources and send to story enabled stories) can be shared across teams.
This allows you to securely reuse the object in multiple places. If it's updated in one team, it's updated across teams. Please note: all credentials and resources must have a unique name across the tenant.
Credentials and resources can be shared by using the "Access" configuration options within the object. By default, sharing is enabled only within the team where the credential or resource exists; the "All teams & drafts" option makes the item available to all teams within the tenant.
Similarly, when send to story is enabled, you can share a story by opening that story, opening the send to story settings modal from the right-hand panel, and selecting teams from the "Access" section. This allows other teams to use this story in their send to story actions.
See also Send to Story: Enabling a story for Send to Story and Send to Story: Access.
Custom object sharing
If enabled on your tenant, you can determine with which teams an object is shared. You'll see the option to select teams individually when you open the access configuration options on any of the objects: credentials, resources, or stories with send to story enabled.
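The sharing modes above determine which teams can use a credential, and the Case manager note earlier means anything shared with "All teams & drafts" is also usable from drafts. The following is an added example, not Tines code: it audits a constructed inventory for credentials shared beyond their owning team, and its field names, access labels and severity ranking are assumptions of this example rather than Tines API values.

```python
# Constructed inventory. Field names and access values are hypothetical labels
# for the page's three sharing modes; they are not Tines API fields.
TEAMS = ["SOC", "Cloud", "IT", "Cases"]
INVENTORY = [
    {"name": "jira_api", "team": "SOC", "access": "team",
     "shared_with": [], "domains": ["jira.example.com"]},
    {"name": "aws_admin", "team": "Cloud", "access": "all_teams_and_drafts",
     "shared_with": [], "domains": []},
    {"name": "slack_bot", "team": "IT", "access": "all_teams_and_drafts",
     "shared_with": [], "domains": ["slack.example.com"]},
    {"name": "vt_key", "team": "SOC", "access": "selected_teams",
     "shared_with": ["IT"], "domains": []},
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def reach(cred, teams):
    """Teams whose members can use this credential under its sharing mode."""
    if cred["access"] == "all_teams_and_drafts":
        return set(teams)
    if cred["access"] == "selected_teams":
        return {cred["team"], *cred["shared_with"]}
    return {cred["team"]}  # default: owning team only


def audit(inventory, teams):
    """Return (name, severity, reason) for credentials shared beyond their team."""
    findings = []
    for cred in inventory:
        tenant_wide = cred["access"] == "all_teams_and_drafts"
        if not tenant_wide and reach(cred, teams) <= {cred["team"]}:
            continue  # not shared outside the owning team
        if cred["domains"]:
            sev, reason = "low", "shared, limited to " + ", ".join(cred["domains"])
        else:
            sev = "high" if tenant_wide else "medium"
            reason = "shared with no domain restriction"
        if tenant_wide:
            reason += "; usable from drafts, including by Case managers"
        findings.append((cred["name"], sev, reason))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


def usable_by_team(inventory, teams):
    """Map each team to the sorted names of credentials its members can use."""
    return {t: sorted(c["name"] for c in inventory if t in reach(c, teams))
            for t in teams}
```

Calling `audit(INVENTORY, TEAMS)` lists the shared credentials most severe first, and `usable_by_team(INVENTORY, TEAMS)` shows what each team, including one that owns no credentials, can actually use.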
Team story allocation
If you have multiple teams in a tenant, the tenant owner can provision story limits by team.
Go to your Team dropdown menu in the top left corner
Click on Settings
Choose Story allocation from the secondary popover
Check the box for the team(s) you want to limit
Set the maximum stories for the team(s)
Click Save
You can always come back and modify these settings.