• Administrator overview
• Managing users and permissions
  • User roles and access permissions
  • Creating users
  • Editing users
  • Unlocking a user account
  • Resending a user activation link
  • Deleting or deactivating users
  • Using groups
  • Managing departments
  • Managing passwords and password policies
  • Setting account-wide access policies
  • Changing a resource owner
  • Using Single Sign-On (SSO)
    • Using Single Sign-on (SSO) with Azure Active Directory (AAD)
    • Configuring an ADFS claim rule for SSO
• Managing account-wide settings
  • Adding container registries
• Managing public IP addresses
• Managing WANs
  • Overview: VPNs
    • Creating a VPN
      • VPN configuration parameters
        • AWS VPC: VPN configuration example
        • Azure VPN: VPN configuration example
        • Cisco ASA: VPN configuration example
        • Cisco IOS: VPN configuration example
        • Juniper SRX: VPN configuration example
        • pfSense: VPN configuration example
        • strongSwan: VPN configuration example
  • Overview: Skytap on Azure ExpressRoute connections
    • Creating a Skytap on Azure ExpressRoute connection
    • Creating a customer-managed Skytap on Azure ExpressRoute connection
  • Testing the WAN
    • Troubleshooting VPN test failures
  • Connecting an environment network to a WAN
  • Configuring WAN access controls
  • Editing an existing WAN connection
  • Disable a WAN
• Managing Metered RAM and storage usage
  • How usage is calculated
  • Viewing current usage and enabling pay-as-you-go capacity
  • Reserved capacity for Skytap on Azure
  • Reserved capacity for Skytap on IBM Cloud
  • Setting usage limits
  • Setting up notifications
  • VM pinning
• Reporting overview
  • Viewing and exporting user information
  • Viewing and exporting group information
  • Generating department reports
  • Generating audit reports
    • Configuring the webhook service for audit data
  • Viewing usage data
    • Using labels for in-depth reporting
    • Creating usage label categories
    • Configuring the webhook service for usage data
  • Enabling other users to generate reports
• Security best practices
• Other best practices
• Sharing templates with users in other Skytap accounts
• Finding the source environment from a sharing portal URL
• Including your logo in the Skytap interface

User roles and access permissions

This document describes the Skytap permissions model and explains the differences between different user roles.

Overview: Access to templates, environment, and assets

Most activity in Skytap centers on templates, environments, and assets (resources). Generally, a user’s permissions to edit and use an environment, template, or asset depends on his or her user role and whether or not the user owns the resource.

Default access and permissions

Users create resources by importing VMs, uploading asset files, or cloning existing resources. When a user creates a resource, the user becomes the resource owner.

• Standard users and user managers have permission to view, edit, share, or delete the resources they own. By default, users can’t view the resources owned by other users.
• Administrators have permission to view, edit, share, or delete all of the resources created in the account.

Extending access and permissions to other Skytap users

An administrator can give other, non-administrator users the ability to generate reports.

Additionally, a user or administrator can share a resource with other Skytap users by adding the resource to a project. The project members can view, use, and/or manage the resource, depending on their project role and user role. For more information, see Understanding project roles.

Public templates and assets

Skytap provides public templates and public assets that include pre-built environments and helpful files. These resources are owned by Skytap—not by other users.

• Public templates can’t be added to projects, but they can be copied (and their copies can be shared).
• Administrators can enable or restrict each user’s access to public templates and assets (see Additional user permissions below).
• Administrators can’t edit or delete public templates or assets.

User roles

When you create a user, you assign one of four user roles: Restricted, Standard, User Manager, or Administrator, with the following permissions.

Restricted	Standard	User Manager	Administrator	Can do this
				Access shared project resources
*				Create and own projects
†				Create environments, templates, and assets
				Create and edit users and groups
				Delete groups
	‡	‡		Create and view reports.
				Create and edit departments
				Delete users
				Create and edit account-wide settings (password policies, access policies, usage limits, etc.)
				Edit and delete environments, templates, and assets owned by all users in the account.

* A restricted user can’t create a project, but another user can make a restricted user a project owner. For information specific to project roles, see Understanding project roles.

† Restricted users have limited permission to create environments.

‡ An administrator must grant reporting privileges for a user to create and view reports.

---

Generally:

• The restricted role is best for users who need tightly-controlled access to a limited number of resources.
• The standard role is best for most users.
• The user manager role is best for users who need to manage and organize users and groups but who don’t need full administrator capabilities.
• The administrator role is best for trusted users in your organization who need to manage users, resources, and account-wide settings.

VPN permissions

Administrators can restrict a user’s ability to connect Skytap virtual environments to a VPN in the account. For more information, see Configuring access to a VPN.

Additional user permissions

Skytap has additional permissions that you can enable or disable for each user. Some of these permissions are displayed only when specific features are enabled in your account.

The table below shows the additional permissions that are optional (O) for each type of user.

• Most permissions are mandatory (M) for administrators and can’t be disabled.
• Restricted users can’t have most permissions enabled.

Restricted	Standard	User Manager	Administrator	Permission
O	O	O	M	This user is able to access public templates and public assets.
- -	O	O	M	This user is able to import VMs into Skytap.
- -	O	O	M	This user is able to export VMs from Skytap.
- -	O	O	M	This user is able to generate reports from Skytap. Reporting can be enabled for the entire account or just the user's department.
- -	O	O	O	This user is able to set promiscuous mode on VM network adapters for Skytap. This permission is displayed when your customer account is enabled for promiscuous mode.

For instructions, see Editing users.

Viewing owned and shared resources in Skytap