Tenant view of the hub uses Common Services: Identity & Access Management (IAM) for access and role management. All users need a role in the IAM system to access TSGs and TSG-based tenants. Using Identity and Access, you can manage tenant users, service accounts, and access to various resources within Common Services, and enterprise apps. You're required to assign roles for users but roles are optional for service accounts. Users in the tenant view of the hub are not required to be added to Customer Support Portal accounts unless needed to operate onboarding or offboarding tasks.

Roles work as a union. If you assign a role to a user for a specific app and another role for All Apps & Services, the user will get the union of both permissions. For example, consider a scenario where a user is assigned a role for the Strata Logging Service app with a role that does not allow download or share permissions. If that same user is also assigned the Superuser role for All Apps & Services, the user is able to download and share. The behavior is to check the specific app first and if the permission isn't available, then check All Apps & Services. For more information about what each role can do, you can view the permissions in the platform for each role.

For steps to configure and manage roles and permissions, see Common Services: Identity and Access