System, Account and User Management
Control Plane provides a unified experience for managing NATS Accounts and Users, governed by Control Plane's role-based access controls.
Creation and management of accounts and users: Administrators can create or delete accounts, add or remove users from accounts, and manage permissions and access controls. Users can view the limits of their credentials and download their credentials by logging into the application after being assigned.
Assign permissions and access controls: Control Plane allows account administrators to assign granular permissions and access controls to individual accounts and users. Administrators can control which accounts and users have access to specific subjects and which limits are enforced on the account or user.
Importing and Exporting Subjects on an Account: Control Plane allows subjects to be shared to and from other accounts.
A System is a single NATS Cluster (or Super Cluster) configured to run in Operator mode using a NATS Resolver. The following items are required to set up a System:
- Cluster URL
- System Account User Credentials
- Operator Signing Key
Systems are configured using the [config file](/control-plane/deployment/configuration). Each system contains:
- A graph of the system's NATS topology
- A list of connections
- Accounts associated with this system, and an associated account view when clicking on the account name.
- Analytics about client connectivity, server performance, and throughput metrics
An application administrator can assign access to the system.
An account is a logical collection of NATS users and JetStream assets. SCP's context will change when viewing an account. This allows more granular access to permissions, metrics and observability within your NATS topology.
The account view comes with several features, including:
- Account analytics and overview
- Limit management for the Account and its associated JetStream entities
- Connections specific to the account
- NATS User Management
- JetStream Asset Management
- Account Alert Rules
- Subjects can be shared across accounts to assist in sharing messages between NATS clusters to eliminate the need for complex or custom code.
A NATS User refers to an entity that interacts with the NATS messaging system. A NATS User can be a client application, service, or any software component that utilizes NATS for communication and data exchange. The NATS Users and Signing Key Groups available in SCP are listed in the account context under Users.
Signing Key Groups
NATS Users in SCP are required to be associated with a Signing Key Group. Control Plane promotes good key hygiene with a concept called a Signing Key Group. A group allows or denies its users permission to publish or subscribe to specified subjects. Each group can also be Scoped or Unscoped.
- Scoped - Permissions and Limits will be set on the Group. Users assigned to the Signing Key Group will inherit the permissions and limits from the group they were assigned to.
- Unscoped - Permissions and Limits will be set on the NATS User. Each User will need their Limits and Permissions assigned.
Signing Key Groups allow key rotations so each user can stay secure.
Each NATS User's JWT can be downloaded with the correct scope. Once a NATS User has been created, credentials can be downloaded via Control Plane. This capability resides in the NATS User overview.
This can be reached in the following steps:
- From the home page, click the Name of the target system
- Click on the selected account
- Click on NATS Users.
- Click on the NATS User to download.
- Download the credentials
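To check what a downloaded credential actually grants under the Scoped and Unscoped groups described above, the following added example (not Control Plane's or NATS's own code) decodes the user JWT from a `.creds` file and resolves its effective publish/subscribe permissions against the account's signing keys. The function names and sample keys are assumptions made for illustration, the account's `signing_keys` list is assumed to have been decoded from the account JWT separately, and the constructed sample omits the NKEY seed block.

```python
import base64, json, re

def _seg(obj):  # helper used only to build the constructed sample below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: placeholder keys and a fake signature, not real NKEYs.
SAMPLE_SIGNING_KEYS = [
    "APLAINKEY",  # plain entry: an unscoped signing key
    {"kind": "user_scope", "key": "ASCOPEDKEY", "role": "orders",
     "template": {"pub": {"allow": ["orders.>"]}, "sub": {"allow": ["orders.replies.*"]}}},
]
SAMPLE_CREDS = (
    "-----BEGIN NATS USER JWT-----\n"
    + ".".join([_seg({"typ": "JWT", "alg": "ed25519-nkey"}),
                _seg({"iss": "ASCOPEDKEY", "sub": "UEXAMPLE",
                      "nats": {"issuer_account": "AACCOUNT", "type": "user", "version": 2}}),
                "c2ln"])
    + "\n------END NATS USER JWT------\n"
)

def claims_from_creds(text):
    # A .creds file wraps the user JWT in PEM-like BEGIN/END markers.
    m = re.search(r"-+BEGIN NATS USER JWT-+\s*(\S+)\s*-+END NATS USER JWT-+", text)
    if not m:
        raise ValueError("no user JWT block found")
    part = m.group(1).split(".")[1]
    # Segments are unpadded base64url. This only decodes; it does NOT verify the signature.
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def effective_permissions(user, signing_keys):
    """Return (mode, pub_allow, sub_allow) for decoded user claims."""
    nats = user.get("nats", {})
    own = (nats.get("pub", {}).get("allow", []), nats.get("sub", {}).get("allow", []))
    for entry in signing_keys:
        if isinstance(entry, dict) and entry.get("key") == user["iss"]:
            if any(own):
                # nats-server rejects a user under a scoped key that sets its own permissions.
                raise ValueError("scoped user JWT carries its own allow lists")
            t = entry.get("template", {})
            return ("scoped", t.get("pub", {}).get("allow", []), t.get("sub", {}).get("allow", []))
        if entry == user["iss"]:
            return ("unscoped", *own)
    raise ValueError("issuer is not a signing key of this account")

def unrestricted(allow):
    # No allow list means no allow-list restriction; ">" matches every subject.
    return not allow or ">" in allow
```

An unscoped user whose JWT has no allow lists is reported as unrestricted, which is the case to look for when reviewing credentials before handing them to an application.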