Overview
Cloud Control Center's Role-Based Access Control (RBAC) feature lets administrators define custom roles with specific privileges and assign those roles to users, whether the users are created locally, provisioned through Single Sign-On (SSO), or are API clients. After authentication, every interaction a user has with the Cloud Control Center is governed strictly by the privileges of the assigned role.
Steps to Set Up IAM Using RBAC
Accessing the RBAC Settings
- Log into Cloud Control Center (CCC): Use your administrative credentials to log into the CCC.
- Navigate to the Settings tab.
- Under the Admin section, select Role Based Access Control.
Default Roles
By default, Cloud Control Center provides two predefined roles:
1. Tenant User: Users with this role can view all components of the user interface (UI), such as Devices, Policies, Virtual Edges, Analytics and more. However, they are not permitted to make any modifications.
2. Tenant Admin: Users with this role have comprehensive access, allowing them to view and modify any component of the UI.
Components of RBAC
Role Name
- Definition: Customizable name for the role.
Privileges
- Scope: Pertains to each component of the UI.
- Privilege: Can be set to 'Enabled' or 'Disabled', governing the visibility and interaction level a user has with each UI component.
Creating a New Role
Steps:
1. Initiation: Click on "Create New Role".
2. Naming: Provide a name for the role. Optionally, select "Enable All Privileges" for full access, then deselect specific privileges as needed.
3. Privilege Selection: For each UI component, set the privilege to Enabled or Disabled. Refer to the Setting Up Identity and Access Management (IAM) Using Role-Based Access Control (RBAC) in Cloud Control Center article for the list of available privileges and the API endpoints connected to each privilege.
4. Save: After configuring the necessary privileges, click "Save Changes" to finalize the new role.
Managing RBAC Roles
Clicking on the more options icon (three vertical dots) shows options for managing RBAC roles.
Here's a summary of the available options:
Edit Role Name: Allows you to modify the name of an existing role.
This is useful for updating role names to better reflect the responsibilities or access levels associated with the role without altering its permissions.
Clone Role: Creates a duplicate of an existing role.
This is beneficial for creating a new role with similar permissions to an existing one. The cloned role can then be customized further if needed, saving time compared to creating a new role from scratch.
Delete Role: Permanently removes an existing role from the system.
This option should be used when a role is no longer needed. Deleting a role ensures it is no longer available for assignment, helping to maintain an organized and relevant set of roles within the RBAC system.
These options provide flexibility in managing user roles, allowing administrators to update, replicate, and remove roles as needed to align with organizational changes and security policies.
Assigning Roles to Users
Assigning roles to users is a straightforward process in the Cloud Control Center:
1. Navigate: Go to the User Management section.
2. Selection: Choose the user you wish to assign a role to and click 'Edit'.
3. Role Assignment: In the user's settings, select the desired role from the available options.
For API Clients, refer to the Cloud Control Center API documentation for detailed instructions on leveraging RBAC. For SSO users, consult the SSO documentation section in the knowledge base to understand how to automatically assign roles based on your specific SSO integration.
Cloud Control Center's RBAC is designed to provide a flexible and secure mechanism to tailor user access and privileges, ensuring users interact with the platform in a controlled and predefined manner. Whether defining new roles from scratch, cloning existing ones, or assigning roles to users, administrators are equipped with intuitive tools to streamline the role configuration process.
Mapping Roles to API Clients
Step 1 - Generate API Client Credentials:
- For API access, navigate to the API Clients section under User Management.
- Click on Add API Client.
- Fill in the client details:
  - Select a role for the API client to inherit permissions.
  - Set the access duration or choose Set Unlimited Access.
  - Provide a description for the API client.
- Click on Generate Credentials.
Step 2 - View and Copy Client Credentials:
- Once the credentials are generated, you will see a dialog with the Client ID and Client Secret.
- Copy the Client Secret and store it in a secrets manager or vault rather than in source code, tickets or chat; it cannot be retrieved again after this dialog is closed.
Step 3 - Use API Client Credentials:
- Exchange the generated client credentials (Client ID and Client Secret) for a token before calling an API endpoint.
- Include the token in your API requests to authenticate; the role selected for the API client determines which endpoints the token is authorized to call.
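The steps above, as an added example that is not part of the Cloud Control Center documentation or its SDK: a small client that reads the Client ID and Client Secret from the environment, exchanges them for a token, caches the token until shortly before it expires, and fails closed when the exchange is rejected. The token endpoint path, the request body format and the JSON field names (`access_token`, `expires_in`) are assumptions; check the CCC API documentation for the values your deployment uses.

```python
"""Token exchange for a CCC API client (added example, not CCC code).

Assumptions, not taken from the CCC documentation: the token endpoint URL,
a form-encoded client_credentials request body, and a JSON reply carrying
"access_token" and "expires_in".
"""
import json
import os
import time
import urllib.parse
import urllib.request


class TokenClient:
    def __init__(self, token_url, client_id, client_secret, transport=None):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        # transport(url, form, headers) -> (status, parsed_json); injectable so
        # the exchange can be exercised offline.
        self._transport = transport or self._http_post
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _http_post(url, form, headers):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())

    def token(self, now=None):
        """Return a cached token, refreshing it 30 s before expiry."""
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - 30:
            return self._token
        status, body = self._transport(
            self.token_url,
            {"grant_type": "client_credentials",
             "client_id": self.client_id,
             "client_secret": self.client_secret},
            {"Accept": "application/json"},
        )
        # Fail closed: never fall back to a stale or empty token.
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = body["access_token"]
        self._expires_at = now + float(body.get("expires_in", 3600))
        return self._token

    def auth_header(self, now=None):
        """Header to attach to each API request (Bearer scheme assumed)."""
        return {"Authorization": f"Bearer {self.token(now)}"}


def client_from_env(token_url, env=os.environ):
    """Build a client from CCC_CLIENT_ID / CCC_CLIENT_SECRET (assumed names).

    The secret is read from the environment (populated from a secrets manager)
    so it never appears in source control.
    """
    try:
        return TokenClient(token_url, env["CCC_CLIENT_ID"], env["CCC_CLIENT_SECRET"])
    except KeyError as exc:
        raise SystemExit(f"missing environment variable {exc}") from None


if __name__ == "__main__":
    # Hypothetical endpoint; replace with the one from your CCC API documentation.
    c = client_from_env("https://ccc.example.invalid/api/token")
    print(c.auth_header())
```

The 30-second refresh margin avoids sending a request with a token that expires in flight; a non-200 reply raises rather than returning `None`, so a revoked or expired client cannot silently degrade to unauthenticated calls.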
Best Practices
Least Privilege Principle
- Assign the minimum privileges a role needs. When you start from "Enable All Privileges" and deselect, review every remaining privilege; where possible, start from a narrow role such as Tenant User and enable only what is required.
- Importance: Minimizes the damage a compromised account, leaked API client secret or insider can do.
Regular Audits
- Conduct regular audits of roles, role assignments and API clients to ensure they align with current organizational needs. Look for roles with every privilege enabled, roles assigned to nobody, users holding Tenant Admin who no longer need it, and API clients created with Set Unlimited Access.
- Importance: Keeps the system secure by identifying and removing unnecessary privileges and stale credentials.
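The audit described above, as an added example that is not part of the Cloud Control Center documentation or its API: a script that walks an export of roles, user assignments and API clients and reports least-privilege findings. The record shapes (`Role`, `User`, `ApiClient`), the component list and all sample data are constructed for this example; in practice you would populate them from the CCC UI or API.

```python
"""RBAC least-privilege audit (added example, not CCC code).

The data model and the sample tenant below are constructed; they do not
reflect any real CCC export format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple

# Assumed UI components; the page names Devices, Policies, Virtual Edges and Analytics.
ALL_COMPONENTS = ("Devices", "Policies", "Virtual Edges", "Analytics", "User Management")
DEFAULT_ROLES = ("Tenant User", "Tenant Admin")


@dataclass(frozen=True)
class Role:
    name: str
    enabled: FrozenSet[str]      # components whose privilege is set to Enabled


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class ApiClient:
    name: str
    role: str
    expires: Optional[datetime]  # None models "Set Unlimited Access"


def audit(roles, users, clients, now, all_components=ALL_COMPONENTS) -> List[Tuple[str, str]]:
    """Return (finding, subject) pairs; an empty list means nothing to review."""
    findings = []
    by_name = {r.name: r for r in roles}
    in_use = {u.role for u in users} | {c.role for c in clients}
    for r in roles:
        # A custom role with every privilege enabled is Tenant Admin under another name.
        if r.name != "Tenant Admin" and r.enabled >= set(all_components):
            findings.append(("overbroad-role", r.name))
        # Custom roles nobody holds are candidates for Delete Role.
        if r.name not in DEFAULT_ROLES and r.name not in in_use:
            findings.append(("unused-role", r.name))
    for u in users:
        if u.role not in by_name:
            findings.append(("dangling-role", u.name))
        elif u.role == "Tenant Admin":
            findings.append(("admin-user", u.name))
    for c in clients:
        if c.role not in by_name:
            findings.append(("dangling-role", c.name))
        if c.expires is None:
            findings.append(("unlimited-api-client", c.name))
        elif c.expires <= now:
            findings.append(("expired-api-client", c.name))
    return findings


# Constructed sample tenant (not real data).
UTC = timezone.utc
ROLES = [
    Role("Tenant Admin", frozenset(ALL_COMPONENTS)),
    Role("Tenant User", frozenset(("Devices", "Policies", "Virtual Edges", "Analytics"))),
    Role("NOC Cloned Admin", frozenset(ALL_COMPONENTS)),   # cloned, never trimmed
    Role("Analytics Viewer", frozenset(("Analytics",))),
    Role("Legacy Ops", frozenset(("Devices",))),           # assigned to nobody
]
USERS = [User("alice", "Tenant Admin"), User("bob", "Analytics Viewer"), User("carol", "Old Role")]
CLIENTS = [
    ApiClient("ci-pipeline", "NOC Cloned Admin", None),
    ApiClient("report-bot", "Analytics Viewer", datetime(2024, 1, 1, tzinfo=UTC)),
]
NOW = datetime(2025, 6, 1, tzinfo=UTC)


def run_sample_audit():
    return audit(ROLES, USERS, CLIENTS, NOW)


if __name__ == "__main__":
    for kind, subject in run_sample_audit():
        print(f"{kind:22} {subject}")
```

Each finding maps to an action the page already describes: trim or delete an overbroad clone, use Delete Role on unused roles, move a user off Tenant Admin, or recreate an API client with a bounded access duration.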
Update Policies
- Keep your IAM policies updated as your organization evolves or as new security threats emerge.
- Importance: Ensures that your security measures stay effective against the latest threats.