Role Based Access Control: aka Does Bobby from the mail room need admin access? - mattoattacko/class GitHub Wiki

Role-based Access Control (RBAC)

  • RBAC is an access control model that restricts system access according to the roles assigned to authorized users.
  • It can be thought of as a roles-and-privileges system: not everyone given access to a computer system needs the same permissions.
  • RBAC is a flexible access control technology.
  • A role describes the level of access given to a user's account.
  • Three rules govern RBAC: Role Assignment, Role Authorization, and Permission Authorization.
  • Role Assignment: user access given only if the user has selected or been assigned a role that requires it
  • Role Authorization: user's active role must be authorized for the user. This helps make sure that users can take on only roles that they are authorized for.
  • Permission Authorization: the user can gain access only if the access is authorized for that user's active role. This makes sure that the users can exercise only the permissions that they are authorized for.
  • RBAC has two types of users: Account Owner and Account User.
  • Account owners are the primary contact for the account and have full permissions to execute all capabilities, for all products/processes available on the system. Accounts have only a single account owner. Only the account owner can create new users, modify existing users, and delete users.
  • Account users have been added to the account by the account owner. They have been assigned a role that gives them permissions to a specific product/role.

Roles that RBAC Offers

  • Multiple-product roles give access to resources associated with multiple products. Users can be given Full Access or Read-Only Access.
  • Custom roles can be defined by the owner to assign users different permissions for different products, allowing more flexibility. Examples: Product:admin (CRUD), Product:creator (CRU), and Product:observer (R).
  • Account roles can be assigned to the users who need to manage our customer accounts. Examples: Billing:admin (CRUD) and Billing:observer (R).
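The three rules above (Role Assignment, Role Authorization, Permission Authorization) and the owner-only user management, applied to the custom and account roles listed here, as an added example that is not part of the wiki page. The `RBAC`/`User` classes and the `owner` principal name are assumptions made for the illustration; the role names and CRUD permission sets are taken from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Permission sets taken from the wiki's custom and account role examples.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Product:admin": {"create", "read", "update", "delete"},  # CRUD
    "Product:creator": {"create", "read", "update"},          # CRU
    "Product:observer": {"read"},                             # R
    "Billing:admin": {"create", "read", "update", "delete"},  # CRUD
    "Billing:observer": {"read"},                             # R
}

OWNER = "owner"  # hypothetical name of the single account owner


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)  # roles assigned by the owner
    active_role: Optional[str] = None             # role activated for this session


class RBAC:
    """Enforces the three rules: Role Assignment, Role Authorization,
    Permission Authorization."""

    def __init__(self, role_permissions: Dict[str, Set[str]]):
        self.role_permissions = role_permissions

    def assign_role(self, actor: str, user: User, role: str) -> None:
        # Only the account owner may create or modify users.
        if actor != OWNER:
            raise PermissionError("only the account owner can modify users")
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        user.roles.add(role)

    def activate_role(self, user: User, role: str) -> bool:
        # Role Authorization: the active role must be one assigned to the user.
        if role not in user.roles:
            return False
        user.active_role = role
        return True

    def check(self, user: User, permission: str) -> bool:
        # Role Assignment: no selected role means no access at all.
        if user.active_role is None:
            return False
        # Permission Authorization: only the active role's permissions apply.
        return permission in self.role_permissions[user.active_role]
```

A user with no role, or who tries to activate a role the owner never assigned, is denied before any permission is consulted, so "Bobby from the mail room" gets only what his observer role grants.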