Reading Class 13 - morgan-401-advanced-javascript/seattle-javascript-401n14 GitHub Wiki

Read Access Control (ACL)

5 steps to RBAC link

What is RBAC?

RBAC is nothing more than the idea of assigning system access to users based on their role within an organization. The system needs of a given workforce are analyzed, with users grouped into roles based on common job responsibilities and system access needs. Access is then assigned to each person based strictly on their role assignment. With tight adherence to access requirements established for each role, access management becomes much easier.

RBAC vs. ABAC vs. ACL

There are some alternatives for/variations of RBAC, including:

  • Access control lists (ACL) - An ACL is a means of defining access rights by a given user or user group, to a specific object, such as a document. As a simple example, an ACL could be used to allow users from one department to make changes to a document, while only allowing users from other departments to read the document.

  • Attribute-based access control (ABAC) - ABAC, sometimes known as policy-based access control, can use a variety of attributes, including user department, time of day, location of access, type of access required, etc. to determine whether a user's access request should be granted.

RBAC at Rackspace

Link

RBAC has the following types of users:

  • Account owner - The account owner is the primary contact for the account and has full permissions to execute all capabilities for every product available. Each account has a single account owner.

  • Account user - The account user is a user who has been added by the account owner and has been assigned to specific product or account roles.

RBAC has the following custom roles:

  • Product:admin - The Product Admin role has permissions to create, read, update, and delete resources for the designated product.

  • Product:creator - The Product Creator role has permissions to create, read, and update resources for the designated product. This role cannot delete a resource. All destructive actions are prohibited.

  • Product:observer - The Product Observer role has permissions to read given resources for the designated product. This role is read-only.

Assign the following account roles to the users who manage your Rackspace customer account:

  • Billing:admin - The Billing Admin role has permissions to create, read, update, and delete billing and payment resources for the designated product.

  • Billing:observer - The Billing Observer role has permissions to read billing and payment resources for the designated product. This role is read-only.
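The Rackspace role model above maps cleanly onto a capability table: each role name is "product:role", the role part selects a fixed set of CRUD verbs, and the account owner bypasses the table entirely. This is an added example written for these notes, not Rackspace's code; the user object shape, the `can` and `parseRole` function names, and the sample users are assumptions. The check defaults to deny, so a role for one product grants nothing on another.

```javascript
// Added example (not from the original notes or Rackspace): a minimal
// RBAC capability check modelled on the Product:* and Billing:* roles.
// Role names and CRUD verbs come from the notes; everything else is assumed.

const ROLE_PERMISSIONS = {
  admin:    new Set(['create', 'read', 'update', 'delete']),
  creator:  new Set(['create', 'read', 'update']), // no destructive actions
  observer: new Set(['read']),                     // read-only
};

// Split "Product:creator" into { product: 'Product', role: 'creator' }.
// Rejects anything that is not a known "product:role" pair.
function parseRole(roleName) {
  const [product, role, ...rest] = roleName.split(':');
  if (!product || !role || rest.length || !(role in ROLE_PERMISSIONS)) {
    throw new Error(`unknown role: ${roleName}`);
  }
  return { product, role };
}

// Decide whether `user` may perform `action` on `product`.
// The account owner has full permissions for every product; an account
// user gets only what an assigned role on that product grants. Default deny.
function can(user, action, product) {
  if (user.isAccountOwner) return true;
  return (user.roles || []).some((roleName) => {
    const r = parseRole(roleName);
    return r.product === product && ROLE_PERMISSIONS[r.role].has(action);
  });
}

// Constructed sample users (assumed shape: name, isAccountOwner, roles[]).
const owner = { name: 'alice', isAccountOwner: true, roles: [] };
const ops   = { name: 'bob', isAccountOwner: false,
                roles: ['Product:creator', 'Billing:observer'] };

// Example decisions:
// can(owner, 'delete', 'Product') -> true  (owner bypasses the table)
// can(ops,   'delete', 'Product') -> false (creator cannot delete)
// can(ops,   'update', 'Billing') -> false (observer is read-only)
```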

Skim

wiki - RBAC link

Watch

RBAC tutorial link